Configuration Reference¶
This page documents every environment variable in the MAGK platform's .env.template file. Variables are organized by the same sections found in the template.
To get started, copy the template and customize:
cp .env.template .env
For variables that require generated secrets, see the Installation Guide for generation commands.
Quick secret generation
Run bash config/scaling/generate-config.sh to auto-generate all required secrets at once.
Database¶
PostgreSQL connection credentials used by all platform services.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
POSTGRES_DB | PostgreSQL database name | magk | String | Yes |
POSTGRES_USER | PostgreSQL username | magk | String | Yes |
POSTGRES_PASSWORD | PostgreSQL password | — | Generated: openssl rand -base64 24 | Yes |
Warning
POSTGRES_PASSWORD must be generated before first deployment. Never use the placeholder value in production.
Staging database name
For staging deployments, set POSTGRES_DB=magk_staging to isolate the staging database from production on the same host. Production uses the default magk.
Message Queue¶
RabbitMQ broker credentials for inter-service messaging and background jobs.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
RABBITMQ_USER | RabbitMQ username | magk | String | Yes |
RABBITMQ_PASSWORD | RabbitMQ password | — | Generated: openssl rand -base64 24 | Yes |
RABBITMQ_VHOST | RabbitMQ virtual host | magk | String | Yes |
Domain & SSL¶
Public domain and Let's Encrypt certificate configuration. See the Installation Guide for full SSL/TLS setup details.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
DOMAIN | Public domain for the platform | localhost | Hostname (e.g., magktech.com) | Yes |
SSL_EMAIL | Email for Let's Encrypt certificate notifications | admin@magktech.com | Email address | Yes |
Info
Set DOMAIN to your actual domain (e.g., magktech.com) for staging and production deployments. Traefik uses this value to request wildcard TLS certificates via the Route53 DNS challenge.
Authentication (Better Auth)¶
Session-based authentication configuration using Better Auth.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
BETTER_AUTH_SECRET | Secret key for signing session tokens | — | Generated: openssl rand -hex 32 | Yes |
BETTER_AUTH_URL | Base URL for auth callbacks | https://${DOMAIN} | URL | Yes |
BETTER_AUTH_TRUSTED_ORIGINS | Additional trusted origins for CSRF validation | (empty) | Comma-separated URLs (e.g., http://localhost:3200) | No |
Tip
BETTER_AUTH_TRUSTED_ORIGINS is useful when accessing the platform through a port-mapped staging URL or an external domain that differs from DOMAIN.
Admin Account¶
Initial administrator account credentials used during first deployment. The deploy workflow seeds this account via the Better Auth sign-up endpoint.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
ADMIN_USERNAME | Admin display name | administrator | String | Yes |
ADMIN_PASSWORD | Admin account password | — | No default — deploy fails if unset | Yes |
ADMIN_EMAIL | Admin account email | admin@magktech.com | Email address | Yes |
No default password
ADMIN_PASSWORD has no fallback value. If it is not set in the environment file, the deployment will fail explicitly rather than create an admin account with a known password. This is intentional fail-closed behavior to prevent insecure default credentials in staging and production.
LDAP¶
OpenLDAP directory service configuration for TAK client authentication and group management.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
LDAP_ORGANISATION | LDAP organization name | MAGK | String | Yes |
LDAP_DOMAIN | LDAP domain | magktech.com | Domain name | Yes |
LDAP_ADMIN_PASSWORD | LDAP administrator password | — | Generated: openssl rand -base64 24 | Yes |
LDAP_CONFIG_PASSWORD | LDAP configuration password | — | Generated: openssl rand -base64 24 | Yes |
LDAP_BASE_DN | LDAP base distinguished name | dc=magktech,dc=com | LDAP DN | Yes |
LDAP_ADMIN_DN | LDAP admin distinguished name | cn=admin,dc=magktech,dc=com | LDAP DN | Yes |
LDAP_TLS | Enable TLS for LDAP connections | true | true / false | Yes |
Note
Update LDAP_BASE_DN and LDAP_ADMIN_DN if you change LDAP_DOMAIN to match your domain's DN structure.
