docs: add image factory self-hosted docs

Basic guide for online and airgapped installation.

Signed-off-by: Justin Garrison <[email protected]>

Author: rothgar

docs.json

@@ -160,14 +160,14 @@
             "pages": [
               "talos/v1.10/networking/advanced-networking",
               "talos/v1.10/networking/corporate-proxies",
-              "talos/v1.10/networking/device-selector",
               "talos/v1.10/networking/egress-domains",
               "talos/v1.10/networking/ethernet-config",
               "talos/v1.10/networking/host-dns",
               "talos/v1.10/networking/ingress-firewall",
               "talos/v1.10/networking/kubespan",
               "talos/v1.10/networking/metal-network-configuration",
               "talos/v1.10/networking/multihoming",
+              "talos/v1.10/networking/device-selector",
               "talos/v1.10/networking/predictable-interface-names",
               "talos/v1.10/networking/siderolink",
               "talos/v1.10/networking/vip",
@@ -328,6 +328,7 @@
                 "pages": [
                   "omni/infrastructure-and-extensions/self-hosted/overview",
                   "omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem",
+                  "omni/infrastructure-and-extensions/self-hosted/install-image-factory-on-prem",
                   "omni/infrastructure-and-extensions/self-hosted/configure-keycloak-for-omni",
                   "omni/infrastructure-and-extensions/self-hosted/how-to-back-up-on-prem-omni-db",
                   "omni/infrastructure-and-extensions/self-hosted/expose-omni-with-nginx-https"

omni.yaml

@@ -5,7 +5,7 @@ navigation:
       groups:
         - group: "Overview"
           folder: "omni/overview"
-          pages: 
+          pages:
             - "what-is-omni.mdx"
 
         - group: "Getting Started"
@@ -24,6 +24,7 @@ navigation:
               pages:
                 - "self-hosted/overview"
                 - "self-hosted/deploy-omni-on-prem"
+                - "self-hosted/install-image-factory-on-prem"
                 - "self-hosted/configure-keycloak-for-omni"
                 - "self-hosted/how-to-back-up-on-prem-omni-db"
                 - "self-hosted/expose-omni-with-nginx-https"

