C2 TOC Static

Deliverable SYS-001. Structure per cc02-standards/SYSTEM-STANDARD.md. Every component traces to a design basis (NEED/REQ) and to an acceptance criterion.

1. Purpose and Design Basis

1.1 Scope and Objective

C2 TOC Static (v2) establishes the static command-and-control backbone for the protective detail. It hosts the centralized Tactical Assault Kit (TAK) server stack in a secured cloud environment, coordinating situational telemetry and providing a resilient fallback configuration.

1.2 Design Basis

This system transitions tactical coordination from commercial cloud tools to a dedicated self-hosted dockerized server. It ensures telemetry data remains internal and implements a managed government-cloud fallback (TAKOS-Gov) to handle service outages.

1.3 Needs

  • NEED-SYS-001-01: The Detail Leader (RF) requires a centralized situational awareness node to coordinate multiple mobile and static units.
    • Source: Team Leader (RF)
    • Context: High-threat operations require synchronized tactical coordination and telemetry aggregation.
  • NEED-SYS-001-02: The systems engineer requires a secure and highly available cloud environment to host the TAK server and communication backends.
    • Source: Systems Engineer (CS)
    • Context: Handset and mobile nodes must reliably connect to the C2 server without single-point failures.

1.4 Requirements

  • REQ-SYS-001-01 (Traceability: NEED-SYS-001-02): The static C2 backend shall run a dockerized OpenTAKServer (OTS) instance on a VPS to coordinate team telemetry [VR-SYS-001-01].
    • Verification Method: Test (T)
  • REQ-SYS-001-02 (Traceability: NEED-SYS-001-02): The server shall support automatic failover to the backup TAKOS-Gov server within 60 seconds of primary server unavailability [VR-SYS-001-02].
    • Verification Method: Test (T)
  • REQ-SYS-001-03 (Traceability: NEED-SYS-001-01): The static C2 network boundary shall restrict ingress ports to only VPN (WireGuard) and encrypted TAK traffic (COT SSL/TLS) [VR-SYS-001-03].
    • Verification Method: Inspection (I)
  • REQ-SYS-001-04 (Traceability: NEED-SYS-001-01): The server shall maintain an automated offsite backup schedule for the configuration and certificate database every 24 hours [VR-SYS-001-04].
    • Verification Method: Demonstration (D)

2. Architecture As Built

+-----------------------------------------------------------------------+
| SYS-001 C2 TOC Static (Cloud Host)                                    |
|                                                                       |
|  [Hetzner VPS] (Docker OpenTAKServer)                                 |
|         ^                                                             |
|         | (automatic sync)                                            |
|         v                                                             |
|  [TAKOS-Gov] (Managed Cloud Backup)                                   |
|         |                                                             |
+---------|-------------------------------------------------------------+
          v
Encrypted TAK Clients (SYS-007)

3. Components and Bill of Materials

ComponentSpecVendor / LinkPriceTierStatusTraceability
VPSHetzner VPS, TAK stack in DockerHetznerexisting-SELECTEDREQ-SYS-001-01
Backup TAK hostTAKOS-Gov managedgetgotak.com/products/takos-gov$79.00/mo-SELECTEDREQ-SYS-001-02

4. Build and Deployment

4.1 Primary VPS Deployment

  1. Provision a Hetzner VPS node running Ubuntu 22.04 LTS.
  2. Install Docker Engine and docker-compose.
  3. Clone the OpenTAKServer (OTS) deployment repository.
  4. Generate the PKI certificate authority and client/server certificates.
  5. Deploy the OTS container stack via docker-compose, mapping ports 8089 (SSL) and 8443 (API).

4.2 Backup Configuration

  1. Register the organization profile on getgotak.com.
  2. Download the TAKOS-Gov connection credentials and certificates.
  3. Import the static client roster into the TAKOS-Gov administration console.
  4. Configure secondary server profiles on all client devices (SYS-007).

5. Hardening Baseline

  • Server-Level Hardening: Disable SSH password authentication; enforce public key access; configure UFW firewall to block all traffic except ports 22 (SSH), 8089 (TAK SSL), and 51820 (WireGuard UDP) [REQ-SYS-001-03].
  • TAK Stack Hardening: Force certificate-based authentication for all client connections; disable anonymous client login in the OpenTAKServer configuration file; restrict API administration port to local loopback interface only [REQ-SYS-001-01].
  • Backup Hardening: Schedule daily crontab jobs to backup OTS configurations and certificate directories, encrypting the tarball with a local GPG public key before uploading to a secure offsite location [REQ-SYS-001-04].

6. Integration Points

  • Inputs: Communicates with SYS-002 (Receives connection metrics from mobile nodes).
  • Produces For: SYS-007 (Serves as the telemetry and COP distribution hub).
  • Proposed Seam: Feeds situational reports to EP-011 (Communications Plan) via encrypted channel sync.

7. Acceptance Tests

CriterionMethodExpected ResultReference
REQ-SYS-001-01TestConfirm Docker OTS container is running and accepting SSL connections on port 8089.VR-SYS-001-01
REQ-SYS-001-02TestDisable primary OTS container and verify client reconnects to TAKOS-Gov within 60 seconds.VR-SYS-001-02
REQ-SYS-001-03InspectionVerify UFW firewall rules restrict all ingress except WireGuard and TAK SSL ports.VR-SYS-001-03
REQ-SYS-001-04DemonstrationTrigger backup script manually and verify creation of encrypted config tarball in backup storage.VR-SYS-001-04

8. Run and Maintenance Handover

  • Operational Check: Monitor OTS container logs weekly using docker logs -n 100 open-tak-server.
  • Update Cadence: Apply OS security patches and update the OTS container image quarterly.
  • Ownership: Systems Engineer (CS) for VPS maintenance and security audits; Operations Manager (BR) for TAKOS-Gov billing.

END OF SYSTEM

Model wiring

Generated from cell frontmatter at publish time.