TAK Service¶
TAK protocol ports and database connection for the Python TAK microservice.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
TAK_TCP_PORT | TCP port for unencrypted CoT traffic | 8087 | Port number | Yes |
TAK_SSL_PORT | SSL port for encrypted CoT traffic | 8089 | Port number | Yes |
TAK_SSL_ENABLED | Enable SSL for TAK connections | true | true / false | Yes |
TAK_MARTI_PORT | Marti API HTTPS port (mTLS via Nginx) | 8443 | Port number | Yes |
TAK_DATABASE_HOST | Database hostname for TAK service | postgresql | Hostname | Yes |
TAK_DATABASE_PORT | Database port for TAK service | 5432 | Port number | Yes |
TAK_DATABASE_NAME | Database name for TAK service | ${POSTGRES_DB} | String (references POSTGRES_DB) | Yes |
TAK_DATABASE_USER | Database username for TAK service | ${POSTGRES_USER} | String (references POSTGRES_USER) | Yes |
TAK_DATABASE_PASSWORD | Database password for TAK service | ${POSTGRES_PASSWORD} | String (references POSTGRES_PASSWORD) | Yes |
Info
The TAK service shares the main MAGK database by default. The TAK_DATABASE_* variables reference the Database section values via shell variable expansion.
Meshtastic Mesh Radio¶
Optional Meshtastic mesh radio bridge. When configured, the TAK service polls a Meshtastic device for node positions and converts them to CoT events for display on the tactical map. Set either a serial port or TCP host to enable.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
MESHTASTIC_SERIAL_PORT | Serial port for Meshtastic device | (empty) | Device path (e.g., /dev/ttyUSB0) | No |
MESHTASTIC_TCP_HOST | TCP hostname for Meshtastic device | (empty) | Hostname or IP | No |
MESHTASTIC_TCP_PORT | TCP port for Meshtastic device | 4403 | Port number | No |
MESHTASTIC_RECONNECT_DELAY | Seconds to wait before reconnecting after a connection loss | 10 | Positive integer (seconds) | No |
Tip
Set either MESHTASTIC_SERIAL_PORT (for USB-connected devices) or MESHTASTIC_TCP_HOST (for network-connected devices). Leave both empty to disable the Meshtastic bridge entirely.
Real-Time Services¶
WebSocket server and UDP gateway configuration for real-time communication.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
WS_PORT | WebSocket server port (dedicated HTTP server for WS upgrade handling) | 3001 | Port number | Yes |
NODE_UDP_ENABLED | Enable the Node UDP Gateway for hardware node communication | false | true / false | No |
NODE_UDP_PORT | UDP port for MAGK hardware nodes | 5683 | Port number | No |
Tip
Set NODE_UDP_ENABLED=true only if you are using MAGK hardware nodes (HaLow devices). The UDP gateway listens on port 5683 by default.
OAuth¶
Optional single sign-on providers. Leave blank to disable, or configure via the Admin Settings page at runtime.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
GOOGLE_CLIENT_ID | Google OAuth client ID | (empty) | String from Google Cloud Console | No |
GOOGLE_CLIENT_SECRET | Google OAuth client secret | (empty) | String | No |
GITHUB_CLIENT_ID | GitHub OAuth client ID | (empty) | String from GitHub Developer Settings | No |
GITHUB_CLIENT_SECRET | GitHub OAuth client secret | (empty) | String | No |
OAuth redirect URIs
- Google:
https://yourdomain.com/api/auth/callback/google - GitHub:
https://yourdomain.com/api/auth/callback/github
Replace yourdomain.com with your actual DOMAIN value.