omni/infrastructure-and-extensions/self-hosted/install-image-factory-on-prem.mdx

@@ -0,0 +1,204 @@
+---
+title: Run Image Factory On-prem
+---
+
+The [Image Factory](https://github.com/siderolabs/image-factory) is a way for you to dynamically create Talos Linux images. There is a public, hosted version of the Image Factory at [factory.talos.dev](https://factory.talos.dev) and it can also be run in your environment.
+
+The Image Factory is a critical component of [Omni](../overview/what-is-omni) to generate installation media and update Talos nodes, but it is not required to use Omni to use the Image Factory. It is a web interface and API for the `imager` command which is used to customize Talos from the command line.
+
+### Prerequisites
+
+* Container registry (with Talos images)
+* Machine to run Image Factory
+* Image cache signing key
+* Image cache storage (optional)
+
+Image factory can be run in a connected and disconnected or airgapped mode. The default, connected mode will pull images from the upstream Sidero Labs official container registry.
+
+The upstream Sidero Labs registry has all of the required Talos installation containers, extensions, and tools.
+
+If you are running the Image Factory in an airgapped environment you will need to provide a container registry and populate it with the required Talos images.
+
+### Run in Connected Mode
+
+To run the Image Factory connected to the Sidero Labs registry you can run the following commands.
+
+Create image cache private signing key
+
+```shell
+openssl ecparam -name prime256v1 -genkey -noout -out cache-signing-key.key
+```
+
+Run image factory
+
+```shell
+docker run -p 8080:8080 -d \
+  -v $PWD/cache-signing-key.key:/cache-signing-key.key:ro \
+  ghcr.io/siderolabs/image-factory \
+    -cache-signing-key-path /cache-signing-key.key
+```
+
+This will publish the image factory on your machine on port 8080 and pull container images from Sidero Labs ghcr.io registry. It will also validate image signatures using [`cosign`](https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/) to validate pulled images.
+
+#### Image Cache
+
+There are a variety of image cache locations to store built images. Without an image cache each asset will be built when requested which can consume a high amount of CPU on the image factory machine.
+
+Some supported cache storage options include:
+
+* CDN
+* s3 bucket (or compatable API)
+
+Please view the `--help` output for cache options.
+
+### Run in Disconnected or Airgapped Mode
+
+Running the image factory in an air airgapped environment has more requirements than running in a connected mode. In addition to the requirements above you will also need.
+
+* Certificates for web frontend and registry
+* Cosign image signing key
+
+First you will need to run a container registry in your environment. Any OCI compatable registry should work.
+
+Note: This is just an example and should not be used in a production environment. If you want to test locally on your mahcine you can also see the [developer documentation](https://github.com/siderolabs/image-factory#air-gapped-mode) in the repository.
+
+```bash
+docker run -d -p 5000:5000 --name zot \
+  ghcr.io/project-zot/zot:latest
+```
+
+Populate the registry with required images. This example uses [`skopeo`](https://github.com/containers/skopeo) because it has an easy `sync` command. Other options to copy container images such as `crane` or `docker` are also possible.
+
+Each image in the upstream registry has a lot of image tags and it is recommended that you only copy the tags for versions you need.
+
+The images you would need to copy would include the following.
+
+* siderolabs/imager
+* siderolabs/installer-base
+* siderolabs/talosctl-all
+* siderolabs/overlays (optional for SBC builds)
+* siderolabs/extensions (optional for system extensions)
+
+You can also create a config file for `skopeo` to pull specific images and tags. This example configuration pulls the required talos images and all of the core system extensions.
+
+```
+ghcr.io:
+  images:
+    siderolabs/imager: ["v1.11.0", "v1.10.0"]
+    siderolabs/installer-base: ["v1.11.0", "v1.10.0"]
+    siderolabs/talosctl-all: ["v1.11.0", "v1.10.0"]
+    siderolabs/gvisor: ["20250707.0"]
+    siderolabs/stargz-snapshotter: ["v0.17.0"]
+    siderolabs/amd-ucode: ["20250808"]
+    siderolabs/bnx2-bnx2x: ["20250808"]
+    siderolabs/intel-ice-firmware: ["20250808"]
+    siderolabs/intel-ucode: ["20250812"]
+    siderolabs/qlogic-firmware: ["20250808"]
+    siderolabs/realtek-firmware: ["20250808"]
+    siderolabs/amdgpu: ["20250808-v1.11.0"]
+    siderolabs/i915: ["20250808-v1.11.0"]
