keligrubb/kestrelos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
414e9f4c33c9f5737aa36966e8ce56d5c79f07b5
kestrelos/docs/atak-itak.md
Keli Grubb e61e6bc7e3
All checks were successful
ci/woodpecker/push/push Pipeline was successful
Details
major: kestrel is now a tak server (#6) 
## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6
2026-02-17 16:41:41 +00:00

2.8 KiB
Raw Blame History

ATAK and iTAK

KestrelOS acts as a TAK Server. ATAK (Android) and iTAK (iOS) connect on port 8089 (CoT). Devices relay positions to each other and appear on the KestrelOS map.

Connection

Host: KestrelOS hostname/IP
Port: 8089 (CoT)
SSL: Enable if server uses TLS (.dev-certs/ or production cert)

Authentication:

  • Username: KestrelOS identifier
  • Password: Login password (local) or ATAK password (OIDC; set in Account)

ATAK (Android)

  1. SettingsNetworkConnections → Add TAK Server
  2. Set Host and Port (8089)
  3. Enable Use Authentication, enter username/password
  4. Save and connect

iTAK (iOS)

Option A - QR code (easiest):

  1. KestrelOS SettingsTAK Server → Scan QR with iTAK
  2. Enter username/password when prompted

Option B - Manual:

  1. SettingsNetwork → Add TAK Server
  2. Set Host, Port (8089), enable SSL if needed
  3. Enable Use Authentication, enter username/password
  4. Save and connect

Self-Signed Certificate (iTAK)

If server uses self-signed cert (.dev-certs/):

Upload server package:

  1. KestrelOS SettingsTAK ServerDownload server package (zip)
  2. Transfer to iPhone (AirDrop, email, Safari)
  3. iTAK: SettingsNetworkServers+Upload server package
  4. Enter username/password

Or use plain TCP:

  1. Stop KestrelOS, remove .dev-certs/, restart
  2. Add server with SSL disabled

ATAK (Android): Download trust store from https://your-server/api/cot/truststore, import .p12 (password: kestrelos), or use server package/plain TCP.

OIDC Users

OIDC users must set an ATAK password first:

  1. Sign in with OIDC
  2. AccountATAK / device password → set password
  3. Use KestrelOS username + ATAK password in TAK client

Configuration

Variable Default Description
COT_PORT 8089 CoT server port
COT_TTL_MS 90000 Device timeout (~90s)
COT_REQUIRE_AUTH true Require authentication
COT_SSL_CERT .dev-certs/cert.pem TLS cert path
COT_SSL_KEY .dev-certs/key.pem TLS key path

Troubleshooting

"Error authenticating" with no [cot] logs:

  • Connection not reaching server (TLS handshake failed or firewall blocking)
  • Check server logs show [cot] CoT server listening on 0.0.0.0:8089
  • Verify port 8089 (not 3000) and firewall allows it
  • For TLS: trust cert (server package) or use plain TCP

"Error authenticating" with [cot] logs:

  • Username must be KestrelOS identifier
  • Password must match (local: login password; OIDC: ATAK password)

Devices not on map: They appear only while sending updates; drop off after TTL (~90s).

Reference in New Issue View Git Blame Copy Permalink