Email / SMTP¶
Optional email delivery configuration. Works with any SMTP provider (AWS SES, SendGrid, Mailgun, etc.). Can also be configured via Admin Settings at runtime.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
SMTP_HOST | SMTP server hostname | (empty) | Hostname (e.g., email-smtp.us-east-1.amazonaws.com) | No |
SMTP_PORT | SMTP server port | 587 | Port number | No |
SMTP_USER | SMTP authentication username | (empty) | String | No |
SMTP_PASSWORD | SMTP authentication password | (empty) | String | No |
SMTP_SECURE | Use TLS for SMTP connection | false | true / false | No |
FROM_EMAIL | Sender email address for outgoing mail | noreply@magktech.com | Email address | No |
FROM_NAME | Sender display name for outgoing mail | MAGK | String | No |
AWS SES
For AWS SES, use host=email-smtp.<region>.amazonaws.com, port=587, and your SES SMTP credentials (not IAM access keys).
Monitoring¶
Grafana dashboard access credentials.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
GRAFANA_ADMIN_PASSWORD | Grafana admin user password | — | Generated: openssl rand -base64 16 | Yes |
Media Streaming¶
MediaMTX configuration for RTSP/RTMP video streaming.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
MTX_PROTOCOLS | Allowed streaming protocols | tcp | Protocol name(s) | No |
MEDIAMTX_RTSP_PORT | RTSP streaming port | 8554 | Port number | No |
MEDIAMTX_RTMP_PORT | RTMP streaming port | 1935 | Port number | No |
Deployment¶
Environment type, log verbosity, and Docker Compose project isolation.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
DEPLOYMENT_ENV | Deployment environment identifier | development | development / staging / production | Yes |
LOG_LEVEL | Minimum log severity for the ECS logging service | INFO | debug / info / warn / error / fatal (case-insensitive) | Yes |
COMPOSE_PROJECT_NAME | Docker Compose project name for environment isolation | magk | String | Yes |
Environment isolation
COMPOSE_PROJECT_NAME prefixes all container names, volumes, and networks. Use different values to run multiple environments on the same host:
- Local dev:
magk(default) - Staging:
magk-staging - Production:
magk-prod
See the Installation Guide for more details on environment isolation.
Logging (ECS Logging Service)¶
Configuration for the structured logging service that persists logs to PostgreSQL.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
LOG_RETENTION_DAYS | Days to retain log entries before automatic trimming | 2 | Positive integer | Yes |
LOG_BATCH_SIZE | Number of log entries to batch before flushing to PostgreSQL | 100 | Positive integer | Yes |
LOG_FLUSH_INTERVAL_MS | Interval in milliseconds between automatic buffer flushes | 2000 | Positive integer (milliseconds) | Yes |
Security (Scanner Detector)¶
Automated scanner/bot detection and IP banning thresholds.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
SCANNER_BAN_DURATION_MINUTES | Duration in minutes to ban IPs that exceed the scanner threshold | 30 | Positive integer (minutes) | Yes |
SCANNER_THRESHOLD_HITS | Number of scanner path hits before an IP is banned | 5 | Positive integer | Yes |
SCANNER_THRESHOLD_WINDOW_MINUTES | Sliding window in minutes for counting scanner path hits per IP | 10 | Positive integer (minutes) | Yes |
MAX_REQUEST_BODY_BYTES | Maximum allowed request body size in bytes | 1048576 | Positive integer (bytes; default is 1 MB) | Yes |
Staging Overrides¶
Port mappings and domain used with docker-compose.staging.yml. These allow staging to run alongside production on the same host with different ports.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
STAGING_DOMAIN | Staging environment domain | staging.magktech.com | Hostname | Yes (staging) |
STAGING_WEB_PORT | Staging web application port | 3200 | Port number | Yes (staging) |
STAGING_TAK_TCP_PORT | Staging TAK TCP CoT port (offset required — no SNI) | 18087 | Port number | Yes (staging) |
STAGING_TAK_SSL_PORT | Staging TAK SSL CoT port (offset required — no SNI) | 18089 | Port number | Yes (staging) |
STAGING_HTTP_PORT | Staging Traefik HTTP port | 18080 | Port number | Yes (staging) |
STAGING_HTTPS_PORT | Staging Traefik HTTPS port | 18443 | Port number | Yes (staging) |
STAGING_LDAP_PORT | Staging LDAP port | 10389 | Port number | Yes (staging) |
STAGING_RTSP_PORT | Staging RTSP streaming port | 18554 | Port number | Yes (staging) |
STAGING_PROMETHEUS_PORT | Staging Prometheus port | 9190 | Port number | Yes (staging) |
STAGING_GRAFANA_PORT | Staging Grafana port | 3101 | Port number | Yes (staging) |
Traefik SNI Routing for Shared Ports
TAK ports 8443 (Marti API), 8446 (enrollment), and 64738 (Mumble TCP) use Traefik SNI routing and do not need staging port offsets — Traefik routes traffic based on the TLS Server Name Indication (SNI) header, so staging and production share these ports on the same host.
