# DEBIAN 13 VPS SETUP GUIDE

## Complete BTCPay Server + Tor Restoration

**Target:** Hostinger VPS thebankofdebbie.giize.com (31.97.57.205)
**Date:** September 10, 2025
**Status:** Ready for Debian 13 OS rebuild

---

## 🎯 **QUICK START (30 Minutes)**

### Step 1: Fresh Debian 13 Installation

1. Reinstall Debian 13 via Hostinger control panel
2. Use password: `Th3fa1r13sd1d1t.` (keep this initially)
3. Wait for OS installation to complete

### Step 2: Copy SSH Key and Scripts

```bash
# On your local machine
# Copy only the public key; the private key stays on the local machine
scp -P 22 vps_hardening_key.pub root@thebankofdebbie.giize.com:/tmp/
scp -P 22 debian13_vps_hardening.sh root@thebankofdebbie.giize.com:/tmp/
scp -P 22 btcpay_tor_installer.sh root@thebankofdebbie.giize.com:/tmp/
```

### Step 3: Run VPS Hardening (5 minutes)

```bash
# SSH to fresh Debian 13 server
ssh root@thebankofdebbie.giize.com

# Make scripts executable
chmod +x /tmp/*.sh

# Run hardening script
/tmp/debian13_vps_hardening.sh

# Add your SSH public key
cat /tmp/vps_hardening_key.pub > /home/ubuntu/.ssh/authorized_keys
chown ubuntu:ubuntu /home/ubuntu/.ssh/authorized_keys
chmod 600 /home/ubuntu/.ssh/authorized_keys
```

### Step 4: Test SSH Keys (CRITICAL)

```bash
# Test SSH key access on new port (run locally; keep the existing root session open)
ssh -i vps_hardening_key -p 2255 ubuntu@thebankofdebbie.giize.com

# If successful, disable password auth
# (the pattern also matches a commented-out or differently spaced line):
sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]]+.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart ssh
```

### Step 5: Install BTCPay Server + Tor (15 minutes)

```bash
# Run as root
sudo su -
/tmp/btcpay_tor_installer.sh
```

### Step 6: Monitor Installation

```bash
# Check status
./monitor-btcpay.sh

# Watch Bitcoin sync progress
docker logs btcpayserver_bitcoind -f
```

---

## 🔧 **DETAILED CONFIGURATION**

### Previous Working Configuration

```
BTCPay Onion: njoc2ubkk7ymgqfg6plt3wcltvcvuv3j4eemixnovicegrlwhq2zwfad.onion
Bitcoin P2P Onion: s7n55wptvooma4gqsbdo5vn6v6nphjffqsmlufoa3fzqhwkqgeasslad.onion
Note: New installation will generate NEW onion addresses
```

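Step 4's `sed` command edits only `/etc/ssh/sshd_config`, while Debian's sshd also reads drop-in files under `/etc/ssh/sshd_config.d/` and keeps the first value it finds for each keyword. The following added example (not part of the guide's scripts) checks the effective settings printed by `sshd -T` against the values this guide targets; the function name `audit_sshd` and both sample dumps are constructed for illustration.

```bash
# Added example: audit sshd's effective settings against this guide's targets.

# audit_sshd: reads `sshd -T` output (lowercase "keyword value" lines) on
# stdin, prints one FAIL line per mismatch, returns 0 only if all match.
audit_sshd() {
  dump=$(cat)
  failures=0
  # Expected values come from the guide's Security Configuration section.
  while read -r key want; do
    got=$(printf '%s\n' "$dump" |
      awk -v k="$key" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }')
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: want '$want', got '${got:-unset}'"
      failures=$((failures + 1))
    fi
  done <<'EOF'
port 2255
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
allowusers ubuntu
EOF
  [ "$failures" -eq 0 ]
}

# Constructed sample: the main file was edited, but a drop-in that is read
# earlier still enables passwords, so the effective value stays "yes".
SAMPLE_OVERRIDDEN='port 2255
passwordauthentication yes
permitrootlogin no
pubkeyauthentication yes
allowusers ubuntu'

# Constructed sample: every target value is in effect.
SAMPLE_HARDENED='port 2255
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
allowusers ubuntu'

# On the server, run: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd ||
  echo "Effective config differs: keep the root session open"
```
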
### Bitcoin Configuration

```bash
# Verified working config in BITCOIN_EXTRA_ARGS:
prune=10000 # 10GB max blockchain storage
rpcport=43782
rpcbind=0.0.0.0:43782
rpcallowip=0.0.0.0/0
port=39388
whitelist=0.0.0.0/0
maxmempool=500
onion=tor:9050
```

### Security Configuration

```bash
# SSH
Port 2255
PermitRootLogin no
AllowUsers ubuntu
PubkeyAuthentication yes

# UFW Firewall
2255/tcp ALLOW SSH-Hardened
80/tcp ALLOW HTTP-BTCPay
443/tcp ALLOW HTTPS-BTCPay
9050 ALLOW Tor-Local (127.0.0.0/8)

# Fail2Ban
SSH: 3 attempts -> 2 hour ban
Web: monitoring nginx logs
```

---

## 🚨 **CRITICAL SUCCESS POINTS**

### ✅ **Must Work Before Proceeding:**

1. SSH key authentication on port 2255
2. UFW firewall active with correct rules
3. Fail2Ban monitoring logs
4. Docker running and ubuntu in docker group

### ✅ **BTCPay Installation Success Indicators:**

1. All Docker containers running (8 containers)
2. Bitcoin logs show: "Prune configured to target 10000 MiB"
3. Tor onion addresses generated in 5 minutes
4. Web interface accessible on both clearnet and onion

### ⚠️ **Common Issues & Solutions:**

**Issue:** Bitcoin not in pruned mode

```bash
# Solution: Clear blockchain and restart
sudo btcpay-down.sh
docker run --rm -v generated_bitcoin_datadir:/data alpine rm -rf /data/blocks /data/chainstate
sudo btcpay-up.sh
```

**Issue:** Port conflicts

```bash
# Solution: Stop conflicting services first
sudo docker stop $(sudo docker ps -aq) 2>/dev/null || true
sudo btcpay-up.sh
```

**Issue:** Onion services not generating

```bash
# Solution: Restart Tor container
sudo docker restart tor tor-gen
# Wait 5 minutes, then check:
sudo cat /var/lib/docker/volumes/generated_tor_servicesdir/_data/BTCPayServer/hostname
```

---

## 📊 **EXPECTED RESULTS**

### Disk Usage After Complete Setup:

```
System + Docker: ~5GB
BTCPay Services: ~3GB
Bitcoin (pruned): ~10GB (max)
Available: ~369GB
Total Used: ~18GB / 387GB (5%)
```

### Performance Expectations:

```
Initial Bitcoin Sync: 12-24 hours (over Tor)
Bitcoin Storage: 10GB maximum (pruned)
Web Response: Normal (slight Tor overhead for onion)
Payment Processing: Real-time
```

### Services Running (8 containers):

```
✅ btcpayserver_bitcoind - Bitcoin Core (pruned, Tor-only)
✅ generated_btcpayserver_1 - BTCPay Server application
✅ generated_nbxplorer_1 - Blockchain explorer
✅ generated_postgres_1 - PostgreSQL database
✅ nginx - Reverse proxy with SSL
✅ tor - Tor daemon + onion services
✅ tor-gen - Tor configuration generator
✅ letsencrypt-... - SSL certificate manager
```

---

## 🔐 **SECURITY FEATURES RESTORED**

### Network Security:

- ✅ SSH on port 2255 with key auth only
- ✅ UFW firewall with minimal allowed ports
- ✅ Fail2Ban monitoring SSH and web attacks
- ✅ Bitcoin P2P traffic only via Tor network
- ✅ BTCPay accessible via both clearnet and Tor

### Privacy Features:

- ✅ Bitcoin node uses onlynet=onion (no clearnet P2P)
- ✅ BTCPay Server accessible via .onion address
- ✅ Customer payments can be completely anonymous
- ✅ No DNS leaks (Bitcoin doesn't use clearnet DNS)

### Storage Management:

- ✅ Bitcoin blockchain limited to 10GB (pruned)
- ✅ Automatic old block removal
- ✅ Safe for 387GB VPS with room to grow
- ✅ Full validation capability maintained

---

## 🔄 **MAINTENANCE COMMANDS**

### Daily Monitoring:

```bash
~/monitor-btcpay.sh              # Overall status
sudo docker ps | grep btcpay     # Container status
df -h /                          # Disk usage
sudo fail2ban-client status      # Security status
```

### Maintenance:

```bash
sudo btcpay-restart.sh               # Restart all services
sudo btcpay-update.sh                # Update BTCPay Server
sudo btcpay-clean.sh                 # Clean old Docker images
docker logs btcpayserver_bitcoind    # Check Bitcoin sync
```

### Emergency Recovery:

```bash
sudo btcpay-down.sh    # Stop everything
sudo btcpay-up.sh      # Start everything
# If needed: Re-run btcpay_tor_installer.sh
```

---

## 📞 **SUPPORT INFORMATION**

### If Something Goes Wrong:

1. **SSH Issues:** Contact Hostinger for console access
2. **Bitcoin Storage:** Monitor with `df -h` - should never exceed 15GB total
3. **BTCPay Problems:** Check `docker logs generated_btcpayserver_1`
4. **Tor Issues:** Restart tor containers, wait 5 minutes for onion addresses

### Key Files Backup:

- SSH Keys: `/home/ubuntu/.ssh/`
- BTCPay Config: `/opt/.env`
- Docker Compose: `/opt/btcpayserver-docker/Generated/docker-compose.generated.yml`
- Tor Keys: `/var/lib/docker/volumes/generated_tor_servicesdir/`

---

## 🎯 **SUCCESS CRITERIA**

**✅ Installation Complete When:**

1. SSH key access works on port 2255
2. All 8 Docker containers running
3. Bitcoin logs show pruning active
4. BTCPay accessible on both clearnet and onion
5. Disk usage under 20GB total
6. New onion addresses generated and documented

**🚀 Ready for LittleShop Integration When:**

1. Bitcoin initial sync completed (24 hours)
2. BTCPay setup wizard completed
3. Test payment successful
4. API endpoints responding
5. Webhook configuration tested

---

## 📋 **FINAL CHECKLIST**

**Before Declaring Success:**

- [ ] SSH key authentication working on port 2255
- [ ] Password authentication disabled
- [ ] UFW firewall active with 4 rules
- [ ] Fail2Ban showing 2+ active jails
- [ ] 8 Docker containers running
- [ ] Bitcoin pruning confirmed in logs
- [ ] BTCPay onion address generated
- [ ] Disk usage under 20GB
- [ ] Web interface accessible
- [ ] Monitoring script working

**Debian 13 advantages over Ubuntu:**

- More granular security controls
- Better systemd hardening options
- Reduced attack surface (minimal packages)
- More predictable package management
- Enhanced AppArmor/SELinux integration

---

**🎉 Total Setup Time: ~30 minutes + 24 hours Bitcoin sync**

**🔒 Security Level: Maximum (Tor + hardened OS + pruned storage)**

**💾 Storage Safe: Yes (10GB max Bitcoin + 10GB overhead = 20GB total)**

Ready to deploy! 🚀
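
The `BITCOIN_EXTRA_ARGS` block printed under "Bitcoin Configuration" does not list the `onlynet=onion` setting that the Privacy Features section relies on, and it lets RPC accept any source address. This added example (not the guide's or BTCPay's own code; `audit_bitcoin_args` is a hypothetical helper) checks an argument block against the guide's pruning, Tor and RPC expectations, using the printed block as its input.

```bash
# Added example: compare a bitcoind argument block with what this guide
# claims about pruning, Tor routing and RPC exposure.

# audit_bitcoin_args: reads bitcoin.conf-style lines on stdin, prints one
# OK/WARN/FAIL finding per check, returns non-zero if anything is not OK.
audit_bitcoin_args() {
  # Strip comments, trailing whitespace and blank lines.
  conf=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d')
  val() { printf '%s\n' "$conf" | sed -n "s/^$1=//p" | head -n 1; }
  rc=0
  if [ "$(val prune)" = "10000" ]; then
    echo "OK prune=10000"
  else
    echo "FAIL prune is '$(val prune)', expected 10000"; rc=1
  fi
  if [ -n "$(val onion)$(val proxy)" ]; then
    echo "OK tor proxy configured"
  else
    echo "FAIL no onion= or proxy= setting"; rc=1
  fi
  # onion= only routes .onion peers through Tor; without onlynet=onion the
  # node still makes direct IPv4/IPv6 P2P connections.
  if [ "$(val onlynet)" = "onion" ]; then
    echo "OK onlynet=onion"
  else
    echo "WARN onlynet=onion not set: clearnet P2P is still allowed"; rc=1
  fi
  # A wide-open RPC ACL is only safe while the port stays inside Docker.
  if [ "$(val rpcallowip)" = "0.0.0.0/0" ]; then
    echo "WARN rpcallowip=0.0.0.0/0: confirm port $(val rpcport) is not published"; rc=1
  fi
  return "$rc"
}

# The block shown under "Bitcoin Configuration" in this guide.
GUIDE_ARGS='prune=10000 # 10GB max blockchain storage
rpcport=43782
rpcbind=0.0.0.0:43782
rpcallowip=0.0.0.0/0
port=39388
whitelist=0.0.0.0/0
maxmempool=500
onion=tor:9050'

printf '%s\n' "$GUIDE_ARGS" | audit_bitcoin_args || true
```

On the server, feed the function the deployed argument block, then run `sudo docker port btcpayserver_bitcoind` and confirm the RPC port is not mapped to a host interface.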