C2 TOC Static
Deliverable SYS-001. Structure per cc02-standards/SYSTEM-STANDARD.md. Every component traces to a design basis (NEED/REQ) and to an acceptance criterion.
1. Purpose and Design Basis
1.1 Scope and Objective
C2 TOC Static (v2) establishes the static command-and-control backbone for the protective detail. It hosts the centralized Tactical Assault Kit (TAK) server stack in a secured cloud environment, coordinating situational telemetry and providing a resilient fallback configuration.
1.2 Design Basis
This system transitions tactical coordination from commercial cloud tools to a dedicated self-hosted dockerized server. It ensures telemetry data remains internal and implements a managed government-cloud fallback (TAKOS-Gov) to handle service outages.
1.3 Needs
- NEED-SYS-001-01: The Detail Leader (RF) requires a centralized situational awareness node to coordinate multiple mobile and static units.
- Source: Team Leader (RF)
- Context: High-threat operations require synchronized tactical coordination and telemetry aggregation.
- NEED-SYS-001-02: The systems engineer requires a secure and highly available cloud environment to host the TAK server and communication backends.
- Source: Systems Engineer (CS)
- Context: Handset and mobile nodes must reliably connect to the C2 server without single-point failures.
1.4 Requirements
- REQ-SYS-001-01 (Traceability: NEED-SYS-001-02): The static C2 backend shall run a dockerized OpenTAKServer (OTS) instance on a VPS to coordinate team telemetry [VR-SYS-001-01].
- Verification Method: Test (T)
- REQ-SYS-001-02 (Traceability: NEED-SYS-001-02): The server shall support automatic failover to the backup TAKOS-Gov server within 60 seconds of primary server unavailability [VR-SYS-001-02].
- Verification Method: Test (T)
- REQ-SYS-001-03 (Traceability: NEED-SYS-001-01): The static C2 network boundary shall restrict ingress ports to only VPN (WireGuard) and encrypted TAK traffic (COT SSL/TLS) [VR-SYS-001-03].
- Verification Method: Inspection (I)
- REQ-SYS-001-04 (Traceability: NEED-SYS-001-01): The server shall maintain an automated offsite backup schedule for the configuration and certificate database every 24 hours [VR-SYS-001-04].
- Verification Method: Demonstration (D)
2. Architecture As Built
+-----------------------------------------------------------------------+
| SYS-001 C2 TOC Static (Cloud Host) |
| |
| [Hetzner VPS] (Docker OpenTAKServer) |
| ^ |
| | (automatic sync) |
| v |
| [TAKOS-Gov] (Managed Cloud Backup) |
| | |
+---------|-------------------------------------------------------------+
v
Encrypted TAK Clients (SYS-007)
3. Components and Bill of Materials
| Component | Spec | Vendor / Link | Price | Tier | Status | Traceability |
|---|---|---|---|---|---|---|
| VPS | Hetzner VPS, TAK stack in Docker | Hetzner | existing | - | SELECTED | REQ-SYS-001-01 |
| Backup TAK host | TAKOS-Gov managed | getgotak.com/products/takos-gov | $79.00/mo | - | SELECTED | REQ-SYS-001-02 |
4. Build and Deployment
4.1 Primary VPS Deployment
- Provision a Hetzner VPS node running Ubuntu 22.04 LTS.
- Install Docker Engine and docker-compose.
- Clone the OpenTAKServer (OTS) deployment repository.
- Generate the PKI certificate authority and client/server certificates.
- Deploy the OTS container stack via docker-compose, mapping ports 8089 (SSL) and 8443 (API).
4.2 Backup Configuration
- Register the organization profile on getgotak.com.
- Download the TAKOS-Gov connection credentials and certificates.
- Import the static client roster into the TAKOS-Gov administration console.
- Configure secondary server profiles on all client devices (SYS-007).
5. Hardening Baseline
- Server-Level Hardening: Disable SSH password authentication; enforce public key access; configure UFW firewall to block all traffic except ports 22 (SSH), 8089 (TAK SSL), and 51820 (WireGuard UDP) [REQ-SYS-001-03].
- TAK Stack Hardening: Force certificate-based authentication for all client connections; disable anonymous client login in the OpenTAKServer configuration file; restrict API administration port to local loopback interface only [REQ-SYS-001-01].
- Backup Hardening: Schedule daily crontab jobs to backup OTS configurations and certificate directories, encrypting the tarball with a local GPG public key before uploading to a secure offsite location [REQ-SYS-001-04].
6. Integration Points
- Inputs: Communicates with
SYS-002(Receives connection metrics from mobile nodes). - Produces For:
SYS-007(Serves as the telemetry and COP distribution hub). - Proposed Seam: Feeds situational reports to
EP-011(Communications Plan) via encrypted channel sync.
7. Acceptance Tests
| Criterion | Method | Expected Result | Reference |
|---|---|---|---|
| REQ-SYS-001-01 | Test | Confirm Docker OTS container is running and accepting SSL connections on port 8089. | VR-SYS-001-01 |
| REQ-SYS-001-02 | Test | Disable primary OTS container and verify client reconnects to TAKOS-Gov within 60 seconds. | VR-SYS-001-02 |
| REQ-SYS-001-03 | Inspection | Verify UFW firewall rules restrict all ingress except WireGuard and TAK SSL ports. | VR-SYS-001-03 |
| REQ-SYS-001-04 | Demonstration | Trigger backup script manually and verify creation of encrypted config tarball in backup storage. | VR-SYS-001-04 |
8. Run and Maintenance Handover
- Operational Check: Monitor OTS container logs weekly using
docker logs -n 100 open-tak-server. - Update Cadence: Apply OS security patches and update the OTS container image quarterly.
- Ownership: Systems Engineer (CS) for VPS maintenance and security audits; Operations Manager (BR) for TAKOS-Gov billing.
END OF SYSTEM
Model wiring
Generated from cell frontmatter at publish time.