
Tang server on Turris Omnia

Security: By following these steps you will expose a service on the network, which may leave your systems vulnerable. Make sure to restrict access to the service, for example by configuring your firewall accordingly.

Warranty: There is no warranty that this setup works for any system which provides the dependencies listed below. I'm just providing this information because it worked for me. If you have questions you can leave a message here, but I decide whether I'll answer and help or not.

I'm using a Turris Omnia as my router.

My server stores its data on encrypted ZFS, while the encryption key is a random blob file stored on a cryptsetup volume. The cryptsetup volume is unlocked automatically at boot using the Clevis & Tang approach. As the router is always running, I chose it as the system running Tang.

The Tang version provided by Turris is too old for the latest Clevis setups. That is why installing the package from the repository does not work. Because of that I decided to run Tang within LXC.

Here are the steps for that:

  1. log in to the router via SSH

  2. update the templates and create the container (note that `--no-validate` skips GPG verification of the downloaded image):

    lxc-create -n tang -t download -- --no-validate -a "$(uname -m)" -r latest -d ArchLinux
    
  3. connect to the LXC container: lxc-attach tang

  4. install updates: pacman -Syu

  5. install Tang: pacman -Sy tang

  6. change the hostname: hostnamectl hostname tang

  7. disable unnecessary services:

    systemctl stop container-getty@{0..3}.service console-getty.service man-db.timer shadow.timer
    systemctl mask container-getty@{0..3}.service console-getty.service man-db.timer shadow.timer
    
  8. configure the tangd port, as the default port 80 is already used by TurrisOS:

    mkdir /etc/systemd/system/tangd.socket.d
    cat > /etc/systemd/system/tangd.socket.d/socket.conf <<EOF
    [Socket]
    # the empty assignment clears ListenStream=80 from the packaged unit;
    # without it the drop-in only adds 8888 next to port 80
    ListenStream=
    ListenStream=8888
    Accept=true
    EOF
    
  9. start tangd:

    systemctl enable tangd.socket --now
    
  10. force key generation:

    curl localhost:8888/adv
    
  11. back up the files in /var/db/tang/ to a really secure place (e.g. a password safe), as you will not be able to decrypt any data without them

  12. leave the container via Ctrl+D or the exit command

  13. get the IP address of the container: lxc-ls -f

  14. if your DHCP clients are not allowed to register hostnames, configure your DNS to point a name at this IP address

  15. configure your Clevis clients to use this Tang server via that DNS name
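After step 15 the Clevis clients should trust only this Tang server's signing key, so pin its thumbprint (the "thp" value of the Clevis tang pin) and compare it with what `tang-show-keys 8888` prints inside the container. The following Python script is an added example, not part of this guide: it computes the RFC 7638 thumbprints of the keys in a /adv response; the sample advertisement, its key coordinates and its signature are constructed placeholders.

```python
"""Thumbprints of the keys a Tang server advertises; pin the signing one as Clevis "thp"."""
import base64
import hashlib
import json

# RFC 7638: members that form the canonical JSON hashed for the thumbprint, per key type.
THP_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwk_thumbprint(jwk, hash_name="sha256"):
    """RFC 7638 thumbprint; S256 is the jose/tang default (older tang releases used S1)."""
    if jwk.get("kty") not in THP_MEMBERS:
        raise ValueError(f"unsupported key type: {jwk.get('kty')}")
    canonical = json.dumps({m: jwk[m] for m in THP_MEMBERS[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.new(hash_name, canonical.encode()).digest())


def tang_key_thumbprints(adv):
    """Split the advertised JWK set into signing keys (pin these) and exchange keys.
    Both the flattened and the general JWS JSON forms carry the set in "payload"."""
    signing, exchange = [], []
    for jwk in json.loads(b64url_decode(adv["payload"]))["keys"]:
        ops = set(jwk.get("key_ops", []))
        if "verify" in ops:
            signing.append(jwk_thumbprint(jwk))
        if "deriveKey" in ops:
            exchange.append(jwk_thumbprint(jwk))
    if not signing or not exchange:
        raise ValueError("advertisement lacks a signing key or an exchange key")
    return {"signing": signing, "exchange": exchange}


# Constructed fixture: the shape of tangd's /adv output with placeholder coordinates
# and a dummy signature (clevis/jose verify the real signature; this script does not).
SAMPLE_KEYS = [
    {"alg": "ES512", "kty": "EC", "crv": "P-521", "key_ops": ["sign", "verify"], "x": "sigX", "y": "sigY"},
    {"alg": "ECMR", "kty": "EC", "crv": "P-521", "key_ops": ["deriveKey"], "x": "exchX", "y": "exchY"},
]
SAMPLE_ADV = {"payload": b64url_encode(json.dumps({"keys": SAMPLE_KEYS}).encode()),
              "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
              "signature": "constructed-dummy"}
```

To run it against the live server, replace SAMPLE_ADV with `json.load(urllib.request.urlopen("http://tang:8888/adv"))`; the script only extracts thumbprints and leaves signature verification of the advertisement to clevis/jose.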

🎉 Congratulations you are running Tang on your Turris router. 🎉