terraform_modules: misc improvements, rebuild cluster

infra/main/main.tf

@@ -10,15 +10,26 @@ resource "random_id" "suffix" {
   byte_length = 8
 }
 
+data "digitalocean_region" "provided" {
+  slug = var.region
+}
+
 resource "digitalocean_custom_image" "talos" {
   name = "talos"
   url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz"
-  # this gets reset by DigitalOcean
+  # this gets reset by DigitalOcean otherwise
   distribution = "Unknown OS"
-  regions = [var.region]
+  regions = [data.digitalocean_region.provided.slug]
 }
 
-module "digitalocean_talos_cluster-2" {
+resource "digitalocean_vpc" "main" {
+  name = "talos"
+  region = data.digitalocean_region.provided.slug
+  # Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium
+  ip_range = "192.168.0.0/16"
+}
+
+module "digitalocean_talos_cluster" {
   source = "../../terraform_modules/digitalocean_talos_cluster"
 
   talos_cluster_name = "distrust"
@@ -33,7 +44,8 @@ module "digitalocean_talos_cluster-2" {
     count = 2,
     size = "s-2vcpu-4gb",
   }]
-  digitalocean_region = var.region
+  vpc_id = digitalocean_vpc.main.id
+  digitalocean_region = data.digitalocean_region.provided.slug
 }
 
 module "digitalocean_database_cluster" {
@@ -53,8 +65,8 @@ module "digitalocean_database_cluster" {
     create_default_superuser = true,
   }]
 
-  vpc_id = module.digitalocean_talos_cluster-2.vpc_id
+  vpc_id = digitalocean_vpc.main.id
-  digitalocean_region = var.region
+  digitalocean_region = data.digitalocean_region.provided.slug
 }
 
