feat: add hetzner hel1 cluster

k8s/hel1/.envrc

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+watch_file nix/sources.json
+
+# Load .env file if it exists
+dotenv_if_exists
+
+# Activate development shell
+use nix

k8s/hel1/.gitignore

@@ -0,0 +1 @@
+*.xz

k8s/hel1/controlplane.yaml

@@ -0,0 +1,114 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+    type: controlplane
+    token: cxaa8t.w21f79ia229w7kff
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFvaXZpZGFzN2g5QU1FakNpYkxGem9NQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5URXhNVE14TURFek1UWmFGdzB6TlRFeE1URXhNREV6TVRaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBT0pvWFU0dVJDSGhxdlRybExza3RITlMrd3gwdS9qTEdxRmF1CkdJbldHdEtqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVZGR5VGh6dEpBM2RGWlluMwpzZWpiUDVORUFQd3dCUVlESzJWd0EwRUFpdmNqMFgyU0dTWExtYXluMlRmWU1QSWpRam5wTG1pMVRZOThtVFYvCnZpTktJL3A5WlkraEJhcmREclIrZGJZbkVyRjdBd1RtUzFMMFRZYkliVFFZQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJSmRoYk53RlVtdUIxUTdVRmJaQTNTbm9XQUVxODZzdzROVFZVN2ZWV2RxTQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+    certSANs:
+        - 10.0.1.100
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.33.0
+        defaultRuntimeSeccompProfileEnabled: true
+        disableManifestsDirectory: true
+    network:
+        interfaces:
+            - interface: enp1s0
+              routes:
+                - network: 0.0.0.0/0
+                  gateway: 10.0.1.1
+                - network: 10.0.0.1/32
+                  gateway: ""
+              dhcp: true
+              vip:
+                ip: 10.0.1.100
+    install:
+        disk: /dev/sda
+        image: ghcr.io/siderolabs/installer:v1.10.1
+        wipe: false
+    features:
+        rbac: true
+        stableHostname: true
+        apidCheckExtKeyUsage: true
+        diskQuotaSupport: true
+        kubePrism:
+            enabled: true
+            port: 7445
+        hostDNS:
+            enabled: true
+            forwardKubeDNSToHost: true
+    nodeLabels:
+        node.kubernetes.io/exclude-from-external-load-balancers: ""
+cluster:
+    id: LMtfgmaR2SUJWG7qYUZzIjg7QSCiWLlFwkqLnBaJosg=
+    secret: zkPwsia0HeeCnYaK64yhZr8Z9cGFAK7Z25K5bCdcLQw=
+    controlPlane:
+        endpoint: https://10.0.1.100:6443
+    clusterName: hel1-1
+    network:
+        cni:
+            name: none
+        dnsDomain: cluster.local
+        podSubnets:
+            - 10.244.0.0/16
+        serviceSubnets:
+            - 10.96.0.0/12
+    token: 0s7kz3.9w7y2xir483skp71
+    secretboxEncryptionSecret: NxtCgudSpwHMZM8Mw3WZ7JHxcqVbs7YIksAMuiaEnlo=
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUxMczBDcmpPWHBDTHpKSHBJQzAvYWN3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEV4TVRNeE1ERXpNVFphRncwek5URXhNVEV4TURFegpNVFphTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVNuM0UwZUNUVFptd1M2RG03SnBQeVRMMFNEZXpxK2c4UU1KSkwrNXVYY29hVk0xam1XNCtBOVh3NG0KcDRlVWdYaVZ3NDFCaGpjRkd2eGhjeEhJN0duM28yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGUFAwSVNMTFBEenF5ZkxITytnQm44UWpmV0lvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUVISkw4V3IKSkdQRG9WUXcxQTY0bUJWZzJTcXpzV0I2Y1UwQm14dnRRZTJOQWlFQXVjK3FhYVF2bm84S3Z0dFprWDAwUi9wdApZc3pqaGM4OEJjY0gwZUFUQTdVPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUozWU5ad21hNDRQelJrUlcxSWFKb25VQURwWm10Mml1VmdOcGd3dkd3TWVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcDl4TkhnazAyWnNFdWc1dXlhVDhreTlFZzNzNnZvUEVEQ1NTL3VibDNLR2xUTlk1bHVQZwpQVjhPSnFlSGxJRjRsY09OUVlZM0JScjhZWE1SeU94cDl3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    