Configuration


Config file


When you first start OpenTAKServer, a default configuration file will be generated for you at ~/ots/config.yml. You can override the defaults there. You must restart OpenTAKServer for the changes to take effect.

Secrets


The following sensitive options will compromise the security of your server if they are leaked. If you are asking for support over public channels such as Discord or GitHub, remove these settings before posting. If these settings are mistakenly shared publicly, change them immediately.

  • SECRET_KEY

  • SECURITY_PASSWORD_SALT

  • OTS_MEDIAMTX_TOKEN

  • MAIL_USERNAME

  • MAIL_PASSWORD

Config Options


DEBUG

This setting puts Flask in debug mode and will produce many more log messages. Do not use on production servers. Default False

SECRET_KEY

The Flask secret key. It is generated automatically with secrets.token_hex() the first time you run OpenTAKServer.

SECURITY_PASSWORD_SALT

Used by Flask-Security to salt hashed passwords. If you change this after users have been generated, they will be locked out until their passwords have been reset. This will lock out the administrator as well. It is automatically generated the first time you run OpenTAKServer using secrets.SystemRandom().getrandbits(128)

OpenTAKServer Settings


OTS_DATA_FOLDER

Folder for all of OpenTAKServer’s data (sqlite db, video recordings, uploaded files, etc). Default: ~/ots

OTS_LISTENER_PORT

OpenTAKServer’s API listens on this port on the loopback interface. Nginx will proxy HTTP requests to this port. Default 8081

OTS_MARTI_HTTP_PORT(Renamed from OTS_HTTP_PORT as of version 1.1.3)

Port that nginx listens on for HTTP requests. Nginx will proxy these requests to OTS_LISTENER_PORT. Default 8080

OTS_MARTI_HTTPS_PORT(Renamed from OTS_HTTPS_PORT as of version 1.1.3)

Nginx listens on this port for HTTPS requests and proxies them to OTS_LISTENER_PORT. Default 8443

OTS_CERTIFICATE_ENROLLMENT_PORT

Nginx listens on this port for certificate enrollment requests and proxies them to OTS_LISTENER_PORT. Default 8446

OTS_TCP_STREAMING_PORT

OpenTAKServer listens on this port for TCP connections from ATAK, WinTAK, and iTAK. Default 8088

OTS_SSL_STREAMING_PORT

OpenTAKServer listens on this port for SSL connections from ATAK, WinTAK, and iTAK. Default 8089

OTS_BACKUP_COUNT(Added in 1.1.4)

Log files in ~/ots/logs/ will rotate at midnight every night. This setting determines the number of days to keep rotated logs Log files older than this setting will be automatically deleted. Default 7

OTS_RABBITMQ_SERVER_ADDRESS(Added in 1.1.4)

Address of the RabbitMQ server. Default 127.0.0.1

OTS_RABBITMQ_TTL(Added in 1.3.0)

Time To Live setting for messages published to RabbitMQ. Default: 86400000 (one day)

OTS_MEDIAMTX_API_ADDRESS(Added in 1.1.4)

Address for MediaMTX’s API server. Make sure to include the scheme (ie http://), address, and port. Default http://localhost:9997

OTS_MEDIAMTX_TOKEN

This token protects the /api/mediamtx/webhook endpoint. It is generated using python3 -c 'import secrets; print(secrets.token_hex())

OTS_SSL_VERIFICATION_MODE

SSL verification mode for the SSL CoT port. See Python’s documentation for more details. Default ssl.CERT_REQUIRED

OTS_NODE_ID

Unique node ID of this server. It can be generated with the following command python3 -c "import random; import string; print(''.join(random.choices(string.ascii_lowercase + string.digits, k=64)))

OTS_CA_NAME

Name for your certificate authority. Default OpenTAKServer-CA

OTS_CA_FOLDER

Location of your certificate authority. Default ~/ots/ca

OTS_CA_PASSWORD

Password for all generated certificate. Default atakatak

OTS_CA_EXPIRATION_TIME

Number of days that generated certificates should be valid. Default 3650

OTS_CA_COUNTRY

ISO country code for your certificate authority. Default WW

OTS_CA_STATE

State abbreviation for your certificate authority. Default XX

OTS_CA_CITY

City name for your certificate authority. Default YY

OTS_CA_ORGANIZATION

Organization name for your certificate authority. Default ZZ

OTS_CA_ORGANIZATIONAL_UNIT

Organizational Unit (OU) name for your certificate authority.

