From 3d60cb6706072793099f81a01f91829675c2ac4b Mon Sep 17 00:00:00 2001
From: William P <me@williamtpeebles.com>
Date: Thu, 9 Apr 2026 18:02:06 +0000
Subject: [PATCH] add omni

---
 kubernetes/charts/default.nix             |  1 +
 kubernetes/charts/omni.nix                | 88 +++++++++++++++++++++++
 kubernetes/secrets/default.nix            |  1 +
 kubernetes/secrets/omni/omni-etcd-key.nix | 17 +++++
 security/sops.nix                         |  2 +
 security/sops_nix.yaml                    |  5 +-
 6 files changed, 112 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/charts/omni.nix
 create mode 100644 kubernetes/secrets/omni/omni-etcd-key.nix

diff --git a/kubernetes/charts/default.nix b/kubernetes/charts/default.nix
index 675f863..2048d99 100644
--- a/kubernetes/charts/default.nix
+++ b/kubernetes/charts/default.nix
@@ -3,5 +3,6 @@
         ./cloudnativepg.nix
         ./cert-manager.nix
         ./authentik.nix
+        ./omni.nix
     ];
 }
\ No newline at end of file
diff --git a/kubernetes/charts/omni.nix b/kubernetes/charts/omni.nix
new file mode 100644
index 0000000..bdb4150
--- /dev/null
+++ b/kubernetes/charts/omni.nix
@@ -0,0 +1,88 @@
+{ pkgs, ... }:
+let
+    omniSrc = pkgs.fetchFromGitHub {
+        owner = "siderolabs";
+        repo = "omni";
+        rev = "v1.6.5";
+        hash = "sha256-FV0aPZaEejNBY/ajjdo3dURwDFu+8RInKOmeV5SVMXw=";
+    };
+
+    omniChartTarball = pkgs.runCommand "omni-chart.tgz" {
+        nativeBuildInputs = [ pkgs.gnutar ];
+    } ''
+        tar czf "$out" -C "${omniSrc}/deploy/helm" omni
+    '';
+
+    omniManifest = pkgs.runCommand "omni-manifest.yaml" {
+        nativeBuildInputs = [ pkgs.coreutils ];
+    } ''
+        chart_content=$(base64 -w 0 < "${omniChartTarball}")
+        cat > "$out" <<EOF
+        apiVersion: helm.cattle.io/v1
+        kind: HelmChart
+        metadata:
+          name: omni
+          namespace: kube-system
+        spec:
+          targetNamespace: omni
+          createNamespace: true
+          chartContent: $chart_content
+          valuesContent: |-
+            etcdEncryptionKey:
+              existingSecret: omni-etcd-key
+
+            ingress:
+              main:
+                enabled: true
+                host: weyma-omni.infra.dubyatp.xyz
+                tls:
+                  - hosts:
+                      - weyma-omni.infra.dubyatp.xyz
+                    secretName: cert-dubyatp-xyz
+              kubernetesProxy:
+                enabled: true
+                host: weyma-omni-k8s.infra.dubyatp.xyz
+                tls:
+                  - hosts:
+                      - weyma-omni-k8s.infra.dubyatp.xyz
+                    secretName: cert-dubyatp-xyz
+              siderolinkApi:
+                enabled: true
+                host: weyma-omni-siderolink.infra.dubyatp.xyz
+                tls:
+                  - hosts:
+                      - weyma-omni-siderolink.infra.dubyatp.xyz
+                    secretName: cert-dubyatp-xyz
+
+            service:
+              wireguard:
+                type: LoadBalancer
+
+            config:
+              account:
+                name: weyma-omni
+                id: a0a43f2a-d838-4fe0-96fb-ab9e60695e0b
+              auth:
+                auth0:
+                  enabled: false
+                saml:
+                  enabled: true
+                  url: https://auth.dubyatp.xyz/application/saml/omni/metadata/
+                initialUsers:
+                  - me@williamtpeebles.com
+              services:
+                api:
+                  advertisedURL: https://weyma-omni.infra.dubyatp.xyz
+                kubernetesProxy:
+                  advertisedURL: https://weyma-omni-k8s.infra.dubyatp.xyz
+                machineAPI:
+                  advertisedURL: https://weyma-omni-siderolink.infra.dubyatp.xyz
+                siderolink:
+                  wireGuard:
+                    advertisedEndpoint: 10.105.6.198:50180
+        EOF
+    '';
+in
+{
+    services.k3s.manifests."omni-chart.yaml".source = omniManifest;
+}
\ No newline at end of file
diff --git a/kubernetes/secrets/default.nix b/kubernetes/secrets/default.nix
index bf61af5..cd871cb 100644
--- a/kubernetes/secrets/default.nix
+++ b/kubernetes/secrets/default.nix
@@ -4,5 +4,6 @@
     ./cloudnativepg/weyma-pgsql-replication.nix
     ./cert-manager/cloudflare-api-token.nix
     ./authentik/authentik-credentials.nix
+    ./omni/omni-etcd-key.nix
   ];
 }
\ No newline at end of file
diff --git a/kubernetes/secrets/omni/omni-etcd-key.nix b/kubernetes/secrets/omni/omni-etcd-key.nix
new file mode 100644
index 0000000..e134edc
--- /dev/null
+++ b/kubernetes/secrets/omni/omni-etcd-key.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+    sops.templates."omni-etcd-key.yaml" = {
+        mode = "0444";
+        content = ''
+            apiVersion: v1
+            kind: Secret
+            metadata:
+                name: omni-etcd-key
+                namespace: omni
+            type: Opaque
+            data:
+                omni.asc: ${config.sops.placeholder.omni_asc_base64}
+        '';
+        path = "/var/lib/rancher/k3s/server/manifests/secrets/omni-etcd-key.yaml";
+    };
+}
\ No newline at end of file
diff --git a/security/sops.nix b/security/sops.nix
index c77c984..32100e4 100644
--- a/security/sops.nix
+++ b/security/sops.nix
@@ -32,6 +32,8 @@
             authentik_db_password = {};
             authentik_files_keyid = {};
             authentik_files_keysecret = {};
+
+            omni_asc_base64 = {};
         };
     };
 }
\ No newline at end of file
diff --git a/security/sops_nix.yaml b/security/sops_nix.yaml
index 2a7ec35..89e7e8c 100644
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
