--- # yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json clusterName: theshire # renovate: datasource=github-releases depName=siderolabs/talos talosVersion: v1.8.1 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet kubernetesVersion: 1.31.2 endpoint: "https://10.1.1.57:6444" additionalApiServerCertSans: - 10.1.1.57 additionalMachineCertSans: - 10.1.1.57 nodes: - hostname: bilbo disableSearchDomain: true ipAddress: 10.1.1.62 controlPlane: true installDiskSelector: busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - interface: eno1 dhcp: true - hostname: frodo disableSearchDomain: true ipAddress: 10.1.1.63 controlPlane: true installDiskSelector: busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - interface: eno1 dhcp: true - hostname: sam disableSearchDomain: true ipAddress: 10.1.1.64 controlPlane: true installDiskSelector: busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - interface: eno1 dhcp: true - hostname: pippin disableSearchDomain: true ipAddress: 10.1.1.65 controlPlane: false installDiskSelector: busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - interface: eno1 dhcp: true - hostname: merry disableSearchDomain: true ipAddress: 10.1.1.66 controlPlane: false installDiskSelector: busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - interface: eno1 dhcp: true - hostname: rosie disableSearchDomain: true ipAddress: 10.1.1.67 controlPlane: false installDiskSelector: busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - interface: eno1 dhcp: true - hostname: gandalf-01 disableSearchDomain: true ipAddress: 10.1.1.68 controlPlane: false installDisk: /dev/sda networkInterfaces: - interface: enp5s0 dhcp: true - hostname: shadowfax-01 disableSearchDomain: true ipAddress: 10.1.1.69 controlPlane: false installDiskSelector: busPath: /pci0000:00/0000:00:01.1/0000:02:00.0/virtio6/host0/target0:0:0/0:0:0:1/ networkInterfaces: - interface: enp5s0 dhcp: true patches: - |- machine: sysctls: net.core.bpf_jit_harden: 1 kernelModules: - name: nvidia - name: nvidia_uvm - name: nvidia_drm - name: nvidia_modeset schematic: customization: systemExtensions: officialExtensions: - siderolabs/amd-ucode - siderolabs/nonfree-kmod-nvidia-production - siderolabs/nvidia-container-toolkit-production worker: schematic: customization: extraKernelArgs: - net.ifnames=1 systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode patches: # hugepages - &hugepages |- machine: sysctls: vm.nr_hugepages: "1024" # Kubelet local mount - &kubelet_extra_mounts |- machine: kubelet: extraMounts: - destination: /var/openebs/local type: bind source: /var/openebs/local options: - bind - rshared - rw # Configure containerd - &containerd |- machine: files: - op: create path: /etc/cri/conf.d/20-customization.part content: | [plugins] [plugins."io.containerd.grpc.v1.cri"] enable_unprivileged_ports = true enable_unprivileged_icmp = true [plugins."io.containerd.grpc.v1.cri".containerd] discard_unpacked_layers = false [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] discard_unpacked_layers = false # Kubelet configuration - &kubeletConf |- machine: kubelet: defaultRuntimeSeccompProfileEnabled: true extraArgs: rotate-server-certificates: "true" extraConfig: maxPods: 150 nodeIP: validSubnets: - 10.1.1.0/24 - &sysctls |- machine: sysctls: fs.inotify.max_queued_events: "65536" fs.inotify.max_user_instances: "8192" fs.inotify.max_user_watches: "524288" net.core.rmem_max: "7500000" net.core.wmem_max: "7500000" - &nfsMountOptions |- machine: files: - op: overwrite path: /etc/nfsmount.conf permissions: 0o644 content: | [ NFSMount_Global_Options ] nfsvers=4.1 hard=True noatime=True nodiratime=True rsize=131072 wsize=131072 nconnect=8 - &hostDNS |- machine: features: hostDNS: enabled: true resolveMemberNames: true forwardKubeDNSToHost: false - &searchDomain |- machine: network: disableSearchDomain: true - &nameservers |- machine: network: nameservers: - 10.1.1.1 controlPlane: schematic: customization: extraKernelArgs: - net.ifnames=1 systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode patches: # hugepages - *hugepages # Kubelet local mount - *kubelet_extra_mounts # Disable search domain everywhere - *searchDomain # Force nameserver - *nameservers # Configure NTP - |- machine: time: disabled: false servers: - time.cloudflare.com # hostDNS configuration - *hostDNS # coreDNS configuration - |- cluster: coreDNS: disabled: true # Cluster configuration - |- cluster: allowSchedulingOnMasters: true proxy: disabled: true network: cni: name: none controllerManager: extraArgs: bind-address: 0.0.0.0 etcd: extraArgs: listen-metrics-urls: http://0.0.0.0:2381 scheduler: extraArgs: bind-address: 0.0.0.0 # ETCD configuration - |- cluster: etcd: advertisedSubnets: - 10.1.1.0/24 # Configure containerd - *containerd # Disable default API server admission plugins. - |- - op: remove path: /cluster/apiServer/admissionControl # Enable K8s Talos API Access - |- machine: features: kubernetesTalosAPIAccess: enabled: true allowedRoles: - os:admin allowedKubernetesNamespaces: - system-upgrade # Kubelet configuration - *kubeletConf # Custom sysctls - *sysctls # Configure nfs mount options - *nfsMountOptions