aggregatorCA:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFXZ0F3SUJBZ0lRWGpmTHV5bi9rTHVhMzIrOFh3djhSREFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJMU1URXhNekV3TVRNeE5sb1hEVE0xTVRFeE1URXdNVE14Tmxvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCQmd0L2l6MlpSUlRJejk0enVxZkhWb3N4b3k5UTBMOTZ2ZlJBcXB4VXFJMVU4UXZwSEw3Clk1RTRoSEpCZXpkRjU3V2FvbWZKcENGNVYxeHp4d00xaFEyallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVVVY1pVVXFuZnBTWnFZZEkyWWtWK3U1Mlk2bkl3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloCkFMU3BVZDIvUGczbXlDVVprYkEyTXlzeEEzem95bExLL0VBd2F0SFhHa1E4QWlBMWZIQ0t5T2hkU3JsTWNSc1MKdEY1eUFEeW4yeGk5WThucDNoeXJsczhiV0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlUSUJHazUvZE5iRTJuSCsrdmNqaW9JcEZpTnd6SFhrUDJ1TVhONWQ0SlRvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFR0MzK0xQWmxGRk1qUDNqTzZwOGRXaXpHakwxRFF2M3E5OUVDcW5GU29qVlR4QytrY3Z0agprVGlFY2tGN04wWG50WnFpWjhta0lYbFhYSFBIQXpXRkRRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    serviceAccount:
+        key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBNHJwYlJQNHpybUk2RzZQbE1rQzUra2J5NnZjYzBiSWVZTUo1WHZiTUM1TURqTDBSCkdKVkloaFZZU3ZvdE9kQWJUeFo5QlhacUdzWEkrWENhcHpZNmVQNllqcm8yRnFOZ0thSk1SYTBTQ1h4QTJweXkKQWdPd0IxblQwd2I1Y0w4VHJ5dXpSYTAyM2ZpUGpHMFdrTFUrTndTK2M2T1NvSUl4YTRvbVNrZkdLL0c5SFZDRwptMVQzdG1oNmNTaWQyQVEyWnNMQU9MRXJmMERhd2JNdjhadlZ0RUlyYnJZUzNWU092eUtzNkYwQXVyTlVTaGdjCnRrZ1NNUHhGVmJVNEFDVG51MmJRK0lRVlNXdG9hK0RqajBGSzkwQWFYZUJ6UW4vREJzYUdFN21JMUVaOTFuRUsKOWhIYXo2UVFCUzIvbFhSNVBFMnR1OGZnK3grN0ZGay9jd0MxYzZsVGtlWjNVcFZNTVlETTVvbzFpK1pXYUl4TQp1L1BIWDkzVE83UnlvSDZ1VkoydnlscjNUaFZZS0hyU0I5UUVIQ1hnSlRwYmlLT3B6c0RYd2llUzFkTnFqakxPClRzK0lpcEdMZXZpY0xZM1hodktRbm5SQ3pDVDdQeHB6OGJjaHE2TmZZNjJBZEhmWGRRMW9YN045YzNKN0taZXkKb2F2c1RMbndGVVRlU3ZuTTRTZVJ3MU5mbFV6c0ttZEZqdHVoL0FYb2d5cWpIU3BVdW1IWHVhck1kQjJJeFpjWgp3a1dQWXM2NDZsVVNkeitOZEF6MUxZY3kvTFUvZWxBY2lZRFpkSmlZN0x6K2p6ZzFNbGFwTVhzY0VLTUdHb0xvCk5iWGxSNm9hYWIwME96Q3I0TkdUU2hSS2U0K1ZVNHBnTFJuQ2RCWFdTSXhkaitoZlhMbzk4VzAwdUZVQ0F3RUEKQVFLQ0FnQXlYRXg3bGE4ckU5eHVXVWhHa2tQOUNKZGFnNHNlTk44MGhOM3FydzBCb1NVUHRNdEFWNkJsVUFadAptUVpFcWluMnRqc001SkdLNHRYU09pWFA4R2FxaTNxZGNWVWtVQ1BDKzY3UFp6THpjbXNCWS83U0hibVMyR3dKCm1xbjdWaVhzS2R2SEpVTmpxSnRTQ01VVFhYNjFQOU9CNGhwbWxxU2RpM0VYM0x0eTlWNFpUZEtvWEFZdHVTVkIKVDFGSU14OVdVZm5hWGRnWWl2Sk1SaDNuSDhNbkorOTN4dStIeEFsMUFTSEE5eTk3U092M0RVWUxZeFRQVnFtYgo4UVhBV25JeW1STGZzSTc5NE9LdjI2TVFKZU9kNmRveGNmS0lHZExiQld1d28reDFvamEvVkJxb0w2MFhwQXgrCjZmdDlHZ0wzMXhVNCtadktpL0RGQTFIcG5JV3hBU3FSa2NFKzFzd25obDhrczRaSHdMSnNFNWMremNYOUVUeUMKZnJjcXFITWVqcHorNlZFWmVtdEtuS2JNNDVlTkR4TWZ3MmQyQXlXalcySlQvMXNIOS9KT3plRmRNU3c4Ui9ONApTT1FtRW9mMzl1OENtTjUwd0JKRGN2ZTlhN3NhakM3RCtWN0NFQlNZUWpySExVbXZhWEQwTXowdXYxNS9QV2hsCnVrT3htb1FiWEw0ZzRxeGNLWW1HWThCWSs1MWFMYkw5UURsVkVTVVVLUnhoWDF3WFUvNElLbmY0Yk5LVkVKSmoKWStsRkpTbWlyb1pBR3k3RjdDRWNkRk1zcWk2YitrZjEyTDUwKzNpNWpxRFFpZ1pyN1JFRy93QmE1TlAvWW9vcwpIc1ZtRmVxLzVwZzNDSFI5c3MxdnNvakxFYk53d2xDRS9yemZMVHpZMlZVMGVpbkVnUUtDQVFFQTh1SHJjci82Ck1zbkczb0ZYdGZKbHF6VWVlMkgxYVphNmlIc0lSRTFEbFh1dER2MnYwWWRSRWhHdlNNcVlpM1ZjSExtbzMrajMKRkYrbUE3a0NTUGhDNW82N0haOFJDMWQ5bS9Ic1F3d3pNWXpLeFhxbVM2bTR3NnZ3Q1cvMVlOSUJzSC9odjg5MgpnS2loM0htcHEvRDRyNEsrMi91cTVURmt4TnBJMi9vZ2xBOWZGa2d3SW5ROVZDUXNNanNUVHFhcEhjOUdKa21VCkZFRjBQRisrb0tZUTU4VmV1c0pOL3FXT2lvK0VOUGl2QjB3d1RKZ3lZQ0tnRVFFb0srL280WFhvYnplSlM5UXIKNEgvTEtMQ3RNaGMrY2dxTXhzVnZqN211TDk1OGkxS0ZrWXBKcmV6aVhlTjQyckNLUDN0NmpQR0syZWI5c2xqdQpLMUx3TzhBTU9Tb09JUUtDQVFFQTd2a1Z2NVhyM0U5N1VGbWJucnNRVFRTVnp4WTl4ZGgwWXpFekp4bDMzQWVqCmtmQjlYV3RkNXh0RGs1dFM1SVUrQXRudnd0Nlhva0RxNStVWWdqM05ScTd1aUFBM0JYK20rWUlnOHNvVk9GUG8KQUpOME92QnpLWGxRRUpjV0NpZUhFaEN4WkF6V0dkRGJWaWxWOUs1dEJsR0lIYnVKWFNPalNSbWN2V3VDbG5Wcwp6d082ME9DcisyeTBoRTVNajd5aUhQNlVLMjdxUForczgzWklxMFBlQXdudnh0M2R2bitUaDRJZkJROHh2dmZHCmU3VmdBRHh1UHpZSER3OWRUQWExUHB1ZEU2TStnRWpsaS9Hc1BsaEVodllyMVRtVnY4VEpxOTZqZWFRa3JBSFEKekQ3UDgyWXVhNXc4THNPL2laYSs5aXAveC9XbVpaZTlLSG85b3hOYnRRS0NBUUVBN3kwc3A4YUhRdVpTa1NCNwoyQytJa08xeFEvMDJKN0dIcFFqTEhqK2IweU9FU3lQa3RJZjFmTDZ2aHhZQzNDcEk5L3lZWVU3UHFWOTdZMlVYCjYvV1dJK2JnT280K3daVjVtMHpENVU2cFJ4MG5QUXJIb2ZEVGd0VFpQdUhpbUdLVnlWSlZZNGFRWXFndEpLa20KUGF6QnFFd3ZXUC9lelc0emxtcUNueVVVV2RrOVFQcjdjNkpXRm5xOGp3Wi92ODc4OE44QmJJaSthcWYrSjhuOQpOY1B6RjluVHJFUFZmSE5hQi9iR01VZkhUSDlwZkxQUHY3MjVOS1dZQXBSeEZ6eitGQzl6WTVuZlQyZHBEM3ZVClFtU0RXTmdzd3p6LzNGLzBPUzEySmRpd3NaNmxhY0hCTk1YaGFERzdJa0tkYnhnWkxQVjhWTm1nU0VlWFRLK1YKR2VIaElRS0NBUUVBZ053SmtTeDdhV25tZWJaSUJ2aWgycS9QVkVLTy9yOHdTMGg5WjhrQTY4R212d3dwM1pVRwpwcGI2QW44UDNLL0lkMnNqTVRZc0Y4N2ZuRG5aMUdrVTV0ZHZRaUN6aXFDQjNpc0FMMHN1MUJmU2szVHZpTlNkCmxMQ1lyc2w1bGZJb2tHSTE5VmhDbnRzVFdzdWhVUFk1VGQzckF2VmNKY0FRelZzbFBMTGJVTnh5MXRJUkM0OEsKemVHWkdYckxKL3EwZytQMjY5QzhPSXlBaXl1dUZjUGIxRkdvWE5qSU9HKzhrcVprcWFxK3pWWDRUajdJVEhoSgpqb1pJbWlOVDBLb1JVM2cvNUJYem51TXYvQjFPSHJRa0I0NTRwbHFOMkVGNTZkWjgyaHZidG5Db01XcHhZYk1vCnR0Z2hUNm8zL3k0dFBMby8rd2dJT09Id213SUhlSWI0dlFLQ0FRQkNTeFdRUGxYOFM2T0ZUaTF3ZjlteWRMUlIKRVFEaXozcThWaW9wWVlNakgvVlBOVnlmdDVOekQ4emlYd2FtTExESTE1eEkrWERnWFVSZ21RZ3U4YzZZeS9vTgpQTHR0UFNOeStYdVdmaHhGUFpwSEVFWm5XRG8vTDN5Z2E2aEdJMlIvdUpIT1RENDF1UWwvQWZCcmlZMW03Qi8vCk10RmlkUFBCMkVQeXJFcUd5WXlacCs2Y3B4d1R4QmNseTl3M09UMzBNQjY3bE1xcHZxS25yZHNFVHRKVVpSWjgKV1JMQmlFcWJJVmx3elJCWHpid2RiU3EvVW1zajhjVk5ZMzBub3N0c08xcllWTzNaN0FJRmxGa3gyUFhmRHJsbAo5R2g1T2ppVHVzclJ6VkllVWFHWnBtRFJwTEc3QUNKSnpYVnN6MXBiYmZERmk1YTI5ajRtMlNGbmpQSVUKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+    apiServer:
+        image: registry.k8s.io/kube-apiserver:v1.33.0
+        certSANs:
+            - 10.0.1.100
+        disablePodSecurityPolicy: true
+        admissionControl:
+            - name: PodSecurity
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                defaults:
+                    audit: restricted
+                    audit-version: latest
+                    enforce: baseline
+                    enforce-version: latest
+                    warn: restricted
+                    warn-version: latest
+                exemptions:
+                    namespaces:
+                        - kube-system
+                    runtimeClasses: []
+                    usernames: []
+                kind: PodSecurityConfiguration
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: Metadata
+    controllerManager:
+        image: registry.k8s.io/kube-controller-manager:v1.33.0
+    proxy:
+        disabled: true
+        image: registry.k8s.io/kube-proxy:v1.33.0
+    scheduler:
+        image: registry.k8s.io/kube-scheduler:v1.33.0
+    discovery:
+        enabled: true
+        registries:
+            kubernetes:
+                disabled: true
+            service: {}
+    etcd:
+        ca:
+            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNPZ0F3SUJBZ0lRSWVoeVVLUjVGaElMd2FtQytMb0hVakFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkxTVRFeE16RXdNVE14TmxvWERUTTFNVEV4TVRFd01UTXhObG93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkh6Z2F2MWlWOHNkCk9uMVgwaVExVHJZVC9mOEpBbWhwYWV5RWVZZUdGcjhlQTMra2dKN0laOFZsQzBOV0h0aE9FQUFxSUVTWVFsQmEKbThaZ2hRY1puS3lqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVT3VIeWJXUHRYOXl6CkFWSFJYcmpQeENpR3NYWXdDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBSVpzMWJkNEI5VktPa3grMWJRVVFuNGgKeG5Tek55b3p0TjA1ZWc5ME9OMFVBaUVBOFU2U2ZlWHVXajZpc2dQbmlaLzhjRUg2N1pML3QvT3pKbDNQL256eQpXYU09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhsT3MrNWVuR2d0REZqTUl2NUFOclRTbzcxZitVWmdlRWhxM0hhaXRyZTlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFZk9CcS9XSlh5eDA2ZlZmU0pEVk90aFA5L3drQ2FHbHA3SVI1aDRZV3Z4NERmNlNBbnNobgp4V1VMUTFZZTJFNFFBQ29nUkpoQ1VGcWJ4bUNGQnhtY3JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    externalCloudProvider:
+        enabled: false
+    allowSchedulingOnControlPlanes: false