@@ -11,6 +11,7 @@ authentik_user_password: ENC[AES256_GCM,data:BJdiJouByTIoXYL3xn7zn6czVuXHheDdRKX
 authentik_db_password: ENC[AES256_GCM,data:mAYOax2eC3E4lPsseD/bjPlOnL7pFavXbfArETKy,iv:hb/VBLKNc8yU6viSWm1ds4v24kpbndbKjwf4xN5/Ha8=,tag:T22wPtEvJXWfohP/lyU9YQ==,type:str]
 authentik_files_keyid: ENC[AES256_GCM,data:342mVrO6ezaKAxDBWpnoFV2K5ZI=,iv:hCdivaMnEKl1zTC8BO+3EjdEPUDF0SHlev4N1tjprRo=,tag:zhiP0fZCW061HCyn6y8blw==,type:str]
 authentik_files_keysecret: ENC[AES256_GCM,data:KlYmsEsvINbyzoHRuru7asAysw5c9XJPdTb+YF/hb256AifG7zfp0Q==,iv:AXV6xolmQZtHzE1FmGAuLwgg3i/mMqiTWNwnXKCUNE0=,tag:frd3kvOu91hjRljUeXViNQ==,type:str]
+omni_asc_base64: ENC[AES256_GCM,data:+hZDcjfOLxyUrLC+M0tb47s71OQyJB7PzLzPwzamhooP3QZe9SOpYswHVhLeZELt1pUgm2ntIoqz9JMvoABDZZDXSob8uBsk4hLH3QJccNRxba1+laDzH3ni3OAVHZq6eSczDfX+aD+Z7JRaqp+cf4fwrb1scxE3kNL+bKcFXy0pOlqo36Ltcgr0sR5Jywf/zt8wvDGZ8GoiAMxBRIdgZL5W2/5MNqMtu1yllAPh4YU2qhrCxqKqmIKFROV/aMY3D34eW8VKOFG+3kfovNvXAA6bf9QZhkYEb1tO4ln8ULEtGmxQNyzbxnvDGmALcVgSXRCvuXK/QumxYyTGCkLrXHgC7xsqPHMU90jrLE7UVLiGsYfwuBsUVq8vmQpsQablNxzmbTSAHc+cTxBPj7ssgzJTwB4d/d2K7AJfpG4YEhv5PtyA5hYKXVunBM4N4mUiM+jqEJaJa3a9cmVxrdGfuCx3hj8sy0D2oTx6YsbX8+wg2bF+sQn+L6COH0Uw28NAFS7YBnbavLzt8PCAmi8CFgb24lYZoHwcMlbmK25etkEbEYGB6fYawqlKqhG248Ji6ACke0aylGHudX3ENfKvhOztjMQ9e5oDOetntNj3ITrjz+oMWUDlKeG8vqnZxss8aru17Mdo4/YIIVirUnO3GmqG88P1d6csJZXrglJcVHxV++CFL36a83ccGXmYFrCEmmZzxvbVCvr01L32qCEvWppw0B5jX+N2uL8gnn58PNiG+JKRMZct3ygq8Le0HI+XqxmbKRsES35KwFjeBFdEAdJ9ecFBWmUOVnGi/m6uPjgiPIrSCBBRkSFw/LdqmFPeHWAGJK6CgtLwhGfXznsy+PY1V6UkrVRoYKpX8hKVTaxPfWrSMfcWvnqw1bkPWaeicOMYRbl4Sj/hDr7UOCGnMse8LYmPcecsLYdjqsRbcDrPucgoW75EdFCIj3UXYIMcOtHa8rySItOdHnDNaf29OvWxblqd4RqTNGTwNZgkjFoMrLEwKFDQbmSjgq0PrwuZ7Lxgr4pHjYWlnAVAHLDrPaLyuY9LR+Y0jCsFcNWBtfV6E1kaiznJ2zXntlJgA5z7+KgOG1F/mJGUp4ciFqPl9FBD9XrFFgOQ4RvzMs4t8e2jUl6UJ83UlSQmGdUklmn1B+S9mF2kdHA7J3+Fh/AqYttt07ujMU/BbkUPKGIUnG7wjmG6L1bfnvj2pob5bJyi79UTma+iSH/HdoNXVt55RbkDJ5nUMxcTFCYVML3LA/w=,iv:C50Ad6hRMKKma6Ar/lS0tItjaKDQKSx1b8nS/GIUsik=,tag:w8YAfIuQHF9aPqPUAMAB1g==,type:str]
 sops:
     age:
         - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -22,7 +23,7 @@ sops:
             Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
             F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-08T14:52:06Z"
-    mac: ENC[AES256_GCM,data:vV04hhnzD7pFbTV3CRxFzg26cOlzWh8AxyjYRBxL8nwmk+v47ApNqciuVzYPaw8jjvPN9qWAZuEqbY2ZApQnzhDiSFAm7mxviZSpOFPL1AxEz40iweuFt/Q9C6pqtOR2cRDu5lti6HSsafbsKSi2rDlh6ycDn8A/dclvpJ1oMV0=,iv:oFA2uWg1opYYRoMvGuHrY8+Kz1x2AmOdYCKJl+V9bSY=,tag:dntYsHiwUHxEig+sNLxICA==,type:str]
+    lastmodified: "2026-04-08T15:30:13Z"
+    mac: ENC[AES256_GCM,data:ftM+7yM6SA96iALU6O6AqdzMsAftZeeHeajTU7fhQnU11Z9cSzBEbdrgg4jIJ9nVgoV+voHoeA3OX3NEvlC3dlnCVN+Re1xcBR8RRIptyVJxw1pEANPLUzMh3eBxtnLL/c6PFbvHogm5AOw65IwpfYLlAzSlg8agTGmHKoRVnuE=,iv:gJKXt5viHq01S28/gBaAzz3GleLz6JgNJd7vyvgWGvc=,tag:+9a2dcn3EmUhqbl7ISwuwg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2