 locals {

infra/main/talos/controlplane.yaml

@@ -0,0 +1,505 @@
+version: v1alpha1 # Indicates the schema used to decode the contents.
+debug: false # Enable verbose logging to the console.
+persist: true # Indicates whether to pull the machine config upon every boot.
+# Provides machine specific configuration options.
+machine:
+    type: controlplane # Defines the role of the machine within the cluster.
+    token: ukp3y7.ojx633zx5whc4kxc # The `token` is used by a machine to join the PKI of the cluster.
+    # The root certificate authority of the PKI.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBMDc5N0NWOEdUSUdYVFg5bmVkcWd6ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qTXdOVEV6TURRMU1USTNXaGNOTXpNd05URXdNRFExTVRJM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQURSRXFBbXI3MFcyNDlHS3JpbVlxSUpTTlhaS2xUNXBURXpPCkpqZEd5K0llbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkRDU01oREN5L1ZqVEwrWQpvZFFhZ2EyVEZzYm1NQVVHQXl0bGNBTkJBTzRnYnZzMzJQQTZBcnRRVHpxb1RUS2QybjJydjM4RlkzQ0dIVDFKCm9xMlE5ajZER1hwMHhaYm9mTnFleWJYeHJBZUx0MjlWRDgxWXRXWUMzYWNoUndrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRlZGQnFmcERkMW1seGhYbWFTL3pqYUp6bzV6TzNhcTVJSDRMZkVqSjRNdwotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+    # Extra certificate subject alternative names for the machine's certificate.
+    certSANs: []
+    #   # Uncomment this to enable SANs.
+    #   - 10.0.0.10
+    #   - 172.16.0.10
+    #   - 192.168.0.10
+
+    # Used to provide additional options to the kubelet.
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.27.1 # The `image` field is an optional reference to an alternative kubelet image.
+        # The `extraArgs` field is used to provide additional flags to the kubelet.
+        extraArgs:
+            node-labels: node.kubernetes.io/exclude-from-external-load-balancers=true
+        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
+        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
+        
+        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
+        # clusterDNS:
+        #     - 10.96.0.10
+        #     - 169.254.2.53
+
+        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        # extraMounts:
+        #     - destination: /var/lib/example
+        #       type: bind
+        #       source: /var/lib/example
+        #       options:
+        #         - bind
+        #         - rshared
+        #         - rw
+
+        # # The `extraConfig` field is used to provide kubelet configuration overrides.
+        # extraConfig:
+        #     serverTLSBootstrap: true
+
+        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
+        # nodeIP:
+        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
+        #     validSubnets:
+        #         - 10.0.0.0/8
+        #         - '!10.0.0.3/32'
+        #         - fdc7::/16
+    # Provides machine specific network configuration options.
+    network: {}
+    # # `interfaces` is used to define the network interface configuration.
+    # interfaces:
+    #     - interface: eth0 # The interface name.
+    #       # Assigns static IP addresses to the interface.
+    #       addresses:
+    #         - 192.168.2.0/24
+    #       # A list of routes associated with the interface.
+    #       routes:
+    #         - network: 0.0.0.0/0 # The route's network (destination).
+    #           gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
+    #           metric: 1024 # The optional metric for the route.
+    #       mtu: 1500 # The interface's MTU.
+    #       
+    #       # # Picks a network device using the selector.
+
+    #       # # select a device with bus prefix 00:*.
+    #       # deviceSelector:
+    #       #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+    #       # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+    #       # deviceSelector:
+    #       #     hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
+    #       #     driver: virtio # Kernel driver, supports matching by wildcard.
+    #       # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+    #       # deviceSelector:
+    #       #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+    #       #     - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
+    #       #       driver: virtio # Kernel driver, supports matching by wildcard.
+
+    #       # # Bond specific options.
+    #       # bond:
+    #       #     # The interfaces that make up the bond.
+    #       #     interfaces:
+    #       #         - eth0
+    #       #         - eth1
+    #       #     # Picks a network device using the selector.
+    #       #     deviceSelectors:
+    #       #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+    #       #         - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
+    #       #           driver: virtio # Kernel driver, supports matching by wildcard.
+    #       #     mode: 802.3ad # A bond option.
+    #       #     lacpRate: fast # A bond option.
+
+    #       # # Bridge specific options.
+    #       # bridge:
+    #       #     # The interfaces that make up the bridge.
+    #       #     interfaces:
+    #       #         - eth0
+    #       #         - eth1
+    #       #     # A bridge option.
+    #       #     stp:
+    #       #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
+
+    #       # # Indicates if DHCP should be used to configure the interface.
+    #       # dhcp: true
+
+    #       # # DHCP specific options.
+    #       # dhcpOptions:
+    #       #     routeMetric: 1024 # The priority of all routes received via DHCP.
+
+    #       # # Wireguard specific configuration.
+
+    #       # # wireguard server example
+    #       # wireguard:
+    #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+    #       #     listenPort: 51111 # Specifies a device's listening port.
+    #       #     # Specifies a list of peer configurations to apply to a device.
+    #       #     peers:
+    #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+    #       #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
+    #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+    #       #           allowedIPs:
+    #       #             - 192.168.1.0/24
+    #       # # wireguard peer example
+    #       # wireguard:
+    #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+    #       #     # Specifies a list of peer configurations to apply to a device.
+    #       #     peers:
+    #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+    #       #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
+    #       #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
+    #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+    #       #           allowedIPs:
+    #       #             - 192.168.1.0/24
+
+    #       # # Virtual (shared) IP address configuration.
+
+    #       # # layer2 vip example
+    #       # vip:
+    #       #     ip: 172.16.199.55 # Specifies the IP address to be used.
+
+    # # Used to statically set the nameservers for the machine.
+    # nameservers:
+    #     - 8.8.8.8
+    #     - 1.1.1.1
+
+    # # Allows for extra entries to be added to the `/etc/hosts` file
+    # extraHostEntries:
+    #     - ip: 192.168.1.100 # The IP of the host.
+    #       # The host alias.
+    #       aliases:
+    #         - example
+    #         - example.domain.tld
+
+    # # Configures KubeSpan feature.
+    # kubespan:
+    #     enabled: true # Enable the KubeSpan feature.
+
+    # Used to provide instructions for installations.
+    install:
+        disk: /dev/sda # The disk used for installations.
+        image: ghcr.io/siderolabs/installer:v1.4.4 # Allows for supplying the image used to perform the installation.
+        bootloader: true # Indicates if a bootloader should be installed.
+        wipe: false # Indicates if the installation disk should be wiped at installation time.
+        
+        # # Look up disk using disk attributes like model, size, serial and others.
+        # diskSelector:
+        #     size: 4GB # Disk size.
+        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
+        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
+
+        # # Allows for supplying extra kernel args via the bootloader.
+        # extraKernelArgs:
+        #     - talos.platform=metal
+        #     - reboot=k
+
+        # # Allows for supplying additional system extension images to install on top of base Talos image.
+        # extensions:
+        #     - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
+    # Features describe individual Talos features that can be switched on or off.
+    features:
+        rbac: true # Enable role-based access control (RBAC).
+        stableHostname: true # Enable stable default hostname.
+        apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
+        
+        # # Configure Talos API access from Kubernetes pods.
+        # kubernetesTalosAPIAccess:
+        #     enabled: true # Enable Talos API access from Kubernetes pods.
+        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
+        #     allowedRoles:
+        #         - os:reader
+        #     # The list of Kubernetes namespaces Talos API access is available from.
+        #     allowedKubernetesNamespaces:
+        #         - kube-system
+    
+    # # Provides machine specific control plane configuration options.
+
+    # # ControlPlane definition example.
+    # controlPlane:
+    #     # Controller manager machine specific configuration options.
+    #     controllerManager:
+    #         disabled: false # Disable kube-controller-manager on the node.
+    #     # Scheduler machine specific configuration options.
+    #     scheduler:
+    #         disabled: true # Disable kube-scheduler on the node.
+
+    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
+
+    # # nginx static pod.
+    # pods:
+    #     - apiVersion: v1
+    #       kind: pod
+    #       metadata:
+    #         name: nginx
+    #       spec:
+    #         containers:
+    #             - image: nginx
+    #               name: nginx
+
+    # # Used to partition, format and mount additional disks.
+
+    # # MachineDisks list example.
+    # disks:
+    #     - device: /dev/sdb # The name of the disk to use.
+    #       # A list of partitions to create on the disk.
+    #       partitions:
+    #         - mountpoint: /var/mnt/extra # Where to mount the partition.
+    #           
+    #           # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
+
+    #           # # Human readable representation.
+    #           # size: 100 MB
+    #           # # Precise value in bytes.
+    #           # size: 1073741824
+
+    # # Allows the addition of user specified files.
+
+    # # MachineFiles usage example.
+    # files:
+    #     - content: '...' # The contents of the file.
+    #       permissions: 0o666 # The file's permissions in octal.
+    #       path: /tmp/file.txt # The path of the file.
+    #       op: append # The operation to use
+
+    # # The `env` field allows for the addition of environment variables.
+
+    # # Environment variables definition examples.
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: info
+    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
+    #     https_proxy: http://SERVER:PORT/
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: error
+    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
+    # env:
+    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
+
+    # # Used to configure the machine's time settings.
+
+    # # Example configuration for cloudflare ntp server.
+    # time:
+    #     disabled: false # Indicates if the time service is disabled for the machine.
+    #     # Specifies time (NTP) servers to use for setting the system time.
+    #     servers:
+    #         - time.cloudflare.com
+    #     bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
+
+    # # Used to configure the machine's sysctls.
+
+    # # MachineSysctls usage example.
+    # sysctls:
+    #     kernel.domainname: talos.dev
+    #     net.ipv4.ip_forward: "0"
+
+    # # Used to configure the machine's sysfs.
+
+    # # MachineSysfs usage example.
+    # sysfs:
