--- # yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json clusterName: theshire # renovate: datasource=github-releases depName=siderolabs/talos talosVersion: v1.9.0 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet kubernetesVersion: 1.31.4 endpoint: "https://10.1.1.57:6444" additionalApiServerCertSans: - 10.1.1.57 additionalMachineCertSans: - 10.1.1.57 nodes: - hostname: bilbo disableSearchDomain: true ipAddress: 10.1.1.62 controlPlane: true installDiskSelector: wwid: naa.55cd2e4150654449 networkInterfaces: - interface: eno1 dhcp: true schematic: customization: systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode - hostname: frodo disableSearchDomain: true ipAddress: 10.1.1.63 controlPlane: true installDiskSelector: wwid: naa.55cd2e4150650b54 networkInterfaces: - interface: eno1 dhcp: true schematic: customization: systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode - hostname: sam disableSearchDomain: true ipAddress: 10.1.1.64 controlPlane: true installDiskSelector: wwid: naa.55cd2e41521a8480 networkInterfaces: - interface: eno1 dhcp: true schematic: customization: systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode - hostname: pippin disableSearchDomain: true ipAddress: 10.1.1.65 controlPlane: false installDiskSelector: wwid: naa.55cd2e4150155dbf networkInterfaces: - interface: eno1 dhcp: true schematic: customization: systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode - hostname: merry disableSearchDomain: true ipAddress: 10.1.1.66 controlPlane: false installDiskSelector: wwid: eui.0025385381b04243 networkInterfaces: - interface: eno1 dhcp: true patches: - |- machine: sysctls: net.core.bpf_jit_harden: 1 kernelModules: - name: nvidia - name: nvidia_uvm - name: nvidia_drm - name: nvidia_modeset schematic: customization: systemExtensions: officialExtensions: - siderolabs/amd-ucode - siderolabs/nonfree-kmod-nvidia-production - siderolabs/nvidia-container-toolkit-production - hostname: rosie disableSearchDomain: true ipAddress: 10.1.1.67 controlPlane: false installDiskSelector: wwid: naa.55cd2e4150a6183a networkInterfaces: - interface: eno1 dhcp: true schematic: customization: systemExtensions: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode worker: schematic: customization: extraKernelArgs: - net.ifnames=1 patches: # hugepages - &hugepages |- machine: sysctls: vm.nr_hugepages: "1024" # Kubelet local mount - &kubelet_extra_mounts |- machine: kubelet: extraMounts: - destination: /var/openebs/local type: bind source: /var/openebs/local options: - bind - rshared - rw # Configure containerd - &containerd |- machine: files: - op: create path: /etc/cri/conf.d/20-customization.part content: | [plugins] [plugins."io.containerd.grpc.v1.cri"] enable_unprivileged_ports = true enable_unprivileged_icmp = true [plugins."io.containerd.grpc.v1.cri".containerd] discard_unpacked_layers = false [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] discard_unpacked_layers = false # Kubelet configuration - &kubeletConf |- machine: kubelet: defaultRuntimeSeccompProfileEnabled: true extraArgs: rotate-server-certificates: "true" extraConfig: maxPods: 150 nodeIP: validSubnets: - 10.1.1.0/24 - &sysctls |- machine: sysctls: fs.inotify.max_queued_events: "65536" fs.inotify.max_user_instances: "8192" fs.inotify.max_user_watches: "524288" net.core.rmem_max: "7500000" net.core.wmem_max: "7500000" - &nfsMountOptions |- machine: files: - op: overwrite path: /etc/nfsmount.conf permissions: 0o644 content: | [ NFSMount_Global_Options ] nfsvers=4.1 hard=True noatime=True nodiratime=True rsize=131072 wsize=131072 nconnect=8 - &hostDNS |- machine: features: hostDNS: enabled: true resolveMemberNames: true forwardKubeDNSToHost: false - &searchDomain |- machine: network: disableSearchDomain: true - &nameservers |- machine: network: nameservers: - 10.1.1.1 controlPlane: schematic: customization: extraKernelArgs: - net.ifnames=1 patches: # hugepages - *hugepages # Kubelet local mount - *kubelet_extra_mounts # Disable search domain everywhere - *searchDomain # Force nameserver - *nameservers # Configure NTP - |- machine: time: disabled: false servers: - time.cloudflare.com # hostDNS configuration - *hostDNS # coreDNS configuration - |- cluster: coreDNS: disabled: true # Cluster configuration - |- cluster: allowSchedulingOnMasters: true proxy: disabled: true network: cni: name: none controllerManager: extraArgs: bind-address: 0.0.0.0 etcd: extraArgs: listen-metrics-urls: http://0.0.0.0:2381 scheduler: extraArgs: bind-address: 0.0.0.0 # ETCD configuration - |- cluster: etcd: advertisedSubnets: - 10.1.1.0/24 # Configure containerd - *containerd # Disable default API server admission plugins. - |- - op: remove path: /cluster/apiServer/admissionControl # Enable K8s Talos API Access - |- machine: features: kubernetesTalosAPIAccess: enabled: true allowedRoles: - os:admin allowedKubernetesNamespaces: - system-upgrade # Kubelet configuration - *kubeletConf # Custom sysctls - *sysctls # Configure nfs mount options - *nfsMountOptions