### Using `direnv`

The team maintains an `.envrc.sample` file (see [direnv](https://direnv.net/)), that contributors may choose to copy or symlink to their local `.envrc` file.

This provides some basic tooling and setup that is common to the team.

For example, if `nix` is installed, the `flake.nix` and `rust-toolchain.toml` files are automatically watched for updates.

_NOTE: It's suggested you don't use `source_env .envrc.sample` in your `.envrc` as [`direnv`'s security checks](https://direnv.net/man/direnv-stdlib.1.html#codesourceenv-ltfileordirpathgtcode) aren't triggered when changes are made to `.envrc.sample`._

## Using `direnv`

The team maintains an `.envrc.sample` file (see [direnv](https://direnv.net/)), that contributors may choose to copy or symlink to their local `.envrc` file.

This provides some basic tooling and setup that is common to the team.

For example, if `nix` is installed, the `flake.nix` and `rust-toolchain.toml` files are automatically watched for updates.

_NOTE: It's suggested you don't use `source_env .envrc.sample` in your `.envrc` as [`direnv`'s security checks](https://direnv.net/man/direnv-stdlib.1.html#codesourceenv-ltfileordirpathgtcode) aren't triggered when changes are made to `.envrc.sample`._

version: v1alpha1 # Indicates the schema used to decode the contents.

debug: false # Enable verbose logging to the console.

persist: true

# Provides machine specific configuration options.

machine:

    type: controlplane # Defines the role of the machine within the cluster.

    token: uc4s92.610xj5xbpqz7wpx1 # The `token` is used by a machine to join the PKI of the cluster.

    # The root certificate authority of the PKI.

    ca:

        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFxQmZpMEEvTndNQ0g2bEdzNzNHeTJNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5qQTBNakV4TVRJNU16ZGFGdzB6TmpBME1UZ3hNVEk1TXpkYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBNjdGdzNVMGk3VndVOURQeGZFbUJFQmh3VjFhdGZ1VG15Y1NCCitZUm10NDJqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVbzU4VC9hL1BoYnpUSWduTApEWndHT3YyQU5Da3dCUVlESzJWd0EwRUFnUTltdzZvS1VwYWY2NmxxYk9WbVpNbjU2VzVzMmtTUnY3cjNUM1hlCjV5N1YyeVVqYW0vazlEOXFZbmVjNnBnNUF3NUZ1cTR4YURVT0JFOU5xYnY5Q1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQUtrTkxQZURYY20wRUl0SWowL242V3RJcklUcFd6bGlGcHJLR3hrL015SAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K

    # Extra certificate subject alternative names for the machine's certificate.

    certSANs: []

    #   # Uncomment this to enable SANs.

    #   - 10.0.0.10

    #   - 172.16.0.10

    #   - 192.168.0.10

    # Used to provide additional options to the kubelet.

    kubelet:

        image: ghcr.io/siderolabs/kubelet:v1.35.0 # The `image` field is an optional reference to an alternative kubelet image.

        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.

        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.

        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.

        # clusterDNS:

        #     - 10.96.0.10

        #     - 169.254.2.53

        # # The `extraArgs` field is used to provide additional flags to the kubelet.

        # extraArgs:

        #     key: value

        # # The `extraMounts` field is used to add additional mounts to the kubelet container.

        # extraMounts:

        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.

        #       type: bind # Type specifies the mount kind.

        #       source: /var/lib/example # Source specifies the source path of the mount.

        #       # Options are fstab style mount options.

        #       options:

        #         - bind

        #         - rshared

        #         - rw

        # # The `extraConfig` field is used to provide kubelet configuration overrides.

        # extraConfig:

        #     serverTLSBootstrap: true

        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.

        # credentialProviderConfig:

        #     apiVersion: kubelet.config.k8s.io/v1

        #     kind: CredentialProviderConfig

        #     providers:

        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1

        #           defaultCacheDuration: 12h

        #           matchImages:

        #             - '*.dkr.ecr.*.amazonaws.com'

        #             - '*.dkr.ecr.*.amazonaws.com.cn'

        #             - '*.dkr.ecr-fips.*.amazonaws.com'

        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'

        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'

        #           name: ecr-credential-provider

        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.

        # nodeIP:

        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.

        #     validSubnets:

        #         - 10.0.0.0/8

        #         - '!10.0.0.3/32'

        #         - fdc7::/16

    # Provides machine specific network configuration options.

    network: {}

    # # Configures KubeSpan feature.

    # kubespan:

    #     enabled: true # Enable the KubeSpan feature.

    # Used to provide instructions for installations.

    install:

        disk: /dev/vda # The disk used for installations.

        image: factory.talos.dev/metal-installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:v1.12.4 # Allows for supplying the image used to perform the installation.

        wipe: false # Indicates if the installation disk should be wiped at installation time.

        grubUseUKICmdline: true # Indicates if legacy GRUB bootloader should use kernel cmdline from the UKI instead of building it on the host.

        # # Look up disk using disk attributes like model, size, serial and others.

        # diskSelector:

        #     size: 4GB # Disk size.

        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.

        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

    # Used to configure the machine's sysctls.

    sysctls:

        kernel.kexec_load_disabled: "1"

    # Features describe individual Talos features that can be switched on or off.

    features:

        diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.

        # KubePrism - local proxy/load balancer on defined port that will distribute

        kubePrism:

            enabled: true # Enable KubePrism support - will start local load balancing proxy.

            port: 7445 # KubePrism port.

        # Configures host DNS caching resolver.

        hostDNS:

            enabled: true # Enable host DNS caching resolver.

            forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.