k8s/hel1/hetzner.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+HCLOUD_TOKEN=$(pass hetzner.com | sed -n 5p)
+PROJECT=hel1
+NETWORK=network-1
+LOAD_BALANCER=lb-1
+IMAGE_ID=332668721
+
+hcloud context create $PROJECT
+
+hcloud network create --name $NETWORK --ip-range 10.0.0.0/16
+
+hcloud network add-subnet $NETWORK \
+  --type server \
+  --ip-range 10.0.2.0/24 \
+  --network-zone eu-central
+
+hcloud network add-route $NETWORK \
+  --destination 0.0.0.0/0 \
+  --gateway 10.0.1.1
+
+hcloud load-balancer create --name $LOAD_BALANCER --location hel1 --type lb11
+hcloud load-balancer add-service $LOAD_BALANCER \
+  --listen-port 443 --destination-port 443 --protocol tcp
+hcloud load-balancer attach-to-network $LOAD_BALANCER \
+  --network $NETWORK \
+  --ip 10.0.1.10
+hcloud load-balancer add-target $LOAD_BALANCER \
+  --label-selector type=controlplane \
+  --use-private-ip
+
+for i in $(seq 1 3); do
+  hcloud server create --name controlplane-$i \
+    --image $IMAGE_ID \
+    --type cpx32 \
+    --location hel1 \
+    --label 'type=controlplane' \
+    --network $NETWORK \
+    --without-ipv4 \
+    --without-ipv6 \
+    --user-data-from-file controlplane.yaml
+done
+
+for i in $(seq 1 3); do
+  hcloud server create --name worker1 \
+    --image $IMAGE_ID \
+    --type cx43 \
+    --location hel1 \
+    --label 'type=worker' \
+    --network $PROJECT_NAME \
+    --without-ipv4 \
+    --without-ipv6 \
+    --user-data-from-file worker.yaml
+done
+

