ntr.smooker.org
System Documentation — 2026-03-14
| Property | Value |
|---|---|
| Host | Neterra VPS |
| OS | Gentoo Linux, profile 23.0 (split-usr) |
| Init | OpenRC |
| SSH | non-standard port, key-only auth |
Users
| User | Groups | Notes |
|---|---|---|
| smooker | wheel, team | admin, su to root |
| claude | team | SSH key auth only |
- Group team — shared tmux socket permissions
- Skel: custom .bashrc (isodate prompt, chroot detect), .vimrc (codedark theme, F5 trailing whitespace strip)
Installed Packages
| Package | Version | Notes |
|---|---|---|
| gcc | 15.2.1 | profile 23.0 rebuild |
| vim | 9.1.1652 | compiled from source |
| git | 2.52.0 | |
| tmux | 3.5a | shared sessions |
| nginx | 1.29.5 | OpenRC default runlevel |
| openvpn | 2.6.x | dual UDP+TCP servers |
| syslog-ng | 4.10 | custom log separation |
| logrotate | 3.22.0 | weekly, 12 rotations |
| cronie | — | OpenRC default runlevel |
| acme.sh | — | Let's Encrypt, --nginx mode |
| perl | 5.40 | APRS-IS tracker |
OpenVPN
PKI: pki.pl v1.0 — Root CA → Sub-CA → server + client certs
| Instance | Proto | Port | Interface | Subnet |
|---|---|---|---|---|
| Primary | UDP | *** | tap | 10.x.x.0/24 |
| Secondary | TCP | *** | tap | 10.x.x.0/24 |
- Keepalive: 10/40
- Per-client config directory (CCD)
- Separate log files per instance
- OpenRC auto-start
nginx
| Vhost | SSL | Description |
|---|---|---|
| ntr.smooker.org | Let's Encrypt | Landing page, CS team logo |
| def.smooker.org | Let's Encrypt | Default server, landing page |
| map.smooker.org | Let's Encrypt | APRS live tracking map |
- All HTTP → HTTPS redirect
- acme.sh --nginx mode for certificate management
- Auto-renewal via cron
APRS-IS Tracker
- Callsign: LZ1CCM
- Map: map.smooker.org (Leaflet/OpenStreetMap)
- Position update: cron every minute → position.json
- Auto-start: OpenRC local.d → shared tmux session
- Source: track_aprs
syslog-ng
| Log file | Facility |
|---|---|
| /var/log/messages | all except auth, cron |
| /var/log/auth.log | auth, authpriv |
| /var/log/kern.log | kern |
| /var/log/cron.log | cron |
OpenVPN: separate log files via log-append
Firewall
- Policy: INPUT DROP, FORWARD DROP, OUTPUT ACCEPT
- Allowed inbound: SSH, ICMP, OpenVPN, HTTP/HTTPS
- Persistent via iptables-save/restore + OpenRC
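A check for the policy listed above, as an added example that is not part of the original documentation: it reads `iptables-save` output and confirms the filter table still has INPUT DROP, FORWARD DROP, OUTPUT ACCEPT. The function names and both sample rulesets are constructed for illustration and are not taken from the host.

```shell
# Added example: audit filter-table chain policies in iptables-save output.
# audit_policies [FILE]: reads iptables-save text from FILE or stdin, prints
# one line per deviation, and returns 0 only when all three policies match.
audit_policies() {
    awk '
        BEGIN { want["INPUT"] = "DROP"; want["FORWARD"] = "DROP"
                want["OUTPUT"] = "ACCEPT"; bad = 0 }
        /^\*/ { table = substr($1, 2); next }   # table header: *filter, *nat
        table == "filter" && /^:/ {             # policy line: ":INPUT DROP [0:0]"
            chain = substr($1, 2)
            if (!(chain in want)) next
            seen[chain] = 1
            if ($2 != want[chain]) {
                printf "MISMATCH %s policy=%s expected=%s\n", chain, $2, want[chain]
                bad = 1
            }
        }
        END {
            for (c in want) if (!(c in seen)) { print "MISSING " c; bad = 1 }
            exit bad
        }
    ' "$@"
}

# Constructed sample: matches the baseline. The nat table's ACCEPT policies
# must not be mistaken for filter-table policies.
sample_good() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same ruleset after the filter INPUT policy drifted.
sample_drifted() { sample_good | sed 's/^:INPUT DROP/:INPUT ACCEPT/'; }

sample_good    | audit_policies && echo "baseline: OK"
sample_drifted | audit_policies || echo "drifted: policy deviation found"
```

Run as root, `iptables-save | audit_policies` checks the live ruleset; pointing it at the saved rules file checks what will be restored at boot.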
Logrotate
- OpenVPN logs — weekly, 12 rotations, compress, copytruncate
- Auth/kern/cron — weekly, 12 rotations, compress, syslog-ng reload
- nginx, syslog-ng — package defaults
Security
- SSH: non-standard port, key-only authentication, no password auth
- Removed 4 unauthorized vendor SSH keys from root (see SECURITY.md)
- Firewall: default DROP policy on INPUT
smooker & claude // LZ1CCM // Sofia, Bulgaria