# Tang Server Setup

Tang server for remote LUKS unlock. Runs on-premises with logging for future approval system integration.

## Quick Setup

```bash
# Install Tang
# Fedora/CentOS:
sudo dnf install tang
# Ubuntu:
sudo apt install tang

# Enable and start the Tang socket
sudo systemctl enable tangd.socket
sudo systemctl start tangd.socket

# Generate keys
sudo mkdir -p /var/db/tang
sudo tangd-keygen /var/db/tang

# Get thumbprint for Ignition config
sudo tang-show-keys /var/db/tang
```

## Security

### Connection Security

- Tang uses HTTPS for all connections
- Each connection is encrypted end-to-end
- Tang verifies client identity through challenge-response
- Client verifies Tang's identity through signed advertisements

### Request Logging

To log all unlock requests:

1. Create a wrapper script:

```bash
#!/bin/bash
# /usr/local/bin/tangd-wrapper
# tangd.socket uses Accept=yes, so systemd spawns one tangd@ instance per
# connection and exports the peer address to it as REMOTE_ADDR.

CLIENT_IP="${REMOTE_ADDR:-unknown}"
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
LOG=/var/log/tang-requests.log

echo "$TIMESTAMP: Unlock request from $CLIENT_IP" >> "$LOG"
wall "Tang unlock request from $CLIENT_IP at $TIMESTAMP"   # Notify all TTYs

# Run tangd in the foreground (not exec), otherwise nothing after it would run.
# The key directory is passed through from the systemd unit via "$@".
/usr/libexec/tangd "$@"
RC=$?
echo "$TIMESTAMP: Request auto-approved (tangd exit status $RC)" >> "$LOG"
exit $RC
```

Or use the wrapper provided by [raven](https://git.dominik-roth.eu/dodox/raven) to refuse unlocks upon its activation.

2. Make it executable:

```bash
sudo chmod +x /usr/local/bin/tangd-wrapper
```

3. Configure systemd to use the wrapper:

```bash
# ExecStart belongs to the per-connection service template tangd@.service,
# not to tangd.socket, so the override directory is tangd@.service.d
sudo mkdir -p /etc/systemd/system/tangd@.service.d/

# Create override file (the empty ExecStart= clears the packaged command first)
sudo tee /etc/systemd/system/tangd@.service.d/override.conf << 'EOF'
[Service]
ExecStart=
ExecStart=/usr/local/bin/tangd-wrapper /var/db/tang
EOF

# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart tangd.socket
```

Now when a server requests an unlock:

1. A message appears on all TTYs (including SSH sessions)
2. The request is logged to `/var/log/tang-requests.log`
3. The request is automatically approved
4. All actions are logged with timestamps

Future integration points:

- Add webhook support to notify Slack/Discord
- Add approval via web interface
- Add rate limiting
- Add client whitelisting

## Backup

```bash
# Backup keys
sudo tar -czf tang-keys-$(date +%Y%m%d).tar.gz /var/db/tang/
```

## Recovery

If keys are lost:

1. Generate new keys
2. Update all client configurations
3. Re-encrypt all client systems
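The following extends the wrapper from the Request Logging section with the client whitelisting listed under future integration points. It is an added example, not the page's wrapper and not the raven project's code. It assumes that systemd's Accept=yes activation exports the peer address as REMOTE_ADDR, that tangd lives at /usr/libexec/tangd, and an allowlist file at the hypothetical path /etc/tang/allowed-clients. A peer that is not listed gets its connection closed without any response, and every decision is appended to the same log file in the same line format the page uses.

```shell
#!/bin/sh
# Added example: /usr/local/bin/tangd-wrapper with a client allowlist.
# Not the page's or raven's code. Assumes tangd.socket (Accept=yes) exports
# REMOTE_ADDR, tangd at /usr/libexec/tangd, and the hypothetical allowlist
# file /etc/tang/allowed-clients (one address per line, '#' starts a comment).
LOG="${TANG_LOG:-/var/log/tang-requests.log}"
ALLOWLIST="${TANG_ALLOWLIST:-/etc/tang/allowed-clients}"
TANGD="${TANGD_BIN:-/usr/libexec/tangd}"

# client_allowed IP FILE -> success only if IP is an exact (non-comment) line of FILE.
# A missing or unreadable allowlist denies everyone: the wrapper fails closed.
client_allowed() {
    ip=$1
    file=$2
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$file" | grep -qxF -- "$ip"
}

# log_event FILE MESSAGE -> append one line in the format the page's wrapper writes
log_event() {
    printf '%s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$2" >> "$1"
}

# Dispatch only when systemd handed us a connection (REMOTE_ADDR is set);
# sourcing the file elsewhere just defines the functions above.
if [ -n "${REMOTE_ADDR:-}" ]; then
    if client_allowed "$REMOTE_ADDR" "$ALLOWLIST"; then
        log_event "$LOG" "Unlock request from $REMOTE_ADDR: allowed"
        wall "Tang unlock request from $REMOTE_ADDR (allowed)" 2>/dev/null
        "$TANGD" "$@"                  # foreground, not exec, so the result can be logged
        rc=$?
        log_event "$LOG" "Request from $REMOTE_ADDR finished with tangd exit status $rc"
        exit "$rc"
    fi
    log_event "$LOG" "Unlock request from $REMOTE_ADDR: REFUSED (not on allowlist)"
    wall "Tang unlock request from $REMOTE_ADDR REFUSED" 2>/dev/null
    exit 1                             # nothing is written to the socket, so no key share leaves the host
fi
```

The systemd override from step 3 needs no change, because the script path and the key directory argument stay the same; only the allowlist file has to exist and be readable by the service.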
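Once /var/log/tang-requests.log from the Request Logging section exists, the rate limiting named under future integration points can at least be observed before it is enforced. The report below is an added example, not part of the page or of tang; it parses the page's own log line format (`YYYY-MM-DD HH:MM:SS: Unlock request from IP`), counts requests per client and flags any client that made more than a threshold of requests within one clock minute, since one legitimate boot needs a single request. The sample log is constructed inline.

```shell
#!/bin/sh
# Added example (not from the page): summarise the wrapper's request log.
# Input format, as written by the page's wrapper:
#   2024-05-01 06:12:03: Unlock request from 10.0.0.5
# Lines such as "Request auto-approved" carry no client and are ignored.

# requests_per_ip LOGFILE -> "IP COUNT" lines, highest count first
requests_per_ip() {
    grep 'Unlock request from' "$1" \
    | awk '{ ip = $6; sub(/:$/, "", ip); n[ip]++ }
           END { for (ip in n) print ip, n[ip] }' \
    | sort -k2,2nr -k1,1
}

# burst_clients LOGFILE THRESHOLD -> "IP DATE HH:MM COUNT" for every client that
# made more than THRESHOLD requests inside the same clock minute
burst_clients() {
    grep 'Unlock request from' "$1" \
    | awk -v limit="$2" '{ ip = $6; sub(/:$/, "", ip)
                           minute = $1 " " substr($2, 1, 5)
                           n[ip SUBSEP minute]++ }
           END { for (k in n) if (n[k] > limit) {
                     split(k, p, SUBSEP); print p[1], p[2], n[k] } }' \
    | sort
}

# sample_log FILE -> constructed log: two normal boots plus one client
# retrying four times within a minute
sample_log() {
    cat > "$1" <<'EOF'
2024-05-01 06:12:03: Unlock request from 10.0.0.5
2024-05-01 06:12:03: Request auto-approved
2024-05-01 06:40:11: Unlock request from 10.0.0.6
2024-05-01 06:40:11: Request auto-approved
2024-05-01 07:02:15: Unlock request from 10.0.0.9
2024-05-01 07:02:16: Unlock request from 10.0.0.9
2024-05-01 07:02:16: Unlock request from 10.0.0.9
2024-05-01 07:02:17: Unlock request from 10.0.0.9
2024-05-01 07:30:00: Unlock request from 10.0.0.5
EOF
}

# Usage: sh tang-log-report.sh /var/log/tang-requests.log [threshold]
if [ $# -ge 1 ]; then
    echo "== requests per client =="
    requests_per_ip "$1"
    echo "== clients exceeding ${2:-1} requests in one minute =="
    burst_clients "$1" "${2:-1}"
fi
```

Both functions only need POSIX awk, grep and sort, so the report can run on the Tang host itself from cron; a client that shows up in the burst list is either failing to decrypt its share or is being asked for unlocks it did not initiate, and either case deserves a look before the request is treated as routine.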
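The Backup section's tar command is only useful if the archive really contains the current keys, since the Recovery section's alternative is re-encrypting every client. The check below is an added example, not from the page or from tang: it extracts the archive to a scratch directory and compares every key file in the live directory byte for byte against its copy, covering rotated keys too (tang renames those with a leading dot, and the page's tar command archives the whole directory). It assumes tar, cmp and mktemp; the key files used in the test are constructed stand-ins, not real JWKs.

```shell
#!/bin/sh
# Added example (not from the page): verify a tang-keys-YYYYMMDD.tar.gz backup
# against the live key directory before relying on it for recovery.
KEYDIR="${TANG_DB:-/var/db/tang}"

# backup_keys DIR ARCHIVE -> same archive layout as the page's Backup command
backup_keys() {
    tar -czf "$2" "$1" 2>/dev/null      # tar drops the leading / from member names
}

# verify_backup ARCHIVE DIR -> 0 when every *.jwk and .*.jwk in DIR is present in
# ARCHIVE with identical bytes; 1 if any file is missing or differs, or DIR has no keys
verify_backup() {
    archive=$1
    dir=$2
    work=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    rc=0
    found=0
    for f in "$dir"/*.jwk "$dir"/.*.jwk; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        found=$((found + 1))
        copy="$work/${f#/}"              # mirror the path tar stored
        if [ ! -f "$copy" ] || ! cmp -s "$f" "$copy"; then
            echo "backup lacks current $(basename "$f")" >&2
            rc=1
        fi
    done
    rm -rf "$work"
    [ "$found" -gt 0 ] || { echo "no key files found in $dir" >&2; rc=1; }
    return "$rc"
}

# Usage: sh verify-tang-backup.sh tang-keys-YYYYMMDD.tar.gz [/var/db/tang]
if [ $# -ge 1 ]; then
    verify_backup "$1" "${2:-$KEYDIR}" && echo "backup matches ${2:-$KEYDIR}"
fi
```

Run it right after taking the backup and again after any key rotation, because a backup taken before `tangd-keygen` added a new key passes the first check and silently fails the second.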