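---
# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json
clusterName: homelab
talosVersion: v1.7.1
# Quoted so no YAML loader can ever re-type a version string.
kubernetesVersion: "1.28.4"
endpoint: "https://10.1.1.57:6443"
# Talos deploys no CNI; see the kube-proxy note under controlPlane.
cniConfig:
  name: none
additionalApiServerCertSans:
  - 10.1.1.57
additionalMachineCertSans:
  - 10.1.1.57

nodes:
  - hostname: shadowfax
    disableSearchDomain: true
    ipAddress: 10.1.1.61
    controlPlane: true
    installDiskSelector:
      busPath: /dev/nvme0n1
    networkInterfaces:
      - interface: eth0
        dhcp: true
    # Out-of-tree NVIDIA modules, provided by the nonfree-kmod-nvidia
    # extension selected in the schematic below.
    kernelModules:
      - name: nvidia
      - name: nvidia_uvm
      - name: nvidia_drm
      - name: nvidia_modeset
    schematic:
      customization:
        systemExtensions:
          officialExtensions:
            - "siderolabs/amd-ucode"
            - "siderolabs/nonfree-kmod-nvidia"
            - "siderolabs/nvidia-container-toolkit"

# NOTE(review): the flattened source does not show whether this `patches`
# key sat at node level or at top level; it is placed at top level here,
# which is equivalent for the single node above — confirm.
patches:
  - |-
    machine:
      sysctls:
        # Quoted like the sysctls patch below: sysctl values are strings.
        # 1 = BPF JIT hardening for unprivileged users only.
        net.core.bpf_jit_harden: "1"

controlPlane:
  patches:
    # Disable search domain everywhere
    - |-
      machine:
        network:
          disableSearchDomain: true

    # Force nameserver
    - |-
      machine:
        network:
          nameservers:
            - 10.1.1.11

    # Configure NTP
    - |-
      machine:
        time:
          disabled: false
          servers:
            - 10.1.1.1

    # Enable KubePrism
    - |-
      machine:
        features:
          kubePrism:
            enabled: true
            port: 7445

    # Cluster configuration
    # allowSchedulingOnMasters: workloads share the control-plane node.
    # kube-proxy is disabled and cniConfig is `none`, so the CNI that
    # replaces both is presumably installed out of band — not in this file.
    - |-
      cluster:
        allowSchedulingOnMasters: true
        proxy:
          disabled: true

    # ETCD configuration
    - |-
      cluster:
        etcd:
          advertisedSubnets:
            - 10.1.1.0/24

    # Configure containerd
    # enable_unprivileged_ports / enable_unprivileged_icmp let containers
    # bind ports below 1024 and open ICMP sockets without the matching
    # capabilities; this applies node-wide, not per workload.
    - |-
      machine:
        files:
          - op: create
            path: /etc/cri/conf.d/20-customization.part
            content: |
              [plugins]
                [plugins."io.containerd.grpc.v1.cri"]
                  enable_unprivileged_ports = true
                  enable_unprivileged_icmp = true
                [plugins."io.containerd.grpc.v1.cri".containerd]
                  discard_unpacked_layers = false
                [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
                  discard_unpacked_layers = false

    # Disable default API server admission plugins.
    # JSON-patch style removal of the whole admissionControl block, which is
    # where Talos's generated config carries its PodSecurity admission
    # defaults; nothing in this file re-adds one, so pod security must be
    # enforced elsewhere — confirm.
    - |-
      - op: remove
        path: /cluster/apiServer/admissionControl

    # Enable K8s Talos API Access
    # Any pod in the system-upgrade namespace can obtain an os:admin Talos
    # API identity; keep that namespace and its RBAC tightly scoped.
    - |-
      machine:
        features:
          kubernetesTalosAPIAccess:
            enabled: true
            allowedRoles:
              - os:admin
            allowedKubernetesNamespaces:
              - system-upgrade

    # Kubelet configuration
    - |-
      machine:
        kubelet:
          defaultRuntimeSeccompProfileEnabled: true
          extraArgs:
            # kubelet flag values are strings; keep the quotes.
            rotate-server-certificates: "true"
          extraConfig:
            maxPods: 150
          nodeIP:
            validSubnets:
              - 10.1.1.0/24
          extraMounts:
            - destination: /var/openebs/local
              options:
                - bind
                - rshared
                - rw
              source: /var/openebs/local
              type: bind

    # Custom sysctls
    - |-
      machine:
        sysctls:
          fs.inotify.max_queued_events: "65536"
          fs.inotify.max_user_instances: "8192"
          fs.inotify.max_user_watches: "524288"
          net.core.rmem_max: "2500000"
          net.core.wmem_max: "2500000"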