        # # Configure Talos API access from Kubernetes pods.

        # kubernetesTalosAPIAccess:

        #     enabled: true # Enable Talos API access from Kubernetes pods.

        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.

        #     allowedRoles:

        #         - os:reader

        #     # The list of Kubernetes namespaces Talos API access is available from.

        #     allowedKubernetesNamespaces:

        #         - kube-system

    # Configures the node labels for the machine.

    nodeLabels:

        node.kubernetes.io/exclude-from-external-load-balancers: ""

    # # Provides machine specific control plane configuration options.

    # # ControlPlane definition example.

    # controlPlane:

    #     # Controller manager machine specific configuration options.

    #     controllerManager:

    #         disabled: false # Disable kube-controller-manager on the node.

    #     # Scheduler machine specific configuration options.

    #     scheduler:

    #         disabled: true # Disable kube-scheduler on the node.

    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.

    # # nginx static pod.

    # pods:

    #     - apiVersion: v1

    #       kind: pod

    #       metadata:

    #         name: nginx

    #       spec:

    #         containers:

    #             - image: nginx

    #               name: nginx

    # # Allows the addition of user specified files.

    # # MachineFiles usage example.

    # files:

    #     - content: '...' # The contents of the file.

    #       permissions: 0o666 # The file's permissions in octal.

    #       path: /tmp/file.txt # The path of the file.

    #       op: append # The operation to use

    # # The `env` field allows for the addition of environment variables.

    # # Environment variables definition examples.

    # env:

    #     GRPC_GO_LOG_SEVERITY_LEVEL: info

    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"

    #     https_proxy: http://SERVER:PORT/

    # env:

    #     GRPC_GO_LOG_SEVERITY_LEVEL: error

    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/

    # env:

    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/

    # # Used to configure the machine's sysfs.

    # # MachineSysfs usage example.

    # sysfs:

    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance

    # # Configures the udev system.

    # udev:

    #     # List of udev rules to apply to the udev system

    #     rules:

    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"

    # # Configures the logging system.

    # logging:

    #     # Logging destination.

    #     destinations:

    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".

    #           format: json_lines # Logs format.

    # # Configures the kernel.

    # kernel:

    #     # Kernel modules to load.

    #     modules:

    #         - name: btrfs # Module name.

    # # Configures the seccomp profiles for the machine.

    # seccompProfiles:

    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.

    #       # The `value` field is used to provide the seccomp profile.

    #       value:

    #         defaultAction: SCMP_ACT_LOG

    # # Override (patch) settings in the default OCI runtime spec for CRI containers.

    # # override default open file limit

    # baseRuntimeSpecOverrides:

    #     process:

    #         rlimits:

    #             - hard: 1024

    #               soft: 1024

    #               type: RLIMIT_NOFILE

    # # Configures the node annotations for the machine.

    # # node annotations example.

    # nodeAnnotations:

    #     customer.io/rack: r13a25

    # # Configures the node taints for the machine. Effect is optional.

    # # node taints example.

    # nodeTaints:

    #     exampleTaint: exampleTaintValue:NoSchedule

# Provides cluster specific configuration options.

cluster:

    id: zExcuoVPe_mZbTzLcF5RRCkRc1FPvWM_MNB_E2BrveE= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).

    secret: dS92BC2f2OPNNB8XJ1mrBqAPeTKmYl/iQS6lBipIXO4= # Shared secret of cluster (base64 encoded random 32 bytes).

    # Provides control plane specific configuration options.

    controlPlane:

        endpoint: https://10.5.0.1:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.

    clusterName: radicle-qemu # Configures the cluster's name.

    # Provides cluster specific network configuration options.

    network:

        dnsDomain: cluster.local # The domain used by Kubernetes DNS.

        # The pod subnet CIDR.

        podSubnets:

            - 10.244.0.0/16

        # The service subnet CIDR.

        serviceSubnets:

            - 10.96.0.0/12

        # # The CNI used.

        # cni:

        #     name: custom # Name of CNI to use.

        #     # URLs containing manifests to apply for the CNI.

        #     urls:

        #         - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml

    token: e4p5sv.fb918204kbiyv3wp # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.

    secretboxEncryptionSecret: DtFj3gWDG1QcW8KQIhlQ6KtqtunugmMrOtneYaDNhoE= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

    # The base64 encoded root certificate authority used by Kubernetes.

    ca:

        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVRDZ0F3SUJBZ0lSQUxvMVFwZDZkN1pqSnpsak1oRHQwZEl3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOakEwTWpFeE1USTVNemRhRncwek5qQTBNVGd4TVRJNQpNemRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVJ3TmlpQldQRVZMUkhoK3V4SGRzWkQveEhoSjhwSnpQZjY3RDF2ZE1IU3VFUGtkelVWeWFKM21RNVUKRGJRcGVhaHZvNGtXMktHeUJUanlIUkM3bnRQNG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGUGxlYS9NZlVobk5uSit0aG1PU2hoWElDMGlZTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSUdoWWcvMG0KQUsxdm1OQXFzS3QrZ3FyZlZQbjlWTGRBUUtQYWxpVVNqd01UQWlBUHU2UUdqbjF4ZGZhcXFIOGNmajZOY1V1OQpybDRvazNBY2Z2VmlydDErYWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU85NE5tTzlCK3BPRVNPSnYwQTJEWEQ2WUljYkp1Y2F0ODNzUWxLaDZDWHNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFY0RZb2dWanhGUzBSNGZyc1IzYkdRLzhSNFNmS1NjejMrdXc5YjNUQjByaEQ1SGMxRmNtaQpkNWtPVkEyMEtYbW9iNk9KRnRpaHNnVTQ4aDBRdTU3VCtBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=

    # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.

