---
# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json
clusterName: homelab
talosVersion: v1.7.1
kubernetesVersion: 1.30.0
endpoint: "https://10.1.1.57:6443"
additionalApiServerCertSans:
- 10.1.1.57
additionalMachineCertSans:
- 10.1.1.57
nodes:
- hostname: shadowfax
disableSearchDomain: true
ipAddress: 10.1.1.61
controlPlane: true
installDiskSelector:
busPath: /pci0000:20/0000:20:01.2/0000:2c:00.0/nvme/nvme4/nvme4n1
networkInterfaces:
- interface: enp37s0f1
dhcp: true
- interface: enp37s0f0
dhcp: false
kernelModules:
- name: nvidia
- name: nvidia_uvm
- name: nvidia_drm
- name: nvidia_modeset
schematic:
customization:
systemExtensions:
officialExtensions:
- siderolabs/amd-ucode
- siderolabs/nonfree-kmod-nvidia
- siderolabs/nvidia-container-toolkit
- siderolabs/zfs
patches:
- |-
machine:
sysctls:
net.core.bpf_jit_harden: 1
controlPlane:
patches:
# Disable search domain everywhere
- |-
machine:
network:
disableSearchDomain: true
# Force nameserver
- |-
machine:
network:
nameservers:
- 10.1.1.1
# Configure NTP
- |-
machine:
time:
disabled: false
servers:
- 10.1.1.1
# Enable KubePrism
- |-
machine:
features:
kubePrism:
enabled: true
port: 7445
# Cluster configuration
- |-
cluster:
allowSchedulingOnMasters: true
proxy:
disabled: true
network:
cni:
name: none
controllerManager:
extraArgs:
bind-address: 0.0.0.0
etcd:
extraArgs:
listen-metrics-urls: http://0.0.0.0:2381
scheduler:
extraArgs:
bind-address: 0.0.0.0
# ETCD configuration
- |-
cluster:
etcd:
advertisedSubnets:
- 10.1.1.0/24
# Configure containerd
- |-
machine:
files:
- op: create
path: /etc/cri/conf.d/20-customization.part
content: |
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
enable_unprivileged_ports = true
enable_unprivileged_icmp = true
[plugins."io.containerd.grpc.v1.cri".containerd]
discard_unpacked_layers = false
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
discard_unpacked_layers = false
# Disable default API server admission plugins.
- |-
- op: remove
path: /cluster/apiServer/admissionControl
# Enable K8s Talos API Access
- |-
machine:
features:
kubernetesTalosAPIAccess:
enabled: true
allowedRoles:
- os:admin
allowedKubernetesNamespaces:
- system-upgrade
# Kubelet configuration
- |-
machine:
kubelet:
defaultRuntimeSeccompProfileEnabled: true
extraArgs:
rotate-server-certificates: "true"
extraConfig:
maxPods: 150
nodeIP:
validSubnets:
- 10.1.1.0/24
extraMounts:
- destination: /var/openebs/keys
options:
- bind
- rshared
- rw
source: /var/openebs/keys
type: bind
# Custom sysctls
- |-
machine:
sysctls:
fs.inotify.max_queued_events: "65536"
fs.inotify.max_user_instances: "8192"
fs.inotify.max_user_watches: "524288"
net.core.rmem_max: "2500000"
net.core.wmem_max: "2500000"