+    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
+
+    # # Used to configure the machine's container image registry mirrors.
+    # registries:
+    #     # Specifies mirror configuration for each registry host namespace.
+    #     mirrors:
+    #         ghcr.io:
+    #             # List of endpoints (URLs) for registry mirrors to use.
+    #             endpoints:
+    #                 - https://registry.insecure
+    #                 - https://ghcr.io/v2/
+    #     # Specifies TLS & auth configuration for HTTPS image registries.
+    #     config:
+    #         registry.insecure:
+    #             # The TLS configuration for the registry.
+    #             tls:
+    #                 insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
+    #                 
+    #                 # # Enable mutual TLS authentication with the registry.
+    #                 # clientIdentity:
+    #                 #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #                 #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+    #             
+    #             # # The auth configuration for this registry.
+    #             # auth:
+    #             #     username: username # Optional registry authentication.
+    #             #     password: password # Optional registry authentication.
+
+    # # Machine system disk encryption configuration.
+    # systemDiskEncryption:
+    #     # Ephemeral partition encryption.
+    #     ephemeral:
+    #         provider: luks2 # Encryption provider to use for the encryption.
+    #         # Defines the encryption keys generation and storage method.
+    #         keys:
+    #             - # Deterministically generated key from the node UUID and PartitionLabel.
+    #               nodeID: {}
+    #               slot: 0 # Key slot number for LUKS2 encryption.
+    #         
+    #         # # Cipher kind to use for the encryption. Depends on the encryption provider.
+    #         # cipher: aes-xts-plain64
+
+    #         # # Defines the encryption sector size.
+    #         # blockSize: 4096
+
+    #         # # Additional --perf parameters for the LUKS2 encryption.
+    #         # options:
+    #         #     - no_read_workqueue
+    #         #     - no_write_workqueue
+
+    # # Configures the udev system.
+    # udev:
+    #     # List of udev rules to apply to the udev system
+    #     rules:
+    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
+
+    # # Configures the logging system.
+    # logging:
+    #     # Logging destination.
+    #     destinations:
+    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
+    #           format: json_lines # Logs format.
+
+    # # Configures the kernel.
+    # kernel:
+    #     # Kernel modules to load.
+    #     modules:
+    #         - name: brtfs # Module name.
+
+    # # Configures the seccomp profiles for the machine.
+    # seccompProfiles:
+    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
+    #       # The `value` field is used to provide the seccomp profile.
+    #       value:
+    #         defaultAction: SCMP_ACT_LOG
+
+    # # Configures the node labels for the machine.
+
+    # # node labels example.
+    # nodeLabels:
+    #     exampleLabel: exampleLabelValue
+# Provides cluster specific configuration options.
+cluster:
+    id: AomznMVjQrZCD-Bm1a6DORI8GLZOVYwikdQEr0qI31g= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
+    secret: O/0Q2iNvQ8HYaET+D/4/tw4KJaFIIWo5UYn98vbHGUE= # Shared secret of cluster (base64 encoded random 32 bytes).
+    # Provides control plane specific configuration options.
+    controlPlane:
+        endpoint: https://24.199.76.219:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
+    clusterName: distrust # Configures the cluster's name.
+    # Provides cluster specific network configuration options.
+    network:
+        # The CNI used.
+        cni:
+            name: none # Name of CNI to use.
+        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
+        # The pod subnet CIDR.
+        podSubnets:
+            - 10.244.0.0/16
+        # The service subnet CIDR.
+        serviceSubnets:
+            - 10.96.0.0/12
+    token: pye8s4.xbsov4gw0wvrshzm # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
+    secretboxEncryptionSecret: yW/XHbD87zaf+5JFwT5/YqadB26ZGU9gBrlDEREiFYA= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+    # The base64 encoded root certificate authority used by Kubernetes.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpxcC9saTRpVW5mMmtUWEF6ZkRBb1F3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlNekExTVRNd05EVXhNamRhRncwek16QTFNVEF3TkRVeApNamRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVQ2QjMxRDR4bU44Q1hMVWQ5SWkvc3JBSnBobkpQWXMxd2Q4SXU0QTBxTHVxL0VxbXVjZHQ5L0dzODAKMmZyUTFPd3V4WDdXNytBWld6YzNOK01FdytkZW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGQmlUeDBOSHlTaG5pMHY4S1NOMmMwOUF1SlN3TUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUNOMHhDK2MKOFdNL1JHM0ZBQW9Md3BWaThPRmZjaFZoSTJXdFE4QmlTd1QxQWlFQXRvclZLajZPeDJsQUEzSUhtU3hsRjhGYgpoZ2pBVm9jWWlVdk9EKzN2OFpBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUk4cGJ3ZXR6YkRlNU1LeTk5NHJTT3ZSTmJnSzFlQnZYaFBLd2pXY1RuNkVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFK2dkOVErTVpqZkFseTFIZlNJdjdLd0NhWVp5VDJMTmNIZkNMdUFOS2k3cXZ4S3BybkhiZgpmeHJQTk5uNjBOVHNMc1YrMXUvZ0dWczNOemZqQk1QblhnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
+    aggregatorCA:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZRENDQVFhZ0F3SUJBZ0lSQUxnTUx4citpZFNCeVEvczdvREVKUTR3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU16QTFNVE13TkRVeE1qZGFGdzB6TXpBMU1UQXdORFV4TWpkYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVE1R2JZT2oxV0VvTUdlNVEwYmlyaTljdndxVGhqZ1ZreHhiNmpGdW8xNk0wbFR5cWE3ClIvOW1DQ2hqdlZqRmgwYVl0QUpkZ2ZZM1B5Z1FmSHM1MzBRVW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGS1VtTVZWanhNWWNJQU1vV2xINTJTdlVXdUxhTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDCklCMkwvTmdscHNPa0s0ak9WSXNkR3dSaEJocG9EMWh0TGQxSkFXcHNsNXJmQWlFQW9VNU4yeEd4c1JsT2tTOU4KTEFUbUtKajVUQS96UHhDcnUvUTIvVFNITDkwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdiZUVPRURJQ2lIM292dTNTQWdqNHd6SHhqK0oxWWl2SHd0MzFPc0lCQUtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFT1JtMkRvOVZoS0RCbnVVTkc0cTR2WEw4S2s0WTRGWk1jVytveGJxTmVqTkpVOHFtdTBmLwpaZ2dvWTcxWXhZZEdtTFFDWFlIMk56OG9FSHg3T2Q5RUZBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded private key for service account token generation.
+    serviceAccount:
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUNSNmJBV1hlUWVYUTBYRTlnT1RzdTZ3REh1aHNHMDFGUnExQmZydzRNR05vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWXRmaVlqUitFQUlka2R3dVhMMXA5OTl3VjNQa3Q5bDl5SUhPKzFSR0ZEY1ZNU2RvV01XMgp3YTNhZVovMS81eS9jdFFHVmxlVzJXcUs2RnNFQnZNeGp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # API server specific configuration options.
+    apiServer:
+        image: registry.k8s.io/kube-apiserver:v1.27.1 # The container image used in the API server manifest.
+        # Extra certificate subject alternative names for the API server's certificate.
+        certSANs:
+            - 24.199.76.219
+        disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
+        # Configure the API server admission plugins.
+        admissionControl:
+            - name: PodSecurity # Name is the name of the admission controller.
+              # Configuration is an embedded configuration object to be used as the plugin's
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                defaults:
+                    audit: restricted
+                    audit-version: latest
+                    enforce: baseline
+                    enforce-version: latest
+                    warn: restricted
+                    warn-version: latest
+                exemptions:
+                    namespaces:
+                        - kube-system
+                    runtimeClasses: []
+                    usernames: []
+                kind: PodSecurityConfiguration
+        # Configure the API server audit policy.
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: Metadata
+    # Controller manager server specific configuration options.
+    controllerManager:
+        image: registry.k8s.io/kube-controller-manager:v1.27.1 # The container image used in the controller manager manifest.
+    # Kube-proxy server-specific configuration options
+    proxy:
+        image: registry.k8s.io/kube-proxy:v1.27.1 # The container image used in the kube-proxy manifest.
+        
+        # # Disable kube-proxy deployment on cluster bootstrap.
+        # disabled: false
+    # Scheduler server specific configuration options.
+    scheduler:
+        image: registry.k8s.io/kube-scheduler:v1.27.1 # The container image used in the scheduler manifest.
+    # Configures cluster member discovery.
+    discovery:
+        enabled: true # Enable the cluster membership discovery feature.
+        # Configure registries used for cluster member discovery.
+        registries:
+            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
+            kubernetes:
+                disabled: true # Disable Kubernetes discovery registry.
+            # Service registry is using an external service to push and pull information about cluster members.
+            service: {}
+            # # External service endpoint.
+            # endpoint: https://discovery.talos.dev/
+    # Etcd specific configuration options.
+    etcd:
+        # The `ca` is the root certificate authority of the PKI.
+        ca:
+            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQU8yVUZxZFIyVXpuTnBEQ2duUGs0dG93Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TXpBMU1UTXdORFV4TWpkYUZ3MHpNekExTVRBd05EVXhNamRhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFUSS9XV3dPZXg1ClYyYi9OZk9XNFNHVU9vYVRvM0lXMk9hcUdmQk5zNGx0alNmZW1SMjZCMDc3VmVuMmVuRU5qUUo0VjRJbnIybmwKeGxQNnBqaXBWU3ZLbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk8wSVNLM3h1OURmClVRVTF6ZDBXZG02WWdEWVdNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUNsemh5MmFHL0lQR1pnV0JkbnE3NnQKTVJGMXVTWE53ZmRQYnpiajljaEJSQUlnT3VyZHFEcHg5OStzRnZ5QTFRM2ZhVXJaUERNdHh1b0ZuOXROVDQ0Two3OUk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5TNDJhd3gyazdnYk5JN3Rmam84MnFqTXc5N2ZobW5GY2oySFJMYnY1TXBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFeVAxbHNEbnNlVmRtL3pYemx1RWhsRHFHazZOeUZ0am1xaG53VGJPSmJZMG4zcGtkdWdkTworMVhwOW5weERZMENlRmVDSjY5cDVjWlQrcVk0cVZVcnlnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+        
+        # # The container image used to create the etcd service.
+        # image: gcr.io/etcd-development/etcd:v3.5.8
+
+        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
+        # advertisedSubnets:
+        #     - 10.0.0.0/8
+    
+    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+
+    # # Decryption secret example (do not use in production!).
+    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
+
+    # # Core DNS specific configuration options.
+    # coreDNS:
+    #     image: docker.io/coredns/coredns:1.10.1 # The `image` field is an override to the default coredns image.
+
+    # # External cloud provider configuration.
+    # externalCloudProvider:
+    #     enabled: true # Enable external cloud provider.
+    #     # A list of urls that point to additional manifests for an external cloud provider.
+    #     manifests:
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
+
+    # # A list of urls that point to additional manifests.
+    # extraManifests:
+    #     - https://www.example.com/manifest1.yaml
+    #     - https://www.example.com/manifest2.yaml
+
+    # # A map of key value pairs that will be added while fetching the extraManifests.
+    # extraManifestHeaders:
+    #     Token: "1234567"
+    #     X-ExtraInfo: info
+
+    # # A list of inline Kubernetes manifests.
+    # inlineManifests:
+    #     - name: namespace-ci # Name of the manifest.
+    #       contents: |- # Manifest contents as a string.
+    #         apiVersion: v1
+    #         kind: Namespace
+    #         metadata:
+    #         	name: ci
+
+    # # Settings for admin kubeconfig generation.
+    # adminKubeconfig:
+    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