CoT streaming ports 8089 (SSL) and 8087 (TCP) still require offsets because ATAK does not send SNI headers on these connections. Mumble UDP also requires a direct port mapping via MUMBLE_EXTERNAL_PORT since UDP does not support SNI.
Info
Staging overrides use offset port numbers to avoid conflicts with production services running on the same host. See the Installation Guide for the full staging deployment workflow.
Production Overrides¶
Port mappings used with docker-compose.production.yml.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
WEB_PORT | Production web application port | 3000 | Port number | Yes (production) |
PROMETHEUS_PORT | Production Prometheus port | 9090 | Port number | Yes (production) |
GRAFANA_PORT | Production Grafana port | 3001 | Port number | Yes (production) |
LDAP_PORT | Production LDAP port | 389 | Port number | Yes (production) |
LDAPS_PORT | Production LDAPS (secure LDAP) port | 636 | Port number | Yes (production) |
Branding¶
UI branding variables that control the platform's display name and color scheme.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
BRAND_NAME | Platform display name | MAGK | String | Yes |
BRAND_TAGLINE | Platform tagline | Multipurpose Awareness and Group Kit | String | Yes |
BRAND_COLOR_PRIMARY | Primary brand color (deep navy) | #1e3c72 | Hex color code | Yes |
BRAND_COLOR_ACCENT | Accent brand color (tactical orange) | #ff6b35 | Hex color code | Yes |
AI / LLM Provider¶
Configuration for the optional AI assistant feature. Supports LiteLLM (self-hosted proxy) or AWS Bedrock as the LLM backend.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
MAGK_AI_PROVIDER | LLM provider backend | litellm | litellm / bedrock | No |
MAGK_AI_ASSISTANT_ENABLED | Enable the AI assistant in the sidebar | false | true / false | No |
LITELLM_MASTER_KEY | LiteLLM proxy authentication key | — | Generated: openssl rand -hex 32 | No (required if provider is litellm) |
LITELLM_LOG_LEVEL | LiteLLM proxy log verbosity | INFO | DEBUG / INFO / WARNING / ERROR | No |
LiteLLM Version Security
LiteLLM version must be >=1.83.0. Versions 1.82.7 and 1.82.8 are compromised:
- CVE-2024-6587: SSRF credential leakage
- CVE-2025-0330: API key exposure in error responses
- March 2026 supply chain attack on versions 1.82.7/1.82.8
Tip
Set MAGK_AI_ASSISTANT_ENABLED=true to show the AI Assistant in the sidebar for admin and organizer users. The assistant is hidden by default.
