From 7fb5d2b20a9372e1a0906b9384696daf93a45c51 Mon Sep 17 00:00:00 2001
From: Spencer Smith
Date: Tue, 2 Apr 2024 21:00:24 -0400
Subject: [PATCH] chore: add barebones compose file
This PR starts the process of trying to improve our on-prem setup. A barebones compose file that I'll be working into the docs.
Signed-off-by: Spencer Smith
---
 deploy/README.md | 4 ++++
 deploy/compose.yaml | 32 ++++++++++++++++++++++++++++++++
 deploy/env.template | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 deploy/README.md
 create mode 100644 deploy/compose.yaml
 create mode 100644 deploy/env.template
diff --git a/deploy/README.md b/deploy/README.md
new file mode 100644
index 00000000..8cc11b15
--- /dev/null
+++ b/deploy/README.md
@@ -0,0 +1,4 @@
+## Omni On-Prem Compose File
+
+- Copy `env.template` and edit all fields necessary to match local paths to keys, domain names, etc.
+- Run docker compose, supplying the environment file edited above: `docker compose --env-file up -d`
\ No newline at end of file
diff --git a/deploy/compose.yaml b/deploy/compose.yaml
new file mode 100644
index 00000000..6cd344ee
--- /dev/null
+++ b/deploy/compose.yaml
@@ -0,0 +1,32 @@
+name: omni-on-prem
+version: '3'
+services:
+ omni:
+ container_name: omni
+ image: "ghcr.io/siderolabs/omni:${OMNI_IMG_TAG}"
+ volumes:
+ - ${ETCD_VOLUME_PATH}:/_out/etcd
+ - ${ETCD_ENCRYPTION_KEY}:/omni.asc
+ - ${TLS_CERT}:/tls.crt
+ - ${TLS_KEY}:/tls.key
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ command: >
+ --account-id=${OMNI_ACCOUNT_UUID}
+ --name=${NAME}
+ --cert=/tls.crt
+ --key=/tls.key
+ --machine-api-cert=/tls.crt
+ --machine-api-key=/tls.key
+ --private-key-source='file:///omni.asc'
+ --event-sink-port=${EVENT_SINK_PORT}
+ --bind-addr=${BIND_ADDR}
+ --machine-api-bind-addr=${MACHINE_API_BIND_ADDR}
+ --k8s-proxy-bind-addr=${K8S_PROXY_BIND_ADDR}
+ --advertised-api-url=${ADVERTISED_API_URL}
+ --advertised-kubernetes-proxy-url=${ADVERTISED_K8S_PROXY_URL}
+ --siderolink-api-advertised-url=${SIDEROLINK_ADVERTISED_API_URL}
+ --siderolink-wireguard-advertised-addr=${SIDEROLINK_WIREGUARD_ADVERTRISED_ADDR}
+ --initial-users=${INITIAL_USER_EMAILS}
+ ${AUTH}
\ No newline at end of file
diff --git a/deploy/env.template b/deploy/env.template
new file mode 100644
index 00000000..75f0d7ea
--- /dev/null
+++ b/deploy/env.template
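Review bot: `--machine-api-bind-addr=${MACHINE_API_BIND_ADDR}` references a variable that the accompanying env.template (next hunk) never defines; the template sets `SIDEROLINK_API_BIND_ADDR=0.0.0.0:8090` instead, so with the template as shipped the flag renders as `--machine-api-bind-addr=` with an empty value, and one of the two names should be renamed to match. The TLS certificate, TLS key and etcd encryption key are mounted read-write although nothing here needs to write them; mounting them `- ${TLS_KEY}:/tls.key:ro` (likewise for `/tls.crt` and `/omni.asc`) limits what a compromised container can alter. `network_mode: "host"` combined with `cap_add: NET_ADMIN` gives the container control over the host's network stack, so a comment above `network_mode` stating why it is needed (presumably the WireGuard listener behind `--siderolink-wireguard-advertised-addr`) would stop operators from dropping or broadening it blindly. `version: '3'` is ignored by the Compose specification and only produces a warning, so it can be dropped. The misspelling in `SIDEROLINK_WIREGUARD_ADVERTRISED_ADDR` is consistent with env.template and therefore works, but it is worth fixing while both files are new.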
@@ -0,0 +1,36 @@
+# Omni
+OMNI_IMG_TAG=
+OMNI_ACCOUNT_UUID=
+NAME=omni
+EVENT_SINK_PORT=8091
+
+## Keys and Certs
+TLS_CERT=
+TLS_KEY=
+ETCD_VOLUME_PATH=
+ETCD_ENCRYPTION_KEY=
+
+## Binding
+BIND_ADDR=0.0.0.0:443
+SIDEROLINK_API_BIND_ADDR=0.0.0.0:8090
+K8S_PROXY_BIND_ADDR=0.0.0.0:8100
+
+## Domains and Advertisements
+OMNI_DOMAIN_NAME=""
+ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}"
+SIDEROLINK_ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}:8090/"
+ADVERTISED_K8S_PROXY_URL="https://${OMNI_DOMAIN_NAME}:8100/"
+SIDEROLINK_WIREGUARD_ADVERTRISED_ADDR=":50180"
+
+## Users
+INITIAL_USER_EMAILS=''
+
+## Authentication
+#Auth0
+AUTH='--auth-auth0-enabled=true \
+ --auth-auth0-domain= \
+ --auth-auth0-client-id='
+# Or, when using SAML:
+# AUTH='--auth-saml-enabled=true \
+# --auth-saml-url='
+#Only one AUTH version can be used at a time, so ensure to remove the one you don't use.
\ No newline at end of file
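Review bot: `AUTH` is the only value that spans several lines, and its single quotes keep the trailing backslash-newline sequences literal under the dotenv rules Compose applies (as far as I can tell), so what is substituted for `${AUTH}` in `command` carries embedded `\` and newline characters rather than three clean flags. Flattening it to one line, `AUTH='--auth-auth0-enabled=true --auth-auth0-domain= --auth-auth0-client-id='`, avoids depending on how the command string is later word-split; either way the rendered value should be checked with `docker compose --env-file <env file> config` before the snippet goes into the docs. The key-related variables give no hint that they are host paths rather than key material, so a comment such as `# host path to the private key mounted at /omni.asc (consumed via --private-key-source in compose.yaml)` above `ETCD_ENCRYPTION_KEY=` would keep operators from pasting the key itself here. The comments `#Auth0` and `#Only one AUTH version ...` lack the space after `#` used elsewhere in the file. The README added in this commit invokes `docker compose --env-file up -d`, which omits the path to the edited copy of this file.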