    aggregatorCA:

        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYakNDQVFXZ0F3SUJBZ0lRUHh3K1pwL0VlUEQyanVKTEIwTno1VEFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJMk1EUXlNVEV4TWprek4xb1hEVE0yTURReE9ERXhNamt6TjFvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCTUhyaUdrTlloR1djUUZpcGRZWHBkU0p0OHhWdGpNUG8wVUsvVFRGOFNXSHp4YURZN1NoCnZndGh0ZHovVHkyNTA3TnpaZi9tWFZwVzNvMDQ0WHRuUFFhallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVVEdnlHNU16dXRIbVU4K2p3S01oM0V4TEM0RGN3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnCmJuR29KdCtMR3c2YjQ1KzBlNWZZWVBSVnYvS2paSXVzTXpwQ3VKUGhKczhDSUd1S1FYVzEyWWozYU1mRUJVdkQKbGhaUi92c3Awd09kdTB5N3R3VnpBYy9LCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUg3cy9ESVFmbmpNNUlONDBINFZqd3RldEluUnRGcWRrczBCMmJsWFE4aGdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFd2V1SWFRMWlFWlp4QVdLbDFoZWwxSW0zekZXMk13K2pSUXI5Tk1YeEpZZlBGb05qdEtHKwpDMkcxM1A5UExiblRzM05sLytaZFdsYmVqVGpoZTJjOUJnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=

    # The base64 encoded private key for service account token generation.

    serviceAccount:

        key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBcXRaeEdSRzN4OHZTdW1zTlA0NldsaldydTU1NFovUzRPOUhOOVhtZ1BXRTFCdmgrCm4xL2lqcGNVUmRoalhFUzhWK2VpZXdVRnVEd2w4Y1FBUlNaK0JtLzl4WXZDd25TU0lGbUw2VEROQ0RxZnQ0SkMKbzJGeTVBc1pNZDdUNjhsTVlMV0NJZXdBMkFnekgwTGtpaThVODJYditOK0VJRkFJbXk0Q2dCRitZYzFiUDlpWgpjRFlnMnJYQkUyck1rRURwNkFqRStoRStSckNMenFHZHZTOXBZTk1wcTB2anBtazROaFkzd0pDVFpoZnQwdDBxCnM3TWR1djhyUnVQVkFSbEdSNXhWZ01oR2hJSityUnRxdCt2ZzBCOFlTb2dNOGRpRGU2c2xZbDFWTlV6NnRuUXgKN2JYaURiam9Ydkw4Z3VyUUJSQndtdk1kSGdEWGZlL0Z3aHZlczBodkVyNVEyV2hPaGVNVkJpRStmV1Z6UGZxZworZC8vUnlxdjY0TmtJVGtjTktzZjhZczRnVWlZODZtVitYek9tbzVBcHFwT0NaV3RSaGFjV0diK285clcycTVSCk9mSXhPSk1BN29VMUM1d2lOMkdaWmpjbXFQdFhsR243UU50a1R2TmZvUDRMeU9YUnE3ZUZuVnJKSmJiSjJDdkkKOFpISVJ6MWFqYUcvZk9CcW53dXprVHU3ZXg4TDhIZVlvN2lNSXk3VEJMazlzNkVBcnJYOVBpNjZTZmFjeHJlagpkS2oyOVlMQW15UkZvVDBFUmlPb0QwT05IbVJ0aVRZbUpXVG9NWnFteWR6Qi9DQmZjQkNkajlOVmVQRldudWU3CllOSEhMMStwakJmRCtPV2ZZUFluZHd5YTR1ak1KanNjTlppU1R5d0xDZ3Z3aUJzeXFqbFo1bzAwWEVrQ0F3RUEKQVFLQ0FnQU5XTE45UWVVWnR0Sy92WjFMV2RocDQ4ZUc0TnFIUkpjZ0ZVUUI2WDZiVFB6WGpwSlY0U2ZSKy91WgplVTVKNXhUUHlVam9VM3dlNkpRT1QwRzJKVXV6TlF5ZVlrelU1RWFHUUhpdHZ5SkZnazc0QnpVdGptOXJZWEtXCmN0SWJtWjVkNzlBNjFqVTZxMmxUQitiUzVOcStLVGlXT09BWnBpY0YrSkk1YnlSd2Y1cWhZa3FhZWFBWGRodWYKYUxpU2pIKzVvUFhDazVaSjc0RDhvNk92SkFVWGkyZTEramZPeUdtYjBDQ0s2c0NaT1VWYk0rd2lIZHcwdjdxaAp6eXJVNnlTU2M2UTZhMnNXN3hyMmF5M3JNSUpmd0E0bHhIcythYXZiL1lMdUxGeDd6WWZJdVVzdFJ3aGlDaEFkCld0NWZXL2prYkdSZnRwNlB1WUVjVlo4ZGl3L2EwUjhHVGhrcVBKWVAxMTlEeCs0VGxTN3E4a3pEK3ZOU2hrZEMKWFRML09XVVJOSFRVMWZkckY0eUE1Unl3ZjBlUG9OeldYRWdwc1h5YnJ0SUtydFk4Zk1Fb3F4ancvRXM5ZEJHVgowOGFHV1pZQ1JXV3ZkbUlaeDZWQlk0Q2RtaFBxT00ybi8zelh4M3AyYmpxeEtXMjlaZzE1ZzRQcDh3dFhPaThjCjBaVURQbXg2cEQ2MWxBYzlhOTZSNFJKdzJ6Q04vQWlXV1U5RytEVVhVWmo3d1JzZytVN2doREtzamplUHIwSGgKMEh5NXpLK284ejk3aUtiMWFqa3I5UzRseExvMSs1Q2dmU1R1R3BoT2NxNkxIbzFObmhEUCtNaURnVjI4K2V1bwptSk9GZHR2TUpqT3dQL0llcUtjVFUrMDR5Yzk4dlViazBXT0NxODAyVkVjZ2dhVUFBUUtDQVFFQXpPemxPeVVHCkxHU1RzWk5UNFNMdkRzdk1maU5oUHNZWWg5cmpBNFM0YXNVYTkvNFBJVnNCN2wxRkNMYXFGenRENEhJcmd6MjMKN1FxUjd3cDhQeEM1ak90eWJYdzFPWW5TQ2NLMGVzbi9GQTRYS3JuUVZQZ0J0SmVzZ0pwdWJuTE8wSzIzTGhYLwp4V1ZkYTNJelVUQUhLYWtZWWY0NkFzWm9mVWFzQmtxOHlTMFBsbFlPM29CemRSY0c3eUJ3UnpVeENrcnlyeFNVCkRIZE5BVFFhNDYvVGczNEFYQnZ1eWE5bzN0R2tkRHRLZlRQeEx1WkdHMFhVWFNOT2RteDBQZkl3dkk2MHJwQ24KdjZUZzM0czZZaDdnWXB3MTdLVzlxbnUwZUczOTViamRyVkpLVDJHWHk3bS9nZDFCaGwwbFl1SHN5UXJ1SVdjMAoxWXBxdEVnTWp0MEt1UUtDQVFFQTFXcWJRWmtDSlgrNWhZMGpmWjFoWUNFSmJPZXVwTnUxV3lTWjRHZVdsaUFyCm42RnJlVUNsQVEybzhwZlVaZmorUWZ1NFMvQUZMUjdZWWhWaWd4VlpXdFpXQ2xvRHFOZTJraGRVK1FBa2hxa2kKQzBhSzRVM1lZNWtOMzYyUkYwUjhUTE41SjdmU2dyWUNxWjZsQ0EyVDlpOHJ2UjdZQXI0b0V2WHVYMTFQSG5STwpuMHczMDhvb1R2VUdXZHFCS1VUakhRREFXRWVDWis4Qlh5dXJsckpiMCsxN3pjVVYwOStuZjlybytCMEdSMWRBCkFydy9KbzNKSzF4U0NBVWxBaWwzeDEwVWZldjNtZ0liY1RqWC9NckpsczZDR2R3NUR6dVFIczBIbFhBQkdkYUoKd0dHTXEvWUNFRDhZSitzNlFoTkJ2NTVuZ0lVZlRuYUtwVEpwamhEV0VRS0NBUUFSejRVYzN0cnFnTk5WVzdpdQptSnF1Ym9nWGJudkZPUEpvM0YxZXNPcFdYVXM2d3BvT0RCcmUzTHhqUlgwREIrT2VYazNwMmpOaUpza0lQYUVPCjJpVkdXakJYMDdQTWpHMzA2emRFZE1uMnRFTFBNOWNuaTJhYWk1UXltVGwvMy9xWnFIK0RRZVk1QWRaY3dGQTEKZmpjaEo5RTJzeUhYbStiNC9HdDNJSWZIOUdLbWJsUmNnazJHbjdtNmp0Y3pXU3dwK05tZTNlc0FLbDVHL0lCWgp5YTVZZjFzSXBtVGFvcVE2dVgzUm5GV2REQ2FxTE5sckJXYXZzYUhnS1F6eFZWdG5DQUFzSytab2dhd0p3ZEFSCk54M0pkRW83aHl3MDVRdUtiQVRsTW13UjVGVVJFU3BnU29TYWhPQnREU3R5ckxBbnlRdHBXODc3d0V3RjN6MDQKTFg0QkFvSUJBRG1NTGFGYXFRR0RsM3N6dThZN2tlNWgrakNycUtRN3VvT0JNeDBYMGJ0Wm9XbkNGVUQwOVlsNwpMWHQ5QllFWnl6WHZzcHFIZGwzY1cyelhaMkVCZUw3TjNSV2RnQzhmTzlQWkJzaStDUnRtc0E5cVRqakN6UDdPClhyZGFEaTNBQWVTTTRMYWRFdDY4UmF1SFkrandBRjM2Q2tsTTcrS05kRERvc0FaM0dzYVRoai9lUlkrT2k1LysKNGwrSVZCdlV2NGtxa3JNN1ZTYkJoQlV0cVc5UldRR2tvQ1cwWjFaaWtNQWhQNERvRXJGYURhQ3ZNamdyTTN2Rgp3VGo0YWlwVEZFRm1FQWlFZ0plK3liZVdKR2UrSnUzTGNibVhjS3R5M0VIeDk0R01XaitsWWkvR0hqQ2dmWjN6CjVZZWVIbStDMGMvaDN2Y0E3cGd4enVFTTN2bTRBSUVDZ2dFQWR5SlU4QmQ4TFpicmp0bUxsY0l0VkY5WFFIN0QKUU1jWWZSSDFIWnZLNWp6MkFFcGFCOTFNSEt1RDN5QVExZGZZOGF0TTU5YkMycFYwY1Y3NFRoQVFOSGg2R0IrVgp0U1c2Y29hNDRqVGF6QTlFMG9ndlU0TldRMVlIeG00cmpzc3BlTW5ielA3bWFuR3dFcEtuaXhkTmlQTWhleVJRCmhWalc5L09tN29jOEVHRzE3eEJFWjhLekVnL2QzazlMbWlRcXlSSUFpWlQ1YWVUT0FMbHBUbjdIQ1hDcnF3bU8KTnVMUXJTS2M0WkptWHJDamhncnVzR0hIc0pWaFA4L3YxcUZDS0JxR3NNdW51RHlnSG1tUjl6WmZsTEJyV29ZQwpVNWZzWUlNMWJLd1BaNGRNL09LUU1HMk1rVG0wT1Nic2lGTXZGdXRCNW1SVko0TU4zWjZERW4va3Z3PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K

    # API server specific configuration options.

    apiServer:

        image: registry.k8s.io/kube-apiserver:v1.35.0 # The container image used in the API server manifest.