MCP Server (AI Assistant Tool Access)¶
Configuration for the MCP (Model Context Protocol) server that provides AI assistant tool access.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
MCP_API_KEY | API key for MCP server authentication | — | Generated: openssl rand -hex 32, prefixed with mcp_ | No |
Tip
Generate the key with: echo "mcp_$(openssl rand -hex 32)"
Mumble Voice Communications¶
Optional Mumble voice server integration for event-based voice channels. When enabled, MAGK deploys a Mumble server (magk-mumble) and an Ice Admin Sidecar (magk-mumble-admin) that manages channels, ACLs, and LDAP authentication.
| Variable | Description | Default | Format | Required |
|---|---|---|---|---|
MUMBLE_HOST | Mumble server hostname (Docker service name) | magk-mumble | Hostname | No |
MUMBLE_PORT | Mumble protocol port for client connections | 64738 | Port number | No |
MUMBLE_SUPERUSER_PASSWORD | SuperUser password for the Mumble server | — | Generated: openssl rand -base64 24 | When enabled |
MUMBLE_ENABLED | Enable Mumble voice communications integration | false | true / false | No |
MUMBLE_ICE_PORT | ZeroC Ice RPC port for server administration | 6502 | Port number | No |
MUMBLE_LDAP_ENABLED | Enable LDAP-based Mumble authentication via the Ice Admin Sidecar | false | true / false | No |
MUMBLE_ADMIN_API_PORT | Internal HTTP API port for the Ice Admin Sidecar | 6503 | Port number | No |
MUMBLE_MONITORING_ENABLED | Enable the optional Monitoring Bot for real-time channel/user state | false | true / false | No |
MUMBLE_EXTERNAL_PORT | External Mumble port for TAK clients (defaults to MUMBLE_PORT) | 64738 | Port number | No |
MUMBLE_MEMBERSHIP_API_URL | Internal API URL for membership lookups | http://magk-web:3000/api/internal/mumble-groups | URL | No |
MUMBLE_MEMBERSHIP_CACHE_TTL | Cache duration in seconds for group memberships | 60 | Positive integer (seconds) | No |
MUMBLE_MEMBERSHIP_TIMEOUT | HTTP timeout in seconds for membership lookups | 2 | Positive integer (seconds) | No |
Note
Set MUMBLE_ENABLED=true to add the Mumble server and admin sidecar to the Docker Compose stack. Channels are provisioned per-event during roster finalization. Players authenticate using LDAP credentials when MUMBLE_LDAP_ENABLED=true.
Mumble Port Routing
Mumble TCP connections use Traefik SNI routing (shared port with production/staging). Mumble UDP connections require a direct port mapping via MUMBLE_EXTERNAL_PORT since UDP does not support SNI.
EUD Emulator Fleet¶
Configuration for the 10-device ATAK emulator fleet managed by scripts/eud-fleet.sh. Only consulted by the fleet tooling — the rest of the MAGK platform ignores these variables. See EUD Emulator Fleet for the operator guide.
| Variable | Default | Description |
|---|---|---|
FLEET_SIZE | 10 | Number of EUDs to start when running eud-fleet.sh start with no index. Must match the services declared in compose/docker-compose.android-fleet.yml. |
FLEET_BOOT_BATCH | 3 | Emulators are booted in batches of this size to avoid saturating KVM on shared hosts. |
FLEET_CALLSIGN_PREFIX | MAGK | Callsign prefix. Each EUD is named <prefix>-NN (e.g. MAGK-01 … MAGK-10). |
FLEET_BASE_EMAIL_USER | ops | Local part of the base email used to seed one MAGK user per EUD. Combined with FLEET_BASE_EMAIL_DOMAIN using the +eudN sub-addressing convention. |
FLEET_BASE_EMAIL_DOMAIN | magktech.com | Domain part of the base email. |
FLEET_USER_PASSWORD | MagkEud2026! | Shared password seeded into every MAGK user — rotate after real use. |
FLEET_ATAK_SERVER | tak-service | CoT streaming hostname reachable from inside the Docker network. |
FLEET_ATAK_SERVER_PORT | 8089 | CoT streaming SSL port. |
FLEET_TAK_UPDATE_SERVER | https://nginx:8443/api/packages | TAK Update Server URL prefilled into each EUD's ATAK preferences. |
FLEET_ENROLLMENT_URL | https://nginx:8446 | Certificate enrollment endpoint. |
FLEET_ATAK_APK | ATAK-5.7.0.4-cc9eab57-civSmall-release.apk | Which ATAK core APK to sideload on each EUD. civSmall boots faster; use the full civ-release.apk for feature-parity testing. |
FLEET_PLUGIN_SKIPLIST | ATAK-Plugin-taktalk-1.0.0-…-civ-release.apk | Space-separated APK filenames to skip during fleet provisioning even though they are still published to real EUDs by the TAK Update Server. Default excludes the oversized taktalk download. |
FLEET_DEVICE_PROFILE | Samsung Galaxy S10 | Emulator device model, passed to budtmo/docker-android as its DEVICE env. |
Note
Ten parallel emulators require roughly 20 vCPU and 30 GB RAM with /dev/kvm available on the host. Reduce FLEET_SIZE and FLEET_BOOT_BATCH to scale down on smaller hosts. The Appium-driven smoke tests assume at most four concurrent sessions (scripts/eud-fleet.sh probe --max-parallel N).
