---
# yaml-language-server: $schema=https://ks.hsn.dev/talhelper-schema.json
clusterName: homelab

talosVersion: v1.8.0-alpha.1
kubernetesVersion: 1.30.2
endpoint: "https://${clusterEndpointIP}:6443"

additionalApiServerCertSans: &san
  - ${clusterEndpointIP}
  - "127.0.0.1" # KubePrism

additionalMachineCertSans: *san

nodes:
  - hostname: shadowfax
    disableSearchDomain: true
    ipAddress: 10.1.1.61
    controlPlane: true
    installDiskSelector:
      busPath: /pci0000:20/0000:20:01.2/0000:2c:00.0/nvme/nvme4/nvme4n1
    machineDisks:
      - device: /dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C
        partitions:
          - mountpoint: /var/mnt/nvme1
    networkInterfaces:
      - interface: bond0
        dhcp: true
        bond:
          mode: 802.3ad
          xmitHashPolicy: layer3+4
          lacpRate: fast
          miimon: 100
          deviceSelectors:
            - hardwareAddr: 04:42:1a:ef:35:74
              driver: ixgbe
            - hardwareAddr: 04:42:1a:ef:35:75
              driver: ixgbe
        vlans:
          - &vlan-iot
            vlanId: 30
            mtu: 1500
            dhcp: true
            dhcpOptions:
              routeMetric: 4096
    kernelModules:
      - name: nvidia
      - name: nvidia_uvm
      - name: nvidia_drm
      - name: nvidia_modeset
    schematic:
      customization:
        systemExtensions:
          officialExtensions:
            - siderolabs/amd-ucode
            - siderolabs/nonfree-kmod-nvidia
            - siderolabs/nvidia-container-toolkit
            # Need talos 1.8 for nvidia and zfs to coexist
            # https://github.com/siderolabs/extensions/issues/380
            - siderolabs/zfs

    patches:
      - |-
        machine:
          sysctls:
            net.core.bpf_jit_harden: 1
            vm.nr_hugepages: "1024"
      - &kubelet_extra_mounts |-
        machine:
          kubelet:
            extraMounts:
              - destination: /var/mnt/nvme1
                type: bind
                source: /var/mnt/nvme1
                options:
                  - rbind
                  - rshared
                  - rw
      # disables new feature that forwards kube-dns to host-dns 10.96.0.10 --> 10.96.0.9
      - |-
        machine:
          features:
            hostDNS:
              enabled: true
              forwardKubeDNSToHost: false

controlPlane:
  patches:
     # Disable search domain everywhere
    - |-
      machine:
        network:
          disableSearchDomain: true

    # Force nameserver
    - |-
      machine:
        network:
          nameservers:
            - 10.1.1.1

    # Configure NTP
    - |-
      machine:
        time:
          disabled: false
          servers:
            - 10.1.1.1

    # Enable KubePrism
    - |-
      machine:
        features:
          kubePrism:
            enabled: true
            port: 7445

    # Cluster configuration
    - |-
      cluster:
        allowSchedulingOnMasters: true
        proxy:
          disabled: true
        network:
          cni:
            name: none
        controllerManager:
          extraArgs:
            bind-address: 0.0.0.0
        etcd:
          extraArgs:
            listen-metrics-urls: http://0.0.0.0:2381
        scheduler:
          extraArgs:
            bind-address: 0.0.0.0

    # ETCD configuration
    - |-
      cluster:
        etcd:
          advertisedSubnets:
            - 10.1.1.0/24

    # Disable default API server admission plugins.
    - |-
      - op: remove
        path: /cluster/apiServer/admissionControl

    # Enable K8s Talos API Access
    - |-
      machine:
        features:
          kubernetesTalosAPIAccess:
            enabled: true
            allowedRoles:
              - os:admin
            allowedKubernetesNamespaces:
              - system-upgrade

    # Kubelet configuration
    - |-
      machine:
        kubelet:
          defaultRuntimeSeccompProfileEnabled: true
          extraArgs:
            rotate-server-certificates: "true"
          extraConfig:
            maxPods: 150
          nodeIP:
            validSubnets:
                - 10.1.1.0/24
          extraMounts:
            - destination: /var/openebs/keys
              type: bind
              source: /var/openebs/keys
              options:
                - bind
                - rshared
                - rw
            - destination: /var/openebs/local
              type: bind
              source: /var/openebs/local
              options:
                - bind
                - rshared
                - rw

    # Custom sysctls
    - |-
      machine:
        sysctls:
          fs.inotify.max_queued_events: "65536"
          fs.inotify.max_user_instances: "8192"
          fs.inotify.max_user_watches: "524288"
          net.core.rmem_max: "2500000"
          net.core.wmem_max: "2500000"

    # Configure nfs mount options
    - |
      machine:
        files:
          - op: overwrite
            path: /etc/nfsmount.conf
            permissions: 0o644
            content: |
              [ NFSMount_Global_Options ]
              nfsvers=4.1
              hard=True
              noatime=True
              nodiratime=True
              rsize=131072
              wsize=131072
              nconnect=8