        # Configure the API server admission plugins.

        admissionControl:

            - name: PodSecurity # Name is the name of the admission controller.

              # Configuration is an embedded configuration object to be used as the plugin's

              configuration:

                apiVersion: pod-security.admission.config.k8s.io/v1alpha1

                defaults:

                    audit: restricted

                    audit-version: latest

                    enforce: baseline

                    enforce-version: latest

                    warn: restricted

                    warn-version: latest

                exemptions:

                    namespaces:

                        - kube-system

                    runtimeClasses: []

                    usernames: []

                kind: PodSecurityConfiguration

        # Configure the API server audit policy.

        auditPolicy:

            apiVersion: audit.k8s.io/v1

            kind: Policy

            rules:

                - level: Metadata

        # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.

        # authorizationConfig:

        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.

        #       name: webhook # Name is used to describe the authorizer.

        #       # webhook is the configuration for the webhook authorizer.

        #       webhook:

        #         connectionInfo:

        #             type: InClusterConfig

        #         failurePolicy: Deny

        #         matchConditionSubjectAccessReviewVersion: v1

        #         matchConditions:

        #             - expression: has(request.resourceAttributes)

        #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'

        #         subjectAccessReviewVersion: v1

        #         timeout: 3s

        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.

        #       name: in-cluster-authorizer # Name is used to describe the authorizer.

        #       # webhook is the configuration for the webhook authorizer.

        #       webhook:

        #         connectionInfo:

        #             type: InClusterConfig

        #         failurePolicy: NoOpinion

        #         matchConditionSubjectAccessReviewVersion: v1

        #         subjectAccessReviewVersion: v1

        #         timeout: 3s

    # Controller manager server specific configuration options.

    controllerManager:

        image: registry.k8s.io/kube-controller-manager:v1.35.0 # The container image used in the controller manager manifest.

    # Kube-proxy server-specific configuration options

    proxy:

        image: registry.k8s.io/kube-proxy:v1.35.0 # The container image used in the kube-proxy manifest.

        # # Disable kube-proxy deployment on cluster bootstrap.

        # disabled: false

    # Scheduler server specific configuration options.

    scheduler:

        image: registry.k8s.io/kube-scheduler:v1.35.0 # The container image used in the scheduler manifest.

    # Configures cluster member discovery.

    discovery:

        enabled: true # Enable the cluster membership discovery feature.

        # Configure registries used for cluster member discovery.

        registries:

            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information

            kubernetes:

                disabled: true # Disable Kubernetes discovery registry.

            # Service registry is using an external service to push and pull information about cluster members.

            service: {}

            # # External service endpoint.

            # endpoint: https://discovery.talos.dev/

    # Etcd specific configuration options.

    etcd:

        # The `ca` is the root certificate authority of the PKI.

        ca:

            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmRENDQVNPZ0F3SUJBZ0lRZDArb3RFd0dWUUpyRFgvd1U2L05UREFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkyTURReU1URXhNamt6TjFvWERUTTJNRFF4T0RFeE1qa3pOMW93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQklDbFl5azMycG9VCjF6alBqNWl5eWJHKzMrckt3YS81WmRUNVVGNjhIMjAzODJ5Sk81Z1hvMm83MUNUZ2E4SERmUktMRVpmQWdIa1UKZWN5YTJWdHRXZ0dqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVQmVQOGtGQUk3cGNFCjNrNkN5ckpJcDZaa0dRTXdDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdMWm53bVM3MFdieGNzb1YyMUNONENkT3YKUWp3VE1mYk5hQVJBZ2M3cDNXb0NJSCtEeUxMVUZDVXFpQWRFeHRpVU9lWXFTd0VPalFBVFppRUJxbk5KN0ZMcQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhINitCOFduQUhnU2JlNUFEcXk4TkpiVUFWc2NJdGJtMTVPMXpWbkJIbDhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFZ0tWaktUZmFtaFRYT00rUG1MTEpzYjdmNnNyQnIvbGwxUGxRWHJ3ZmJUZnpiSWs3bUJlagphanZVSk9CcndjTjlFb3NSbDhDQWVSUjV6SnJaVzIxYUFRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=

        # # The container image used to create the etcd service.

        # image: registry.k8s.io/etcd:v3.6.7

        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.

        # advertisedSubnets:

        #     - 10.0.0.0/8

    # A list of urls that point to additional manifests.

    extraManifests: []

    #   - https://www.example.com/manifest1.yaml

    #   - https://www.example.com/manifest2.yaml

    # A list of inline Kubernetes manifests.

    inlineManifests: []

    #   - name: namespace-ci # Name of the manifest.

    #     contents: |- # Manifest contents as a string.

    #       apiVersion: v1

    #       kind: Namespace

    #       metadata:

    #       	name: ci

    allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.