Elevation Service¶
Optional integration with an Open Topo Data instance. Used by the tactical map's elevation-profile tool to look up terrain altitudes along drawn routes.
| Variable | Default | Description |
|---|---|---|
MAGK_ELEVATION_API_URL | http://opentopodata:5000 | Base URL for the Open Topo Data elevation API. Leave the default if you ship the bundled opentopodata compose service; override to point at any compatible endpoint. |
Feature Flags¶
Toggle in-development capabilities without redeploying compose changes.
| Variable | Default | Description |
|---|---|---|
MAGK_NATIVE_AUTHORING | false | Enables the native tactical authoring tools (Phase 1–5) when set to true. Leave disabled in production until Phase 5 ships. |
MAGK_TAK_UI | false | Enables TAK-style UI components (toolbar, detail panel, map controls, radial menu, self-position readout) on tactical surfaces. Set to true to activate the TAK UI overhaul (Spec 27). |
TAK UI OVERHAUL (Spec 27)¶
The MAGK_TAK_UI flag controls the TAK-style UI overhaul. When enabled, tactical surfaces (/admin/tactical, /map, /player/tactical) render TAK-native-style components:
- TakToolbar — Compact icon-only toolbar matching ATAK's top bar
- TakDetailPanel — Right-side sliding panel for item details, chat, and contacts
- TakMapControls — Left-side compass, GPS lock, and zoom controls
- SelfPositionReadout — Bottom-left position overlay (callsign, MGRS, altitude, speed)
- RadialMenu — Circular context menu on feature right-click/long-press
- Player WebTAK — Browser-based tactical surface at
/player/tacticalfor players without ATAK/iTAK
| Variable | Default | Description |
|---|---|---|
MAGK_TAK_UI | false | Master toggle for the TAK UI overhaul. Set to true in production after validation. |
ADS-B Pipeline¶
Activates ADSBCoTPipeline (apps/tak-service/tak/adsbxcot_pipeline.py) when at least one feed source is configured. Manned-aircraft transponder hits and any 1090 ES Remote ID drone broadcasts are converted into CoT events on the magk.cot exchange and rendered on every connected ATAK plus the MAGK web map.
| Variable | Default | Description |
|---|---|---|
ADSB_API_URL | empty | Hosted ADS-B feed (ADSBexchange-style endpoint). Leave blank when consuming from DUMP1090_URL instead. |
ADSB_API_KEY | empty | Sent in the api-auth header when calling ADSB_API_URL. |
DUMP1090_URL | empty | Local dump1090 receiver, e.g. http://dump1090.local:8080/data/aircraft.json. |
SENSOR_POLL_INTERVAL | 5 | Seconds between polls of the configured feed source. Shared with the AIS pipeline. |
Note
The pipeline emits a-n-A-C-F (neutral, air, civil, fixed-wing) by default. Drone Remote ID broadcasts that arrive over 1090 ES will be tagged with the same type — for dedicated Remote ID feeds (Bluetooth/WiFi), see the separate DRONECOT_FEED_URL.
