name: omni-on-prem
services:
  omni:
    container_name: omni
    image: "ghcr.io/siderolabs/omni:${OMNI_IMG_TAG}"
    devices:
      - /dev/net/tun
    volumes:
      - ${ETCD_VOLUME_PATH}:/_out/etcd
      - ${ETCD_ENCRYPTION_KEY}:/omni.asc
      - ${TLS_CERT}:/tls.crt
      - ${TLS_KEY}:/tls.key
    network_mode: "host"
    cap_add:
      - NET_ADMIN
    command: >
      --account-id=${OMNI_ACCOUNT_UUID} 
      --name=${NAME} 
      --cert=/tls.crt
      --key=/tls.key
      --machine-api-cert=/tls.crt
      --machine-api-key=/tls.key
      --private-key-source='file:///omni.asc' 
      --event-sink-port=${EVENT_SINK_PORT}
      --bind-addr=${BIND_ADDR}
      --machine-api-bind-addr=${MACHINE_API_BIND_ADDR}
      --k8s-proxy-bind-addr=${K8S_PROXY_BIND_ADDR}
      --advertised-api-url=${ADVERTISED_API_URL}
      --advertised-kubernetes-proxy-url=${ADVERTISED_K8S_PROXY_URL}
      --siderolink-api-advertised-url=${SIDEROLINK_ADVERTISED_API_URL}
      --siderolink-wireguard-advertised-addr=${SIDEROLINK_WIREGUARD_ADVERTISED_ADDR}
      --initial-users=${INITIAL_USER_EMAILS}
      ${AUTH}