Configuration

Configuration Precedence

TantoC2 uses a layered configuration system. Higher precedence wins:

  1. CLI arguments (highest)
  2. Environment variables (prefixed with TANTOC2_)
  3. Config file (~/.tantoc2/config.yaml or $TANTOC2_CONFIG)
  4. Built-in defaults (lowest)

Config File

Default location: ~/.tantoc2/config.yaml

Override with the TANTOC2_CONFIG environment variable:

export TANTOC2_CONFIG=/path/to/my-config.yaml
tantoc2-server

Example Config

host: 0.0.0.0
port: 8443
data_dir: /opt/tantoc2/data
log_level: INFO

tls_enabled: true
tls_cert_file: /opt/tantoc2/certs/server.crt
tls_key_file: /opt/tantoc2/certs/server.key

bg_dead_agent_interval: 60
bg_stale_task_interval: 300
bg_key_rotation_interval: 300

key_rotation_enabled: true
key_rotation_session_ttl: 3600

task_pending_ttl: 3600
task_sent_ttl: 7200

log_redaction_enabled: true
task_archival_age: 86400
clock_drift_tolerance: 300

bg_plugin_watcher_interval: 30
plugin_inbox_dir: /opt/tantoc2/plugin_inbox

Environment Variables

Any configuration field can be overridden by an environment variable named with the TANTOC2_ prefix followed by the field name in upper case:

export TANTOC2_PORT=9443
export TANTOC2_TLS_ENABLED=true
export TANTOC2_LOG_LEVEL=DEBUG
tantoc2-server

Configuration Reference

| Field | Type | Default | Env Var | Description |
|---|---|---|---|---|
| host | str | 0.0.0.0 | TANTOC2_HOST | Bind address |
| port | int | 8443 | TANTOC2_PORT | API server port |
| data_dir | str | ./data | TANTOC2_DATA_DIR | Root data directory |
| log_level | str | INFO | TANTOC2_LOG_LEVEL | Logging level (DEBUG, INFO, WARNING, ERROR) |
| tls_enabled | bool | false | TANTOC2_TLS_ENABLED | Enable TLS on the API port |
| tls_cert_file | str | | TANTOC2_TLS_CERT_FILE | PEM-encoded TLS certificate |
| tls_key_file | str | | TANTOC2_TLS_KEY_FILE | PEM-encoded TLS private key |
| default_engagement_dir | str | engagements | TANTOC2_DEFAULT_ENGAGEMENT_DIR | Subdirectory for engagement databases |
| bg_dead_agent_interval | int | 60 | TANTOC2_BG_DEAD_AGENT_INTERVAL | Dead agent scan interval (seconds) |
| bg_stale_task_interval | int | 300 | TANTOC2_BG_STALE_TASK_INTERVAL | Stale task cleanup interval (seconds) |
| bg_key_rotation_interval | int | 300 | TANTOC2_BG_KEY_ROTATION_INTERVAL | Key rotation check interval (seconds) |
| key_rotation_enabled | bool | false | TANTOC2_KEY_ROTATION_ENABLED | Enable automatic session key rotation |
| key_rotation_session_ttl | int | 3600 | TANTOC2_KEY_ROTATION_SESSION_TTL | Maximum session key age before rotation (seconds) |
| task_pending_ttl | int | 3600 | TANTOC2_TASK_PENDING_TTL | Pending task TTL before cleanup (seconds) |
| task_sent_ttl | int | 7200 | TANTOC2_TASK_SENT_TTL | Sent task TTL before cleanup (seconds) |
| log_redaction_enabled | bool | true | TANTOC2_LOG_REDACTION_ENABLED | Redact sensitive values from logs |
| task_archival_age | int | 86400 | TANTOC2_TASK_ARCHIVAL_AGE | Auto-archive completed tasks older than this (seconds) |
| clock_drift_tolerance | int | 300 | TANTOC2_CLOCK_DRIFT_TOLERANCE | Acceptable clock drift for crypto and agent tracking (seconds) |

TLS Setup

Self-Signed (Automatic)

Set tls_enabled: true without specifying certificate files. The server generates self-signed certificates automatically.

Custom Certificates

Generate with OpenSSL:

openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout server.key -out server.crt \
  -days 365 -subj "/CN=tantoc2.local"

Configure:

tls_enabled: true
tls_cert_file: /path/to/server.crt
tls_key_file: /path/to/server.key

Listener TLS

Listeners support TLS independently of the API server. Specify per-listener certificates when creating HTTPS listeners:

tantoc2> listeners create http --name my-https --port 443 --tls

Log Redaction

Enabled by default. The server filters sensitive values from log output:

  • Credentials and secrets
  • Callback addresses
  • Cryptographic keys and tokens

Disable temporarily for debugging:

export TANTOC2_LOG_REDACTION_ENABLED=false

Re-enable redaction before operational use to prevent accidental exposure of sensitive data.
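
Because environment variables outrank the config file, a debugging export left in the shell overrides a hardened file without any change on disk. The following pre-start check is an added example, not part of TantoC2: it resolves the file and environment layers (CLI arguments are left out) for the TLS, key-rotation and log-redaction fields and lists the weakened settings. The accepted boolean spellings and the flat, unquoted `key: value` file parsing are assumptions.

```python
import os

# Security-relevant defaults, copied from the Configuration Reference table.
DEFAULTS = {
    "tls_enabled": False,
    "tls_cert_file": "", "tls_key_file": "",
    "key_rotation_enabled": False,
    "log_redaction_enabled": True,
}
TRUTHY = {"1", "true", "yes", "on"}  # assumption: accepted boolean spellings

def coerce(key, raw):
    """Convert a raw string to the type of the field's default."""
    raw = raw.split(" #")[0].strip()  # drop an inline YAML comment
    return raw.lower() in TRUTHY if isinstance(DEFAULTS[key], bool) else raw

def effective_config(file_text="", env=None):
    """Layer defaults < config file < TANTOC2_* environment variables."""
    env = os.environ if env is None else env
    cfg = dict(DEFAULTS)
    for line in file_text.splitlines():  # flat, unquoted "key: value" lines
        key, sep, value = line.partition(":")
        if sep and key.strip() in DEFAULTS:
            cfg[key.strip()] = coerce(key.strip(), value)
    for key in DEFAULTS:  # environment outranks the file
        name = "TANTOC2_" + key.upper()
        if name in env:
            cfg[key] = coerce(key, env[name])
    return cfg

def audit(cfg):
    """Return one finding per setting that weakens the server's posture."""
    findings = []
    if not cfg["tls_enabled"]:
        findings.append("tls_enabled=false: API port served without TLS")
    elif not (cfg["tls_cert_file"] and cfg["tls_key_file"]):
        findings.append("no cert/key files: auto-generated self-signed cert")
    if not cfg["log_redaction_enabled"]:
        findings.append("log_redaction_enabled=false: secrets can reach logs")
    if not cfg["key_rotation_enabled"]:
        findings.append("key_rotation_enabled=false: no automatic rotation")
    return findings

# Constructed sample: a hardened file, plus a debug export left in the shell.
SAMPLE_FILE = "tls_enabled: true\nkey_rotation_enabled: true\nlog_redaction_enabled: true\n"
SAMPLE_ENV = {"TANTOC2_LOG_REDACTION_ENABLED": "false"}
if __name__ == "__main__":
    for finding in audit(effective_config(SAMPLE_FILE, SAMPLE_ENV)):
        print(finding)
```

Called with no arguments, `effective_config()` reads the real process environment, so it can be run in the same shell that will start `tantoc2-server`.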