APRS-IS Gateway¶
Activates APRSGateway (apps/tak-service/tak/aprs_gateway.py) when APRS_ENABLED=true. The gateway connects read-only to APRS-IS, parses position beacons from radios that uplink GPS via APRS, and republishes them as friendly-ground CoT on magk.cot. Operators carrying these radios appear on the MAGK map and inside every connected ATAK alongside other tactical icons.
Compatible radios include (but are not limited to):
- BTECH UV-Pro — built-in APRS, plus the BTECH UV-Pro relay ATAK plugin for full CoT-over-RF bridging on the device side.
- Anytone AT-D878 / AT-D578UV — DMR + APRS.
- Baofeng DM-32 / DM-1701 — DMR with APRS gateway integrations.
- Any other rig that beacons to APRS-IS.
| Variable | Default | Description |
|---|---|---|
APRS_ENABLED | false | Master switch for the gateway. |
APRS_IS_HOST | rotate.aprs2.net | APRS-IS pool hostname. |
APRS_IS_PORT | 14580 | TCP port for filtered server-side feeds. |
APRS_CALLSIGN | MAGK-RO | Login callsign — use one you own with an SSID like -RO to identify the read-only client. |
APRS_PASSCODE | -1 | APRS-IS passcode. -1 is the documented value for read-only access. |
APRS_FILTER | empty | Server-side filter, e.g. r/45.5/-122.6/100 for a 100 km radius or b/W7AB-9/KK7CD-7 for a callsign list. Leave blank for the firehose (not recommended). |
APRS_RECONNECT_DELAY | 10 | Seconds between reconnect attempts when the APRS-IS socket drops. |
Note
The gateway is receive-only — MAGK does not transmit on RF, and the radio plugins themselves run on the EUD (Bluetooth/USB to the radio). The MAGK server side is purely the APRS-IS ingestion path; pair it with the BTECH UV-Pro relay plugin for full ATAK CoT-over-RF coverage.
CLOUDTAK PLAYER PORTAL (spec 29)¶
Embeds unmodified CloudTAK (AGPL-3.0) as the browser-based player tactical portal at map.<domain>. CloudTAK runs as a peer service communicating with MAGK via standard TAK protocols. No CloudTAK source code is incorporated into MAGK's bundle.
Operational documentation (deployment runbook, AGPL compliance) is maintained in .kiro/specs/29-cloudtak-player-portal/docs/.
| Variable | Default | Description |
|---|---|---|
MAGK_CLOUDTAK_VERSION | v12.138.2 | Pinned CloudTAK image tag. Never auto-upgrade; review CHANGELOG before bumping. |
CLOUDTAK_SIGNING_SECRET | — | JWT signing secret for CloudTAK sessions. Generate with openssl rand -base64 32. |
CLOUDTAK_MINIO_USER | cloudtakadmin | MinIO access key for CloudTAK's object store. |
CLOUDTAK_MINIO_PASSWORD | — | MinIO secret key. Generate with openssl rand -base64 24. |
CLOUDTAK_ASSET_BUCKET | cloudtak | S3 bucket name for CloudTAK assets (PMTiles, uploads, attachments). |
CLOUDTAK_TAK_ADMIN_USERNAME | administrator | TAK Server admin username for CloudTAK's initial connection setup. |
CLOUDTAK_TAK_ADMIN_PASSWORD | — | TAK Server admin password. Used once during first PATCH /api/server. |
CLOUDTAK_RETENTION_SCHEDULE | 0 3 * * * | Cron schedule for CloudTAK's data retention worker. |
PRIMARY_DOMAIN | magktech.com | Base domain for CloudTAK subdomains (map.X, tiles.map.X, video.X). |