Omni can be configured using a configuration file passed via --config-path (repeatable). This page documents all available configuration options, their types, and corresponding CLI flags.

account

Account contains account-related configuration.
Field (type): Description
id (string): Required. Id is the unique UUID identifier of the account. It is used to uniquely identify the account in etcd, therefore it should never be changed after initial setup. Must not be empty.
CLI flag: --account-id
Default: edd2822a-7834-4fe0-8172-cc5581f13a8d
name (string): Required. Name is the human-readable name of the account. Must not be empty.
CLI flag: --name
Default: default
maxRegisteredMachines (integer): MaxRegisteredMachines is the maximum number of registered machines allowed. 0 means unlimited. Minimum: 0.
CLI flag: --account-max-registered-machines

account.userPilot

UserPilot contains UserPilot-related configuration.
Field (type): Description
appToken (string): AppToken is the UserPilot application token.
CLI flag: --user-pilot-app-token

services

Services contains configuration for various services run by Omni.

services.api

Api contains API/UI service configuration.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the service listens on. It is in the form "host:port".
CLI flag: --bind-addr
Default: 0.0.0.0:8080
advertisedURL (string): AdvertisedURL is the URL that the service advertises to clients. It is in the form http(s)://host:port. When not set, it is generated by the system based on the endpoint and TLS cert/key configuration.
CLI flag: --advertised-api-url
Default: http://localhost:8080
certFile (string): CertFile is the path to the TLS certificate file for the service.
CLI flag: --cert
keyFile (string): KeyFile is the path to the TLS key file for the service.
CLI flag: --key

services.devServerProxy

DevServerProxy is the node dev server proxy service configuration. It exists for development purposes only.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the dev server proxy service listens on. It is in the form "host:port".
CLI flag: --frontend-bind
advertisedURL (string): AdvertisedURL is the URL that the dev server proxy service advertises to clients. It is in the form http(s)://host:port. When not set, it is generated by the system based on the endpoint and TLS cert/key configuration.
certFile (string): CertFile is the path to the TLS certificate file for the dev server proxy service.
keyFile (string): KeyFile is the path to the TLS key file for the dev server proxy service.
proxyTo (string): ProxyTo is the address to which the dev server proxy service forwards incoming requests. It is in the form http(s)://host:port.
CLI flag: --frontend-dst

services.metrics

Metrics contains metrics service configuration.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the service listens on. It is in the form "host:port".
CLI flag: --metrics-bind-addr
Default: 0.0.0.0:2122
advertisedURL (string): AdvertisedURL is the URL that the service advertises to clients. It is in the form http(s)://host:port. When not set, it is generated by the system based on the endpoint and TLS cert/key configuration.
certFile (string): CertFile is the path to the TLS certificate file for the service.
keyFile (string): KeyFile is the path to the TLS key file for the service.

services.kubernetesProxy

KubernetesProxy contains Kubernetes proxy service configuration. It is the service responsible for proxying Kubernetes API requests to the clusters.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the Kubernetes proxy service listens on. It is in the form "host:port".
CLI flag: --k8s-proxy-bind-addr
Default: 0.0.0.0:8095
advertisedURL (string): AdvertisedURL is the URL that the Kubernetes proxy service advertises to clients. It is in the form https://host:port. When not set, it is generated by the system based on the endpoint and TLS cert/key configuration. Format: must start with 'https://'.
CLI flag: --advertised-kubernetes-proxy-url
Default: https://localhost:8095
certFile (string): CertFile is the path to the TLS certificate file for the Kubernetes proxy service.
keyFile (string): KeyFile is the path to the TLS key file for the Kubernetes proxy service.
oidcCacheBaseDir (string): OidcCacheBaseDir overrides the base cache directory for kubelogin in generated kubeconfigs. When empty, kubelogin uses its default (~/.kube/cache/oidc-login).
CLI flag: --kubeconfig-oidc-cache-base-dir
oidcCacheIsolation (boolean): OidcCacheIsolation isolates OIDC token caches across clusters by appending a per-context subdirectory to the cache directory in generated kubeconfigs.
CLI flag: --kubeconfig-oidc-cache-isolation

services.siderolink

Siderolink contains SideroLink service configuration. It is the service responsible for node-to-Omni connectivity via WireGuard.
Field (type): Description
joinTokensMode (string): JoinTokensMode configures how machine join tokens are generated and used. Set to strict to use the secure join tokens mode. Values: strict, legacyAllowed, legacy.
CLI flag: --join-tokens-mode
Default: legacy
disableLastEndpoint (boolean): DisableLastEndpoint controls whether the SideroLink service should stop using the last known endpoint of a node when it becomes unreachable via WireGuard.
CLI flag: --siderolink-disable-last-endpoint
useGRPCTunnel (boolean): UseGRPCTunnel controls whether the SideroLink service should tunnel WireGuard traffic over gRPC, in setups where direct WireGuard connectivity is not possible (e.g., due to firewall restrictions). When enabled, the SideroLink connections from Talos machines will be configured to use the tunnel mode, regardless of their individual configuration.
CLI flag: --siderolink-use-grpc-tunnel
eventSinkPort (integer): EventSinkPort is the port to be used by the nodes to publish their events over SideroLink to Omni.
CLI flag: --event-sink-port
Default: 8090
logServerPort (integer): LogServerPort is the port to be used by the nodes to send their logs over SideroLink to Omni.
CLI flag: --log-server-port
Default: 8092
bandwidthLimitMbps (integer): BandwidthLimitMbps is the maximum total bandwidth in megabits per second through the SideroLink tunnel. Uses a token bucket algorithm: the rate controls sustained throughput while burst allows temporary spikes. Zero means unlimited. Minimum: 0.
CLI flag: --siderolink-bandwidth-limit-mbps
bandwidthLimitBurstBytes (integer): BandwidthLimitBurstBytes is the maximum number of bytes that can pass through the SideroLink tunnel in a single burst (token bucket capacity). The bucket refills continuously at the rate set by bandwidthLimitMbps. When zero and bandwidthLimitMbps is set, defaults to one second worth of the rate. For example, with bandwidthLimitMbps=10 (1.25 MB/s) and burstBytes=5000000 (5 MB), up to 5 MB can transfer instantly, then throughput settles to 1.25 MB/s. Minimum: 0.
CLI flag: --siderolink-bandwidth-limit-burst-bytes

services.siderolink.wireGuard

WireGuard contains WireGuard-specific configuration for the SideroLink service.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the WireGuard interface listens on. It is in the form "ip:port" (IP address is required, not hostname).
CLI flag: --siderolink-wireguard-bind-addr
Default: 0.0.0.0:50180
advertisedEndpoint (string): AdvertisedEndpoint is the endpoint that the SideroLink service advertises to nodes for WireGuard connectivity. It is in the form "ip:port" (IP address is required, not hostname). When not set, it is generated by the system based on the WireGuard endpoint.
CLI flag: --siderolink-wireguard-advertised-addr

services.machineAPI

MachineAPI contains SideroLink API service configuration. It is responsible for provisioning SideroLink connections by validating node join requests and issuing machine join tokens.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the service listens on. It is in the form "host:port".
CLI flag: --machine-api-bind-addr
advertisedURL (string): AdvertisedURL is the URL that the service advertises to clients. It is in the form http(s)://host:port. When not set, it is generated by the system based on the endpoint and TLS cert/key configuration.
CLI flag: --machine-api-advertised-url
certFile (string): CertFile is the path to the TLS certificate file for the service.
CLI flag: --machine-api-cert
keyFile (string): KeyFile is the path to the TLS key file for the service.
CLI flag: --machine-api-key

services.localResourceService

LocalResourceService contains local resource service configuration. Omni runs a local service to allow access to its resources without authorization checks. It is primarily used by infra providers (e.g., sidecars).
Field (type): Description
enabled (boolean): Enabled controls whether the local resource service is enabled.
CLI flag: --local-resource-server-enabled
Default: true
port (integer): Port is the network port the local resource service listens on.
CLI flag: --local-resource-server-port
Default: 8081

services.embeddedDiscoveryService

EmbeddedDiscoveryService contains embedded discovery service configuration. Omni can run an embedded discovery service to allow nodes to discover each other, instead of them resorting to discovery.talos.dev.
Field (type): Description
enabled (boolean): Enabled controls whether the embedded discovery service is enabled. It binds only to the SideroLink WireGuard address.
CLI flag: --embedded-discovery-service-enabled
Default: true
port (integer): Port is the network port the embedded discovery service listens on.
CLI flag: --embedded-discovery-service-port
Default: 8093
snapshotsEnabled (boolean): SnapshotsEnabled controls whether the embedded discovery service periodically persists snapshots of its state to disk.
CLI flag: --embedded-discovery-service-snapshots-enabled
Default: true
snapshotsInterval (duration): SnapshotsInterval is the interval at which the embedded discovery service persists snapshots of its state. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --embedded-discovery-service-snapshot-interval
Default: 10m0s
logLevel (string): LogLevel is the logging level used by the embedded discovery service.
CLI flag: --embedded-discovery-service-log-level
Default: warn
sqliteTimeout (duration): SqliteTimeout is the timeout for SQLite operations used by the embedded discovery service. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --embedded-discovery-service-sqlite-timeout
Default: 30s

services.loadBalancer

LoadBalancer contains load balancer service configuration. It is responsible for creating and managing load balancers of the clusters’ control planes.
Field (type): Description
minPort (integer): MinPort is the minimum port number that can be picked by the load balancer service when allocating a new LB port to a cluster.
CLI flag: --lb-min-port
Default: 10000
maxPort (integer): MaxPort is the maximum port number that can be picked by the load balancer service when allocating a new LB port to a cluster.
CLI flag: --lb-max-port
Default: 35000
dialTimeout (duration): DialTimeout is the timeout used by the load balancer service when dialing backend control plane nodes. Format: must be a valid Go duration (e.g., '10s', '1h30m').
Default: 15s
keepAlivePeriod (duration): KeepAlivePeriod is the period used by the load balancer service for keep-alive pings to backend control plane nodes. Format: must be a valid Go duration (e.g., '10s', '1h30m').
Default: 30s
tcpUserTimeout (duration): TCPUserTimeout is the TCP user timeout value set on connections between the load balancer and backend control plane nodes. Format: must be a valid Go duration (e.g., '10s', '1h30m').
Default: 30s
healthCheckInterval (duration): HealthCheckInterval is the interval between health checks performed by the load balancer service on backend control plane nodes. Format: must be a valid Go duration (e.g., '10s', '1h30m').
Default: 20s
healthCheckTimeout (duration): HealthCheckTimeout is the timeout for health checks performed by the load balancer service on backend control plane nodes. Format: must be a valid Go duration (e.g., '10s', '1h30m').
Default: 15s

services.workloadProxy

WorkloadProxy contains workload proxy service configuration. It is responsible for exposing workloads run on the clusters via Omni to the outside world.
Field (type): Description
subdomain (string): Subdomain is the subdomain used by the workload proxy service to expose workloads. By default, it lives at the same level as Omni (e.g., "omni-apps.example.com" for Omni at "omni.example.com"). When useOmniSubdomain is true, it is placed under Omni's domain instead (e.g., "proxy.omni.example.com"). When useOmniSubdomain is true and subdomain is empty, services are exposed directly as subdomains of Omni (e.g., "grafana.omni.example.com"). Format: must be a valid DNS subdomain (lowercase alphanumeric, dots, hyphens).
CLI flag: --workload-proxying-subdomain
Default: proxy-us
enabled (boolean): Enabled controls whether the workload proxy service is enabled.
CLI flag: --workload-proxying-enabled
Default: true
stopLBsAfter (duration): StopLBsAfter is the duration after which the workload proxy service stops load balancers for workloads that have not received any traffic. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --workload-proxying-stop-lbs-after
Default: 5m0s
useOmniSubdomain (boolean): UseOmniSubdomain controls whether the workload proxy subdomain is placed under Omni's own domain (as a subdomain) rather than as a sibling. When true, the proxy domain becomes '<subdomain>.<omni-domain>' instead of '<subdomain>.<parent-of-omni-domain>'. This also simplifies exposed service URLs to '<alias>.<proxy-domain>' (without the instance name) and allows dashes in service aliases. When true and subdomain is empty, services are exposed directly as subdomains of Omni (e.g., '<alias>.<omni-domain>').
CLI flag: --workload-proxying-use-omni-subdomain

auth

Auth contains authentication-related configuration.
Field (type): Description
initialUsers (string[]): InitialUsers is a list of emails which should be created as admins when Omni is run for the first time.
CLI flag: --initial-users
suspended (boolean): Suspended is whether the Omni account is suspended. If true, Omni will run in read-only mode with a warning banner displayed in the UI.
CLI flag: --suspended

auth.auth0

Auth0 contains Auth0 authentication provider configuration.
Field (type): Description
initialUsers (string[]): Deprecated. InitialUsers is a list of emails which should be created as admins when Omni is run for the first time. DEPRECATED: use params.auth.initialUsers instead, this will be removed.
domain (string): Domain is the Auth0 domain.
CLI flag: --auth-auth0-domain
clientID (string): ClientID is the Auth0 client ID.
CLI flag: --auth-auth0-client-id
useFormData (boolean): UseFormData controls whether the Auth0 provider should use form data for authentication requests. When true, data to the token endpoint is transmitted as x-www-form-urlencoded data instead of JSON.
CLI flag: --auth-auth0-use-form-data
enabled (boolean): Enabled controls whether the Auth0 authentication provider is enabled. Once set to true, it cannot be set back to false.
CLI flag: --auth-auth0-enabled

auth.webauthn

Webauthn contains WebAuthn authentication configuration. It is NOT SUPPORTED as it is currently unimplemented.
Field (type): Description
enabled (boolean): Enabled controls whether WebAuthn authentication is enabled. It is NOT SUPPORTED as it is currently unimplemented. Constant: false.
CLI flag: --auth-webauthn-enabled
required (boolean): Required controls whether WebAuthn authentication is required. It is NOT SUPPORTED as it is currently unimplemented. Constant: false.
CLI flag: --auth-webauthn-required

auth.saml

Saml contains SAML authentication provider configuration.
Field (type): Description
labelRules (map[string]string): Required. LabelRules defines mapping of SAML assertion attributes into Omni identity labels.
CLI flag: --auth-saml-label-rules
attributeRules (map[string]string): Required. AttributeRules defines additional identity, fullname, firstname and lastname mappings.
CLI flag: --auth-saml-attribute-rules
url (string): URL is the SAML provider URL. Mutually exclusive with metadata URL (.metadata).
CLI flag: --auth-saml-url
metadata (string): Metadata is the SAML provider metadata URL. Mutually exclusive with URL (.url).
CLI flag: --auth-saml-metadata
nameIDFormat (string): NameIDFormat is the SAML NameID format to be used.
CLI flag: --auth-saml-name-id-format
enabled (boolean): Enabled controls whether the SAML authentication provider is enabled.
CLI flag: --auth-saml-enabled

auth.oidc

Oidc contains OIDC authentication provider configuration.
Field (type): Description
providerURL (string): ProviderURL is the OIDC provider URL.
CLI flag: --auth-oidc-provider-url
clientID (string): ClientID is the OIDC client ID.
CLI flag: --auth-oidc-client-id
clientSecret (string): ClientSecret is the OIDC client secret.
CLI flag: --auth-oidc-client-secret
logoutURL (string): LogoutURL is the OIDC logout URL.
CLI flag: --auth-oidc-logout-url
scopes (string[]): Scopes is the list of OIDC scopes to request during authentication.
CLI flag: --auth-oidc-scopes
enabled (boolean): Enabled controls whether the OIDC authentication provider is enabled.
CLI flag: --auth-oidc-enabled
allowUnverifiedEmail (boolean): AllowUnverifiedEmail controls whether users with unverified emails (without email_verified claim) are allowed to authenticate.
CLI flag: --auth-oidc-allow-unverified-email

auth.keyPruner

KeyPruner contains configuration for the public keys pruner (cleanup of old/expired keys).
Field (type): Description
interval (duration): Interval is the interval at which the key pruner runs. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --public-key-pruning-interval
Default: 10m0s

auth.initialServiceAccount

InitialServiceAccount contains configuration for the initial service account created when Omni is run for the first time.
Field (type): Description
role (string): Role is the role assigned to the initial service account.
CLI flag: --initial-service-account-role
Default: Admin
keyPath (string): KeyPath is the path where the initial service account key is stored.
CLI flag: --initial-service-account-key-path
Default: _out/initial-service-account-key
name (string): Name is the name of the initial service account.
Default: automation
lifetime (duration): Lifetime is the lifetime of the initial service account key. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --initial-service-account-lifetime
Default: 1h0m0s
enabled (boolean): Enabled controls whether the initial service account is created. This happens only on the first start of Omni.
CLI flag: --create-initial-service-account
Default: false

auth.limits

Limits contains configuration for user and service account limits.
Field (type): Description
maxUsers (integer): MaxUsers is the maximum number of users allowed. 0 means unlimited. Minimum: 0.
CLI flag: --auth-max-users
maxServiceAccounts (integer): MaxServiceAccounts is the maximum number of service accounts allowed. 0 means unlimited. Minimum: 0.
CLI flag: --auth-max-service-accounts

logs

Logs contains logging-related configuration.

logs.machine

Machine contains machine logs configuration.

logs.machine.storage

Storage contains configuration for machine logs storage.
Field (type): Description
sqliteTimeout (duration): SqliteTimeout is the timeout for SQLite operations used for machine logs storage. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --machine-log-sqlite-timeout
Default: 30s
cleanupInterval (duration): CleanupInterval is the interval at which old machine logs are cleaned up. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --machine-log-cleanup-interval
Default: 30m0s
cleanupOlderThan (duration): CleanupOlderThan is the duration after which machine logs are considered old and eligible for cleanup. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --machine-log-cleanup-older-than
Default: 720h0m0s
maxLinesPerMachine (integer): MaxLinesPerMachine is the maximum number of log lines to keep per machine.
CLI flag: --machine-log-max-lines-per-machine
Default: 5000
maxSize (integer): MaxSize is the maximum allowed size (in bytes) of the machine logs table. When exceeded, the oldest entries are removed globally across all machines. 0 means unlimited. Minimum: 0.
CLI flag: --machine-log-max-size
Default: 0
cleanupProbability (number): CleanupProbability is the probability of triggering the cleanup on each log write for that machine.
CLI flag: --machine-log-cleanup-probability
Default: 0.01

logs.audit

Audit contains audit logs configuration.
Field (type): Description
enabled (boolean): Enabled controls whether audit logging is enabled.
CLI flag: --audit-log-enabled
Default: true
sqliteTimeout (duration): SqliteTimeout is the timeout for SQLite operations used for audit logs storage. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --audit-log-sqlite-timeout
Default: 30s
retentionPeriod (duration): RetentionPeriod is the duration after which audit logs are considered old and eligible for cleanup. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --audit-log-retention-period
Default: 720h0m0s
maxSize (integer): MaxSize is the maximum allowed size (in bytes) of the audit logs. When exceeded, the oldest entries are removed. 0 means unlimited. Minimum: 0.
CLI flag: --audit-log-max-size
Default: 0
cleanupProbability (number): CleanupProbability is the probability of triggering size-based cleanup on each audit log write. When triggered, a best-effort cleanup removes a bounded batch of the oldest rows to reduce the table size toward maxSize; multiple cleanups may be required for the table to fall below maxSize. 0 disables size-based cleanup.
CLI flag: --audit-log-cleanup-probability
Default: 0.01

logs.resourceLogger

ResourceLogger contains resource logger configuration. It logs the diffs for the watched resources when they are updated.
Field (type): Description
logLevel (string): LogLevel is the logging level used by the resource logger.
CLI flag: --log-resource-updates-log-level
Default: info
types (string[]): Types is the list of resource types to be logged by the resource logger.
CLI flag: --log-resource-updates-types

logs.stripe

Stripe contains Stripe logs configuration.
Field (type): Description
enabled (boolean): Enabled controls whether Stripe logging is enabled.
CLI flag: --enable-stripe-reporting
minCommit (integer): MinCommit is the minimum number of machines committed for billing purposes, reported to Stripe for the given account. Minimum: 0.
CLI flag: --stripe-minimum-commit

storage

Storage contains persistent storage related configuration.

storage.default

Default contains the default storage backend configuration.
Field (type): Description
kind (string): Kind is the kind of the default storage backend. Values: etcd, boltdb.
CLI flag: --storage-kind
Default: etcd

storage.default.boltdb

Boltdb contains BoltDB storage backend configuration.
Field (type): Description
path (string): Path is the path where the BoltDB database file is stored.
Default: _out/omni.db

storage.default.etcd

Etcd contains etcd storage backend configuration.
Field (type): Description
endpoints (string[]): Endpoints is the list of etcd endpoints. Only used when external etcd is used (i.e., embedded is false).
CLI flag: --etcd-endpoints
Default: ["http://localhost:2379"]
dialKeepAliveTime (duration): DialKeepAliveTime is the keep-alive time for etcd client connections. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --etcd-dial-keepalive-time
Default: 30s
dialKeepAliveTimeout (duration): DialKeepAliveTimeout is the keep-alive timeout for etcd client connections. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --etcd-dial-keepalive-timeout
Default: 5s
caFile (string): CaFile is the path to the CA certificate file for etcd client connections.
CLI flag: --etcd-ca-path
Default: etcd/ca.crt
certFile (string): CertFile is the path to the TLS certificate file for etcd client connections.
CLI flag: --etcd-client-cert-path
Default: etcd/client.crt
keyFile (string): KeyFile is the path to the TLS key file for etcd client connections.
CLI flag: --etcd-client-key-path
Default: etcd/client.key
embedded (boolean): Embedded controls whether to use embedded etcd server as the storage backend.
CLI flag: --etcd-embedded
Default: true
embeddedDBPath (string): EmbeddedDBPath is the path where the embedded etcd database files are stored.
CLI flag: --etcd-embedded-db-path
Default: _out/etcd/
embeddedUnsafeFsync (boolean): EmbeddedUnsafeFsync controls whether the embedded etcd server should skip fsync calls for improved performance at the cost of durability.
CLI flag: --etcd-embedded-unsafe-fsync
runElections (boolean): RunElections controls whether the embedded etcd server should run leader elections. Should be false for single-node Omni installations.
Default: false
privateKeySource (string): Required. PrivateKeySource is the source of the private key for the embedded etcd server. It is used for decrypting master key slot. Must not be empty.
CLI flag: --private-key-source
publicKeyFiles (string[]): PublicKeyFiles is the list of public key files for the embedded etcd server. They are used for encrypting keys slots.
CLI flag: --public-key-files

storage.vault

Vault contains HashiCorp Vault storage backend configuration. It is used to store the storage encryption key, used to encrypt sensitive data at rest in etcd.
Field (type): Description
url (string): Url is the URL of the Vault server.
token (string): Token is the authentication token for the Vault server. It is read from VAULT_TOKEN env var when not set. It is recommended to be passed as env var instead of being stored in the config file.
k8sAuthMountPath (string): K8sAuthMountPath is the mount path of the Kubernetes auth method in Vault. When not set, it defaults to "kubernetes". This is useful when Vault is running on a different cluster and has multiple Kubernetes auth mounts.
CLI flag: --vault-k8s-auth-mount-path

storage.sqlite

Sqlite contains SQLite storage backend configuration. It is used to store machine logs, audit logs, discovery service state, and as the secondary storage for the frequently updated and less critical data.
Field (type): Description
path (string): Required. Path is the path where the SQLite database file is stored. Must not be empty.
CLI flag: --sqlite-storage-path
experimentalBaseParams (string): ExperimentalBaseParams contains the base parameters to be used when opening the SQLite database connection. This can cause data corruption if set incorrectly, modify at your own risk. This flag is experimental and may be removed in future versions. It must not start with a question mark (?). Format: must not start with '?'.
CLI flag: --sqlite-storage-experimental-base-params
Default: _txlock=immediate&_pragma=busy_timeout(50000)&_pragma=journal_mode(WAL)&_pragma=synchronous(NORMAL)
extraParams (string): ExtraParams contains the extra parameters to be used when opening the SQLite database connection. This can cause data corruption if set incorrectly, modify at your own risk. It must not start with an ampersand (&). Format: must not start with '&'.
CLI flag: --sqlite-storage-extra-params
cachedPoolSize (integer): CachedPoolSize controls the number of cached connections in the SQLite connection pool. The overall number of connections is limited by poolSize. CachedPoolSize should be less than or equal to poolSize. Minimum: 1.
Default: 4
poolSize (integer): PoolSize controls the maximum number of connections in the SQLite connection pool. Raising this value may improve performance under high load, at the cost of increased resource usage. Minimum: 1.
Default: 64

storage.sqlite.metrics

Field (type): Description
refreshInterval (duration): RefreshInterval is the interval at which SQLite metrics are refreshed. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --sqlite-metrics-refresh-interval
Default: 2m0s
refreshTimeout (duration): RefreshTimeout is the timeout for refreshing SQLite metrics. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --sqlite-metrics-refresh-timeout
Default: 1m0s

etcdBackup

EtcdBackup contains etcd backup configuration for the clusters on Omni.
Field (type): Description
localPath (string): LocalPath is the local path where etcd backups are stored before being uploaded to remote storage. Mutually exclusive with s3Enabled (.s3Enabled).
CLI flag: --etcd-backup-local-path
s3Enabled (boolean): S3Enabled controls whether an S3-compatible storage is used for etcd backups. Mutually exclusive with localPath (.localPath).
CLI flag: --etcd-backup-s3
tickInterval (duration): TickInterval is the interval between etcd backup ticks (controller events to check if any cluster needs to be backed up). Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --etcd-backup-tick-interval
Default: 1m0s
minInterval (duration): MinInterval is the minimum interval between two etcd backups for a cluster. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --etcd-backup-min-interval
Default: 1h0m0s
maxInterval (duration): MaxInterval is the maximum interval between two etcd backups for a cluster. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --etcd-backup-max-interval
Default: 24h0m0s
uploadLimitMbps (integer): UploadLimitMbps is the optional upload bandwidth limit for etcd backups to remote storage in megabits per second. If not specified or set to 0, it is unlimited. Minimum: 0.
CLI flag: --etcd-backup-upload-limit-mbps
downloadLimitMbps (integer): DownloadLimitMbps is the optional download bandwidth limit for etcd backups from remote storage in megabits per second. If not specified or set to 0, it is unlimited. Minimum: 0.
CLI flag: --etcd-backup-download-limit-mbps
jitter (duration): Jitter is the jitter for etcd backups, randomly added to or subtracted from the interval between automatic etcd backups. Format: must be a valid Go duration (e.g., '10s', '1h30m').
CLI flag: --etcd-backup-jitter
Default: 10m0s

registries

Registries contains container image registries configuration.
Field (type): Description
talos (string): Required. Talos is the Talos installer registry configuration. Must not be empty.
CLI flag: --talos-installer-registry
Default: ghcr.io/siderolabs/installer
kubernetes (string): Required. Kubernetes is the Kubernetes container registry configuration. Must not be empty.
CLI flag: --kubernetes-registry
Default: ghcr.io/siderolabs/kubelet
imageFactoryBaseURL (string): Required. ImageFactoryBaseURL is the base URL of the Image Factory service used to build custom machine images. Must not be empty.
CLI flag: --image-factory-address
Default: https://factory.talos.dev
imageFactoryPXEBaseURL (string): ImageFactoryPXEBaseURL is the base URL of the Image Factory PXE endpoint used to build custom PXE boot images.
CLI flag: --image-factory-pxe-address
mirrors (string[]): Mirrors is the list of container image registry mirrors. Used mainly for development purposes. Each entry must be in the format <registry host>=<mirror URL>.
CLI flag: --registry-mirror

debug

Debug contains debug-related configuration.

debug.server

Server contains debug server configuration.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the debug server listens on. It is in the form "[host]:port".
CLI flag: --debug-server-endpoint
Default: :9988

debug.pprof

Pprof contains pprof profiling configuration.
Field (type): Description
endpoint (string): Endpoint is the network endpoint the pprof server listens on. It is in the form "[host]:port".
CLI flag: --pprof-bind-addr

features

Features contains feature flags to enable/disable various Omni features.
Field (type): Description
enableTalosPreReleaseVersions (boolean): EnableTalosPreReleaseVersions controls whether pre-release Talos versions (e.g., release candidates, betas) are available for selection when creating/upgrading clusters.
CLI flag: --enable-talos-pre-release-versions
enableBreakGlassConfigs (boolean): EnableBreakGlassConfigs controls whether break-glass machine configurations are enabled. Break-glass configs allow direct access to the machines without going through Omni. Recommended to be disabled.
CLI flag: --enable-break-glass-configs
enableConfigDataCompression (boolean): EnableConfigDataCompression controls whether machine configuration data stored in etcd is compressed to save space.
CLI flag: --config-data-compression-enabled
Default: true
enableClusterImport (boolean): EnableClusterImport controls whether the cluster import feature is enabled. When enabled, users can import existing Talos clusters into Omni.
CLI flag: --enable-cluster-import
Default: true
disableControllerRuntimeCache (boolean): DisableControllerRuntimeCache controls whether the controller-runtime cache is disabled. When disabled, etcd is accessed for all reads. Recommended to be enabled, unless debugging specific issues.
CLI flag: --disable-controller-runtime-cache

notifications

Notifications contains configuration for system notifications emitted by controllers.

notifications.nonImageFactoryDeprecation

NonImageFactoryDeprecation contains configuration for the notification shown when machines are provisioned without using ImageFactory.
Field (type): Description
enabled (boolean): Enabled controls whether the non-ImageFactory deprecation notification is shown when machines with invalid schematics are detected.
CLI flag: --non-image-factory-deprecation-enabled
Default: false
title (string): Title is the title of the non-ImageFactory deprecation notification.
CLI flag: --non-image-factory-deprecation-title
Default: Non-ImageFactory Machines Detected
body (string): Body is the body of the non-ImageFactory deprecation notification. Use %d as a placeholder for the number of affected machines.
CLI flag: --non-image-factory-deprecation-body
Default: %d machine(s) were provisioned without ImageFactory. Support for these machines will end after a future release. Please re-provision them using ImageFactory.
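The following is an added example of a hardened configuration file for --config-path; it is not taken from the Omni documentation. It assumes the file is YAML and that the section paths in this reference (for example services.siderolink.wireGuard) map directly onto nested keys; every hostname, IP, path and ID is a placeholder.

```yaml
# Added example Omni config (not from the Omni docs). Assumes YAML and that
# section paths such as services.siderolink.wireGuard nest as shown.
# All hostnames, IPs, paths and IDs are placeholders.
account:
  id: 00000000-0000-4000-8000-000000000000   # placeholder; never change after initial setup
  name: production
  maxRegisteredMachines: 500                  # 0 would mean unlimited

services:
  api:
    endpoint: 0.0.0.0:8080
    advertisedURL: https://omni.example.com   # serve the UI/API over TLS, not the http default
    certFile: /etc/omni/tls/omni.crt
    keyFile: /etc/omni/tls/omni.key
  kubernetesProxy:
    endpoint: 0.0.0.0:8095
    advertisedURL: https://k8s.omni.example.com   # must start with https://
    certFile: /etc/omni/tls/omni.crt
    keyFile: /etc/omni/tls/omni.key
    oidcCacheIsolation: true                  # separate kubelogin token caches per cluster
  siderolink:
    joinTokensMode: strict                    # default is legacy; strict is the secure mode
    wireGuard:
      endpoint: 0.0.0.0:50180
      advertisedEndpoint: 203.0.113.10:50180  # IP literal required, not a hostname
  localResourceService:
    enabled: false                            # default true; this service skips authorization checks
  embeddedDiscoveryService:
    enabled: true                             # binds only to the SideroLink WireGuard address

auth:
  initialUsers:
    - admin@example.com
  oidc:
    enabled: true
    providerURL: https://idp.example.com
    clientID: omni
    clientSecret: REPLACE_ME                  # placeholder; prefer --auth-oidc-client-secret from a secret store
    scopes: [openid, profile, email]
    allowUnverifiedEmail: false               # require the email_verified claim
  initialServiceAccount:
    enabled: false                            # default; only enable for first-start automation
  limits:
    maxUsers: 50
    maxServiceAccounts: 20

storage:
  default:
    kind: etcd
    etcd:
      embedded: true
      embeddedDBPath: /var/lib/omni/etcd/
      embeddedUnsafeFsync: false              # keep fsync for durability
      runElections: false                     # single-node Omni
      privateKeySource: REPLACE_ME            # placeholder; required, decrypts the master key slot
  vault:
    url: https://vault.example.com            # token comes from VAULT_TOKEN, keep it out of this file
  sqlite:
    path: /var/lib/omni/omni.sqlite

logs:
  audit:
    enabled: true
    retentionPeriod: 2160h0m0s                # 90 days; default is 720h0m0s
    maxSize: 1073741824                       # 1 GiB cap; 0 means unlimited
  machine:
    storage:
      cleanupOlderThan: 720h0m0s

etcdBackup:
  localPath: /var/lib/omni/backups            # mutually exclusive with s3Enabled
  minInterval: 1h0m0s
  maxInterval: 24h0m0s

features:
  enableBreakGlassConfigs: false              # recommended: break-glass configs bypass Omni
  enableTalosPreReleaseVersions: false
```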