One-Click Self-Hosted Talos Omni Deployment with Automatic TLS Trust Configuration
After spending several hours troubleshooting self-hosted Talos Omni deployments, TLS certificate chains, Dex configuration, Trusted Roots, and the dreaded:
x509: certificate signed by unknown authority
I decided to automate the entire process into a single script.
The script deploys a complete self-hosted Omni environment and automatically handles the certificate trust issues that many people encounter when onboarding Talos nodes.
What This Script Does
- Installs and configures Dex
- Deploys Omni
- Generates a self-signed internal CA
- Creates server certificates with the complete certificate chain
- Configures SideroLink
- Generates Trusted Roots configuration
- Creates the talos.config.early kernel argument
- Produces everything needed for Talos Image Factory
- Works with Proxmox, VMware, bare metal, and cloud VMs
Why This Exists
Most self-hosted Omni installation guides require multiple manual steps:
- Generate certificates
- Configure Dex
- Configure OIDC
- Fix certificate trust issues
- Create Trusted Roots
- Generate custom Talos boot media
Missing any of these steps can prevent Talos nodes from connecting successfully.
This script automates the entire workflow from start to finish.
Prerequisites
- Linux server
- Docker installed and running
- Internet access
Required Ports
| Port | Service |
|---|---|
| 443 | Omni UI |
| 5556 | Dex |
| 8090 | SideroLink API |
| 8091 | Event Sink |
| 8100 | Kubernetes Proxy |
| 50180/UDP | WireGuard |
Quick Start
Make the script executable:
chmod +x install.sh
(Optional) Customize your environment:
export OMNI_IP=<YOUR_OMNI_SERVER_IP>
export ADMIN_EMAIL=<YOUR_ADMIN_EMAIL>
./install.sh
Example:
export OMNI_IP=192.168.1.100
export ADMIN_EMAIL=admin@example.com
./install.sh
Variables
| Variable | Description |
|---|---|
| OMNI_IP | IP address or hostname of the Omni server |
| ADMIN_EMAIL | Administrator email used for Omni login |
If not provided, the script uses built-in defaults.
Login Credentials
The installer automatically creates an administrator account in Dex.
Use the email configured in:
export ADMIN_EMAIL=<YOUR_ADMIN_EMAIL>
to authenticate.
Default Password
Admin123!
This is a bootstrap credential that is public in the script; change it before the Omni UI is reachable from anything other than your own workstation.
Changing the Default Password
If you prefer a different password, generate a new bcrypt hash before running the installer:
docker run --rm -it httpd:2.4-alpine htpasswd -BnC 15 admin
You will be prompted to enter the password twice. The -B flag selects bcrypt (the hash format Dex expects) and -C 15 sets the cost factor; the "admin" username is only a label and is discarded in the next step.
Example output:
admin:$2y$15$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Copy only the hash portion after:
admin:
Open the script and search for:
DEX_PASSWORD_HASH=
Replace the existing hash with your newly generated one.
In the current version of the script, this variable is located near the beginning of the file (around line 46).
What Happens After Installation?
Once the installation completes:
Open Omni:
https://YOUR_OMNI_IP
Log in using:
Email: ADMIN_EMAIL
Password: Admin123!
(or your custom password)
Click:
Copy Kernel Parameters
Open Talos Image Factory:
https://factory.talos.dev
Build a Talos ISO using:
Recommended Settings
- Platform: Metal
- Architecture: amd64
- Extensions: siderolabs/qemu-guest-agent (for Proxmox users)
Paste the following into:
Extra kernel command line arguments
<contents of talos-config-early.arg>
<Omni Kernel Parameters>
Both go into the same field on a single line, separated by a space; the Omni parameters are the ones copied with "Copy Kernel Parameters" above.
Download the ISO and boot your nodes.
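The trusted-roots step and the Image Factory step above can be reproduced and checked by hand. The script below is an added example written for this page, not code from install.sh or from Sidero Labs: it renders a TrustedRootsConfig document from a CA PEM file, encodes it for the talos.config.early kernel argument, verifies that the encoding decodes back to the same document, and writes an Image Factory schematic that carries the early config together with whatever kernel parameters Omni printed. The file names ca.crt, trusted-roots.yaml, talos-config-early.arg and schematic.yaml and the variables CA_FILE and OMNI_KERNEL_PARAMS are this example's own. One assumption to verify against your Talos release: the value is encoded as plain base64 here; if the kernel-parameter reference for your version documents a zstd-compressed value, add a zstd step before base64.

```shell
#!/bin/sh
# Added example for this page, not part of install.sh.
# Builds the TrustedRootsConfig document for a private CA, encodes it for the
# talos.config.early kernel argument, and writes an Image Factory schematic.
set -eu

# Render a Talos TrustedRootsConfig document from a PEM CA file.
# Every PEM line is indented two spaces so it sits inside the YAML block scalar;
# a whole chain can be included, one certificate after another.
make_trusted_roots_yaml() {
  printf 'apiVersion: v1alpha1\nkind: TrustedRootsConfig\nname: omni-ca\ncertificates: |\n'
  sed 's/^/  /' "$1"
}

# Encode a YAML document as a single-line talos.config.early value.
# Assumption: plain base64 with no compression. If your Talos release documents
# a zstd-compressed value, insert "zstd -c |" before base64. Newlines are
# removed because the value has to live on the one-line kernel command line.
encode_early_config() {
  base64 < "$1" | tr -d '\n'
}

# Reverse of encode_early_config: check the argument before burning an ISO.
decode_early_config() {
  printf '%s' "$1" | base64 -d
}

# Emit an Image Factory schematic: the qemu-guest-agent extension plus the
# early config and any further kernel parameters passed as arguments
# (the ones Omni prints under "Copy Kernel Parameters").
make_schematic() {
  early_arg=$1
  shift
  printf 'customization:\n'
  printf '  systemExtensions:\n    officialExtensions:\n      - siderolabs/qemu-guest-agent\n'
  printf '  extraKernelArgs:\n    - talos.config.early=%s\n' "$early_arg"
  for p in "$@"; do
    printf '    - %s\n' "$p"
  done
}

# Stand-alone run (variable names are this example's own):
#   CA_FILE=ca.crt OMNI_KERNEL_PARAMS='<pasted from Omni>' sh ./factory-prep.sh
# Nothing runs when CA_FILE is unset, so the functions can be sourced on their own.
if [ -n "${CA_FILE:-}" ]; then
  make_trusted_roots_yaml "$CA_FILE" > trusted-roots.yaml
  early=$(encode_early_config trusted-roots.yaml)
  # Fail loudly if the encoded argument does not decode back to the document.
  [ "$(decode_early_config "$early")" = "$(cat trusted-roots.yaml)" ] || {
    echo "round-trip check of talos.config.early failed" >&2
    exit 1
  }
  printf 'talos.config.early=%s\n' "$early" > talos-config-early.arg
  # OMNI_KERNEL_PARAMS is deliberately left unquoted so each parameter becomes one argument.
  # shellcheck disable=SC2086
  make_schematic "$early" ${OMNI_KERNEL_PARAMS:-} > schematic.yaml
  echo "wrote trusted-roots.yaml, talos-config-early.arg and schematic.yaml"
fi
```

With schematic.yaml in hand you can skip the web form: POST it with curl -X POST --data-binary @schematic.yaml https://factory.talos.dev/schematics, which returns a schematic ID, and download https://factory.talos.dev/image/<schematic-id>/<talos-version>/metal-amd64.iso. The round-trip check is the part worth keeping even if you still use the form: a truncated or line-wrapped argument is the usual reason a node boots without the CA and reports the unknown-authority error again.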
Result
After booting:
- Nodes automatically join Omni
- SideroLink connects successfully
- No TLS trust errors
- No x509: certificate signed by unknown authority
- Cluster creation works immediately
Tested On
- Talos 1.13.x
- Omni Self-Hosted
- Ubuntu Server
- Docker
- Proxmox VE
Download
You can download the script here:
https://github.com/jgilbertcastro/talosomni/blob/main/install.sh
Feedback
Feedback, bug reports, and pull requests are welcome.
Hopefully this saves someone else from spending hours debugging TLS certificate chains, Trusted Roots, and Talos onboarding. 😅