---
# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json
# Cluster identity and the Talos / Kubernetes releases this config targets.
# Versions are quoted so no consumer re-types them as numbers.
clusterName: "homelab"

talosVersion: "v1.7.1"
kubernetesVersion: "1.30.0"

# API endpoint used by talosctl / kubectl. 10.1.1.57 is not the address of
# the single node declared below (10.1.1.61), so it is presumably a VIP or
# a load balancer in front of the control plane — confirm.
endpoint: "https://10.1.1.57:6443"

# Extra SANs so the certificates issued for the kube-apiserver and for the
# Talos machine API are valid for the endpoint address above; without them
# clients connecting to 10.1.1.57 fail hostname verification.
additionalApiServerCertSans:
  - "10.1.1.57"

additionalMachineCertSans:
  - "10.1.1.57"

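nodes:
  - hostname: shadowfax
    disableSearchDomain: true
    ipAddress: 10.1.1.61
    controlPlane: true
    # Select the install disk by PCI bus path instead of a /dev/nvmeX name,
    # which is presumably not stable across boots on this box.
    installDiskSelector:
      busPath: /pci0000:20/0000:20:01.2/0000:2c:00.0/nvme/nvme4/nvme4n1
    networkInterfaces:
      - interface: enp37s0f1
        dhcp: true
      # Declared with DHCP off and no static addresses: this port is left
      # unconfigured on purpose (confirm, or drop the entry).
      - interface: enp37s0f0
        dhcp: false
    # GPU modules loaded at boot; they come from the nonfree-kmod-nvidia
    # extension listed in the schematic below.
    kernelModules:
      - name: nvidia
      - name: nvidia_uvm
      - name: nvidia_drm
      - name: nvidia_modeset
    schematic:
      customization:
        systemExtensions:
          officialExtensions:
            - siderolabs/amd-ucode
            - siderolabs/nonfree-kmod-nvidia
            - siderolabs/nvidia-container-toolkit
            - siderolabs/zfs

    # Node-specific patches, applied in addition to the controlPlane patches.
    patches:
      # BPF JIT hardening: 1 = constant blinding for unprivileged BPF users
      # only (2 would also cover privileged users). machine.sysctls is a
      # string map in Talos, so the value is quoted — the same way the
      # "Custom sysctls" patch under controlPlane writes its values.
      - |-
        machine:
          sysctls:
            net.core.bpf_jit_harden: "1"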
controlPlane:
  patches:
    # Disable search domain everywhere
    - |-
      machine:
        network:
          disableSearchDomain: true

    # Force nameserver
    - |-
      machine:
        network:
          nameservers:
            - 10.1.1.1

    # Configure NTP
    - |-
      machine:
        time:
          disabled: false
          servers:
            - 10.1.1.1

    # Enable KubePrism
    - |-
      machine:
        features:
          kubePrism:
            enabled: true
            port: 7445

    # Cluster configuration
    # - allowSchedulingOnMasters: workloads run on the control-plane node, so
    #   pod-level controls (PodSecurity, RBAC) are the only boundary between
    #   them and the control plane.
    # - proxy disabled + cni "none": an external CNI is expected to provide
    #   networking and the kube-proxy replacement (presumably installed later).
    # - bind-address 0.0.0.0 / listen-metrics-urls on 0.0.0.0: controller
    #   manager, scheduler and etcd metrics listen on every interface instead
    #   of loopback; only the surrounding network limits who can scrape them.
    - |-
      cluster:
        allowSchedulingOnMasters: true
        proxy:
          disabled: true
        network:
          cni:
            name: none
        controllerManager:
          extraArgs:
            bind-address: 0.0.0.0
        etcd:
          extraArgs:
            listen-metrics-urls: http://0.0.0.0:2381
        scheduler:
          extraArgs:
            bind-address: 0.0.0.0

    # ETCD configuration
    # Limit the addresses etcd advertises to the node subnet.
    - |-
      cluster:
        etcd:
          advertisedSubnets:
            - 10.1.1.0/24

    # Configure containerd
    # enable_unprivileged_ports lets any container bind ports below 1024
    # without CAP_NET_BIND_SERVICE; enable_unprivileged_icmp allows ping
    # without raw-socket privileges. discard_unpacked_layers=false keeps
    # layer blobs in the content store after unpacking (more disk, but
    # images can still be exported).
    - |-
      machine:
        files:
          - op: create
            path: /etc/cri/conf.d/20-customization.part
            content: |
              [plugins]
                [plugins."io.containerd.grpc.v1.cri"]
                  enable_unprivileged_ports = true
                  enable_unprivileged_icmp = true
              [plugins."io.containerd.grpc.v1.cri".containerd]
                discard_unpacked_layers = false
              [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
                discard_unpacked_layers = false

    # Disable default API server admission plugins.
    # Removing /cluster/apiServer/admissionControl drops the admission
    # configuration Talos generates by default (in stock configs that is the
    # PodSecurity plugin with baseline enforcement — confirm for this
    # version), so nothing enforces Pod Security Standards unless it is
    # re-added here or applied in-cluster.
    - |-
      - op: remove
        path: /cluster/apiServer/admissionControl

    # Enable K8s Talos API Access
    # Workloads in the system-upgrade namespace can obtain Talos API
    # credentials carrying os:admin, i.e. full machine control on every
    # node. Anything able to create pods in that namespace inherits this.
    - |-
      machine:
        features:
          kubernetesTalosAPIAccess:
            enabled: true
            allowedRoles:
              - os:admin
            allowedKubernetesNamespaces:
              - system-upgrade

    # Kubelet configuration
    # - rotate-server-certificates makes the kubelet request its serving
    #   cert via CSR; those CSRs need an approver in the cluster or the
    #   kubelet keeps a self-signed cert — confirm one is deployed.
    # - maxPods 150 raises the kubelet default of 110.
    # - extraMounts makes /var/openebs/keys visible (rw, rshared) inside the
    #   kubelet's mount namespace so hostPath volumes under it work;
    #   presumably for OpenEBS — confirm against the storage deployment.
    - |-
      machine:
        kubelet:
          defaultRuntimeSeccompProfileEnabled: true
          extraArgs:
            rotate-server-certificates: "true"
          extraConfig:
            maxPods: 150
          nodeIP:
            validSubnets:
                - 10.1.1.0/24
          extraMounts:
            - destination: /var/openebs/keys
              options:
                - bind
                - rshared
                - rw
              source: /var/openebs/keys
              type: bind

    # Custom sysctls
    # inotify limits raised for watch-heavy workloads; rmem/wmem_max raised
    # to the socket-buffer size QUIC stacks typically ask for. Values are
    # strings because machine.sysctls is a string map.
    - |-
      machine:
        sysctls:
          fs.inotify.max_queued_events: "65536"
          fs.inotify.max_user_instances: "8192"
          fs.inotify.max_user_watches: "524288"
          net.core.rmem_max: "2500000"
          net.core.wmem_max: "2500000"