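---
# SECURITY NOTE: once filled in, this file holds several long-lived plaintext
# secrets (GitHub deploy private key, GitHub webhook token, Cloudflare API
# token, Cloudflare tunnel secret). Keep it out of version control, restrict
# it to the owner (chmod 600), and rotate every value in it if it is ever
# exposed. Only the *public* age key belongs here — never the private one.

#
# 1. (Required) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations
#

# (Required) Timezone is your IANA formatted timezone (e.g. America/New_York)
bootstrap_timezone: "America/New_York"
# (Required) Distribution can either be k3s or talos
bootstrap_distribution: k3s
# (Required) The CIDR your nodes are on (e.g. 192.168.1.0/24)
bootstrap_node_network: "redacted"
# (Optional) The default gateway for the nodes
# Default is .1 derived from bootstrap_node_network: 'x.x.x.1'
bootstrap_node_default_gateway: "redacted"
# (Required) Use only 1, 3 or more ODD number of controller nodes, recommended is 3
# Worker nodes are optional
bootstrap_node_inventory:
  - name: "redacted"
    address: "redacted"
    controller: true
    ssh_user: "redacted"
# (Optional) The DNS server to use for the cluster, this can be an existing
# local DNS server or a public one.
# Default is ["1.1.1.1", "1.0.0.1"]
# If using a local DNS server make sure it meets the following requirements:
#   1. your nodes can reach it
#   2. it is configured to forward requests to a public DNS server
#   3. you are not force-redirecting DNS requests to it - this will break cert generation over DNS01
# If using multiple DNS servers make sure they are set up the same way, there is no
# guarantee that the first DNS server will always be used for every lookup.
bootstrap_dns_servers: [redacted]
# (Optional) The DNS search domain to use for the nodes.
# Default is "."
# Use the default or leave empty to avoid possible DNS issues inside the cluster.
bootstrap_search_domain: ""
# (Required) The pod CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below
bootstrap_pod_network: "redacted"
# (Required) The service CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below
bootstrap_service_network: "redacted"
# (Required) The IP address of the Kube API, choose an available IP in
# your nodes host network that is NOT being used. This is announced over L2.
# For k3s kube-vip is used, built-in functionality is used with Talos
bootstrap_controllers_vip: "redacted"
# (Optional) Add additional SANs to the Kube API cert, this is useful
# if you want to call the Kube API by hostname rather than IP.
# Every hostname you will use to reach the API must be listed here, otherwise
# clients fail TLS verification for that name.
bootstrap_tls_sans: []
# (Required) Age Public Key (e.g. age1...)
#   1. Generate a new key with the following command:
#      > task sops:age-keygen
#   2. Copy the PUBLIC key and paste it below (the private key stays out of this file)
bootstrap_sops_age_pubkey: "redacted"
# (Optional) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments.
# Needs a BGP capable router set up with the node IPs as peers.
# See: https://docs.cilium.io/en/latest/network/bgp-control-plane/
bootstrap_bgp:
  enabled: false
  # (Optional) If using multiple BGP peers add them here.
  # Default is .1 derived from host_network: ['x.x.x.1']
  peers: []
  # (Required) Set the BGP Autonomous System Number for the router(s) and nodes.
  # If these match, iBGP will be used. If not, eBGP will be used.
  peer_asn: "" # Router(s) AS
  local_asn: "" # Node(s) AS
  # (Required) The advertised CIDR for the cluster, this must NOT overlap with any
  # existing networks and is usually a /16 (64K IPs).
  # If you want to use IPv6 check the advanced flags below
  advertised_network: ""

#
# 2. (Required) Flux details - Flux is used to manage the cluster configuration.
#

# (Required) GitHub repository URL (for private repos use the ssh:// URL)
bootstrap_github_address: "redacted"
# (Required) GitHub repository branch
bootstrap_github_branch: "main"
# (Required) Token for GitHub push-based sync
# This is the shared secret GitHub uses to sign webhook deliveries to Flux;
# treat it as a credential.
#   1. Generate a new token with the following command:
#      > openssl rand -hex 16
#   2. Copy the token and paste it below
bootstrap_github_webhook_token: "redacted"
# (Optional) Private key for Flux to access the GitHub repository
# NOTE: `-P ""` creates an UNENCRYPTED private key (required so Flux can use it
# non-interactively), so the protection of this file is the only thing guarding it.
# Use a deploy key dedicated to this repository; grant it write access only if
# Flux actually needs to push (e.g. image automation), otherwise keep it read-only.
#   1. Generate a new key with the following command:
#      > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
#   2. Make sure to paste public key from "github-deploy.key.pub" into
#      the deploy keys section of your repository settings.
#   3. Uncomment and paste the private key below
#   4. Optionally set your repository on GitHub to private
bootstrap_github_private_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  redacted
  -----END OPENSSH PRIVATE KEY-----

#
# 3. (Optional) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling.
#

bootstrap_cloudflare:
  # (Required) Disable to use a different DNS provider
  enabled: true
  # (Required) Cloudflare Domain
  domain: "redacted"
  # (Required) Cloudflare API Token (NOT API Key)
  # The Global API Key grants full, unscoped access to the whole account and
  # cannot be restricted; always use a scoped API Token here.
  #   1. Head over to Cloudflare and create an API Token by going to
  #      https://dash.cloudflare.com/profile/api-tokens
  #   2. Under the `API Tokens` section click the blue `Create Token` button.
  #   3. Click the blue `Use template` button for the `Edit zone DNS` template.
  #   4. Name your token something like `home-kubernetes`
  #   5. Under `Permissions`, click `+ Add More` and add each permission below:
  #      `Zone - DNS - Edit`
  #      `Account - Cloudflare Tunnel - Read`
  #   6. Limit the permissions to a specific account and zone resources
  #      (least privilege: only the zone in `domain` above).
  #   7. Click the blue `Continue to Summary` button and then the blue `Create Token` button.
  #   8. Copy the token and paste it below.
  token: "redacted"
  # (Required) Options for Cloudflare ACME
  acme:
    # (Required) Any email you want to be associated with the ACME account (used for TLS certs via letsencrypt.org)
    email: "redacted"
    # (Required) Use the ACME production server when requesting the wildcard certificate.
    # By default the ACME staging server is used. This is to prevent being rate-limited.
    # Update this option to `true` when you have verified the staging certificate
    # works and then re-run `task configure` and push your changes to GitHub.
    production: false
  # (Required) Provide LAN access to the cluster ingresses for internal ingress classes
  # The Load balancer IP for internal ingress, choose an available IP
  # in your nodes host network that is NOT being used. This is announced over L2.
  ingress_vip: "redacted"
  # (Required) Gateway is used for providing DNS to your cluster on LAN
  # The Load balancer IP for k8s_gateway, choose an available IP
  # in your nodes host network that is NOT being used. This is announced over L2.
  gateway_vip: "redacted"
  # (Required) Options for Cloudflare Tunnel
  #   1. Authenticate cloudflared to your domain
  #      > cloudflared tunnel login
  #   2. Create the tunnel
  #      > cloudflared tunnel create k8s
  #   3. Copy the AccountTag, TunnelID, and TunnelSecret from the tunnel configuration file and paste them below
  # NOTE: the credentials JSON under ~/.cloudflared/ still holds the tunnel secret
  # after you copy it; delete it or lock its permissions down once you are done.
  tunnel:
    # (Required) Cloudflare Account ID (cat ~/.cloudflared/*.json | jq -r .AccountTag)
    account_id: "redacted"
    # (Required) Cloudflared Tunnel ID (cat ~/.cloudflared/*.json | jq -r .TunnelID)
    id: "redacted"
    # (Required) Cloudflared Tunnel Secret (cat ~/.cloudflared/*.json | jq -r .TunnelSecret)
    secret: "redacted"
    # (Required) Provide WAN access to the cluster ingresses for external ingress classes
    # The Load balancer IP for external ingress, choose an available IP
    # in your nodes host network that is NOT being used. This is announced over L2.
    # Anything routed to this VIP is reachable from the internet via the tunnel,
    # so only attach ingresses you intend to expose publicly.
    ingress_vip: "redacted"

# (Optional) Feature gates are used to enable experimental features
# bootstrap_feature_gates:
#   # Enable Dual Stack IPv4 first
#   # IMPORTANT: I am looking for people to help maintain IPv6 support since I cannot test it.
#   # Ref: https://github.com/onedr0p/cluster-template/issues/1148
#   # Keep in mind that Cilium does not currently support IPv6 L2 announcements.
#   # Make sure you set cluster.pod_cidr and cluster.service_cidr
#   # to valid dual stack CIDRs, e.g. "10.42.0.0/16,fd00:10:244::/64"
#   dual_stack_ipv4_first: false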