+    siderolabs/amazon-ena: ["2.15.0-v1.11.0"]
+    siderolabs/mei: ["v1.11.0", "v1.10.0"]
+    siderolabs/glibc: ["2.41"]
+    siderolabs/fuse3: ["3.17.4"]
+    siderolabs/iscsi-tools: ["v0.2.0"]
+    siderolabs/metal-agent: ["v0.1.3"]
+    siderolabs/nonfree-kmod-nvidia-lts:
+      ["535.247.01-v1.11.0", "535.230.02-v1.10.0"]
+    siderolabs/nonfree-kmod-nvidia-production:
+      ["570.172.08-v1.11.0", "570.124.06-v1.10.0"]
+    siderolabs/nvidia-container-toolkit-lts:
+      ["535.247.01-v1.17.8", "535.230.02-v1.17.5"]
+    siderolabs/nvidia-container-toolkit-production:
+      ["570.172.08-v1.17.8", "570.124.06-v1.17.5"]
+    siderolabs/nvidia-fabricmanager-lts: ["535.247.01", "580.82.07"]
+    siderolabs/nvidia-fabricmanager-production: ["570.158.01", "570.172.08"]
+    siderolabs/nvidia-open-gpu-kernel-modules-lts:
+      ["535.230.02-v1.10.0", "535.247.01-v1.11.1"]
+    siderolabs/nvidia-open-gpu-kernel-modules-production:
+      ["570.124.06-v1.10.0", "570.172.08-v1.11.1"]
+    siderolabs/ctr: ["v2.1.4"]
+```
+
+You can sync these files and images with
+
+Note: If your internal registry has authentication and valid TLS it is recommended to remove the options `--dest-no-creds` and `--dest-tls-verify=false`
+
+```
+skopeo sync --src yaml --dest docker \
+  --all \
+  --dest-no-creds \
+  --dest-tls-verify=false \
+  --preserve-digests \
+    sidero-images.yaml \
+    localhost:5000/siderolabs
+```
+
+### Sign Container Images
+
+The Image Factory verifies container image signatures when being used. You will need to generate a cosign singing key and sign each container we just pushed to the registry.
+
+First generate a cosign key
+```bash
+cosign generate-key-pair
+```
+
+Now sign each image and tag in your internal registry. This will allow the registry to validate images without reaching out to any external services for key validation.
+
+```bash
+#!/bin/bash
+REGISTRY="localhost:5000"
+KEY_FILE="cosign.key"
+
+curl -k -s "http://$REGISTRY/v2/_catalog" |
+  jq -r '.repositories[]' |
+  while read repo; do
+    echo "Processing repository: $repo"
+    curl -k -s "http://$REGISTRY/v2/$repo/tags/list" |
+      jq -r '.tags[]' |
+      while read tag; do
+        image="$REGISTRY/$repo:$tag"
+        digest=$(skopeo inspect --no-creds --tls-verify=false "docker://$image" 2>/dev/null | jq -r '.Digest')
+        
+        if [ "$digest" != "null" ] && [ -n "$digest" ]; then
+          digest_image="$REGISTRY/$repo@$digest"
+          echo "Signing by digest: $digest_image"
+          cosign sign --key "$KEY_FILE" --allow-insecure-registry=true "$digest_image" < /dev/tty
+        else
+          echo "Could not get digest for $image"
+          echo "Signing: $image"
+          cosign sign --key "$KEY_FILE" --allow-insecure-registry=true "$image" < /dev/tty
+        fi
+      done
+  done
+```
+
+### Run Image Factory
+
+With a populated container registry and signed images you are ready to run the Image Factory.
+
+Note: If the container registry and image factory are run on the same machine `localhost` won't be reachable unless you run each container with `--net=host` which is not recommended. An alternative approach would be to use [private Docker networking](https://docs.docker.com/engine/network/) to bridge the containers.
+
+```bash
+docker run -p 8080:8080 -d \
+  -v $PWD/cache-signing-key.key:/cache-signing-key.key:ro \
+  -v $PWD/cosign.key:/cosign.key:ro \
+  ghcr.io/siderolabs/image-factory \
+    -image-registry $REGISTRY_HOST \
+    -installer-internal-repository $REGISTRY_HOST/siderolabs \
+    -installer-internal-repository $REGISTRY_HOST/siderolabs \
+    -schematic-service-repository $REGISTRY/siderolabs/image-factory/schematic \
+    -cache-repository $REGISTRY/siderolabs/cache \
+    -cache-signing-key-path /cache-signing-key.key \
+    -insecure-image-registry \
+    -insecure-installer-internal-repository \
+    -insecure-schematic-service-repository \
+    -cache-cdn-enabled=false \
+    -cache-s3-enabled=false
+```
+
+If you are running on a server with SELinux enabled and enforcing then volumes mounted into the container will not be available unless you append `:Z` to the volume mounts.
+
+If you have an internal, private certificate authority you will need to mount that into the Image Factory image so it can trust the registry certificate. Mount it into the container by adding `-v /etc/pki/ca-trust/source/anchors:/etc/ssl/certs:ro` to the Image Factory commands.
+
+After the image factory is running you can continue to the [Omni documentation for a self-hosted installation](./self-hosted/deploy-omni-on-prem).