    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

    # # Decryption secret example (do not use in production!).

    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=

    # # Core DNS specific configuration options.

    # coreDNS:

    #     image: registry.k8s.io/coredns/coredns:v1.13.2 # The `image` field is an override to the default coredns image.

    # # External cloud provider configuration.

    # externalCloudProvider:

    #     enabled: true # Enable external cloud provider.

    #     # A list of urls that point to additional manifests for an external cloud provider.

    #     manifests:

    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml

    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml

    # # A map of key value pairs that will be added while fetching the extraManifests.

    # extraManifestHeaders:

    #     Token: "1234567"

    #     X-ExtraInfo: info

    # # Settings for admin kubeconfig generation.

    # adminKubeconfig:

    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

---

apiVersion: v1alpha1

kind: HostnameConfig

auto: stable # A method to automatically generate a hostname for the machine.

# # A static hostname to set for the machine.

# hostname: controlplane1

# hostname: controlplane1.example.org

---

apiVersion: v1alpha1

kind: LinkAliasConfig

name: net0 # Alias for the link.

# Selector to match the link to alias.

selector:

    match: link.driver == "virtio_net" # The Common Expression Language (CEL) expression to match the link.

---

apiVersion: v1alpha1

kind: DHCPv4Config

name: net0 # Name of the link (interface).

# # Raw value of the DUID to use as client identifier.

# duidRaw: 00:01:00:01:23:45:67:89:ab:cd:ef:01:23:45

version: v1alpha1 # Indicates the schema used to decode the contents.

debug: false # Enable verbose logging to the console.

persist: true

# Provides machine specific configuration options.

machine:

    type: worker # Defines the role of the machine within the cluster.

    token: uc4s92.610xj5xbpqz7wpx1 # The `token` is used by a machine to join the PKI of the cluster.

    # The root certificate authority of the PKI.

    ca:

        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFxQmZpMEEvTndNQ0g2bEdzNzNHeTJNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5qQTBNakV4TVRJNU16ZGFGdzB6TmpBME1UZ3hNVEk1TXpkYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBNjdGdzNVMGk3VndVOURQeGZFbUJFQmh3VjFhdGZ1VG15Y1NCCitZUm10NDJqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVbzU4VC9hL1BoYnpUSWduTApEWndHT3YyQU5Da3dCUVlESzJWd0EwRUFnUTltdzZvS1VwYWY2NmxxYk9WbVpNbjU2VzVzMmtTUnY3cjNUM1hlCjV5N1YyeVVqYW0vazlEOXFZbmVjNnBnNUF3NUZ1cTR4YURVT0JFOU5xYnY5Q1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

        key: ""

    # Extra certificate subject alternative names for the machine's certificate.

    certSANs: []

    #   # Uncomment this to enable SANs.

    #   - 10.0.0.10

    #   - 172.16.0.10

    #   - 192.168.0.10

    # Used to provide additional options to the kubelet.

    kubelet:

        image: ghcr.io/siderolabs/kubelet:v1.35.0 # The `image` field is an optional reference to an alternative kubelet image.

        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.

        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.

        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.

        # clusterDNS:

        #     - 10.96.0.10

        #     - 169.254.2.53

        # # The `extraArgs` field is used to provide additional flags to the kubelet.

        # extraArgs:

        #     key: value

        # # The `extraMounts` field is used to add additional mounts to the kubelet container.

        # extraMounts:

        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.

        #       type: bind # Type specifies the mount kind.

        #       source: /var/lib/example # Source specifies the source path of the mount.

        #       # Options are fstab style mount options.

        #       options:

        #         - bind

        #         - rshared

        #         - rw

        # # The `extraConfig` field is used to provide kubelet configuration overrides.

        # extraConfig:

        #     serverTLSBootstrap: true

        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.

        # credentialProviderConfig:

        #     apiVersion: kubelet.config.k8s.io/v1

        #     kind: CredentialProviderConfig

        #     providers:

        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1

        #           defaultCacheDuration: 12h

        #           matchImages:

        #             - '*.dkr.ecr.*.amazonaws.com'

        #             - '*.dkr.ecr.*.amazonaws.com.cn'

        #             - '*.dkr.ecr-fips.*.amazonaws.com'

        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'

        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'

        #           name: ecr-credential-provider

        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.

        # nodeIP:

        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.

        #     validSubnets:

        #         - 10.0.0.0/8

        #         - '!10.0.0.3/32'

        #         - fdc7::/16

    # Provides machine specific network configuration options.

    network: {}

    # # Configures KubeSpan feature.

    # kubespan:

    #     enabled: true # Enable the KubeSpan feature.

    # Used to provide instructions for installations.

    install:

        disk: /dev/vda # The disk used for installations.

        image: factory.talos.dev/metal-installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:v1.12.4 # Allows for supplying the image used to perform the installation.

        wipe: false # Indicates if the installation disk should be wiped at installation time.

        grubUseUKICmdline: true # Indicates if legacy GRUB bootloader should use kernel cmdline from the UKI instead of building it on the host.

        # # Look up disk using disk attributes like model, size, serial and others.

        # diskSelector:

        #     size: 4GB # Disk size.

        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.

        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

    # Used to configure the machine's sysctls.

    sysctls:

        kernel.kexec_load_disabled: "1"

    registries: {}

    # Features describe individual Talos features that can be switched on or off.

    features:

        diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.

        # KubePrism - local proxy/load balancer on defined port that will distribute

        kubePrism:

            enabled: true # Enable KubePrism support - will start local load balancing proxy.

            port: 7445 # KubePrism port.

        # Configures host DNS caching resolver.

        hostDNS:

            enabled: true # Enable host DNS caching resolver.

            forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.

        # # Configure Talos API access from Kubernetes pods.

        # kubernetesTalosAPIAccess:

        #     enabled: true # Enable Talos API access from Kubernetes pods.

        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.