infra/main/talos/kubeconfig

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: distrust
+  cluster:
+    server: https://24.199.76.219:6443
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpxcC9saTRpVW5mMmtUWEF6ZkRBb1F3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlNekExTVRNd05EVXhNamRhRncwek16QTFNVEF3TkRVeApNamRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVQ2QjMxRDR4bU44Q1hMVWQ5SWkvc3JBSnBobkpQWXMxd2Q4SXU0QTBxTHVxL0VxbXVjZHQ5L0dzODAKMmZyUTFPd3V4WDdXNytBWld6YzNOK01FdytkZW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGQmlUeDBOSHlTaG5pMHY4S1NOMmMwOUF1SlN3TUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUNOMHhDK2MKOFdNL1JHM0ZBQW9Md3BWaThPRmZjaFZoSTJXdFE4QmlTd1QxQWlFQXRvclZLajZPeDJsQUEzSUhtU3hsRjhGYgpoZ2pBVm9jWWlVdk9EKzN2OFpBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+users:
+- name: admin@distrust
+  user:
+    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoVENDQVN1Z0F3SUJBZ0lSQUxaS1NZOGFVRGo4MEc5aFNicUtuQ1F3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlNekExTVRNd05EVXpNREZhRncweU5EQTFNVEl3TkRVegpNREZhTUNreEZ6QVZCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE0d0RBWURWUVFERXdWaFpHMXBiakJaCk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkFMSCtPd2d2Y2lkN3BjSFdUcHNLUEJSOGRzV2hsRG8KL1VPaHpVU1VFNnZmZ2YwcUV2bExVcnE5OEppQWNUQkxORGtPc0NPSG00QnNyVGc0Q3JxS3lpMmpTREJHTUE0RwpBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQWZCZ05WSFNNRUdEQVdnQlFZCms4ZERSOGtvWjR0TC9Da2pkbk5QUUxpVXNEQUtCZ2dxaGtqT1BRUURBZ05JQURCRkFpRUFoR3pPRXNMK3JwbWYKTUY1TzJXWXV0bUdTWElOVlpqRnlEdFQ1V3haZHJqRUNJQUhrN1E0akkwRU9QU01KaTdQS0FEZjlwYlhEeFBRcQpYUzFjN2tETUhneksKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUswTzR4TzBJZHNLZS84ZWNXT09iM2tON21QTDJYcm1zQmhUSHVNQlJEbUZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFQXNmNDdDQzl5SjN1bHdkWk9td284Rkh4MnhhR1VPajlRNkhOUkpRVHE5K0IvU29TK1V0Uwp1cjN3bUlCeE1FczBPUTZ3STRlYmdHeXRPRGdLdW9yS0xRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+contexts:
+- context:
+    cluster: distrust
+    namespace: default
+    user: admin@distrust
+  name: admin@distrust
+current-context: admin@distrust

infra/main/talos/talosconfig

@@ -0,0 +1,12 @@
+context: distrust
+contexts:
+    distrust:
+        endpoints:
+            - 164.92.92.199
+        nodes:
+            - 164.92.92.199
+            - 143.198.227.143
+            - 143.198.227.174
+        ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBMDc5N0NWOEdUSUdYVFg5bmVkcWd6ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qTXdOVEV6TURRMU1USTNXaGNOTXpNd05URXdNRFExTVRJM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQURSRXFBbXI3MFcyNDlHS3JpbVlxSUpTTlhaS2xUNXBURXpPCkpqZEd5K0llbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkRDU01oREN5L1ZqVEwrWQpvZFFhZ2EyVEZzYm1NQVVHQXl0bGNBTkJBTzRnYnZzMzJQQTZBcnRRVHpxb1RUS2QybjJydjM4RlkzQ0dIVDFKCm9xMlE5ajZER1hwMHhaYm9mTnFleWJYeHJBZUx0MjlWRDgxWXRXWUMzYWNoUndrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBOVpnKzlLZ3Vpa1d4TmN0ek56V21aekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qTXdOVEV6TURRMU1USTNXaGNOTXpNd05URXdNRFExTVRJM1dqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRsY0FNaEFEUEtjNEY1NmVuK3JwR0Q0WUpkWDB4L0g1UExGVlRYCnlQcEQ0czlCVkJWd28wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVNSkl5RU1MTDlXTk12NWloMUJxQnJaTVd4dVl3QlFZREsyVndBMEVBOFJRQQpsRkcvMDJBcjBWcDJUNXZ1TWhGQWgyRFZMaWFUN2syczF1N05xUUdVY1V1U25UNnhvZmFPVHRPQUMrVXBKb2lzCndFM09nS1F4YVFwN1lTZWNDdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJSzZleDY5eDZVb3FBWTRjZmxqa1JUV2JTZEREdnkvVVpWUG9pRkg1Z1ZRUQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K