k8s/hel1/patches/patch-controlplane.yaml

@@ -0,0 +1,12 @@
+machine:
+  network:
+    interfaces:
+      - interface: enp1s0
+        vip:
+          ip: 10.0.1.100
+cluster:
+  proxy:
+    disabled: true
+  externalCloudProvider:
+    enabled: false
+  allowSchedulingOnControlPlanes: false

k8s/hel1/patches/patch.yaml

@@ -0,0 +1,17 @@
+machine:
+  certSANs:
+    - 10.0.1.100
+  network:
+    interfaces:
+      - interface: enp1s0
+        dhcp: true
+        routes:
+          - network: 0.0.0.0/0
+            gateway: 10.0.1.1
+          - network: 10.0.0.1/32
+cluster:
+  network:
+    cni:
+      name: none
+  externalCloudProvider:
+    enabled: true

k8s/hel1/secrets.yaml

@@ -0,0 +1,23 @@
+cluster:
+    id: LMtfgmaR2SUJWG7qYUZzIjg7QSCiWLlFwkqLnBaJosg=
+    secret: zkPwsia0HeeCnYaK64yhZr8Z9cGFAK7Z25K5bCdcLQw=
+secrets:
+    bootstraptoken: 0s7kz3.9w7y2xir483skp71
+    secretboxencryptionsecret: NxtCgudSpwHMZM8Mw3WZ7JHxcqVbs7YIksAMuiaEnlo=
+trustdinfo:
+    token: cxaa8t.w21f79ia229w7kff
+certs:
+    etcd:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNPZ0F3SUJBZ0lRSWVoeVVLUjVGaElMd2FtQytMb0hVakFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkxTVRFeE16RXdNVE14TmxvWERUTTFNVEV4TVRFd01UTXhObG93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkh6Z2F2MWlWOHNkCk9uMVgwaVExVHJZVC9mOEpBbWhwYWV5RWVZZUdGcjhlQTMra2dKN0laOFZsQzBOV0h0aE9FQUFxSUVTWVFsQmEKbThaZ2hRY1puS3lqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVT3VIeWJXUHRYOXl6CkFWSFJYcmpQeENpR3NYWXdDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBSVpzMWJkNEI5VktPa3grMWJRVVFuNGgKeG5Tek55b3p0TjA1ZWc5ME9OMFVBaUVBOFU2U2ZlWHVXajZpc2dQbmlaLzhjRUg2N1pML3QvT3pKbDNQL256eQpXYU09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhsT3MrNWVuR2d0REZqTUl2NUFOclRTbzcxZitVWmdlRWhxM0hhaXRyZTlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFZk9CcS9XSlh5eDA2ZlZmU0pEVk90aFA5L3drQ2FHbHA3SVI1aDRZV3Z4NERmNlNBbnNobgp4V1VMUTFZZTJFNFFBQ29nUkpoQ1VGcWJ4bUNGQnhtY3JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    k8s:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUxMczBDcmpPWHBDTHpKSHBJQzAvYWN3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEV4TVRNeE1ERXpNVFphRncwek5URXhNVEV4TURFegpNVFphTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVNuM0UwZUNUVFptd1M2RG03SnBQeVRMMFNEZXpxK2c4UU1KSkwrNXVYY29hVk0xam1XNCtBOVh3NG0KcDRlVWdYaVZ3NDFCaGpjRkd2eGhjeEhJN0duM28yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGUFAwSVNMTFBEenF5ZkxITytnQm44UWpmV0lvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUVISkw4V3IKSkdQRG9WUXcxQTY0bUJWZzJTcXpzV0I2Y1UwQm14dnRRZTJOQWlFQXVjK3FhYVF2bm84S3Z0dFprWDAwUi9wdApZc3pqaGM4OEJjY0gwZUFUQTdVPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUozWU5ad21hNDRQelJrUlcxSWFKb25VQURwWm10Mml1VmdOcGd3dkd3TWVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcDl4TkhnazAyWnNFdWc1dXlhVDhreTlFZzNzNnZvUEVEQ1NTL3VibDNLR2xUTlk1bHVQZwpQVjhPSnFlSGxJRjRsY09OUVlZM0JScjhZWE1SeU94cDl3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    k8saggregator:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFXZ0F3SUJBZ0lRWGpmTHV5bi9rTHVhMzIrOFh3djhSREFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJMU1URXhNekV3TVRNeE5sb1hEVE0xTVRFeE1URXdNVE14Tmxvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCQmd0L2l6MlpSUlRJejk0enVxZkhWb3N4b3k5UTBMOTZ2ZlJBcXB4VXFJMVU4UXZwSEw3Clk1RTRoSEpCZXpkRjU3V2FvbWZKcENGNVYxeHp4d00xaFEyallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVVVY1pVVXFuZnBTWnFZZEkyWWtWK3U1Mlk2bkl3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloCkFMU3BVZDIvUGczbXlDVVprYkEyTXlzeEEzem95bExLL0VBd2F0SFhHa1E4QWlBMWZIQ0t5T2hkU3JsTWNSc1MKdEY1eUFEeW4yeGk5WThucDNoeXJsczhiV0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlUSUJHazUvZE5iRTJuSCsrdmNqaW9JcEZpTnd6SFhrUDJ1TVhONWQ0SlRvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFR0MzK0xQWmxGRk1qUDNqTzZwOGRXaXpHakwxRFF2M3E5OUVDcW5GU29qVlR4QytrY3Z0agprVGlFY2tGN04wWG50WnFpWjhta0lYbFhYSFBIQXpXRkRRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    k8sserviceaccount:
+        key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBNHJwYlJQNHpybUk2RzZQbE1rQzUra2J5NnZjYzBiSWVZTUo1WHZiTUM1TURqTDBSCkdKVkloaFZZU3ZvdE9kQWJUeFo5QlhacUdzWEkrWENhcHpZNmVQNllqcm8yRnFOZ0thSk1SYTBTQ1h4QTJweXkKQWdPd0IxblQwd2I1Y0w4VHJ5dXpSYTAyM2ZpUGpHMFdrTFUrTndTK2M2T1NvSUl4YTRvbVNrZkdLL0c5SFZDRwptMVQzdG1oNmNTaWQyQVEyWnNMQU9MRXJmMERhd2JNdjhadlZ0RUlyYnJZUzNWU092eUtzNkYwQXVyTlVTaGdjCnRrZ1NNUHhGVmJVNEFDVG51MmJRK0lRVlNXdG9hK0RqajBGSzkwQWFYZUJ6UW4vREJzYUdFN21JMUVaOTFuRUsKOWhIYXo2UVFCUzIvbFhSNVBFMnR1OGZnK3grN0ZGay9jd0MxYzZsVGtlWjNVcFZNTVlETTVvbzFpK1pXYUl4TQp1L1BIWDkzVE83UnlvSDZ1VkoydnlscjNUaFZZS0hyU0I5UUVIQ1hnSlRwYmlLT3B6c0RYd2llUzFkTnFqakxPClRzK0lpcEdMZXZpY0xZM1hodktRbm5SQ3pDVDdQeHB6OGJjaHE2TmZZNjJBZEhmWGRRMW9YN045YzNKN0taZXkKb2F2c1RMbndGVVRlU3ZuTTRTZVJ3MU5mbFV6c0ttZEZqdHVoL0FYb2d5cWpIU3BVdW1IWHVhck1kQjJJeFpjWgp3a1dQWXM2NDZsVVNkeitOZEF6MUxZY3kvTFUvZWxBY2lZRFpkSmlZN0x6K2p6ZzFNbGFwTVhzY0VLTUdHb0xvCk5iWGxSNm9hYWIwME96Q3I0TkdUU2hSS2U0K1ZVNHBnTFJuQ2RCWFdTSXhkaitoZlhMbzk4VzAwdUZVQ0F3RUEKQVFLQ0FnQXlYRXg3bGE4ckU5eHVXVWhHa2tQOUNKZGFnNHNlTk44MGhOM3FydzBCb1NVUHRNdEFWNkJsVUFadAptUVpFcWluMnRqc001SkdLNHRYU09pWFA4R2FxaTNxZGNWVWtVQ1BDKzY3UFp6THpjbXNCWS83U0hibVMyR3dKCm1xbjdWaVhzS2R2SEpVTmpxSnRTQ01VVFhYNjFQOU9CNGhwbWxxU2RpM0VYM0x0eTlWNFpUZEtvWEFZdHVTVkIKVDFGSU14OVdVZm5hWGRnWWl2Sk1SaDNuSDhNbkorOTN4dStIeEFsMUFTSEE5eTk3U092M0RVWUxZeFRQVnFtYgo4UVhBV25JeW1STGZzSTc5NE9LdjI2TVFKZU9kNmRveGNmS0lHZExiQld1d28reDFvamEvVkJxb0w2MFhwQXgrCjZmdDlHZ0wzMXhVNCtadktpL0RGQTFIcG5JV3hBU3FSa2NFKzFzd25obDhrczRaSHdMSnNFNWMremNYOUVUeUMKZnJjcXFITWVqcHorNlZFWmVtdEtuS2JNNDVlTkR4TWZ3MmQyQXlXalcySlQvMXNIOS9KT3plRmRNU3c4Ui9ONApTT1FtRW9mMzl1OENtTjUwd0JKRGN2ZTlhN3NhakM3RCtWN0NFQlNZUWpySExVbXZhWEQwTXowdXYxNS9QV2hsCnVrT3htb1FiWEw0ZzRxeGNLWW1HWThCWSs1MWFMYkw5UURsVkVTVVVLUnhoWDF3WFUvNElLbmY0Yk5LVkVKSmoKWStsRkpTbWlyb1pBR3k3RjdDRWNkRk1zcWk2YitrZjEyTDUwKzNpNWpxRFFpZ1pyN1JFRy93QmE1TlAvWW9vcwpIc1ZtRmVxLzVwZzNDSFI5c3MxdnNvakxFYk53d2xDRS9yemZMVHpZMlZVMGVpbkVnUUtDQVFFQTh1SHJjci82Ck1zbkczb0ZYdGZKbHF6VWVlMkgxYVphNmlIc0lSRTFEbFh1dER2MnYwWWRSRWhHdlNNcVlpM1ZjSExtbzMrajMKRkYrbUE3a0NTUGhDNW82N0haOFJDMWQ5bS9Ic1F3d3pNWXpLeFhxbVM2bTR3NnZ3Q1cvMVlOSUJzSC9odjg5MgpnS2loM0htcHEvRDRyNEsrMi91cTVURmt4TnBJMi9vZ2xBOWZGa2d3SW5ROVZDUXNNanNUVHFhcEhjOUdKa21VCkZFRjBQRisrb0tZUTU4VmV1c0pOL3FXT2lvK0VOUGl2QjB3d1RKZ3lZQ0tnRVFFb0srL280WFhvYnplSlM5UXIKNEgvTEtMQ3RNaGMrY2dxTXhzVnZqN211TDk1OGkxS0ZrWXBKcmV6aVhlTjQyckNLUDN0NmpQR0syZWI5c2xqdQpLMUx3TzhBTU9Tb09JUUtDQVFFQTd2a1Z2NVhyM0U5N1VGbWJucnNRVFRTVnp4WTl4ZGgwWXpFekp4bDMzQWVqCmtmQjlYV3RkNXh0RGs1dFM1SVUrQXRudnd0Nlhva0RxNStVWWdqM05ScTd1aUFBM0JYK20rWUlnOHNvVk9GUG8KQUpOME92QnpLWGxRRUpjV0NpZUhFaEN4WkF6V0dkRGJWaWxWOUs1dEJsR0lIYnVKWFNPalNSbWN2V3VDbG5Wcwp6d082ME9DcisyeTBoRTVNajd5aUhQNlVLMjdxUForczgzWklxMFBlQXdudnh0M2R2bitUaDRJZkJROHh2dmZHCmU3VmdBRHh1UHpZSER3OWRUQWExUHB1ZEU2TStnRWpsaS9Hc1BsaEVodllyMVRtVnY4VEpxOTZqZWFRa3JBSFEKekQ3UDgyWXVhNXc4THNPL2laYSs5aXAveC9XbVpaZTlLSG85b3hOYnRRS0NBUUVBN3kwc3A4YUhRdVpTa1NCNwoyQytJa08xeFEvMDJKN0dIcFFqTEhqK2IweU9FU3lQa3RJZjFmTDZ2aHhZQzNDcEk5L3lZWVU3UHFWOTdZMlVYCjYvV1dJK2JnT280K3daVjVtMHpENVU2cFJ4MG5QUXJIb2ZEVGd0VFpQdUhpbUdLVnlWSlZZNGFRWXFndEpLa20KUGF6QnFFd3ZXUC9lelc0emxtcUNueVVVV2RrOVFQcjdjNkpXRm5xOGp3Wi92ODc4OE44QmJJaSthcWYrSjhuOQpOY1B6RjluVHJFUFZmSE5hQi9iR01VZkhUSDlwZkxQUHY3MjVOS1dZQXBSeEZ6eitGQzl6WTVuZlQyZHBEM3ZVClFtU0RXTmdzd3p6LzNGLzBPUzEySmRpd3NaNmxhY0hCTk1YaGFERzdJa0tkYnhnWkxQVjhWTm1nU0VlWFRLK1YKR2VIaElRS0NBUUVBZ053SmtTeDdhV25tZWJaSUJ2aWgycS9QVkVLTy9yOHdTMGg5WjhrQTY4R212d3dwM1pVRwpwcGI2QW44UDNLL0lkMnNqTVRZc0Y4N2ZuRG5aMUdrVTV0ZHZRaUN6aXFDQjNpc0FMMHN1MUJmU2szVHZpTlNkCmxMQ1lyc2w1bGZJb2tHSTE5VmhDbnRzVFdzdWhVUFk1VGQzckF2VmNKY0FRelZzbFBMTGJVTnh5MXRJUkM0OEsKemVHWkdYckxKL3EwZytQMjY5QzhPSXlBaXl1dUZjUGIxRkdvWE5qSU9HKzhrcVprcWFxK3pWWDRUajdJVEhoSgpqb1pJbWlOVDBLb1JVM2cvNUJYem51TXYvQjFPSHJRa0I0NTRwbHFOMkVGNTZkWjgyaHZidG5Db01XcHhZYk1vCnR0Z2hUNm8zL3k0dFBMby8rd2dJT09Id213SUhlSWI0dlFLQ0FRQkNTeFdRUGxYOFM2T0ZUaTF3ZjlteWRMUlIKRVFEaXozcThWaW9wWVlNakgvVlBOVnlmdDVOekQ4emlYd2FtTExESTE1eEkrWERnWFVSZ21RZ3U4YzZZeS9vTgpQTHR0UFNOeStYdVdmaHhGUFpwSEVFWm5XRG8vTDN5Z2E2aEdJMlIvdUpIT1RENDF1UWwvQWZCcmlZMW03Qi8vCk10RmlkUFBCMkVQeXJFcUd5WXlacCs2Y3B4d1R4QmNseTl3M09UMzBNQjY3bE1xcHZxS25yZHNFVHRKVVpSWjgKV1JMQmlFcWJJVmx3elJCWHpid2RiU3EvVW1zajhjVk5ZMzBub3N0c08xcllWTzNaN0FJRmxGa3gyUFhmRHJsbAo5R2g1T2ppVHVzclJ6VkllVWFHWnBtRFJwTEc3QUNKSnpYVnN6MXBiYmZERmk1YTI5ajRtMlNGbmpQSVUKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+    os:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFvaXZpZGFzN2g5QU1FakNpYkxGem9NQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5URXhNVE14TURFek1UWmFGdzB6TlRFeE1URXhNREV6TVRaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBT0pvWFU0dVJDSGhxdlRybExza3RITlMrd3gwdS9qTEdxRmF1CkdJbldHdEtqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVZGR5VGh6dEpBM2RGWlluMwpzZWpiUDVORUFQd3dCUVlESzJWd0EwRUFpdmNqMFgyU0dTWExtYXluMlRmWU1QSWpRam5wTG1pMVRZOThtVFYvCnZpTktJL3A5WlkraEJhcmREclIrZGJZbkVyRjdBd1RtUzFMMFRZYkliVFFZQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJSmRoYk53RlVtdUIxUTdVRmJaQTNTbm9XQUVxODZzdzROVFZVN2ZWV2RxTQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K