        #     allowedRoles:

        #         - os:reader

        #     # The list of Kubernetes namespaces Talos API access is available from.

        #     allowedKubernetesNamespaces:

        #         - kube-system

    # # Provides machine specific control plane configuration options.

    # # ControlPlane definition example.

    # controlPlane:

    #     # Controller manager machine specific configuration options.

    #     controllerManager:

    #         disabled: false # Disable kube-controller-manager on the node.

    #     # Scheduler machine specific configuration options.

    #     scheduler:

    #         disabled: true # Disable kube-scheduler on the node.

    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.

    # # nginx static pod.

    # pods:

    #     - apiVersion: v1

    #       kind: pod

    #       metadata:

    #         name: nginx

    #       spec:

    #         containers:

    #             - image: nginx

    #               name: nginx

    # # Allows the addition of user specified files.

    # # MachineFiles usage example.

    # files:

    #     - content: '...' # The contents of the file.

    #       permissions: 0o666 # The file's permissions in octal.

    #       path: /tmp/file.txt # The path of the file.

    #       op: append # The operation to use

    # # The `env` field allows for the addition of environment variables.

    # # Environment variables definition examples.

    # env:

    #     GRPC_GO_LOG_SEVERITY_LEVEL: info

    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"

    #     https_proxy: http://SERVER:PORT/

    # env:

    #     GRPC_GO_LOG_SEVERITY_LEVEL: error

    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/

    # env:

    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/

    # # Used to configure the machine's sysfs.

    # # MachineSysfs usage example.

    # sysfs:

    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance

    # # Configures the udev system.

    # udev:

    #     # List of udev rules to apply to the udev system

    #     rules:

    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"

    # # Configures the logging system.

    # logging:

    #     # Logging destination.

    #     destinations:

    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".

    #           format: json_lines # Logs format.

    # # Configures the kernel.

    # kernel:

    #     # Kernel modules to load.

    #     modules:

    #         - name: btrfs # Module name.

    # # Configures the seccomp profiles for the machine.

    # seccompProfiles:

    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.

    #       # The `value` field is used to provide the seccomp profile.

    #       value:

    #         defaultAction: SCMP_ACT_LOG

    # # Override (patch) settings in the default OCI runtime spec for CRI containers.

    # # override default open file limit

    # baseRuntimeSpecOverrides:

    #     process:

    #         rlimits:

    #             - hard: 1024

    #               soft: 1024

    #               type: RLIMIT_NOFILE

    # # Configures the node labels for the machine.

    # # node labels example.

    # nodeLabels:

    #     exampleLabel: exampleLabelValue

    # # Configures the node annotations for the machine.

    # # node annotations example.

    # nodeAnnotations:

    #     customer.io/rack: r13a25

    # # Configures the node taints for the machine. Effect is optional.

    # # node taints example.

    # nodeTaints:

    #     exampleTaint: exampleTaintValue:NoSchedule

# Provides cluster specific configuration options.

cluster:

    id: zExcuoVPe_mZbTzLcF5RRCkRc1FPvWM_MNB_E2BrveE= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).

    secret: dS92BC2f2OPNNB8XJ1mrBqAPeTKmYl/iQS6lBipIXO4= # Shared secret of cluster (base64 encoded random 32 bytes).

    # Provides control plane specific configuration options.

    controlPlane:

        endpoint: https://10.5.0.1:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.

    clusterName: radicle-qemu # Configures the cluster's name.

    # Provides cluster specific network configuration options.

    network:

        dnsDomain: cluster.local # The domain used by Kubernetes DNS.

        # The pod subnet CIDR.

        podSubnets:

            - 10.244.0.0/16

        # The service subnet CIDR.

        serviceSubnets:

            - 10.96.0.0/12

        # # The CNI used.

        # cni:

        #     name: custom # Name of CNI to use.

        #     # URLs containing manifests to apply for the CNI.

        #     urls:

        #         - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml

    token: e4p5sv.fb918204kbiyv3wp # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.

    # The base64 encoded root certificate authority used by Kubernetes.

    ca:

        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVRDZ0F3SUJBZ0lSQUxvMVFwZDZkN1pqSnpsak1oRHQwZEl3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOakEwTWpFeE1USTVNemRhRncwek5qQTBNVGd4TVRJNQpNemRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVJ3TmlpQldQRVZMUkhoK3V4SGRzWkQveEhoSjhwSnpQZjY3RDF2ZE1IU3VFUGtkelVWeWFKM21RNVUKRGJRcGVhaHZvNGtXMktHeUJUanlIUkM3bnRQNG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGUGxlYS9NZlVobk5uSit0aG1PU2hoWElDMGlZTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSUdoWWcvMG0KQUsxdm1OQXFzS3QrZ3FyZlZQbjlWTGRBUUtQYWxpVVNqd01UQWlBUHU2UUdqbjF4ZGZhcXFIOGNmajZOY1V1OQpybDRvazNBY2Z2VmlydDErYWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==

        key: ""

    # Configures cluster member discovery.

    discovery:

        enabled: true # Enable the cluster membership discovery feature.

        # Configure registries used for cluster member discovery.

        registries:

            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information

            kubernetes:

                disabled: true # Disable Kubernetes discovery registry.

