kestrelos/docs/atak-itak.md
keligrubb bb01e9a06c
Add ADS-B, AIS, and ALPR map layers with live CoT streaming (#36)
## Summary

- **ADS-B & AIS:** OpenSky and AISStream OSINT feeds upsert into the CoT store; tactical tracks still arrive via adsbcot/aiscot on `:8089`. Map clients subscribe via `GET /api/cot/stream` (SSE) with viewport bbox filtering and Air / Surface / Team layer toggles.
- **ALPR (Flock/OSM):** Toggleable license-plate reader layer sourced from OpenStreetMap, with SQLite cache, Overpass fallback, tiled viewport fetching, and clustered markers with direction cones.
- **Map performance:** Ring-based tile selection (fixes zoom-out crash), immutable tile cache, incremental marker sync, split cluster load/query, and padded SSE bbox to reduce reconnect churn.

## Docs

- `docs/tracking.md` — ADS-B/AIS accuracy tiers, freshness, self-hosted receivers, optional OSINT API keys
- `docs/map-and-cameras.md` — ALPR layer and map behavior updates

---------

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #36
2026-06-24 20:54:50 +00:00

ATAK and iTAK

KestrelOS acts as a TAK Server. ATAK (Android) and iTAK (iOS) connect on port 8089 (CoT). Devices relay positions to each other and appear on the KestrelOS map.

ADS-B and AIS via adsbcot / aiscot: see tracking.md.

Connection

Host: KestrelOS hostname/IP
Port: 8089 (CoT)
SSL: Enable if server uses TLS (.dev-certs/ or production cert)

Authentication:

  • Username: KestrelOS identifier
  • Password: Login password (local) or ATAK password (OIDC; set in Account)

ATAK (Android)

  1. Settings → Network → Connections → Add TAK Server
  2. Set Host and Port (8089)
  3. Enable Use Authentication, enter username/password
  4. Save and connect

iTAK (iOS)

Option A - QR code (easiest):

  1. KestrelOS Settings → TAK Server → Scan QR with iTAK
  2. Enter username/password when prompted

Option B - Manual:

  1. Settings → Network → Add TAK Server
  2. Set Host, Port (8089), enable SSL if needed
  3. Enable Use Authentication, enter username/password
  4. Save and connect

Self-Signed Certificate (iTAK)

If server uses self-signed cert (.dev-certs/):

Upload server package:

  1. KestrelOS Settings → TAK Server → Download server package (zip)
  2. Transfer to iPhone (AirDrop, email, Safari)
  3. iTAK: Settings → Network → Servers → + → Upload server package
  4. Enter username/password

Or use plain TCP:

  1. Stop KestrelOS, remove .dev-certs/, restart
  2. Add server with SSL disabled

ATAK (Android): Download trust store from https://your-server/api/cot/truststore, import .p12 (password: kestrelos), or use server package/plain TCP.

OIDC Users

OIDC users must set an ATAK password first:

  1. Sign in with OIDC
  2. Account → ATAK / device password → set password
  3. Use KestrelOS username + ATAK password in TAK client

Configuration

| Variable | Default | Description |
|---|---|---|
| COT_PORT | 8089 | CoT server port |
| COT_REQUIRE_AUTH | true | Require authentication |
| COT_SSL_CERT | .dev-certs/cert.pem | TLS cert path |
| COT_SSL_KEY | .dev-certs/key.pem | TLS key path |

Troubleshooting

"Error authenticating" with no [cot] logs:

  • Connection not reaching server (TLS handshake failed or firewall blocking)
  • Check that the server logs show [cot] CoT server listening on 0.0.0.0:8089
  • Verify port 8089 (not 3000) and firewall allows it
  • For TLS: trust cert (server package) or use plain TCP

"Error authenticating" with [cot] logs:

  • Username must be KestrelOS identifier
  • Password must match (local: login password; OIDC: ATAK password)

Devices not on map: They appear only while sending updates; drop off after TTL (~90s).
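
An added example, not part of the KestrelOS docs or code base: a Python probe that separates the "Error authenticating" causes listed under Troubleshooting (port unreachable, no TLS on the port, untrusted certificate) from a credential problem. The function name probe_cot, the result labels, and the use of a PEM copy of the server certificate as cafile are assumptions made for illustration.

```python
import socket
import ssl
import sys

# What each probe result means, mapped to the troubleshooting items above.
ADVICE = {
    "unreachable": "TCP connect failed: check firewall, port 8089 (not 3000), "
                   "and that the server logged '[cot] CoT server listening'.",
    "no-tls": "Port is open but no TLS handshake completed: the server is "
              "likely on plain TCP, so the client needs SSL disabled.",
    "tls-untrusted": "TLS is up but the certificate failed verification: "
                     "import the server package or trust store on the device.",
    "tls-trusted": "TLS handshake verified: remaining failures are "
                   "credentials (username = KestrelOS identifier).",
}


def probe_cot(host, port=8089, cafile=None, timeout=3.0):
    """Classify how a TAK client's connection to the CoT port would fare.

    cafile: optional PEM file to trust (assumed here to be a copy of the
    server's cert.pem); when None the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        # The handshake runs inside wrap_socket; the hostname is verified too.
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-trusted"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"
    except (ssl.SSLError, OSError):
        # Timeout, reset, or non-TLS bytes from a plain-TCP listener.
        return "no-tls"
    finally:
        raw.close()


if __name__ == "__main__":
    # Usage: python probe_cot.py <host> [cafile.pem]
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    result = probe_cot(target, cafile=ca)
    print(f"{target}:8089 -> {result}: {ADVICE[result]}")
```

A "tls-untrusted" result for a certificate you did supply as cafile usually means the name or IP you connected to is not in that certificate.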