k8s/hel1/shell.nix

@@ -0,0 +1,16 @@
+with import <nixpkgs> { };
+pkgs.mkShellNoCC {
+  packages = [
+    hcloud
+  ];
+
+  PROJECT = "hel1";
+  NETWORK = "network-1";
+  LOAD_BALANCER = "lb-1";
+  IMAGE_ID = "332668721";
+  HCLOUD_TOKEN = "";
+
+  shellHook = ''
+    export HCLOUD_TOKEN=$(pass hetzner.com | sed -n 5p)
+  '';
+}

k8s/hel1/talos.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+[ ! -f secrets.yaml ] && talosctl gen secrets
+
+[ ! -f controlplane.yaml ] && talosctl gen config hel1-1 https://10.0.1.100:6443 \
+  --with-secrets secrets.yaml \
+  --config-patch @patches/patch.yaml \
+  --config-patch-control-plane @patches/patch-controlplane.yaml \
+  --with-examples=false --with-docs=false \
+  --force \
+  --output .
+
+TALOS_IMAGE_VERSION=v1.11.2 
+TALOS_IMAGE_ARCH=amd64 
+TALOS_IMAGE=hcloud-amd64.raw.xz 
+
+hupload () {
+  docker run --rm -v.:/images -e HCLOUD_TOKEN="$HCLOUD_TOKEN" ghcr.io/apricote/hcloud-upload-image:latest $*
+}
+
+[ ! -f $TALOS_IMAGE ] && \
+  wget https://factory.talos.dev/image/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/${TALOS_IMAGE_VERSION}/${TALOS_IMAGE}
+
+[ -f $TALOS_IMAGE ] && \
+  hupload upload --image-path /images/$TALOS_IMAGE --architecture x86 --compression xz

