CivTAK / TAK Server automation for Rocky Linux 9.
Provides Bash shell scripts and two PowerShell modules (TAKServerPS, TAKInstall) to install, configure, and manage a production TAK Server 5.7 deployment — including certificate management, XMPP chat integration, Let's Encrypt TLS, and a full REST API wrapper.
Target platform: Rocky Linux 9.5 · Hyper-V Gen 2 · TAK Server 5.7-RELEASE8
Full documentation: Getting Started · Deployment Guide · API Reference · Troubleshooting
DigitalTAK/
├── InstallShellScripts/ ← Bash deployment scripts (run on the server)
├── TAKServerPS/ ← PowerShell module — TAK Server REST API (45 cmdlets)
├── TAKInstall/ ← PowerShell module — remote provisioning via SSH (6 cmdlets)
├── TAKDeploy/ ← PowerShell module — Hyper-V VM creation & orchestration (5 cmdlets)
├── TAKOnboarding/ ← PowerShell module — team onboarding orchestrator (4 cmdlets)
├── onboarding/ ← Team onboarding assets (roster scripts, cert batch, data package builder)
├── tests/integration/ ← Pester 5 integration tests (212 tests across 12 test files)
├── dist/ ← Per-user ATAK .zip data packages (generated; git-ignored)
├── certs/ ← Downloaded client certificates per team (generated; git-ignored)
├── Documentation/ ← Official TAK Server 5.7 & Federation Hub guides (PDF)
├── channels.zip ← ATAK client data package for device distribution
├── Invoke-TAKOnboarding.ps1 ← One-command team onboarding (certs → users → data packages)
├── Remove-CivTAK.ps1 ← Full CivTAK teardown (VM, VHDX, certs, Windows store, dist/)
└── reports/ ← Deployment and test reports
The repository also includes a general Hyper-V deployment entry point:
- Deploy-TAKServer.ps1 — canonical end-to-end deployment script for building a TAK Server VM from your own configuration
- Deploy-TAKTestServer.ps1 — backward-compatible wrapper that forwards to Deploy-TAKServer.ps1
Use Deploy-TAKServer.ps1 when you want to deploy a server from this repository using your own VM sizing, credentials, RPM path, certificate subject metadata, and snapshot-resume behavior.
Detailed operator guidance is in Documentation/Deploy-TAKServer.md.
The project wiki is at github.com/BanterBoy/DigitalTAK/wiki.
Invoke-TAKOnboarding.ps1 is the single-command zero-to-team onboarding entry point. It automates the complete workflow — from certificate generation through user account creation to ATAK data package build — with no Linux experience required.
Prerequisites:
- PowerShell 7.0+, Posh-SSH (Install-Module Posh-SSH)
- JDK 11+ with keytool on PATH (for data packages) — Eclipse Temurin recommended
- admin.p12 downloaded from the TAK Server
Workflow:
- Generate per-user client certificates on the TAK Server over SSH
- Download .p12 files and manifest to the Windows workstation over SFTP
- Delete certificates from the server (security hygiene)
- Create TAK Server user accounts via UserManager.jar over SSH
- Assign group memberships (<team> for all users, <team>-Lead for leads)
- Build per-user ATAK data packages (.zip) ready to distribute

```powershell
# Auto-roster: 10-person template
.\Invoke-TAKOnboarding.ps1 -ServerHost 10.10.0.154 -TeamName alpha -TeamSize 10
# Custom roster from CSV
.\Invoke-TAKOnboarding.ps1 -ServerHost 10.10.0.154 -TeamName bravo `
    -RosterPath .\onboarding\rosters\sample-roster-10.csv -AdminPfxPath .\certs\admin.p12
# Skip data package build (no JDK required)
.\Invoke-TAKOnboarding.ps1 -ServerHost 10.10.0.154 -TeamName charlie -TeamSize 10 -SkipDataPackages
```

Output: dist\<TeamName>\<username>.zip — one file per team member, ready for distribution.
See onboarding/README.md for the manual step-by-step workflow and onboarding/rosters/ for CSV roster examples.
Remove-CivTAK.ps1 performs a full idempotent teardown of a CivTAK deployment. Run it from the repo root with Administrator privileges.
What it removes:
| Step | Action |
|---|---|
| 1 | Stop and remove the Hyper-V VM (all snapshots included) |
| 2 | Delete the VHDX disk file |
| 3 | Remove all cert/key files from certs\ recursively (*.p12, *.pfx, *.jks, *.pem, *.key, *.crt, *.cer) — covers all team subdirectories |
| 3b | Remove all ATAK data packages from dist\ |
| 4 | Remove imported TAK certificates from the Windows certificate store (root CA, intermediate CA, admin cert) |
| 5 | Remove any leftover OEMDRV temp VHDXs |

```powershell
# Standard teardown
.\Remove-CivTAK.ps1
# Custom CA name / organisation (must match deployment parameters)
.\Remove-CivTAK.ps1 -Organization 'MYORG' -CAName 'TAK-CA'
# Clean guest uninstall before VM destruction
$cred = Get-Credential -UserName 'atak'
.\Remove-CivTAK.ps1 -UninstallGuest -Credential $cred
```

Security note: The certs\ and dist\ directories contain .p12 certificate material and embedded credentials. Remove-CivTAK.ps1 removes these automatically. The root .gitignore is configured to prevent any cert or key file from being accidentally committed.
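
The security note above depends on the root .gitignore covering every cert and key file. As an added example (not code from the DigitalTAK repository), this PowerShell check lists cert material that git already tracks and files under certs\ or dist\ that no ignore rule covers, looking inside data package .zip files as well. The function names are hypothetical, and it assumes git is on PATH.

```powershell
# Added example; not part of the DigitalTAK repository. Function names are hypothetical.
# The extension list is copied from step 3 of the teardown table above.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$SecretPatterns = '*.p12', '*.pfx', '*.jks', '*.pem', '*.key', '*.crt', '*.cer'

function Test-SecretFile {
    # True when the file name matches a cert/key pattern, or when the file is a
    # .zip (ATAK data package) that contains an entry matching one.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($pattern in $SecretPatterns) { if ($Path -like $pattern) { return $true } }
    if (($Path -notlike '*.zip') -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        foreach ($entry in $zip.Entries) {
            foreach ($pattern in $SecretPatterns) { if ($entry.FullName -like $pattern) { return $true } }
        }
        return $false
    }
    catch { return $true }   # unreadable archive: flag it for manual review
    finally { if ($zip) { $zip.Dispose() } }
}

function Get-ExposedSecretFile {
    param([string]$RepoRoot = '.')
    $root = (Resolve-Path -LiteralPath $RepoRoot).Path

    # 1. Already tracked: adding a .gitignore rule never un-tracks a committed file.
    foreach ($rel in (git -C $root ls-files)) {
        if (Test-SecretFile -Path (Join-Path $root $rel)) {
            [pscustomobject]@{ Path = $rel; Problem = 'tracked by git' }
        }
    }

    # 2. Present under certs\ or dist\ and matched by no ignore rule, so a broad
    #    'git add' would stage it. --no-index tests the ignore rules alone.
    foreach ($dir in 'certs', 'dist') {
        $full = Join-Path $root $dir
        if (-not (Test-Path -LiteralPath $full)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $full -Recurse -File -Force) {
            if (-not (Test-SecretFile -Path $file.FullName)) { continue }
            $rel = [System.IO.Path]::GetRelativePath($root, $file.FullName)
            git -C $root check-ignore --no-index -q -- $rel
            if ($LASTEXITCODE -ne 0) {
                [pscustomobject]@{ Path = $rel; Problem = 'not covered by .gitignore' }
            }
        }
    }
}

# Any row in the output is cert material exposed to version control.
Get-ExposedSecretFile -RepoRoot . | Format-Table -AutoSize
```

A file reported as tracked remains in the repository history after it is removed from the working tree, so the certificate it contains should be revoked and reissued.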
Quick start:

```powershell
Set-Location .
$cred = Get-Credential -UserName 'atak'
$rootPw = Read-Host -AsSecureString -Prompt 'Root password'
$ksPw = Read-Host -AsSecureString -Prompt 'TAK keystore password'
.\Deploy-TAKServer.ps1 `
    -Credential $cred `
    -RootPassword $rootPw `
    -KeystorePassword $ksPw `
    -Confirm:$false
```

If you do not pass -State, -City, -Organization, -OrganizationalUnit, or -CAName, the script now prompts for them instead of silently applying fixed lab metadata.
Scripts live in InstallShellScripts/.
1. RL9_tak5.7r8_install.sh ← run as root — main TAK Server install
2. createTakCerts.sh ← interactive CA + server cert creation
└── takUserCreateCerts_doNotRunAsRoot.sh ← called automatically as the tak user
3. promoteAdmin.sh ← promote the admin cert to administrator role
[Optional]
openfire_takChat_install.sh ← Openfire XMPP / TAK Chat integration
takserver_createLECerts.sh ← one-time Let's Encrypt cert issuance
└── takserver_renewLECerts.sh ← renewal (schedule with cron)
| Script | Purpose |
|---|---|
| RL9_tak5.7r8_install.sh | Installs PostgreSQL (pgdg), OpenJDK 17, TAK Server RPM + GPG key, configures SELinux policy and firewalld rules. |
| createTakCerts.sh | Prompts for STATE / CITY / ORG / OU and keystore password; creates Root CA, Intermediate CA, server cert, admin cert; patches CoreConfig.xml for x509 TLS + cert enrollment. |
| takUserCreateCerts_doNotRunAsRoot.sh | Called by createTakCerts.sh as the tak user; generates per-user client certificates. |
| promoteAdmin.sh | Promotes admin.pem to the TAK Server administrator role via the UserManager utility. |
| openfire_takChat_install.sh | Installs Openfire XMPP server, the TAK Server chat plugin, and configures firewalld for XMPP ports. |
| takserver_createLECerts.sh | Issues a Let's Encrypt certificate via Certbot and configures TAK Server to use it. |
| takserver_renewLECerts.sh | Renews the Let's Encrypt certificate and restarts TAK Server; designed to run from cron. |

- Rocky Linux 9 (fresh install recommended)
- takserver-5.7-RELEASE8.noarch.rpm — downloaded from tak.gov into the same directory as the scripts. Requires a TAK.gov account with MFA enforced. This file is .gitignored and must not be committed.
- takserver-public-gpg.key — from tak.gov (optional — used for GPG signature verification)
Both modules require PowerShell 7.0+ and follow Microsoft best practices — CmdletBinding, approved verbs, ShouldProcess on destructive operations, SecureString for passwords, and PSScriptAnalyzer-clean source.
✅ Validated — April 2026. TAKServerPS has been tested end-to-end against a live TAK Server 5.7-RELEASE8 instance: 39 of 46 tests pass (85%). All GET cmdlets, Connect-TAKServer, user and mission lifecycle are operational. New-TAKUser REST and Set-TAKUserGroup have a known server-side ESAPI bug — workaround documented. See the Validation Report for full results.
Path: TAKServerPS/
Manifest: TAKServer.psd1 · Version: 1.0.0
Wraps the TAK Server 5.x REST API. Authenticate once with Connect-TAKServer; all 45 cmdlets share the session automatically.

```powershell
Import-Module .\TAKServerPS\TAKServer.psd1
```

```powershell
# Certificate (recommended for production)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('admin.p12', $pass)
Connect-TAKServer -Server 'takserver.example.com' -Port 8443 -Certificate $cert
# PFX file shorthand
Connect-TAKServer -Server 'takserver.example.com' -Port 8443 -PfxPath '.\admin.p12' -PfxPassword $pass
# Username / password
Connect-TAKServer -Server 'takserver.example.com' -Port 8443 -Credential (Get-Credential)
# Bearer token
Connect-TAKServer -Server 'takserver.example.com' -Port 8443 -Token $secureToken
```

| Category | Cmdlets |
|---|---|
| Session | Connect-TAKServer, Disconnect-TAKServer |
| Users | Get-TAKUser, New-TAKUser, Remove-TAKUser, Set-TAKUserPassword, Set-TAKUserGroup |
| Groups | Get-TAKGroup |
| Subscriptions | Get-TAKSubscription, Remove-TAKSubscription, Get-TAKContact |
| Missions | Get-TAKMission, New-TAKMission, Remove-TAKMission, Get-TAKMissionChange, Get-TAKMissionContact, Get-TAKMissionSubscription, Register-TAKMissionSubscription, Unregister-TAKMissionSubscription |
| Certificates | Get-TAKCertificate, Remove-TAKCertificate, Invoke-TAKCertificateSign |
| Data Feeds | Get-TAKDataFeed, New-TAKDataFeed, Remove-TAKDataFeed |
| Inputs | Get-TAKInput, New-TAKInput, Remove-TAKInput |
| Outgoing Connections | Get-TAKOutgoingConnection, New-TAKOutgoingConnection, Remove-TAKOutgoingConnection |
| CoT | Get-TAKCoT |
| Device Profiles | Get-TAKDeviceProfile, Publish-TAKDeviceProfile |
| Map Layers | Get-TAKMapLayer, Remove-TAKMapLayer |
| Video | Get-TAKVideo, New-TAKVideo, Remove-TAKVideo |
| Plugins | Get-TAKPlugin |
| Federate | Get-TAKFederate |
| Security | Get-TAKSecurityConfig, Set-TAKSecurityConfig, Remove-TAKToken |
| Server | Get-TAKVersion |

```powershell
# Examples
Get-TAKUser
New-TAKUser -Username 'jsmith' -Password $pass -Role 'ROLE_ANONYMOUS'
Get-TAKMission | Where-Object { $_.state -eq 'ACTIVE' }
Get-TAKCertificate | Where-Object { $_.expiration -lt (Get-Date).AddDays(30) }
Disconnect-TAKServer
```

Path: TAKInstall/
Manifest: TAKInstall.psd1 · Version: 1.0.0
Requires: Posh-SSH
Automates the full TAK Server deployment sequence over an SSH session — no manual server interaction required after the initial SSH connection. Mirrors every step performed by the Bash scripts.

```powershell
Install-Module Posh-SSH -Scope CurrentUser
Import-Module .\TAKInstall\TAKInstall.psd1
```

```powershell
# 1. Open an SSH session to the Rocky Linux 9 server
$ssh = New-SSHSession -ComputerName '192.168.1.50' -Credential (Get-Credential)
$pass = Read-Host -AsSecureString -Prompt 'Keystore password'
# 2. Install TAK Server
Install-TAKServer -SshSession $ssh -RpmPath '/tmp/takserver-5.7-RELEASE8.noarch.rpm'
# 3. Create certificates
New-TAKServerCertificate -SshSession $ssh `
    -State 'TX' -City 'AUSTIN' -Organization 'MYORG' -OrganizationalUnit 'OPS' `
    -KeystorePassword $pass
# 4. Promote admin certificate
Set-TAKAdminCertificate -SshSession $ssh
# 5. (Optional) Install Openfire XMPP
Install-TAKOpenfire -SshSession $ssh
# 6. (Optional) Issue Let's Encrypt certificate
New-TAKLetsEncryptCertificate -SshSession $ssh -Domain 'tak.example.com' -Email 'admin@example.com'
```

| Cmdlet | Purpose |
|---|---|
| Install-TAKServer | Installs PostgreSQL, OpenJDK 17, TAK Server RPM, configures SELinux and firewalld. |
| New-TAKServerCertificate | Creates Root CA, Intermediate CA, server cert, admin + user client certs; patches CoreConfig.xml for x509 auth. |
| Set-TAKAdminCertificate | Promotes the admin client certificate to the TAK Server administrator role. |
| Install-TAKOpenfire | Installs Openfire XMPP server and the TAK Server chat plugin. |
| New-TAKLetsEncryptCertificate | Issues a Let's Encrypt certificate and configures TAK Server to use it. |
| Update-TAKLetsEncryptCertificate | Renews the Let's Encrypt certificate and restarts TAK Server. |

Path: TAKDeploy/
Manifest: TAKDeploy.psd1 · Version: 1.1.0
Requires: Posh-SSH
Automates Hyper-V VM creation and the end-to-end TAK Server deployment orchestration pipeline. Provides the building blocks consumed by Deploy-TAKServer.ps1.

```powershell
Install-Module Posh-SSH -Scope CurrentUser
Import-Module .\TAKDeploy\TAKDeploy.psd1
```

| Cmdlet | Purpose |
|---|---|
| New-TAKVirtualMachine | Creates a Hyper-V Gen 2 VM with an OEMDRV kickstart VHDX for unattended Rocky Linux 9 installation. |
| Wait-TAKLinuxInstall | Polls Hyper-V until the OS install completes and the VM reboots into the installed system. |
| Start-TAKDeployment | Orchestrates the full deployment pipeline (Phases 0–8) with snapshot-based resume. |
| Remove-TAKDeployment | Removes a CivTAK VM, all its snapshots, and its VHDX disk. |
| Invoke-TAKRollback | Restores a VM to a named Phase snapshot (Phase0, Phase2, or Phase4) for retry or re-testing. |

Path: TAKOnboarding/
Manifest: TAKOnboarding.psd1 · Version: 1.0.0
Requires: Posh-SSH, JDK 11+ with keytool on PATH (for data packages)
Orchestrates the complete zero-to-team onboarding workflow — certificate generation, user provisioning, and ATAK data package construction — as a single command. Consumed by Invoke-TAKOnboarding.ps1.

```powershell
Install-Module Posh-SSH -Scope CurrentUser
Import-Module .\TAKOnboarding\TAKOnboarding.psd1
```

| Cmdlet | Purpose |
|---|---|
| Invoke-TAKOnboarding | Full onboarding pipeline: certs → user accounts → group assignment → data packages. |
| New-TAKDataPackage | Builds a per-user ATAK data package (.zip) containing the user's .p12 cert and server connection preferences. |
| New-TAKEnrollmentPackage | Builds a team-level ATAK enrollment data package for use as a TAK Server Device Profile (password-based enrollment; no per-user cert required). |
| New-TAKTeamRoster | Generates a team roster CSV from an auto-numbered template or custom input. |

| Port | Protocol | Service |
|---|---|---|
| 8089 | TCP / TLS | Cursor-on-Target (CoT) — client connections |
| 8443 | TCP / HTTPS | WebTAK UI · REST API · admin console |
| 8446 | TCP / HTTPS | Client certificate enrollment |
| 80 | TCP / HTTP | Certbot ACME challenge (Let's Encrypt only) |
| 5222 / 5223 | TCP | Openfire XMPP client |
| 5269 | TCP | Openfire XMPP server federation |
| 7070 / 7443 | TCP | Openfire HTTP binding |
| 7777 | TCP | Openfire TAK plugin |
| 9090 / 9091 | TCP | Openfire admin console |
All four modules include Pester 5 unit tests in their Tests/ subdirectories. An integration suite covers the full deployment and teardown pipeline. All 375 unit tests pass.
TAKServerPS/Tests/ (171 tests — 8 files)
TAKServerPS.Module.Tests.ps1 ← manifest + 45-function inventory
Connect-TAKServer.Tests.ps1 ← auth parameter sets (cert, token, credential)
Invoke-TAKRequest.Tests.ps1 ← HTTP helper, retry logic, error handling
Get-TAKVersion.Tests.ps1 ← GET version endpoint
Invoke-TAKCertificateSign.Tests.ps1 ← cert signing pipeline
New-TAKUser.Tests.ps1 ← user creation + ShouldProcess
Remove-TAKUser.Tests.ps1 ← user deletion + ShouldProcess
Publish-TAKDeviceProfile.Tests.ps1 ← device profile lifecycle (create, update, upload)
TAKInstall/Tests/ (92 tests — 5 files)
TAKInstall.Module.Tests.ps1 ← manifest + 6-function inventory
ConvertTo-TAKBashArg.Tests.ps1 ← bash argument escaping
Invoke-TAKRemoteCommand.Tests.ps1 ← SSH command executor
Wait-TAKServiceReady.Tests.ps1 ← service polling helper
Wait-TAKAdminApiReady.Tests.ps1 ← admin API readiness probe
TAKDeploy/Tests/ (85 tests — 7 files)
TAKDeploy.Module.Tests.ps1 ← manifest + 5-function inventory
New-TAKVirtualMachine.Tests.ps1 ← Hyper-V VM creation
Wait-TAKLinuxInstall.Tests.ps1 ← install-completion polling
Start-TAKDeployment.Tests.ps1 ← full pipeline orchestration
Remove-TAKDeployment.Tests.ps1 ← VM and VHDX teardown
Invoke-TAKRollback.Tests.ps1 ← snapshot restore
TAKOnboarding/Tests/ (27 tests — 1 file)
TAKOnboarding.Module.Tests.ps1 ← manifest + 4-function inventory + onboarding logic
tests/integration/ (212 tests across 12 files — 72 pass without live server, 140 require TAK_INTEGRATION_HOST)
00-PreflightChecks.Tests.ps1 ← environment and prerequisites
01-VMProvisioning.Tests.ps1 ← Hyper-V VM creation
02-OSInstall.Tests.ps1 ← Rocky Linux kickstart install
03-TAKServerHealth.Tests.ps1 ← TAK service, ports, SELinux, firewall
04-Certificates.Tests.ps1 ← CA + server + client cert generation
05-UserManagement.Tests.ps1 ← user CRUD via UserManager.jar
06-CertPasswordFlow.Tests.ps1 ← cert password and SFTP download
07-LetsEncryptRenewal.Tests.ps1 ← LE cert issuance and renewal
08-GroupManagement.Tests.ps1 ← group assignment
09-RemovalVerification.Tests.ps1 ← Remove-CivTAK.ps1 Windows cert store cleanup
10-DataPackageBuild.Tests.ps1 ← New-TAKDataPackage truststore logic
11-CertDistCleanup.Tests.ps1 ← Remove-CivTAK.ps1 filesystem teardown
Note: Integration tests 09 and 11 require Administrator privileges to write to Cert:\CurrentUser\Root. Tests in 01–08 require TAK_INTEGRATION_HOST to be set; they auto-skip in CI when no live server is available.
Run a single file to avoid memory pressure:

```powershell
Invoke-Pester -Path .\TAKServerPS\Tests\TAKServerPS.Module.Tests.ps1 -Output Detailed
Invoke-Pester -Path .\tests\integration\10-DataPackageBuild.Tests.ps1 -Output Detailed
```

Full results: reports/TEST-REPORT.md
Primary reference: https://digitaltak.lukeleigh.com/
| Page | Description |
|---|---|
| Getting Started | Prerequisites, repo layout, module installation, CI pipeline |
| Deployment Guide | Step-by-step Deploy-TAKServer.ps1 guide |
| API Reference | Complete cmdlet reference — TAKDeploy, TAKInstall, TAKOnboarding, TAKServerPS (60 cmdlets) |
| Troubleshooting | Common failures and fixes |
| Configuration Reference | CoreConfig.xml, certificate layout, port inventory, security gaps |
Bundled references (in-repo):
| File | Description |
|---|---|
| Documentation/TAK_Server_Configuration_Guide_5.7.pdf | Official TAK Server 5.7 configuration guide |
| Documentation/Federation_Hub_Configuration_Guide.pdf | Federation Hub configuration and setup guide |
| channels.zip | ATAK client data package — distribute to devices via TAK Server data packages |
| reports/TEST-REPORT.md | Pester test results with per-test breakdown and bug fix notes |