OTS_CA_SUBJECT

Subject for your certificate authority. Default /C=OTS_CA_COUNTRY/ST=OTS_CA_STATE/L=OTS_CA_CITY/O=OTS_CA_ORGANIZATION/OU=OTS_CA_ORGANIZATIONAL_UNIT

OTS_AIRPLANES_LIVE_LAT

Latitude used to query ADS-B data from Airplanes.live. Default 40.744213 (Manhattan)

OTS_AIRPLANES_LIVE_LON

Longitude used to query ADS-B data from Airplanes.live. Default -73.986939 (Manhattan)

OTS_AIRPLANES_LIVE_RADIUS

Radius in nautical miles to query ADSB from Airplanes.live. Default 10 Max 250

OTS_AISHUB_USERNAME(Added in 1.3.0)

Username of your AISHub.net account. Default: None

OTS_AISHUB_SOUTH_LAT(Added in 1.3.0)

Southern latitude. Default: None

OTS_AISHUB_WEST_LON(Added in 1.3.0)

Western longitude. Default: None

OTS_AISHUB_NORTH_LAT(Added in 1.3.0)

Northern latitude. Default: None

OTS_AISHUB_EAST_LON(Added in 1.3.0)

Eastern Longitude. Default: None

OTS_AISHUB_MMSI_LIST(Added in 1.3.0)

A comma-separated string of MMSI numbers of specific vessels to search, for example "367658140,366902120" Default: ""

OTS_AISHUB_IMO_LIST

A comma-separated string of IMO numbers of specific vessels to search, for example "1234,5678" Default: ""

OTS_PROFILE_MAP_SOURCES(Added in 1.3.0)

Automatically install map tile sources from ATAK-Maps when an EUD first connects to the server. Default: true

OTS_ENABLE_MUMBLE_AUTHENTICATION

This option provide authentication for your Mumble server. When connecting to the Mumble server you will have to use your OpenTAKServer username and password. This also prevents anyone without an account on your OpenTAKServer from connecting. Default: False

OTS_ENABLE_EMAIL

Allow users to self-register accounts with an email address. Emails will only be sent to users to confirm their registration, reset their passwords, and optionally for two-factor authentication. Default False

OTS_EMAIL_DOMAIN_WHITELIST

If OTS_ENABLE_EMAIL is set to True, you can use this whitelist to only allow users with email accounts with specific domains to register. For example, if you set this option to ['gmail.com', 'yahoo.com'], only users with gmail.com or yahoo.com email addresses can register. Leave the default setting to allow any domain to register. Default: []

OTS_EMAIL_DOMAIN_BLACKLIST

Similar to OTS_EMAIL_DOMAIN_WHITELIST, but prevents specific email domains from registering accounts. Leave the default setting to allow any domain to register. Default: []

OTS_EMAIL_TLD_WHITELIST

Similar to OTS_EMAIL_DOMAIN_WHITELIST but only allows users with specific top level domains to register. For example, you could set this to ['gov', 'mil'] to only allow users with .gov or .mil email addresses to register. Do not put a dot before the TLD. Leave the default setting to allow any TLD to register. Default: []

OTS_EMAIL_TLD_BLACKLIST

Similar to OTS_EMAIL_TLD_WHITELIST, but prevents certain top level domains from registering accounts. Leave the default setting to allow any TLD to register. Default: []

OTS_DELETE_OLD_DATA_SECONDS(Added in 1.4.0)

Used by the Delete Old Data scheduled job. Default: 0

OTS_DELETE_OLD_DATA_MINUTES(Added in 1.4.0)

Used by the Delete Old Data scheduled job. Default: 0

OTS_DELETE_OLD_DATA_HOURS(Added in 1.4.0)

Used by the Delete Old Data scheduled job. Default: 0

OTS_DELETE_OLD_DATA_DAYS(Added in 1.4.0)

Used by the Delete Old Data scheduled job. Default: 0

OTS_DELETE_OLD_DATA_WEEKS(Added in 1.4.0)

Used by the Delete Old Data scheduled job. Default: 1

Flask-Security


You can check defaultconfig.py for the settings that OpenTAKServer uses. To learn about each setting you can check Flask-Security’s documentation.

Flask-Mailman settings


These settings only take effect if OTS_ENABLE_EMAIL is True. The defaults will send email via a Gmail account, just provide your username and app password. See Email for details.

MAIL_ASCII_ATTACHMENTS

Default False

MAIL_DEBUG

Default False

MAIL_DEFAULT_SENDER

Default null

MAIL_MAX_EMAILS

Default: null

MAIL_PORT

Default 587

MAIL_SERVER

Default smtp.gmail.com

MAIL_SUPPRESS_SEND

Default false

MAIL_USERNAME

Default null

MAIL_PASSWORD

Default null

MAIL_USE_SSL

Default false

MAIL_USE_TLS

Default true

MediaMTX


OpenTAKServer’s default configuration assumes that MediaMTX is running on the same server and OpenTAKServer connects to it via the loopback interface. As of version 1.1.4, MediaMTX can now be hosted on a different server. To do so you will need to change two settings.

The first is OTS_MEDIAMTX_API_ADDRESS in config.yml. Make sure to include the scheme (ie http:// or https://), server address, and port.

The nginx config also needs to be changed. In /etc/nginx/sites-enabled/ots_https (or c:\tools\nginx-1.25.4\conf\ots\ots_https.conf on Windows), look for the location blocks for webrtc and hls. Each should have a proxy_pass line that starts with https://127.0.0.1. Change that address (and port number if necessary) to the address of your MediaMTX server.

After changing these settings make sure to restart both OpenTAKServer and nginx.

Max Upload Size


OpenTAKServer’s default configuration limits the size of uploaded files, including data packages, to 100MB. This setting is found in the ots_http and ots_https nginx config files. In those files, change the line client_max_body_size 100M; to raise the limit.