chore: add barebones compose file

This PR starts the process of trying to improve our on-prem setup. A barebones compose file that I'll be working into the docs. Signed-off-by: Spencer Smith <[email protected]>
siderolabs · Apr 5, 2024 · 7fb5d2b · 7fb5d2b
1 parent 9d35dfe
commit 7fb5d2b
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/deploy/README.md b/deploy/README.md
@@ -0,0 +1,4 @@
+## Omni On-Prem Compose File
+
+- Copy `env.template` and edit all fields necessary to match local paths to keys, domain names, etc.
+- Run docker compose, supplying the environment file edited above: `docker compose --env-file <path-to-env> up -d`
diff --git a/deploy/compose.yaml b/deploy/compose.yaml
@@ -0,0 +1,32 @@
+name: omni-on-prem
+version: '3'
+services:
+  omni:
+    container_name: omni
+    image: "ghcr.io/siderolabs/omni:${OMNI_IMG_TAG}"
+    volumes:
+            - ${ETCD_VOLUME_PATH}:/_out/etcd
+            - ${ETCD_ENCRYPTION_KEY}:/omni.asc
+            - ${TLS_CERT}:/tls.crt
+            - ${TLS_KEY}:/tls.key
+    network_mode: "host"
+    cap_add:
+      - NET_ADMIN
+    command: >
+      --account-id=${OMNI_ACCOUNT_UUID} 
+      --name=${NAME} 
+      --cert=/tls.crt
+      --key=/tls.key
+      --machine-api-cert=/tls.crt
+      --machine-api-key=/tls.key
+      --private-key-source='file:///omni.asc' 
+      --event-sink-port=${EVENT_SINK_PORT}
+      --bind-addr=${BIND_ADDR}
+      --machine-api-bind-addr=${MACHINE_API_BIND_ADDR}
+      --k8s-proxy-bind-addr=${K8S_PROXY_BIND_ADDR}
+      --advertised-api-url=${ADVERTISED_API_URL}
+      --advertised-kubernetes-proxy-url=${ADVERTISED_K8S_PROXY_URL}
+      --siderolink-api-advertised-url=${SIDEROLINK_ADVERTISED_API_URL}
+      --siderolink-wireguard-advertised-addr=${SIDEROLINK_WIREGUARD_ADVERTRISED_ADDR}
+      --initial-users=${INITIAL_USER_EMAILS}
+      ${AUTH}
diff --git a/deploy/env.template b/deploy/env.template
@@ -0,0 +1,36 @@
+# Omni
+OMNI_IMG_TAG=<latest-stable-omni-release>
+OMNI_ACCOUNT_UUID=<generated-uuid>
+NAME=omni
+EVENT_SINK_PORT=8091
+
+## Keys and Certs
+TLS_CERT=<full-path-to-fullchain-cert>
+TLS_KEY=<full-path-to-private-key>
+ETCD_VOLUME_PATH=<full-path-to-etcd-directory>
+ETCD_ENCRYPTION_KEY=<full-path-to-etcd-encryption-key>
+
+## Binding
+BIND_ADDR=0.0.0.0:443
+SIDEROLINK_API_BIND_ADDR=0.0.0.0:8090
+K8S_PROXY_BIND_ADDR=0.0.0.0:8100
+
+## Domains and Advertisements
+OMNI_DOMAIN_NAME="<omni-host-domain-name>"
+ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}"
+SIDEROLINK_ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}:8090/"
+ADVERTISED_K8S_PROXY_URL="https://${OMNI_DOMAIN_NAME}:8100/"
+SIDEROLINK_WIREGUARD_ADVERTRISED_ADDR="<omni-host-ip>:50180"
+
+## Users
+INITIAL_USER_EMAILS='<initial-emails>'
+
+## Authentication
+#Auth0
+AUTH='--auth-auth0-enabled=true \
+      --auth-auth0-domain=<auth0-domain> \
+      --auth-auth0-client-id=<auth0-client-id>'
+# Or, when using SAML:
+# AUTH='--auth-saml-enabled=true \
+#       --auth-saml-url=<saml-url>'
+#Only one AUTH version can be used at a time, so ensure to remove the one you don't use.