infra/main/talos/worker.yaml

@@ -0,0 +1,537 @@
+version: v1alpha1 # Indicates the schema used to decode the contents.
+debug: false # Enable verbose logging to the console.
+persist: true # Indicates whether to pull the machine config upon every boot.
+# Provides machine specific configuration options.
+machine:
+    type: worker # Defines the role of the machine within the cluster.
+    token: ukp3y7.ojx633zx5whc4kxc # The `token` is used by a machine to join the PKI of the cluster.
+    # The root certificate authority of the PKI.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBMDc5N0NWOEdUSUdYVFg5bmVkcWd6ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qTXdOVEV6TURRMU1USTNXaGNOTXpNd05URXdNRFExTVRJM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQURSRXFBbXI3MFcyNDlHS3JpbVlxSUpTTlhaS2xUNXBURXpPCkpqZEd5K0llbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkRDU01oREN5L1ZqVEwrWQpvZFFhZ2EyVEZzYm1NQVVHQXl0bGNBTkJBTzRnYnZzMzJQQTZBcnRRVHpxb1RUS2QybjJydjM4RlkzQ0dIVDFKCm9xMlE5ajZER1hwMHhaYm9mTnFleWJYeHJBZUx0MjlWRDgxWXRXWUMzYWNoUndrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: ""
+    # Extra certificate subject alternative names for the machine's certificate.
+    certSANs: []
+    #   # Uncomment this to enable SANs.
+    #   - 10.0.0.10
+    #   - 172.16.0.10
+    #   - 192.168.0.10
+
+    # Used to provide additional options to the kubelet.
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.27.1 # The `image` field is an optional reference to an alternative kubelet image.
+        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
+        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
+        
+        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
+        # clusterDNS:
+        #     - 10.96.0.10
+        #     - 169.254.2.53
+
+        # # The `extraArgs` field is used to provide additional flags to the kubelet.
+        # extraArgs:
+        #     key: value
+
+        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        # extraMounts:
+        #     - destination: /var/lib/example
+        #       type: bind
+        #       source: /var/lib/example
+        #       options:
+        #         - bind
+        #         - rshared
+        #         - rw
+
+        # # The `extraConfig` field is used to provide kubelet configuration overrides.
+        # extraConfig:
+        #     serverTLSBootstrap: true
+
+        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
+        # nodeIP:
+        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
+        #     validSubnets:
+        #         - 10.0.0.0/8
+        #         - '!10.0.0.3/32'
+        #         - fdc7::/16
+    # Provides machine specific network configuration options.
+    network: {}
+    # # `interfaces` is used to define the network interface configuration.
+    # interfaces:
+    #     - interface: eth0 # The interface name.
+    #       # Assigns static IP addresses to the interface.
+    #       addresses:
+    #         - 192.168.2.0/24
+    #       # A list of routes associated with the interface.
+    #       routes:
+    #         - network: 0.0.0.0/0 # The route's network (destination).
+    #           gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
+    #           metric: 1024 # The optional metric for the route.
+    #       mtu: 1500 # The interface's MTU.
+    #       
+    #       # # Picks a network device using the selector.
+
+    #       # # select a device with bus prefix 00:*.
+    #       # deviceSelector:
+    #       #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+    #       # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+    #       # deviceSelector:
+    #       #     hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
+    #       #     driver: virtio # Kernel driver, supports matching by wildcard.
+    #       # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+    #       # deviceSelector:
+    #       #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+    #       #     - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
+    #       #       driver: virtio # Kernel driver, supports matching by wildcard.
+
+    #       # # Bond specific options.
+    #       # bond:
+    #       #     # The interfaces that make up the bond.
+    #       #     interfaces:
+    #       #         - eth0
+    #       #         - eth1
+    #       #     # Picks a network device using the selector.
+    #       #     deviceSelectors:
+    #       #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+    #       #         - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
+    #       #           driver: virtio # Kernel driver, supports matching by wildcard.
+    #       #     mode: 802.3ad # A bond option.
+    #       #     lacpRate: fast # A bond option.
+
+    #       # # Bridge specific options.
+    #       # bridge:
+    #       #     # The interfaces that make up the bridge.
+    #       #     interfaces:
+    #       #         - eth0
+    #       #         - eth1
+    #       #     # A bridge option.
+    #       #     stp:
+    #       #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
+
+    #       # # Indicates if DHCP should be used to configure the interface.
+    #       # dhcp: true
+
+    #       # # DHCP specific options.
+    #       # dhcpOptions:
+    #       #     routeMetric: 1024 # The priority of all routes received via DHCP.
+
+    #       # # Wireguard specific configuration.
+
+    #       # # wireguard server example
+    #       # wireguard:
+    #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+    #       #     listenPort: 51111 # Specifies a device's listening port.
+    #       #     # Specifies a list of peer configurations to apply to a device.
+    #       #     peers:
+    #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+    #       #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
+    #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+    #       #           allowedIPs:
+    #       #             - 192.168.1.0/24
+    #       # # wireguard peer example
+    #       # wireguard:
+    #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+    #       #     # Specifies a list of peer configurations to apply to a device.
+    #       #     peers:
+    #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+    #       #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
+    #       #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
+    #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+    #       #           allowedIPs:
+    #       #             - 192.168.1.0/24
+
+    #       # # Virtual (shared) IP address configuration.
+
+    #       # # layer2 vip example
+    #       # vip:
+    #       #     ip: 172.16.199.55 # Specifies the IP address to be used.
+
+    # # Used to statically set the nameservers for the machine.
+    # nameservers:
+    #     - 8.8.8.8
+    #     - 1.1.1.1
+
+    # # Allows for extra entries to be added to the `/etc/hosts` file
+    # extraHostEntries:
+    #     - ip: 192.168.1.100 # The IP of the host.
+    #       # The host alias.
+    #       aliases:
+    #         - example
+    #         - example.domain.tld
+
+    # # Configures KubeSpan feature.
+    # kubespan:
+    #     enabled: true # Enable the KubeSpan feature.
+
+    # Used to provide instructions for installations.
+    install:
+        disk: /dev/sda # The disk used for installations.
+        image: ghcr.io/siderolabs/installer:v1.4.4 # Allows for supplying the image used to perform the installation.
+        bootloader: true # Indicates if a bootloader should be installed.
+        wipe: false # Indicates if the installation disk should be wiped at installation time.
+        
+        # # Look up disk using disk attributes like model, size, serial and others.
+        # diskSelector:
+        #     size: 4GB # Disk size.
+        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
+        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
+
+        # # Allows for supplying extra kernel args via the bootloader.
+        # extraKernelArgs:
+        #     - talos.platform=metal
+        #     - reboot=k
+
+        # # Allows for supplying additional system extension images to install on top of base Talos image.
+        # extensions:
+        #     - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
+    # Used to configure the machine's container image registry mirrors.
+    registries: {}
+    # # Specifies mirror configuration for each registry host namespace.
+    # mirrors:
+    #     ghcr.io:
+    #         # List of endpoints (URLs) for registry mirrors to use.
+    #         endpoints:
+    #             - https://registry.insecure
+    #             - https://ghcr.io/v2/
+
+    # # Specifies TLS & auth configuration for HTTPS image registries.
+    # config:
+    #     registry.insecure:
+    #         # The TLS configuration for the registry.
+    #         tls:
+    #             insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
+    #             
+    #             # # Enable mutual TLS authentication with the registry.
+    #             # clientIdentity:
+    #             #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #             #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+    #         
+    #         # # The auth configuration for this registry.
+    #         # auth:
+    #         #     username: username # Optional registry authentication.
+    #         #     password: password # Optional registry authentication.
+
+    # Features describe individual Talos features that can be switched on or off.
+    features:
+        rbac: true # Enable role-based access control (RBAC).
+        stableHostname: true # Enable stable default hostname.
+        apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
+        
+        # # Configure Talos API access from Kubernetes pods.
+        # kubernetesTalosAPIAccess:
+        #     enabled: true # Enable Talos API access from Kubernetes pods.
+        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
+        #     allowedRoles:
+        #         - os:reader
+        #     # The list of Kubernetes namespaces Talos API access is available from.
+        #     allowedKubernetesNamespaces:
+        #         - kube-system
+    
+    # # Provides machine specific control plane configuration options.
+
+    # # ControlPlane definition example.
+    # controlPlane:
+    #     # Controller manager machine specific configuration options.
+    #     controllerManager:
+    #         disabled: false # Disable kube-controller-manager on the node.
+    #     # Scheduler machine specific configuration options.
+    #     scheduler:
+    #         disabled: true # Disable kube-scheduler on the node.
+
+    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
+
+    # # nginx static pod.
+    # pods:
+    #     - apiVersion: v1
+    #       kind: pod
+    #       metadata:
+    #         name: nginx
+    #       spec:
+    #         containers:
+    #             - image: nginx
+    #               name: nginx
+
+    # # Used to partition, format and mount additional disks.
+
+    # # MachineDisks list example.
+    # disks:
+    #     - device: /dev/sdb # The name of the disk to use.
+    #       # A list of partitions to create on the disk.
+    #       partitions:
+    #         - mountpoint: /var/mnt/extra # Where to mount the partition.
+    #           
+    #           # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
+
+    #           # # Human readable representation.
+    #           # size: 100 MB
+    #           # # Precise value in bytes.
+    #           # size: 1073741824
+
+    # # Allows the addition of user specified files.
+
+    # # MachineFiles usage example.
+    # files:
+    #     - content: '...' # The contents of the file.
+    #       permissions: 0o666 # The file's permissions in octal.
+    #       path: /tmp/file.txt # The path of the file.
+    #       op: append # The operation to use
+
+    # # The `env` field allows for the addition of environment variables.
+
+    # # Environment variables definition examples.
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: info
+    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
+    #     https_proxy: http://SERVER:PORT/
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: error
+    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
+    # env:
+    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
+
+    # # Used to configure the machine's time settings.
+
+    # # Example configuration for cloudflare ntp server.
+    # time:
+    #     disabled: false # Indicates if the time service is disabled for the machine.
+    #     # Specifies time (NTP) servers to use for setting the system time.
+    #     servers:
+    #         - time.cloudflare.com
+    #     bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
+
+    # # Used to configure the machine's sysctls.
+
+    # # MachineSysctls usage example.
+    # sysctls:
+    #     kernel.domainname: talos.dev
+    #     net.ipv4.ip_forward: "0"
+
+    # # Used to configure the machine's sysfs.
+
+    # # MachineSysfs usage example.
+    # sysfs:
+    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
+
+    # # Machine system disk encryption configuration.
+    # systemDiskEncryption:
+    #     # Ephemeral partition encryption.
+    #     ephemeral:
+    #         provider: luks2 # Encryption provider to use for the encryption.
+    #         # Defines the encryption keys generation and storage method.
+    #         keys:
+    #             - # Deterministically generated key from the node UUID and PartitionLabel.
+    #               nodeID: {}
+    #               slot: 0 # Key slot number for LUKS2 encryption.
+    #         
+    #         # # Cipher kind to use for the encryption. Depends on the encryption provider.
+    #         # cipher: aes-xts-plain64
+
+    #         # # Defines the encryption sector size.
+    #         # blockSize: 4096
+
+    #         # # Additional --perf parameters for the LUKS2 encryption.
+    #         # options:
+    #         #     - no_read_workqueue
+    #         #     - no_write_workqueue
+
+    # # Configures the udev system.
+    # udev:
+    #     # List of udev rules to apply to the udev system
+    #     rules:
+    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
+
+    # # Configures the logging system.
+    # logging:
+    #     # Logging destination.
+    #     destinations:
+    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
+    #           format: json_lines # Logs format.
+
+    # # Configures the kernel.
+    # kernel:
+    #     # Kernel modules to load.
+    #     modules:
+    #         - name: brtfs # Module name.
+
+    # # Configures the seccomp profiles for the machine.
+    # seccompProfiles:
+    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
+    #       # The `value` field is used to provide the seccomp profile.
+    #       value:
+    #         defaultAction: SCMP_ACT_LOG
+
+    # # Configures the node labels for the machine.
+
+    # # node labels example.
+    # nodeLabels:
+    #     exampleLabel: exampleLabelValue
+# Provides cluster specific configuration options.
+cluster:
+    id: AomznMVjQrZCD-Bm1a6DORI8GLZOVYwikdQEr0qI31g= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
+    secret: O/0Q2iNvQ8HYaET+D/4/tw4KJaFIIWo5UYn98vbHGUE= # Shared secret of cluster (base64 encoded random 32 bytes).
+    # Provides control plane specific configuration options.
+    controlPlane:
+        endpoint: https://24.199.76.219:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
+    # Provides cluster specific network configuration options.
+    network:
+        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
+        # The pod subnet CIDR.
+        podSubnets:
+            - 10.244.0.0/16
+        # The service subnet CIDR.
+        serviceSubnets:
+            - 10.96.0.0/12
+        
+        # # The CNI used.
+        # cni:
+        #     name: custom # Name of CNI to use.
+        #     # URLs containing manifests to apply for the CNI.
+        #     urls:
+        #         - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
+    token: pye8s4.xbsov4gw0wvrshzm # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
+    # The base64 encoded root certificate authority used by Kubernetes.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpxcC9saTRpVW5mMmtUWEF6ZkRBb1F3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlNekExTVRNd05EVXhNamRhRncwek16QTFNVEF3TkRVeApNamRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVQ2QjMxRDR4bU44Q1hMVWQ5SWkvc3JBSnBobkpQWXMxd2Q4SXU0QTBxTHVxL0VxbXVjZHQ5L0dzODAKMmZyUTFPd3V4WDdXNytBWld6YzNOK01FdytkZW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGQmlUeDBOSHlTaG5pMHY4S1NOMmMwOUF1SlN3TUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUNOMHhDK2MKOFdNL1JHM0ZBQW9Md3BWaThPRmZjaFZoSTJXdFE4QmlTd1QxQWlFQXRvclZLajZPeDJsQUEzSUhtU3hsRjhGYgpoZ2pBVm9jWWlVdk9EKzN2OFpBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: ""
+    # Configures cluster member discovery.
+    discovery:
+        enabled: true # Enable the cluster membership discovery feature.
+        # Configure registries used for cluster member discovery.
+        registries:
+            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
+            kubernetes:
+                disabled: true # Disable Kubernetes discovery registry.
+            # Service registry is using an external service to push and pull information about cluster members.
+            service: {}
+            # # External service endpoint.
+            # endpoint: https://discovery.talos.dev/
+    
+    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+
+    # # Decryption secret example (do not use in production!).
+    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
+
+    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+
+    # # Decryption secret example (do not use in production!).
+    # secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
+
+    # # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
+
+    # # AggregatorCA example.
+    # aggregatorCA:
+    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+
+    # # The base64 encoded private key for service account token generation.
+
+    # # AggregatorCA example.
+    # serviceAccount:
+    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+
+    # # API server specific configuration options.
+    # apiServer:
+    #     image: registry.k8s.io/kube-apiserver:v1.27.1 # The container image used in the API server manifest.
+    #     # Extra arguments to supply to the API server.
+    #     extraArgs:
+    #         feature-gates: ServerSideApply=true
+    #         http2-max-streams-per-connection: "32"
+    #     # Extra certificate subject alternative names for the API server's certificate.
+    #     certSANs:
+    #         - 1.2.3.4
+    #         - 4.5.6.7
+    #     # Configure the API server admission plugins.
+    #     admissionControl:
+    #         - name: PodSecurity # Name is the name of the admission controller.
+    #           # Configuration is an embedded configuration object to be used as the plugin's
+    #           configuration:
+    #             apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+    #             defaults:
+    #                 audit: restricted
+    #                 audit-version: latest
+    #                 enforce: baseline
+    #                 enforce-version: latest
+    #                 warn: restricted
+    #                 warn-version: latest
+    #             exemptions:
+    #                 namespaces:
+    #                     - kube-system
+    #                 runtimeClasses: []
+    #                 usernames: []
+    #             kind: PodSecurityConfiguration
+    #     # Configure the API server audit policy.
+    #     auditPolicy:
+    #         apiVersion: audit.k8s.io/v1
+    #         kind: Policy
+    #         rules:
+    #             - level: Metadata
+
+    # # Controller manager server specific configuration options.
+    # controllerManager:
+    #     image: registry.k8s.io/kube-controller-manager:v1.27.1 # The container image used in the controller manager manifest.
+    #     # Extra arguments to supply to the controller manager.
+    #     extraArgs:
+    #         feature-gates: ServerSideApply=true
+
+    # # Kube-proxy server-specific configuration options
+    # proxy:
+    #     disabled: false # Disable kube-proxy deployment on cluster bootstrap.
+    #     image: registry.k8s.io/kube-proxy:v1.27.1 # The container image used in the kube-proxy manifest.
+    #     mode: ipvs # proxy mode of kube-proxy.
+    #     # Extra arguments to supply to kube-proxy.
+    #     extraArgs:
+    #         proxy-mode: iptables
+
+    # # Scheduler server specific configuration options.
+    # scheduler:
+    #     image: registry.k8s.io/kube-scheduler:v1.27.1 # The container image used in the scheduler manifest.
+    #     # Extra arguments to supply to the scheduler.
+    #     extraArgs:
+    #         feature-gates: AllBeta=true
+
+    # # Etcd specific configuration options.
+    # etcd:
+    #     image: gcr.io/etcd-development/etcd:v3.5.8 # The container image used to create the etcd service.
+    #     # The `ca` is the root certificate authority of the PKI.
+    #     ca:
+    #         crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #         key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+    #     # Extra arguments to supply to etcd.
+    #     extraArgs:
+    #         election-timeout: "5000"
+    #     # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
+    #     advertisedSubnets:
+    #         - 10.0.0.0/8
+
+    # # Core DNS specific configuration options.
+    # coreDNS:
+    #     image: docker.io/coredns/coredns:1.10.1 # The `image` field is an override to the default coredns image.
+
+    # # External cloud provider configuration.
+    # externalCloudProvider:
+    #     enabled: true # Enable external cloud provider.
+    #     # A list of urls that point to additional manifests for an external cloud provider.
+    #     manifests:
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
+
+    # # A list of urls that point to additional manifests.
+    # extraManifests:
+    #     - https://www.example.com/manifest1.yaml
+    #     - https://www.example.com/manifest2.yaml
+
+    # # A map of key value pairs that will be added while fetching the extraManifests.
+    # extraManifestHeaders:
+    #     Token: "1234567"
+    #     X-ExtraInfo: info
+
+    # # A list of inline Kubernetes manifests.
+    # inlineManifests:
+    #     - name: namespace-ci # Name of the manifest.
+    #       contents: |- # Manifest contents as a string.
+    #         apiVersion: v1
+    #         kind: Namespace
+    #         metadata:
+    #         	name: ci
+
+    # # Settings for admin kubeconfig generation.
+    # adminKubeconfig:
+    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