k8s/hel1/talosconfig

@@ -0,0 +1,7 @@
+context: hel1-1
+contexts:
+    hel1-1:
+        endpoints: []
+        ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFvaXZpZGFzN2g5QU1FakNpYkxGem9NQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5URXhNVE14TURFek1UWmFGdzB6TlRFeE1URXhNREV6TVRaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBT0pvWFU0dVJDSGhxdlRybExza3RITlMrd3gwdS9qTEdxRmF1CkdJbldHdEtqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVZGR5VGh6dEpBM2RGWlluMwpzZWpiUDVORUFQd3dCUVlESzJWd0EwRUFpdmNqMFgyU0dTWExtYXluMlRmWU1QSWpRam5wTG1pMVRZOThtVFYvCnZpTktJL3A5WlkraEJhcmREclIrZGJZbkVyRjdBd1RtUzFMMFRZYkliVFFZQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBNHVyN0ZuYnNPMUxRVzZ0VUZpcTJ0VEFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXhNVEV6TVRNMU56UTNXaGNOTWpZeE1URXpNVE0xTnpRM1dqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRsY0FNaEFIZThLTnJ3M0NKOVl6Sy9NWGZja1FlZzZrcW1scnVpClNKRW5IYndRMDFuMm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVkZHlUaHp0SkEzZEZaWW4zc2VqYlA1TkVBUHd3QlFZREsyVndBMEVBRXZLMgprRkExdXdFUU1hZGpzTHZPZkl1cTVIYW02dUI2b0FKTFMrRWJpOU44OFNsclgzNEZRUXpiRkVjRldvR1Y3UjFMClRpTldqQ3dudjY2VmUzQmNDZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQW0vU1RmeC9PZFMyaEZVMlh6dStBc2hFOENCS1V3UFMvL01MMko5eEVjNgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K

k8s/hel1/worker.yaml

@@ -0,0 +1,65 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+    type: worker
+    token: cxaa8t.w21f79ia229w7kff
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFvaXZpZGFzN2g5QU1FakNpYkxGem9NQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5URXhNVE14TURFek1UWmFGdzB6TlRFeE1URXhNREV6TVRaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBT0pvWFU0dVJDSGhxdlRybExza3RITlMrd3gwdS9qTEdxRmF1CkdJbldHdEtqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVZGR5VGh6dEpBM2RGWlluMwpzZWpiUDVORUFQd3dCUVlESzJWd0EwRUFpdmNqMFgyU0dTWExtYXluMlRmWU1QSWpRam5wTG1pMVRZOThtVFYvCnZpTktJL3A5WlkraEJhcmREclIrZGJZbkVyRjdBd1RtUzFMMFRZYkliVFFZQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: ""
+    certSANs:
+        - 10.0.1.100
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.33.0
+        defaultRuntimeSeccompProfileEnabled: true
+        disableManifestsDirectory: true
+    network:
+        interfaces:
+            - interface: enp1s0
+              routes:
+                - network: 0.0.0.0/0
+                  gateway: 10.0.1.1
+                - network: 10.0.0.1/32
+                  gateway: ""
+              dhcp: true
+    install:
+        disk: /dev/sda
+        image: ghcr.io/siderolabs/installer:v1.10.1
+        wipe: false
+    features:
+        rbac: true
+        stableHostname: true
+        apidCheckExtKeyUsage: true
+        diskQuotaSupport: true
+        kubePrism:
+            enabled: true
+            port: 7445
+        hostDNS:
+            enabled: true
+            forwardKubeDNSToHost: true
+cluster:
+    id: LMtfgmaR2SUJWG7qYUZzIjg7QSCiWLlFwkqLnBaJosg=
+    secret: zkPwsia0HeeCnYaK64yhZr8Z9cGFAK7Z25K5bCdcLQw=
+    controlPlane:
+        endpoint: https://10.0.1.100:6443
+    clusterName: hel1-1
+    network:
+        cni:
+            name: none
+        dnsDomain: cluster.local
+        podSubnets:
+            - 10.244.0.0/16
+        serviceSubnets:
+            - 10.96.0.0/12
+    token: 0s7kz3.9w7y2xir483skp71
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUxMczBDcmpPWHBDTHpKSHBJQzAvYWN3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEV4TVRNeE1ERXpNVFphRncwek5URXhNVEV4TURFegpNVFphTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVNuM0UwZUNUVFptd1M2RG03SnBQeVRMMFNEZXpxK2c4UU1KSkwrNXVYY29hVk0xam1XNCtBOVh3NG0KcDRlVWdYaVZ3NDFCaGpjRkd2eGhjeEhJN0duM28yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGUFAwSVNMTFBEenF5ZkxITytnQm44UWpmV0lvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUVISkw4V3IKSkdQRG9WUXcxQTY0bUJWZzJTcXpzV0I2Y1UwQm14dnRRZTJOQWlFQXVjK3FhYVF2bm84S3Z0dFprWDAwUi9wdApZc3pqaGM4OEJjY0gwZUFUQTdVPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: ""
+    discovery:
+        enabled: true
+        registries:
+            kubernetes:
+                disabled: true
+            service: {}
+    externalCloudProvider:
+        enabled: true

k8s/rook/.gitignore

@@ -0,0 +1,2 @@
+external-snapshotter
+pgremapper