Configuration
Config file
When you first start OpenTAKServer, a default configuration file will be generated for you at ~/ots/config.yml. You can override the defaults there. You must restart OpenTAKServer for the changes to take effect.
Secrets
The following sensitive options will compromise the security of your server if they are leaked. If you are asking for support over public channels such as Discord or GitHub, remove these settings before posting. If these settings are mistakenly shared publicly, change them immediately.
SECRET_KEY
SECURITY_PASSWORD_SALT
OTS_MEDIAMTX_TOKEN
MAIL_USERNAME
MAIL_PASSWORD
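A way to follow the advice above before posting config.yml to a public channel, as an added example that is not part of OpenTAKServer: the script masks the five options listed here and leaves unset (null) values visible. It assumes a flat file with one KEY: value pair per line; redact_config, PLACEHOLDER and the sample values are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The five options this page lists under "Secrets".
SECRET_KEYS = (
    "SECRET_KEY",
    "SECURITY_PASSWORD_SALT",
    "OTS_MEDIAMTX_TOKEN",
    "MAIL_USERNAME",
    "MAIL_PASSWORD",
)
PLACEHOLDER = "<REDACTED>"
UNSET = ("", "null", "~", "''", '""')  # values that reveal nothing

# Assumption: config.yml is flat, one top-level "KEY: value" per line.
_LINE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)(?P<sep>\s*:\s*)(?P<value>.*)$")


def redact_config(text, secret_keys=SECRET_KEYS):
    """Return (redacted_text, names_of_redacted_keys) for config.yml content."""
    out, redacted = [], []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group("key") in secret_keys:
            if m.group("value").strip().lower() not in UNSET:
                line = f"{m.group('key')}{m.group('sep')}{PLACEHOLDER}"
                redacted.append(m.group("key"))
        out.append(line)
    return "\n".join(out) + "\n", redacted


# Constructed sample, not a real configuration.
SAMPLE = """\
DEBUG: false
SECRET_KEY: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
SECURITY_PASSWORD_SALT: 123456789012345678901234567890
OTS_MEDIAMTX_TOKEN: "aabbccddeeff00112233445566778899"
OTS_LISTENER_PORT: 8081
MAIL_USERNAME: null
MAIL_PASSWORD: null
"""

if __name__ == "__main__":
    # Optional argument: path to the config file (default ~/ots/config.yml).
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("~/ots/config.yml").expanduser()
    safe, keys = redact_config(path.read_text() if path.exists() else SAMPLE)
    sys.stdout.write(safe)
    print("redacted:", ", ".join(keys) or "nothing", file=sys.stderr)
```

The redacted text goes to standard output and the list of masked keys to standard error, so the output can be redirected to a file that is safe to attach.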
Config Options
- DEBUG
This setting puts Flask in debug mode and will produce many more log messages. Do not use on production servers. Default
False
- SECRET_KEY
The Flask secret key. It is generated automatically with secrets.token_hex() the first time you run OpenTAKServer.
- SECURITY_PASSWORD_SALT
Used by Flask-Security to salt hashed passwords. If you change this after users have been generated, they will be locked out until their passwords have been reset. This will lock out the administrator as well. It is automatically generated the first time you run OpenTAKServer using
secrets.SystemRandom().getrandbits(128)
OpenTAKServer Settings
- OTS_DATA_FOLDER
Folder for all of OpenTAKServer’s data (sqlite db, video recordings, uploaded files, etc). Default:
~/ots
- OTS_LISTENER_PORT
OpenTAKServer’s API listens on this port on the loopback interface. Nginx will proxy HTTP requests to this port. Default
8081
- OTS_MARTI_HTTP_PORT (Renamed from OTS_HTTP_PORT as of version 1.1.3)
Port that nginx listens on for HTTP requests. Nginx will proxy these requests to OTS_LISTENER_PORT. Default
8080
- OTS_MARTI_HTTPS_PORT (Renamed from OTS_HTTPS_PORT as of version 1.1.3)
Nginx listens on this port for HTTPS requests and proxies them to OTS_LISTENER_PORT. Default
8443
- OTS_CERTIFICATE_ENROLLMENT_PORT
Nginx listens on this port for certificate enrollment requests and proxies them to OTS_LISTENER_PORT. Default
8446
- OTS_TCP_STREAMING_PORT
OpenTAKServer listens on this port for TCP connections from ATAK, WinTAK, and iTAK. Default
8088
- OTS_SSL_STREAMING_PORT
OpenTAKServer listens on this port for SSL connections from ATAK, WinTAK, and iTAK. Default
8089
- OTS_BACKUP_COUNT (Added in 1.1.4)
Log files in ~/ots/logs/ will rotate at midnight every night. This setting determines the number of days to keep rotated logs. Log files older than this setting will be automatically deleted. Default
7
- OTS_RABBITMQ_SERVER_ADDRESS (Added in 1.1.4)
Address of the RabbitMQ server. Default
127.0.0.1
- OTS_RABBITMQ_TTL (Added in 1.3.0)
Time To Live setting for messages published to RabbitMQ. Default:
86400000
(one day)
- OTS_MEDIAMTX_API_ADDRESS (Added in 1.1.4)
Address for MediaMTX’s API server. Make sure to include the scheme (i.e. http://), address, and port. Default
http://localhost:9997
- OTS_MEDIAMTX_TOKEN
This token protects the /api/mediamtx/webhook endpoint. It is generated using
python3 -c 'import secrets; print(secrets.token_hex())'
- OTS_SSL_VERIFICATION_MODE
SSL verification mode for the SSL CoT port. See Python’s documentation for more details. Default
ssl.CERT_REQUIRED
- OTS_NODE_ID
Unique node ID of this server. It can be generated with the following command:
python3 -c "import random; import string; print(''.join(random.choices(string.ascii_lowercase + string.digits, k=64)))"
- OTS_CA_NAME
Name for your certificate authority. Default
OpenTAKServer-CA
- OTS_CA_FOLDER
Location of your certificate authority. Default
~/ots/ca
- OTS_CA_PASSWORD
Password for all generated certificates. Default
atakatak
- OTS_CA_EXPIRATION_TIME
Number of days that generated certificates should be valid. Default
3650
- OTS_CA_COUNTRY
ISO country code for your certificate authority. Default
WW
- OTS_CA_STATE
State abbreviation for your certificate authority. Default
XX
- OTS_CA_CITY
City name for your certificate authority. Default
YY
- OTS_CA_ORGANIZATION
Organization name for your certificate authority. Default
ZZ
- OTS_CA_ORGANIZATIONAL_UNIT
Organizational Unit (OU) name for your certificate authority.
- OTS_CA_SUBJECT
Subject for your certificate authority. Default
/C=OTS_CA_COUNTRY/ST=OTS_CA_STATE/L=OTS_CA_CITY/O=OTS_CA_ORGANIZATION/OU=OTS_CA_ORGANIZATIONAL_UNIT
- OTS_AIRPLANES_LIVE_LAT
Latitude used to query ADS-B data from Airplanes.live. Default
40.744213
(Manhattan)
- OTS_AIRPLANES_LIVE_LON
Longitude used to query ADS-B data from Airplanes.live. Default
-73.986939
(Manhattan)
- OTS_AIRPLANES_LIVE_RADIUS
Radius in nautical miles to query ADS-B data from Airplanes.live. Default
10
Max
250
- OTS_AISHUB_USERNAME (Added in 1.3.0)
Username of your AISHub.net account. Default:
None
- OTS_AISHUB_SOUTH_LAT (Added in 1.3.0)
Southern latitude. Default:
None
- OTS_AISHUB_WEST_LON (Added in 1.3.0)
Western longitude. Default:
None
- OTS_AISHUB_NORTH_LAT (Added in 1.3.0)
Northern latitude. Default:
None
- OTS_AISHUB_EAST_LON (Added in 1.3.0)
Eastern longitude. Default:
None
- OTS_AISHUB_MMSI_LIST (Added in 1.3.0)
A comma-separated string of MMSI numbers of specific vessels to search, for example
"367658140,366902120"
Default:
""
- OTS_AISHUB_IMO_LIST
A comma-separated string of IMO numbers of specific vessels to search, for example
"1234,5678"
Default:
""
- OTS_PROFILE_MAP_SOURCES (Added in 1.3.0)
Automatically install map tile sources from ATAK-Maps when an EUD first connects to the server. Default:
true
- OTS_ENABLE_MUMBLE_AUTHENTICATION
This option provides authentication for your Mumble server. When connecting to the Mumble server you will have to use your OpenTAKServer username and password. This also prevents anyone without an account on your OpenTAKServer from connecting. Default:
False
- OTS_ENABLE_EMAIL
Allow users to self-register accounts with an email address. Emails will only be sent to users to confirm their registration, reset their passwords, and optionally for two-factor authentication. Default
False
- OTS_EMAIL_DOMAIN_WHITELIST
If OTS_ENABLE_EMAIL is set to True, you can use this whitelist to only allow users with email accounts with specific domains to register. For example, if you set this option to ['gmail.com', 'yahoo.com'], only users with gmail.com or yahoo.com email addresses can register. Leave the default setting to allow any domain to register. Default:
[]
- OTS_EMAIL_DOMAIN_BLACKLIST
Similar to OTS_EMAIL_DOMAIN_WHITELIST, but prevents specific email domains from registering accounts. Leave the default setting to allow any domain to register. Default:
[]
- OTS_EMAIL_TLD_WHITELIST
Similar to OTS_EMAIL_DOMAIN_WHITELIST, but only allows users with specific top level domains to register. For example, you could set this to ['gov', 'mil'] to only allow users with .gov or .mil email addresses to register. Do not put a dot before the TLD. Leave the default setting to allow any TLD to register. Default:
[]
- OTS_EMAIL_TLD_BLACKLIST
Similar to OTS_EMAIL_TLD_WHITELIST, but prevents certain top level domains from registering accounts. Leave the default setting to allow any TLD to register. Default:
[]
- OTS_DELETE_OLD_DATA_SECONDS (Added in 1.4.0)
Used by the Delete Old Data scheduled job. Default:
0
- OTS_DELETE_OLD_DATA_MINUTES (Added in 1.4.0)
Used by the Delete Old Data scheduled job. Default:
0
- OTS_DELETE_OLD_DATA_HOURS (Added in 1.4.0)
Used by the Delete Old Data scheduled job. Default:
0
- OTS_DELETE_OLD_DATA_DAYS (Added in 1.4.0)
Used by the Delete Old Data scheduled job. Default:
0
- OTS_DELETE_OLD_DATA_WEEKS (Added in 1.4.0)
Used by the Delete Old Data scheduled job. Default:
1
Flask-Security
You can check defaultconfig.py for the settings that OpenTAKServer uses. To learn about each setting you can check Flask-Security’s documentation.
Flask-Mailman settings
These settings only take effect if OTS_ENABLE_EMAIL is True. The defaults will send email via a Gmail account; just provide your username and app password.
See Email for details.
- MAIL_ASCII_ATTACHMENTS
Default
False
- MAIL_DEBUG
Default
False
- MAIL_DEFAULT_SENDER
Default
null
- MAIL_MAX_EMAILS
Default:
null
- MAIL_PORT
Default
587
- MAIL_SERVER
Default
smtp.gmail.com
- MAIL_SUPPRESS_SEND
Default
false
- MAIL_USERNAME
Default
null
- MAIL_PASSWORD
Default
null
- MAIL_USE_SSL
Default
false
- MAIL_USE_TLS
Default
true
MediaMTX
OpenTAKServer’s default configuration assumes that MediaMTX is running on the same server and OpenTAKServer connects to it via the loopback interface. As of version 1.1.4, MediaMTX can now be hosted on a different server. To do so you will need to change two settings.
The first is OTS_MEDIAMTX_API_ADDRESS in config.yml. Make sure to include the scheme (i.e. http:// or https://), server address, and port.
The nginx config also needs to be changed. In /etc/nginx/sites-enabled/ots_https (or c:\tools\nginx-1.25.4\conf\ots\ots_https.conf on Windows), look for the location blocks for webrtc and hls. Each should have a proxy_pass line that starts with https://127.0.0.1. Change that address (and port number if necessary) to the address of your MediaMTX server.
After changing these settings make sure to restart both OpenTAKServer and nginx.
Max Upload Size
OpenTAKServer’s default configuration limits the size of uploaded files, including data packages, to 100MB. This setting is found in the ots_http and ots_https nginx config files. In those files, change the line client_max_body_size 100M; to raise the limit.