secrets/production.kubeconfig

@@ -1,31 +1,31 @@
 {
-	"data": "ENC[AES256_GCM,data:9nBNHtu4zq6vN9Y7pTswykY93qDHUSXkvAWt+sKkovQdEOpWVGmPPI/fiyj5oQdqqTDM8cG4ZT08G9UrwhmCunGu0ApjEBFoQNoXuXy9R5CyFFpBITtROqKBLt4Se+jI1fyjjwEk95cShuuOaCBYH6MGRXfMXXYLe1Q7mZ1OAE7+e7mByWpBP4QfFDIUcRJ2AMARLSoIdpOhjRWb6c7DwVOHf3Pxy/eZ0m83kbBeCxCQ73h7saOk6QthTWnExogoR2Rh6tijHwepOvVcwOx6hzLadcCv4w82wDLRG+mohAE4Ksd+SZAQCfdTUhckQ0CGtkDmM2m8xeeWz7meRGDVmv0/OjJoEd9jvXtuVk0KBu3UDqNRPsTl/h/OfMmubtg2QSXr8aMB1/fBSEdP9H70hNr23UvprOl16xVyzIM9+XT0sT3KoAI8i18AXFmoGDgBLI3RpqP2FrvmUvrKv/YupS801Rb29RHafQxO2KLIzElQ4AHzhBtV8Ck1CZh80h7e3fYbKW4xEdvRZd2mueNSRJbRRj9pIsmTKJZ5P+zMyQjbX79jGOpD7ExD7gqmkR0P+0VYxhsVOCCRrbD6KdrD3U7AtL6dwBfGPjtVHuncTPJrEZkBeB6y1MbbudYEBc3a2MkBZUQeERQmDsx3TsKW5Aguu1HNg95zptE6/ng5Vxgu7dQvDI7YjGyHTJPZ5GZVyIPNnRvZdF5Xk3qIQ92NhI5GGT4/+tf0S5gsOWzVsD87IiLgAa3IIUaspKcAxPQNR+bkBQU0v9uVmvZVW3C0AZk86GZg+6kPpoHAIdmIs2G2wROHjHjBHV6XGA6rEJebyKM8NYnJRWiVGE+hkqmPArhlKtpbY6YCQ3MuFitj3b/wGemZtcTWp++/Aw3/2TYpnDxiIl6u3xm36ZN3nw8Gzalf3EcUUORa8/WmQtqKTX86M463h0Ml4uhufx+q0h8f2b1DfRUw9AQS92mevzNjrD9agEFXKyGsGRW/aUvr/2pIIAb0z2rQfb+lYnLW1bdUs0TzxUCzkf61WblB26BJjGb1caEsg7Gl5YO0aF0rOmoVgAxI3dl7AJRf89eny/8v3BisthVBdK4JrYUfS7KRT2wOqG9zJiddOo+ysaurj1cQF9R+rnIs69wcCSGPnQj7xvHkooo8exoJfhZeZjszbfbb/pNBlcFiFP9MElULeGAmKXvtuSZaLtpOCu0A8QQ7aWkVsCXyBChOVtTKSDs0w1u0lohvwDlZ1bR0Nf6IUERDBEEFXk4rwTZyO4V1R3Jvp5+t3dE5ZXUtRVIzEdqQjvNAANuLRdk5WE/H1u1giHVC0nQSrav3D3kWBH3BgeqWoOjlTaUYTJPBlY5dQaCWFYLpCJuPSvd9G0aDwK/GXZJNv/BsihU/a8xJdhNw4vtqGc2Nlv5He0cRexaodTVAjAXZr0tovwVUlTV03uYe8m/hAhAQzWE0Cluhchp7trNUqT0juZ9F8CBZK0o2OoF8JaA2b4Im7J2qzr9tqq9zuI8oRu43Iqh5DjIqvgy0v2PtqoovwOCniCgSVaU5bLGVd8J/pO7OLLEwOU01coqhzjZpw5FrCNbcfDUhko4T4J/7N0h2z5tfUqe1DdA2T0LfyXJHMfgiGzXDNYmkcTn3ExEOHuzzNjfX2t4MmPuVTWuv7ULSEL+YJUPlr61qU1MlJ08MQDjdHuY61eDhrpe1u+HG1YnicgQ1NmbAAmNXl7nNhjonltYLi7oqvB8pqe9XfFLtW4nUsnzxYxpU5Io9MCWo+0Dxwyq/TuN0HHgqc8oVdTb1CdC6JWOSEQbzTKizUgBPXDxAQ3bYYTTKTO8kulvyjOCEc6bvNuVAeSQ11NKaCcCmaoiNrapjZ/rbMimuXIAJbkNA9mQcshMLSvq05x8x94I009qvMyAXR3jHFYc48gDqCroGsMOxbQSEFqrSSLjuhgjELLDh6eTJ6niYycSgcthBJUGy+6WYaUUk4Gtxod3CkCyCAHNzjGSFNHojwM0CAhFuKMZ6cYLT0NnIbYgvrODbffjFW+IkIrYgTOpyfN239XHhoJjuF9cB8mHMMvqwguCbz86sIkTwcADTOfYwcimU0sCE8yQNjiX+r4pcTRqrO4ItiHwbake2kXhGtn2XKa+WpTgc5s5enC3zel2wnz0bKzyP8pH3+PP5/tZsk2vv4Y+ILVimDmpcYeWpHOIgj34cbp58X0KQjCup3bsM+6CgGJoSq94NaZ9kAFU09/dw838YG8oVpSyM9K/3xfeLgEph45n3b19twLW404INfHP3JeWk2SX4FbRQZWzOF4A0NIjuLsqis+HTtfm+muNl29SloNOlk2wEP0g7GpVfuhBHzNg/FS+xvuN3rSYkfGWTGvKb4YNeR6UshZfivfQmb8Uyi3aujsn6RRJIX3ltGaJiZAhLVZyEUgU9rlCXJbmPgw7EYSb2tUQqi7fNip7jorJkiiza/xLD8rvbofGKGj4wgPhLUTg+nYu20gb4R7jbqq9Ig0++w7kmzwTg3FzKCyEjmI/tEGNEn7LRacNLaLcUtChGMff/dcchLsgh9Trjo7yo9AQwIWGa3qAdnseWTCD74PK48OkqflMfzp9CkJ6preIc5JTtTI2pE1tvlHytCofzZAGXmM6vSFtWhusR/tYh8Rb3yvLpzrzC6Zg6K2LtvYe4hyaynuCZYz06SKf/vc0hJbnGMPWu2GUYh63WZmnWzaACNUndUqFIXpDAEKImHnsfNXYkkfjTq6G8xronMnDu5Cz33V7rKgMppFEuqgZ3iLhnE0y/YOqTvKJlNo1rDFIQZSxbVBVvKMeI1aNV/VOnM+u8xG5bnltAbIrppS7EaQf5bReqX+Uh1ocjlcf1q/mPJw5W0naY9cZgJdpmkk8IwNe6DbgumrLvuHUDymEThHyCCuju2cjqARC0ySLsoiBGiFMHCK0F0FIciOOkyiKvIX6mTVNWw0qCKs8nU5zpGfK07kyPso7C4z+6AFPtYlSrHVkkZEtdFaEbF73d0A9ulfdILCKjI2TGBMc=,iv:pBuy5a7QeJ35PwRlG7eghaGnqJo2HSDYhM5SZ3qYPsk=,tag:19TYJiOSW3Mf7XDSVNODJQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:k2fv2V1Yvd1OxYHD0XMQhdpEM997tl6CZq2hZhaVT9jSqjNcW3EdzVShREyLXg1KxXwh8YgB7T5+APx58snsVewa6l/UwIl7ziOkHu5sNQzfi1qCfE7UA4aREAsbIeJI93nNWDoPAiKTX/5bK/wN4/bZgrboPJC30dKDNgvLgfBb3Pk0laGGVExAjJyoJ+8iDUQyt/Xk2XUrZG/lJt0yzbcCczOKTlqR8wGI3V6gZPgCLvUG3kNgf5huK8E+INDdGGyx9RUX9QdNsHcvJXVmfr54jHlfCfMZi+Bkj1oBwvyCtrYQtg8PB6bDDfG0mHgaQTr0Ih7H4IxMkPf1dA552Rzztr/pglM6Vs96fNxM/jQiM39AdMUw+KbI+rm4tg0cRQMMh5ib9OW7wNLovsqDpen2P7/Y+cOfwFeol74J9hLzL9YjosffViea9XcBJeHPqmrSgLDed8xqcZMckqis6rbnTU97wJi4rL6+dFdwmCP6A3Ovi8Fdf30B1iMCVTOshkCy7ZuNmf4qfKD+XtE9AKU7wpA8J13XioObe+ODePtKU1xuYeRIXPH7ZEPsZpmmGt9qYX1Fnjjw7lbNMnxN2OsmjHQnI3k4eqrDvaqmwFZ31Fx0Z9BODayIiqOWI2Hq7OtBqU4bwqVVBwttBYa3mfz6thd02OVBDiFiDx07r7RVRsEV0BB4ipdi1Vy6lDDDjWU0ZvqvT0e4qmXB4dGAZCrs1IthwqSdCkE9kAPWqf+aXlh2/0teFHlve/2F0OByBh6lweszKivT+exkObHKHZqFv1vtUsdgcuUNpk5iLDd4DgpcjAckxPKI66jU5QxbNeKF58lmji/TiRrk4ZYa0mEGbw5G+QLzmAYzfFQzAKOrDf3oLsIZYpD4QTXoaAVs/neZdETIc5D5YGUcCwvWozVRVT6Uezd//GXDK0n3Ef2ow3BjsjfsQ7+uJLEs+UN8TRdZbmp5TGEy4NA6tPJDHwnUSK08cVBYgh04OFSFjhmgAGyqwwHhz+WjVmEbyNxyB59ths0xI04TXepu8ntDzALXBBSTdYrDfkEfEdArO18KOKNmsYA8AzC4q5mu5xmCiPkdrpk7xOgS6rBa4mUQ53QVmaAsTDXzXy7hReBCGpEJeBp6Djyt5+QupD4kBjS8IgrxPNH2PrhyCfMb/re/3UixTz7d4uWCF8siVbBnqwLYIEIcyusd57Vr9ICZqxKZrXvSMFhmDeKDU1XtDnwNJLkSUa7L4yD7cHXtIHK4vfHIjnTXNrg4vOxPw9IcEGOcYCsqmGAG+Ze7GSgm1es6ldrAzxBL7NLbIET1/1NbPkteIcDcLroFM8dvZwHwIIOL1LDME+rA3oryr6sNO1/u5CnP+/h56jWErGDSlpAmDHmKndEQHxwbFCnAL1kBBKMD8vU4/86fTDPsyZ7rS7LWnVvIdPluDbi81Rfml1bq14Il85uFbEoQRb/br68Km78AvMT+das6ZEQriSRjV872aLxblgX13u1Vv7ZoS/w0o6RC6Jev49+Msp0wEgZWdtPjxLjn9D4/BVrhuAxVAPicAekl+c2zAm6sz+VPIHnK4LxH815AOB4HK0MjuKTt2ywx7aq3G8xNA40Xnp1/A3D8mm9gZpfytd/esPCe52mV3KqXPgm3zoJgQeKMuox1hwOn1nq5HdsWd27ozb5e0CaXTH3XC+zfGm3hSX4ytOmdUMX7HaeOHbYvo5kqaIpNtKMKg6PX7Y/cJNirf6N5vcIvNMlJAb3d3F16QJzE4X8/eLXxGw3I1Ibydo1nseMw5nIWa8lBAlgJZTVKHtyufIMP7fKWZhGj+cY1OXlDwb1MCP+vSHVeoJtji6BG/WuhSvMDTi+//uOTjvAuHa4cAvNRTwHTwtYofnw/JIc4e+MmHPV6o5wsmk5CEFavGQ2VlHk1Bt+SMTt0YOYyVSkIuTieOnAjzKThF8kYJ1IlFOCwI9N0DYUS6jh1IRYydLlubzwUcz1ggMzxZL8JOL8MmO/iusMnVdG70fjZnMCbqvpOjzuQ2+IoLVJwUsFZJzJNPwf6GGD3B0qOVnw97z1+YDOgy1bmiG25CqUwuD1iMbZdR6gqDDAWedzTxbRQ861SU9lxoS4gbmMw07Ri0W18z/V2ZRPbhUEilRmymyCeFTW8693ojENxzc2JILvTEOOtK4XK/YdJSbaigIjwEzb5nWqKKlxNLWRaja9x6fn1boQvJpGzj+SlnU1OQT3NXsvyJsOp6jutew1rHyB6egk/0IjeruFNKZqQl0EFc2wT3wIdZiTpFvIue6iBh6wH9sMU0qk0DmIwMMgOabBpAjLGYo1sINoqMOL/TEUKu/TN4AJFlqHNVBJFcJjZ2m8SQmL3sFkQ+ESrREzStnTklKCeB1fZkAtcIAiMFCQRmjcgTzDwlbcKHWSfbyDtra7WqRIGAyx8ZiXIobVKAkAVv3PxV38tf24qO+/+zXfDKcI+GLQ2ylOYy/sbRGxGIqPH+lg8zqfwIk0ME/uyqL18Nb9ewz15Oaj3RzihNkde7ixJmp7Z+pyMx5eokSyHfr6bJ64Sx7d3WihujeEFf+U0KI84SgwEw5FUYNBfuSrtyWJyA8KtKRqlVg5u7rlqmGowBPuEnebYL5hlsL/gPqRO5AHKcTKPX/4joYnfwX+4eY1vafJo3S+TwofXi0cei6jNqq52PXNo4MCcf2rIRLb3fye6PZzu/6fvD/HhC0lFehVnxuDhlCtB72K2opMYbFlSsaiYVYFCwcG7OZeMVMpMrKn2+pj7H6Z62Z6aXIKSypDL4ZXOalPKmPT7nXjBmEqcR/vbdciGZHHNJOp6tM+e18Lwa7gAQQcnb5pqUmYKZ+LtRpfv1YjQTM4Ta5V66duoXlfca3vy+P+Nk1dMgNIwgfHLu3zedb7EiwIwm2hSc3IocZ/VMPKTDhHX2rxKRz2PZc27vRTTT/MJgMszLvlw1pjDDQy4MVIAAwQoYs9bIjBEaGzllM7O4rN47faW1D2roZpABoBboNA=,iv:VhVgrRsepAwXluyCGUMNYoVZ/keTPvkXLNHbf8wDFew=,tag:jgELpKne/BCoKBkd7fSc4Q==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2023-05-13T00:05:55Z",