            # Service registry is using an external service to push and pull information about cluster members.

            service: {}

            # # External service endpoint.

            # endpoint: https://discovery.talos.dev/

    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

    # # Decryption secret example (do not use in production!).

    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=

    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

    # # Decryption secret example (do not use in production!).

    # secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=

    # # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.

    # # AggregatorCA example.

    # aggregatorCA:

    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t

    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

    # # The base64 encoded private key for service account token generation.

    # # AggregatorCA example.

    # serviceAccount:

    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

    # # API server specific configuration options.

    # apiServer:

    #     image: registry.k8s.io/kube-apiserver:v1.35.0 # The container image used in the API server manifest.

    #     # Extra arguments to supply to the API server.

    #     extraArgs:

    #         feature-gates: ServerSideApply=true

    #         http2-max-streams-per-connection: "32"

    #     # Extra certificate subject alternative names for the API server's certificate.

    #     certSANs:

    #         - 1.2.3.4

    #         - 4.5.6.7

    #     # Configure the API server admission plugins.

    #     admissionControl:

    #         - name: PodSecurity # Name is the name of the admission controller.

    #           # Configuration is an embedded configuration object to be used as the plugin's

    #           configuration:

    #             apiVersion: pod-security.admission.config.k8s.io/v1alpha1

    #             defaults:

    #                 audit: restricted

    #                 audit-version: latest

    #                 enforce: baseline

    #                 enforce-version: latest

    #                 warn: restricted

    #                 warn-version: latest

    #             exemptions:

    #                 namespaces:

    #                     - kube-system

    #                 runtimeClasses: []

    #                 usernames: []

    #             kind: PodSecurityConfiguration

    #     # Configure the API server audit policy.

    #     auditPolicy:

    #         apiVersion: audit.k8s.io/v1

    #         kind: Policy

    #         rules:

    #             - level: Metadata

    #     # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.

    #     authorizationConfig:

    #         - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.

    #           name: webhook # Name is used to describe the authorizer.

    #           # webhook is the configuration for the webhook authorizer.

    #           webhook:

    #             connectionInfo:

    #                 type: InClusterConfig

    #             failurePolicy: Deny

    #             matchConditionSubjectAccessReviewVersion: v1

    #             matchConditions:

    #                 - expression: has(request.resourceAttributes)

    #                 - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'

    #             subjectAccessReviewVersion: v1

    #             timeout: 3s

    #         - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.

    #           name: in-cluster-authorizer # Name is used to describe the authorizer.

    #           # webhook is the configuration for the webhook authorizer.

    #           webhook:

    #             connectionInfo:

    #                 type: InClusterConfig

    #             failurePolicy: NoOpinion

    #             matchConditionSubjectAccessReviewVersion: v1

    #             subjectAccessReviewVersion: v1

    #             timeout: 3s

    # # Controller manager server specific configuration options.

    # controllerManager:

    #     image: registry.k8s.io/kube-controller-manager:v1.35.0 # The container image used in the controller manager manifest.

    #     # Extra arguments to supply to the controller manager.

    #     extraArgs:

    #         feature-gates: ServerSideApply=true

    # # Kube-proxy server-specific configuration options

    # proxy:

    #     disabled: false # Disable kube-proxy deployment on cluster bootstrap.

    #     image: registry.k8s.io/kube-proxy:v1.35.0 # The container image used in the kube-proxy manifest.

    #     mode: ipvs # proxy mode of kube-proxy.

    #     # Extra arguments to supply to kube-proxy.

    #     extraArgs:

    #         proxy-mode: iptables

    # # Scheduler server specific configuration options.

    # scheduler:

    #     image: registry.k8s.io/kube-scheduler:v1.35.0 # The container image used in the scheduler manifest.

    #     # Extra arguments to supply to the scheduler.

    #     extraArgs:

    #         feature-gates: AllBeta=true

    # # Etcd specific configuration options.

    # etcd:

    #     image: registry.k8s.io/etcd:v3.6.7 # The container image used to create the etcd service.

    #     # The `ca` is the root certificate authority of the PKI.

    #     ca:

    #         crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t

    #         key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

    #     # Extra arguments to supply to etcd.

    #     extraArgs:

    #         election-timeout: "5000"

    #     # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.

    #     advertisedSubnets:

    #         - 10.0.0.0/8

    # # Core DNS specific configuration options.

    # coreDNS:

    #     image: registry.k8s.io/coredns/coredns:v1.13.2 # The `image` field is an override to the default coredns image.

    # # External cloud provider configuration.

    # externalCloudProvider:

    #     enabled: true # Enable external cloud provider.

    #     # A list of urls that point to additional manifests for an external cloud provider.

    #     manifests:

    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml

    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml

    # # A list of urls that point to additional manifests.

    # extraManifests:

    #     - https://www.example.com/manifest1.yaml

    #     - https://www.example.com/manifest2.yaml

    # # A map of key value pairs that will be added while fetching the extraManifests.

    # extraManifestHeaders:

    #     Token: "1234567"

    #     X-ExtraInfo: info

    # # A list of inline Kubernetes manifests.

    # inlineManifests:

    #     - name: namespace-ci # Name of the manifest.

    #       contents: |- # Manifest contents as a string.

    #         apiVersion: v1

    #         kind: Namespace

    #         metadata:

    #         	name: ci

    # # Settings for admin kubeconfig generation.

    # adminKubeconfig:

    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

    # # Allows running workload on control-plane nodes.

    # allowSchedulingOnControlPlanes: true

---

apiVersion: v1alpha1

kind: HostnameConfig

auto: stable # A method to automatically generate a hostname for the machine.

# # A static hostname to set for the machine.

# hostname: controlplane1

# hostname: controlplane1.example.org

---

apiVersion: v1alpha1

kind: LinkAliasConfig

name: net0 # Alias for the link.

# Selector to match the link to alias.

selector:

    match: link.driver == "virtio_net" # The Common Expression Language (CEL) expression to match the link.

---

apiVersion: v1alpha1

kind: DHCPv4Config

name: net0 # Name of the link (interface).

# # Raw value of the DUID to use as client identifier.

# duidRaw: 00:01:00:01:23:45:67:89:ab:cd:ef:01:23:45