siderolabs / omni

SaaS-simple deployment of Kubernetes - on your own hardware.


publish docker-compose with bare minimum requirements for on-prem

rsmitty opened this issue · comments

With the release of the image-factory integration into Omni, we will now have to require image-factory in the on-prem environment if folks do not wish to use the service. We should publish a compose file with the following containers for on-prem users, such that on-prem users have a good experience and it's easy to deploy:

- image factory
- docker registry (insecure, for factory to push to)
- discovery service
- omni

Would also like to see the entire thing baked into a machine image. Talking to at least several of our on-prem prospects (not concerning Omni or Talos, yet), the ask for a machine image has been common.

A helm chart for an on-prem kubernetes installation of Omni would be awesome!

This would actually help me get a philosophical grip on how sidero runs omni.
I'm behind on documentation reading, because I always am, but I can be a sounding board for some of what might be considered bare minimum?

For instance, the airgap doc is confusing ~ https://omni.siderolabs.com/docs/tutorials/install-airgapped-omni/

Is a git server / keycloak required or highly recommended for running Omni airgapped? I would assume the docker-compose would need to follow a similar structure to the airgapped setup. Where do we draw the line at bare minimum?

The current config that I found - this is my best stab at starting to fill it out
https://github.com/siderolabs/omni/tree/main/deploy

# Omni
OMNI_IMG_TAG=v.0.34.0

OMNI_ACCOUNT_UUID= 

Is this any generated uuid? I don't have an omni account uuid
If I just need to generate a random uuid, I'd drop ACCOUNT from the variable declaration.
Makes me think I have to go sign up for an omni account somewhere. Dumb complaint, but I barely know what I'm doing.

NAME=omni
EVENT_SINK_PORT=8091

## Keys and Certs
TLS_CERT=t.crt
TLS_KEY=t.key

I don't just have etcd running in this test environment; I would hope to set this up after setting Omni up. This is my first chicken-and-egg problem. Can omni configure etcd post setup?

ETCD_VOLUME_PATH=<full-path-to-etcd-directory>
ETCD_ENCRYPTION_KEY=<full-path-to-etcd-encryption-key>

## Binding
BIND_ADDR=0.0.0.0:443
SIDEROLINK_API_BIND_ADDR=0.0.0.0:8090
K8S_PROXY_BIND_ADDR=0.0.0.0:8100

## Domains and Advertisements
OMNI_DOMAIN_NAME="<omni-host-domain-name>"
ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}"
SIDEROLINK_ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}:8090/"
ADVERTISED_K8S_PROXY_URL="https://${OMNI_DOMAIN_NAME}:8100/"
SIDEROLINK_WIREGUARD_ADVERTRISED_ADDR="<omni-host-ip>:50180"

SMTP is another thing that would be nice to set up after the fact, but I'm not sure if that's what the initial user emails setup is for here.

## Users
INITIAL_USER_EMAILS='<initial-emails>'

I also don't have external auth set up, unless you count LDAP. Is auth integration also required in order to boot omni up the first time? Or is it a nice-to-have?

## Authentication
#Auth0
AUTH='--auth-auth0-enabled=true \
      --auth-auth0-domain=<auth0-domain> \
      --auth-auth0-client-id=<auth0-client-id>'
# Or, when using SAML:
# AUTH='--auth-saml-enabled=true \
#       --auth-saml-url=<saml-url>'
#Only one AUTH version can be used at a time, so ensure to remove the one you don't use.

Thanks for pushing this forward, hopefully me bumbling around behind you will help.
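The .env walked through in the comment above is easy to ship half-filled: a `<placeholder>` left in a URL, a private key that is world-readable on the host, or both AUTH variants active at once. The script below is an added example and is not code from the Omni project or from anyone in this thread. It assumes the variable names of that .env, treats any remaining `<...>` as unfilled, evaluates the file as shell (so only point it at a file you wrote), and builds a constructed sample file for a self-demo; the domain, UUID, email and Auth0 values in that sample are made up.

```shell
#!/bin/sh
# Added example, not code from the Omni project: a pre-flight check for an
# on-prem Omni .env laid out like the one quoted in this thread.
# Assumptions: variable names follow that .env; "<...>" means "still unfilled";
# the file is shell syntax and is evaluated (only check files you wrote).

check_omni_env() {
  env_file="$1"
  [ -f "$env_file" ] || { echo "FAIL: $env_file not found" >&2; return 1; }
  case "$env_file" in */*) ;; *) env_file="./$env_file" ;; esac
  (
    # Subshell: the file's variables do not leak into the caller.
    . "$env_file" || exit 1
    errors=0
    fail() { echo "FAIL: $*" >&2; errors=$((errors + 1)); }

    # 1. Required settings present, and no "<placeholder>" left behind.
    for var in OMNI_IMG_TAG OMNI_ACCOUNT_UUID NAME TLS_CERT TLS_KEY \
               ETCD_VOLUME_PATH ETCD_ENCRYPTION_KEY OMNI_DOMAIN_NAME \
               ADVERTISED_API_URL INITIAL_USER_EMAILS AUTH; do
      eval "val=\${$var:-}"
      case "$val" in
        "")        fail "$var is empty" ;;
        *"<"*">"*) fail "$var still holds a placeholder: $val" ;;
      esac
    done

    # 2. The account id must at least have the shape of a UUID.
    echo "${OMNI_ACCOUNT_UUID:-}" | grep -Eiq \
      '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
      || fail "OMNI_ACCOUNT_UUID is not a UUID"

    # 3. Cert present; private keys present and not readable by "others".
    [ -f "${TLS_CERT:-}" ] || fail "TLS_CERT file missing"
    for f in "${TLS_KEY:-}" "${ETCD_ENCRYPTION_KEY:-}"; do
      [ -f "$f" ] || { fail "key file missing: $f"; continue; }
      mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
      case "$mode" in
        *0) ;;                                  # others have no bits set
        *)  fail "$f is readable by others (mode $mode)" ;;
      esac
    done
    [ -d "${ETCD_VOLUME_PATH:-}" ] || fail "ETCD_VOLUME_PATH is not a directory"

    # 4. Exactly one auth backend, as the comment in the .env demands.
    n=0
    case "${AUTH:-}" in *--auth-auth0-enabled=true*) n=$((n + 1)) ;; esac
    case "${AUTH:-}" in *--auth-saml-enabled=true*)  n=$((n + 1)) ;; esac
    [ "$n" -eq 1 ] || fail "AUTH must enable exactly one of Auth0 or SAML (found $n)"

    [ "$errors" -eq 0 ] && echo "OK: $env_file" || echo "$errors problem(s) in $env_file" >&2
    exit "$errors"      # exit status = number of problems found
  )
}

# Writes a constructed, valid sample .env plus stand-in key files into $1.
# Every value below is made up for the demo; real deployments fill their own.
make_sample_env() {
  dir="$1"
  printf 'constructed-cert\n' > "$dir/t.crt"
  printf 'constructed-key\n'  > "$dir/t.key";    chmod 600 "$dir/t.key"
  printf 'constructed-pgp\n'  > "$dir/etcd.key"; chmod 600 "$dir/etcd.key"
  mkdir -p "$dir/etcd"
  cat > "$dir/.env" <<EOF
# Constructed sample in the layout quoted in the thread
OMNI_IMG_TAG=v0.34.0
OMNI_ACCOUNT_UUID=4d7e7c7e-1b3d-4f4a-9d5b-1c2e3f4a5b6c
NAME=omni
EVENT_SINK_PORT=8091
TLS_CERT=$dir/t.crt
TLS_KEY=$dir/t.key
ETCD_VOLUME_PATH=$dir/etcd
ETCD_ENCRYPTION_KEY=$dir/etcd.key
BIND_ADDR=0.0.0.0:443
SIDEROLINK_API_BIND_ADDR=0.0.0.0:8090
K8S_PROXY_BIND_ADDR=0.0.0.0:8100
OMNI_DOMAIN_NAME="omni.example.internal"
ADVERTISED_API_URL="https://\${OMNI_DOMAIN_NAME}"
SIDEROLINK_ADVERTISED_API_URL="https://\${OMNI_DOMAIN_NAME}:8090/"
ADVERTISED_K8S_PROXY_URL="https://\${OMNI_DOMAIN_NAME}:8100/"
INITIAL_USER_EMAILS='admin@example.internal'
AUTH='--auth-auth0-enabled=true \\
      --auth-auth0-domain=example.us.auth0.com \\
      --auth-auth0-client-id=constructed-client-id'
EOF
  echo "$dir/.env"
}

# Usage: sh check-env.sh deploy/.env   |   sh check-env.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); check_omni_env "$(make_sample_env "$tmp")"; rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
  check_omni_env "$1"
fi
```

The exit status is the number of problems found, so the check drops straight into a deploy script (`sh check-env.sh deploy/.env && docker compose up -d`). The mode check only looks at the "others" bits, which is the minimum that matters for a key sitting next to a compose file; tighten it to `600` if the host has other local users.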