+		"lastmodified": "2023-05-13T04:53:04Z",
-		"mac": "ENC[AES256_GCM,data:CncpkiLb22WHBKfUJslKsylWICY+QxN9Kk1lW95L3+hO24RKQ/PW1yiT5Vz0NKt35H9E3oJgQKXEltn0I/9H9DI6zpvHYP2gh6Y2msloSoe4TLJDhjZKeXRpTr+uTALqcwkQ1UsMfMuNmRaO/BzvZLi0w4OVlJ3Ja24h3TKS+CI=,iv:GU7xl4MR+qh+qskWVZZBIEwlGJc8EpTVsE3MFnrwL4A=,tag:aqNd+sXwTxOjWtLyAmUwfw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:H4qzeU73C+X0t+WdtJTCEhGhgIFaa+twEHlMaNK4+6NxQXN0OJcbztht9ufk6Gp6B2Q3jaFBd6QQp/2R/U3RV1R8nn/w/NvV+sAle3CoJDlaxOlwdTCZsR1u0AC76lVS5vi9B3IxOmMSu9qVPvWqeFEuGWWnZbLknEDb3mSbh+Y=,iv:oUR+ru4ns17YJmChp34lWdtcdL1vrhaxEFZie1YXJ6s=,tag:8szQe1sU+CXQPAymw0TaVg==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2023-05-13T00:05:54Z",
+				"created_at": "2023-05-13T04:53:03Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA82rPM2mSf/aARAAp9cV3QJiw+bwoWbXIlaZHodzKM9abakq3gETiGNqhIY3\nNEm0UMuw27Yde5b7yeNLZn6B8XKvURVoPbAJ+SniLwHEecIpvTbU8DtfSwGT9tiU\n8T+kyIhGzVc6XfEh7nZF0oppuov5DqheCnV/z55rB5rT0g7IJUKgB+NA0iVCJ48O\ny+MSl7+epOHioe/9fgPrnrqiu7+ZQapY0YWY8nCY6R4Nyje9HZjSx819LVHAFAA5\ncF9p/OPl6XLMTSmzIsXIRBU1QnhC2pimXzI+5evizOP+KiUjYlAqT0Q4jeMo/fe3\nZrCjToy6RY0QKr484++N6B992a/NLtDM/X20X8p+vCsMhjAcIG+ESXC3okon93rE\nBpL9eRHaagLerNfoih35QYmpwPrJs9k44d4Djl7yRVlzIhq3B75AdqmBFVumGvff\nF3tzQ4eU9ArVSvNnAlwTVjbc/RjEuYJSzybt++XZYMUZ7E+Xbc347lDQo8ZGub6P\nTSMLxZ3UDwOBw7W/A8OrfmCo6ZVuEk4YuLqZ7dRHqwxSVU+zfx+IgkVR/XsXbeZe\ne6UaUiO5vMpHyF1aUd2DP6gaFjTwN8MNJCw+Rj80ZyvcX3E8JitqoBJ5p4XPTXev\nMbb/DFQZvD/1g5xLhLBUXM7KXYDti715SpQKoGjb2S+HU2McKVydzuGagMGG5VXS\n5gGQXbLg7g9hO+Nsr+y5rQHkQS+iJh6lxGV6egYuuCtQK2ymD/2GSmqxse0TAeij\nTZvWGLu1YUJWVr9Wqy9oMn3kWN8e6wKtHprO+Y0rerEXEeKBLBXaAA==\n=OSmI\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA82rPM2mSf/aARAAtg/bee2yrWtUoqZlmFlO6IAjjtaJ3dlSsHGjpdK6wMj7\nA54XHmrMk+wlSty/MrfqXQMmcc/6vOZX5hiMfBlAwbUxTvpojDyme+m197V2EiQW\nvAeLmiFU8hldPPk8Br6BqcdKjEA/BEgB3/adbyBCQ6mT761s/32EO+0d17FIHZuH\nghOIpym9GLjPmlrTDkzauqTpTrJTXc35WjzROAE1pmmshfYPQ7MtZQPIGsWYYYwq\nqWHS6P4vclxEwpOZ6r5H01MJt0sEJOkcX0sPV7ArW3ZLu766AOC6D2RWwSa0yyRX\n1+ZQXDIpK7oouE8HYF7mOvJ4J6Xaz7wL71vZgFEKws8E1lwsxJIFVP3dABg2jMau\n0K51A1sOcIw3KHBcegPFwv0LorqzXCeZrVW9rgq5tjosmNfjUf4zJaS3atyZYYfB\n4H6/PD5LVghq0AM2I/gr0PnVLwVVE8j/Elf7C4W6iS8AwllIXePIrg1VQXEZUFZn\nkPzDPlPtpdU0BUk0yBqnIDwvJm2sKVC23WhdlDKCH+EOVHsCgei4urfYycDdpIBx\np7Qf9zS3rwMfj6C3WevcTTIkvnnRdZq2hcwzeiND+gG7VM4SXS0zn7TOz2OYZGTN\nmlMXPMyAo2sh9iat4E6ceJPGQb5AcXz5S3QPcHoPvgO4npjsnvbsCtn3PEiGRm7S\nUQGAxJ7IEYXM636AIEm/KyzLgHoysepJYgZWCPMUiR1/dC0RiHVTSzMn7VRBZm6P\n+NFsXIeGG6sKHyfqLZWdAXX2ZYv0JIFLBjLhW8ezBGnvSQ==\n=yc+H\n-----END PGP MESSAGE-----",
 				"fp": "6B61ECD76088748C70590D55E90A401336C8AAA9"
 			},
 			{
-				"created_at": "2023-05-13T00:05:54Z",
+				"created_at": "2023-05-13T04:53:03Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMAw95Vf08z8oUARAAUkPjEo1rdsn5ni9Lq6SL+JOvXGKYW1Y1u9qbI6RcYBoj\nfINpZNt3a6lmTj08hCmXpivM39sHWIZbDt8r+LEz7E1tsBlxQ1780xOEVYw+iq+J\nJEj76QkOT6kFkiD5YYLm370G9UwWGLgW5r2FXRv9MAskNVor6AntSc2OqF9Zu2bp\nIdH8JQVR+swqfWUkk95tAgeaRPIpXXN6YLXP7FJE0Mjrik2vyN28k+H2/gM41h6D\nwFMQu1nf4MFYIMW+ukZYQWbWqJdi2i+HgTw+u2fq+yuAWFbc0kAx7ZnwHQ+XjPNq\nL/Oafy1qT7g7LKzG5Ilqf/zmR7xallNWiIxbgGJjrVojFG+aTERatzkqZ9fgK5hU\n0Qw+YibxkdlAniamcsl4i8AYAo6Eo/PEhvgu8xNcM98I99RxdXf7msdAnsSHPtUk\nYknCv2bo80Oz8UB2KB9SrPbLhS0DwtpzSx5rLCoGQxg+LZeIWXBe1IwZ56xDTLCf\nOSPjcm2IFLyK/uuKykaEQPZDaSER1HbWYcIZi7GIc0iHzNifJX0L55mom3znvqX3\nGBG5vCcQh2UHgHtG789Ihs8iSvr0YJZ6kVxYxwx7VWq+6C+e4qfQEi3O/IYDA6bZ\nbgxaSsDnVxpWgl6rV46Ufv93thlmicL2sypuALDXt4WbMFkDxAE/zK+EYs3a61DS\n5gGjyw4VGxbd8mvr+VpmnW4099+TiTi3yfJRDwg/qV90+Qxj3ykU93HVrY+wkJQ3\nfzsy6kWpaOIU4wRS7FskYDPk6kE9GQIDmQY2bO8NyPdSsOLxH2DfAA==\n=1znl\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMAw95Vf08z8oUAQ/7Bjliei+/UiywsRd03CUPmFn3opmGGTKotsNxPqPTLZHL\nPyLAjC7f/wU1sSB27rrqI8KW2Fo3xih2yqGQ0+s3s5UzXlfzyZka+fD+RiizQ0Fa\n4PB2T4GkmHFPKJC4ISEAn3qlD9OHDJEhoG5Peg8Rq+DWneeS15KtMcT2AJKrQqou\naveR6FDRZauWSwX2hxe1tsChcNErbPJYQtV1ayeXzwLFMINzt7q95ZC3Dpgc8I9u\ngvVbH6k3YCJwQY4DrsLg78X4lzcbnddT9TTmX1buz4jKo2f04pwkPm8LO/qZZBRv\nHw/e1ebKMqcS4S9gZnioLUS9g6HXOxeHyfBRt3gzhguiryUl94gPDeEbIKUNggLS\nNY+FUnYjbDHVxqXCwBJyi2bhlK+l2ILMVRh9khzNdEOy6bnkorKbBH8/PUHKlWYl\nWIxIKEHs/XPlix5OGZVqKw5ZM/u9UvTIW/DSigd0Sm1dhYqYWIa5IhAAbepYRS6a\n8wLdQF5i+hVr2B9oGRX9PRh5SU5uGuz4IRvDjb2zIDS5O3PEOO3kGc2bFGiTMCBD\nOQeU/Qav1nQ/MrKdmJ8gW+PNUZ0FxoLREM6aWwHX3cSldJ1JIb7mTNI79lh0Oj/j\nxug+LXVdPwsuPjhwi99WISnjji2oaPR87BrSbQL+DkGx01XkVkWd80svAunEE6PS\nUQG3hRlJz+U+Qozg5FR2BuqiABs2Y17gDdutoa6AHAnZ/vj7YOBecwOjUW/QPmvY\nbdriG1ZtxUkfc6/B8HkwY5/TJZfbtm5pJpgmVwGPQMKNjQ==\n=O1BS\n-----END PGP MESSAGE-----",
 				"fp": "88823A75ECAA786B0FF38B148E401478A3FBEF72"
 			},
 			{
-				"created_at": "2023-05-13T00:05:54Z",
+				"created_at": "2023-05-13T04:53:03Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dr/MjkOzuuRESAQdAM6cO+uuZN0ywbsToqQDPHGtYbnBMEroga1GTQaH44zww\ngNqSbw+wk9D4IWeUhPmOB549yAzwBkZjKX+kKtP1MhgCSpIVam9w0DMteTbwYwwC\n0lwBtXiTP1PhfuWhRcQrKcmAk8Htl1HH3epvv+Jw7dNc22+fApwdrPqGE2JUmqaa\ntg6srKbuJD5wKhpXHZEFEMXO2Sv1Kfe5T8VJS3hc624uf5P1/bmDV93IG/bFyA==\n=q/cN\n-----END PGP MESSAGE-----\n",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA0/D4ws+/KPtARAAjE7hsXE3cX2H4n3c7iT881eJV8vNdlsvl62vr704X3As\npOEJnmocgC7t2VRYSFyPbY8QkreGQ8AGxsWRYOyVGDh+k0eatEzlEZg1VjWeGBFW\nDbbwTbvPBCFjT9kyW2Mke3IMY0F1ElpHu/VJ7RUoMRJY4z4acJHzN2kR/ybg5Sc6\njAq4m7BI8mrOmjc//KSWlRz32+D81G/JZAPsZi2G62LhcndIY3qLYgd6w4vvrg/o\nzCSyqjp4MPdzFGLGpZHBjNrHXwW2096WY37w1llbHpB8u7EOn4jo7BDTq+e5rcVY\n8M67UTeDnZiL/p1nQ4Nckbc29WQreDJ0COR62VcnDfKXaYCTUgSkjj4uBY3P7zKf\n4OpRYrd3hnqwxC+kqfMKA0PUs8MFstzKL6wB9LkFtQPQ2s0bGYV1zCdIxCoOqhCa\nNhxTvHEpUD5cWKg500oSCHnM/uqqrEdb2U2dEHdn4+PNfni8AsZZv28r69DWv1Mz\nhC/EUJUjKWbP5jATGfkJTVTTcbkrAYoY05YRVfme8X+dX1vFtJ4OgDEZOGSJYitQ\n4dBDzunX9donv3ckf2e9xvoDvVb4ZA/EbWGgGBxG2AlZuq/NWGq8cWgep1emokYM\nAmfnm6+EvXi3Uk5n2vqHz+aeyjV/DrCsaNtMd/XOiHf8jzX8kwaZi9n02RHTzTbS\nUQHHNe/K3CZC4/g8Vkngvydgz71p1SI2Ec2hDEOgYtsdjyAgw21QM12EUbpYU9X+\nj4frRpmdoZXwBnZ57bcCZoQ4WUqDXOJCMS4FGYpP8psN4A==\n=tOB7\n-----END PGP MESSAGE-----",
 				"fp": "3D7C8D39E8C4DF771583D3F0A8A091FD346001CA"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.2"
+		"version": "3.7.3"
 	}
 }

secrets/production.talosconfig

@@ -1,31 +1,31 @@
 {
-	"data": "ENC[AES256_GCM,data:ALTixImfXKjEOgFcX+tbEPfUj8ukXh7SGHM7uEnwG9nJ5aktA0WSw4vAhVKTLkZj4I7aTzXEt14Lnr/V3qJ/4KF2hv86kruzA2DO0HpiUhKQSZ5vmedO+P/Jv6jN7VpwwQiqIFyB7vjLftLURR2hbAorS6Io0whBiZra23wEpnxgefCl9yfpzDjLMW9IVZ6O8XrUOQ73Py5oCUY34rt7DL9rj9FuTpb/krBW8djQCT0qYL0LivEBrgXrBwjQdRdTHrxpvJMHQp287Faak7XxqFuwrcX4gAI8MR/C0b0IEdMACfBiBcZreZLecopIxLIYEfqYCXwRZLZKXYScNSzpWDBb6O0EC9G8moCczHVhXRd3DyBXnbZGslTNHZr4AyO8vnWXHeUGzEJdq3CfcSahpIyq1UyTfljajql3Hw82rycOV1qIYWs6LFEoFVd2IKGlKqLE3YOskgWZwEFdV1SKbM8Rn/IpZfEkBCZ0N36ehUeMN6rHWfO/d8CQ2hYKKoMZXvN1VebZ3M85OIrC34XSI08Y0X4XMXZFz1N/nXIQfUZXpFD7GuOxba+smaEPkLKm1JsH9SQQUo9vuGtzwtkwh31YH3xyQMdi5EsHWKHwKRoDbodX2E6n4c/FSCvDsXXOjSFLWacJ8gv4zSxXZWxe9niny7dD7f7ookD0LQNoY6Uc9xQjvUpn7zkSBR56NmYbpl1YBpY8cNqoG7p4itNdg1yWVvjDkIh7s6iu9cDxyVKn828+6DbfVHdZjS4Ictb21O6lqtMw5dlwYrsU3mxsaKiZHTS6Jiutjgb0C9ZZqSNzG7kjyXhx0xhpTT86+gAYbtM7kPb3vd1pGotyRc5BsNzRdeUjf9Tz7bKapja9C41gWW4QiX0Y8Q88QDY3DAHCStkd7WqRu6zP1abp247KmE5W/mIdqvS+Sn2nqFH8+I6qVTojqDs+f+vrAajzjmQw+VNWPcpbEdlSqCXlUgsqfXz9rOf4KPGcQtVRr5D5DRDCvdGTVs/4sBoOhPRPc6kFbK9tacXewVor9eH703AXVk2gtGJaIgGv8U42a22PZxHpHHFzuedMCLVjZMNKvGDk1jJnRleXDFOQ6LLzJJzr5iaLnpiN3Aj2LmDiEVxY4rVlujFEq0Cd+jZOcSLu0I7Beq/1NRXTBvwpEA5avCiX7PKt7+iIs11t2zt/aSgadVCKyEZs0oLaPbJHAFyfyMy6/Zf2GNOL3SZTnsMG9zVGh1HJTTGgGTZi4Hn1EqrruUnqAF2lxILBETUOnri45xSwkEYa6qrre59uygBaqFibgAmnrcvidvrQiWr24NdDANfmFoJo0sK8XBS2w3+/QxPSnDPNMc0cEUdWGR6GALP2VEq/AxNPP9Moml7KcYsZvj3PwfA6oZX02sasB2q2fbpfF6GDz0SKiYn2CMty6GuHyKBDnL1xA6IkOuPBYefytywZLdQBOrbiSBmZhi115gZngWsl50jl5+3jxhnPIdhB96vu/I01T/NEDt5dfT11RZZgPGTvpIMCnv8yBAEak66I3rnCWByc73S6ajGn6/QwdcfqAF2B1hlrAweox9DDpLWB4zGbyZr6DisPjvZC6piWvXhc2xZWY4heU8bSMpS0r55SRzqrsVkJSJ3jZozqajpZURxFuNQE7op+GWIHcJX9b9yPC2z2BUzs1MJX32O9z/DMSqfCN88FXaFr7Xgoaa13PP7MV0cNeq/G2OpqsLJvesUD4Duivn8d/veTVBMoxhyo4/Sv0S00MHSCqjxFKTU7GrE+m4cZ3Fb6pdEkRNpGx43vLV6ieTFBYtrjFJ27IhjPTAKeWxHYD7sotqPIAfToyzr5/cxJMG2eKW5aOIcK4yxh90/wCDdnL1urJ/dRahr2mI9sxUtKr1ChX/sea/ZxeOKjUs+hyu2jQTwiP6wZs2fquubqWhCts2qd6vnMzpo1KIbQH9LmYELs5B39rmQYzS0pIo+ctTd++r04ytql/uEP49Y1nTx5pPUe0J7wl60+GIQrjsfrVP653S+kPVhGn1n2OCvSFBM5GovWHIElMxUrn2WuDjoOyFm9PMhhy+N9wblIIeWinMcI7n+Yy/f06I1t5CihvpHMsth8IfQ0Hma5JM8M7Yd3rcGXPJpv7TcdxrkQ1SYKzJPYQVCDYpov5URlqVXNV3i/FDYtZMQoTpINXJMYdjmlBny/VWQPIpnFRKfN5Z/FQpET3+U+TXvaj/9hxPAbXBgwr5isG4jxmqDG64gqphqzF0rd9NpdCf7B6mWCJ9UWp8uMBto=,iv:W9D4PiGc0ZW43IN+TWiC8HHmj59mfG59cH7AoYTwVVE=,tag:VoRsL9UngeBKfYkMXmDjMQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:LMSAPI1MMRAB/Qoj+N1sS5+zss1YDxAlHFckRk3IWNnKuX2IBe39JhA6gsjQ0MyMaJLWrzu0QLud3XTw+P2y3m8l6dCSCoBQBS+ApIr+tgW31aBnHJyWeVfy/WaQhFOXIYjyuTIxXtj2zUu1vOZEEs1eI0vzefStSdh/8tsv99tuQ56exwGfTfzZNspaEkYiHivpmd0C7e7PX7g6ESX7CQzV/AIupPNNR2cTanVwuJkn3helTf1UpFMFKVY7J3FzGcd9jEyWaKUp+agzDtL0ewWdoyDJ5edrsKVmqId5EIy+1VVyEvNpUp5WZhTpfB67qZxSphewgb+PQuuSpZN/0LqKa3pJKSAkqqdms7lbpVkPS/w3ZlsP5L6YMe3QvAdbmwZ1os0qUSfF+k0tl49idpSrC+O0cTTINi6J1a7xE6wJAjuMoBAhxdVqx61+xIG28rZwA3qtF/Eo3n4HAYkRVKylRixLrkd9/Nt9ViqbTLAg7r+0jQ3gTeKO0JJoOd0hwJY+bhOOzTTOjgX+Jwek4roSi8dVp5nHrCGcTRoddZFc6POzkmu3Axtmjj0MCHk+M5hePIp1opFSvYHkB2yWyJvyBSUM65NfQUsKIWLgjhpGvBOalGSn09OrHqu4j19eHHr/1xTO1wra7hqIFQK0wpJARdGVzKP4c+DyaKhbD8IvethfnRfif6BFFfDJ8d87l25o2D7QzGURagiIXGKgFAEd9WZhXhb9cr4WnPKoFXE50Had7Q8yD/Zs3dicGZ1D+SBnBnU4N3IxY/hY3YP5DaflYuPUAna94uvU12wvlW1NPekK+592zcc62WSq/5dQJO+JhbLI2/fzCdwHsl6wGE97Xn9+wYFtK+bEAUUhi766VX+jyEnqkC0UKcQZlSnQBWCZ4xjqjECo5Vdd3ZPIF3PSTimuI0dkd9RHSag40OnLKoHFNOzTwOq6EjZNVWq1fvgdsnNDemAXBxgerhwzEKRPEbXCJ0BDpHBtQlwpZ0lyBm3ivDR9okgo0PraJmB4Y8bgJXIGnXYLDIPsVXU0GL9VZN/qu/xKuGXU+EuFwKCzAK3+QXxLAO1qR8JctlgjFDYKJ0Z1V3VRMTXBVBPy9UiQzO8LxRMoUFV0dB+CHX+XqIwlTyZt6xLS6KkAVAu+w+0GUj9NGMcrzRnF9VX7vW2o37YE/du9htdd5P9oSWtAmIj/WM4he2u6lGjxq5oYWQ7cwSp0OUrtR+ob0PLPM/X3dNFPAZ/MFM2JA1YycPwP08ghZqftkgscc4Q0OtHILLZ2HtX6hGaoJ3WxzwyjyxV7LeemCnxAmBNXZlGtXm60tNxiRrEP/ZgX3Zoj+2JREGcr3pUVwN+Cue1s8zdXvNDUcsVwi+7mCYNiXjsuQNTAw3t0WxuwHmFP9fYAcwoR6PhzkZsLA6T6WdUz16Q9AfcRgazlNd5auP6gXYBYSCY1990AYTG4lvjs5WovrW/hPu9fkm8S0hq/vFYy2cvWC3ktgcZExXHB0W6xH6Z0hYqP5zpaQshY9ODxFQCOfbT8HswQAGEPdG0y/weRWl3IG8u6qFaRz82aHyI8UgPKkPV9YuJxavUjawuNG0oP2RzYwdSuJw0VMEn06uerYEQ0W/BL2MxrlefQrxwE2R6J0TR8CvEpyNRpiXNGQDUX8MpVYORiHp1Rai94YwWZq0C2bEEpUUBCFlWXAdKV+R6HFl0rYez0eJ2U9hPViEieeD3zUMisLTMd8KO+HfuTG52KdM+XnweEEgBTVwAYo2mhYINb4irvlJLoTdZ44ICIIYZxw9QgxYhpaYzuTfdD8sZVNHod+rMKBjrSuPSEAMbzBcLIe0Eh7WO7dbGBj4uWcK4NFeVjTtsuFYj+JuRn96+lCDqjeXX/unSxplL3PBUjZqU2NZWlQgIVZxSf0GOvphjuqRUS1B+XgfYezrmC3M4ts53KwPltGVIHz2SsmPXXd1/A1bWIKSdGSLgUGGpeaFj+OOAOi6iEW1jLr/ofSKAiiIyF1p3iRYk0lDHV1Hrl2uHwCV9k6zq4QUizDWlGv/4/uPau71TcrxmEZ7I+sc7OkSEioaGMOjVEVDepCA+dVtdKC2oSYiTdX55OH+dASkpiX2Om9E1aLIDDSOMPTbzDfBU++cmOPIJeuC7V6zyW1g0D2gjbRC/UHxtwQKLHzh3nM6Mk9LKdftVNRIDdPbBtnvMGfWOQrn+gZp84dwZJjNKh7XpZQE8BOBk1oHoXD1Yd4/bAHwYMy7M5Rw3SiA==,iv:TiC+GsaEnLlv2w7UfIQ2BbKvbwesYTPL62lQhsgUjho=,tag:J8PVfThSkw1O4nOQwPcuig==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2023-05-13T00:05:54Z",
+		"lastmodified": "2023-05-13T04:53:03Z",
-		"mac": "ENC[AES256_GCM,data:XhZMgmHPlrLSxxIRxDlle6zFRmH73N9/7KyIzvgWMyV9mmlavydjBq1c4rbHjVhlUZBkHpliPOUMfH655lb7onsiPjBYU/jUFjJJkhTYtO0MZOwA+S7k7Ar4g+1CkFDuNA2V5uCcsAFcy3PH5iTplw8Mxnb39zQMQDnVvk0IkNs=,iv:v52ivi0xUmAL+HmLt6Wl3KzXyIKsNV/gR1Cje4oC5dk=,tag:RG+z85C8IxDIPINwGiJUnA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:xftk6tugkSaNg+ewVl29pF29ll28tCAez12wV6J9GFbIUb8xa2ERuWWHaVkD0/u2KmECGVga/y5pfVzVGS8DtMn89cdYTv1SXE48IgQwkrU3PWACt6zyqHPrcqbVNmJb5H2iEaLKsXh9QU7zljBhWrvKgomfUGkrd68PgxiL90Y=,iv:YJum5JvZwcJIGJykGKnOrHsayM7Wt6gsApm2F8JcVvA=,tag:ykuMq0Hwd+sHf03MtQhjGA==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2023-05-13T00:05:53Z",
+				"created_at": "2023-05-13T04:53:02Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA82rPM2mSf/aARAAKAHJMnKOOvvqJR7N0GMe+cTJnCCJxxWZR/PO/RiGeLAV\nRdktBcaOuX/JNR5rhkNxs03R5ZcTFVe+BQAA4eJX5ocorC4oohlVfcQo6238D6XZ\n9v0UQE4IUbT66Xwra6DgiptvTfdMCjGBuksfYeACwnerHxS9kx2fxxWHzjRjNVQD\nCxvkbvO9HZ8PCJKSf0yttKxHwp/4ZnuNvSqgW1tY8vLbhrBbvOXPP1TOnt2qDWmY\nbOBWVssrSPacoqI1ppnyF1PkcjSutE6/aMHz/x5A4lzxlpVrVz2y34NFw7+7Mdyv\nJ8aTFU3r+P/3sIlTWvW2QuHpFPPwZOgz6ElMoBDItcMnuo9yKw5jgEZhw2R8BbnP\nozh+YZPSnOT40sWB9rdv8ILvd+0DfKTc3NlKM3i/zpINYe36en0bQJAvBdkyQg9l\ns5h8EVyuQwuekkvwHIMm+AK3TCB6+EZ0/rNc7m/Va7k8INJGxo1Bk/LYkP1esNDE\npqJT0xeRxxIbXUmLXTF82RjFeb8wtpsFr4gdfXByVY4mG+UoMX8lyey/ncnoWRHf\nltt7MPyGs+54SkyPq36fAx7FlwKPsdiscB0uXxp8CoxHsmqmiy4nnqHdfZD6l5LX\nXR0hRDfbrzZ91ORNiiCUJfyJn8D/+O1zRFP66O4m9yBEeLRiDTkatpI7CYU7iCrS\n5gG3vanGcg7G+6EIDpKmaEE+0MfegmX6lEOGbVldt659GHul9qqkTawCT4TEYHSZ\nweh1y+LuEEz7jAaCTOnD3/TkzyWPAL8C47/9QLT0pb/om+LwEEocAA==\n=CtWt\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA82rPM2mSf/aAQ//S9hfjyuGnveSa8iFITWcQ2qHJmnFP/8CwXL6tcHDWGmA\n2EevClc+wPkq9TDvnoTxU0ri+msWLWHvFiJBZ+1JLE0+vrQgT5GjhqzpGDm9uCDY\ns3cuHoy8f0ZznacrL/Nml/2GYxF3pVPQX6UUaZ53iGLNwDlEubzv5B4F8+aYKSy8\nbKwqjVkSgHBw7H2XxxC+ya2FVB1QL7hPSlI6bEAeScoSoqIeCl2kNxP3teN+yyhX\nMjYosxvVb7ZLVWDHQV3zx2OORA8HQBXeUct+bjAAFqaDTHwUeGhkeCTm+9tQqdYD\nW5JZZ1zoiHs3DMpNGKm8oL6+O641/CPZE1VsRE7hN//fI04YAgIgUmtt2M3V6dkT\n2yOcp6OIXFElNz1nBv2dYfxzutIHmTckJmEGp9uQcxGf+Ok4QCNBY9irUBXIlYsq\narUM3d1ZNIC+uu3IYue3Xobsr+j8xiQ+KbKaPm8eRa1SYAlurIdZEa74HlEFBcDq\nu0hGbNUYsRqu4xNB+Gfi27C6CrkZQE+sn/Z9VIKBiryjlixAvzUlnEozTbsz44+F\nPnk+GuGGMISCP8Jbh4C4LZe0MYOAKAG8bcUsL9ptlMVtSX1BmQiax94ByfbA9FEf\nWIfgAHsBP6PM4ZIwDbxYf2K37nU4hSaEs5AJSfzG7G/zvLvp9qghcAbIzFpLcFXS\nUQEIyTZmlYojAVl41KO9XiSOEpvXGhsn6DbwsrDrPjQD+u8vxNPtDlkJa4GlxMuZ\nCVw0j5spqYiKPtBWn4UbQZRyjX6vnEIp4qIJcmMQofKbhQ==\n=WA0O\n-----END PGP MESSAGE-----",
 				"fp": "6B61ECD76088748C70590D55E90A401336C8AAA9"
 			},
 			{
-				"created_at": "2023-05-13T00:05:53Z",
+				"created_at": "2023-05-13T04:53:02Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMAw95Vf08z8oUARAA7lvTrOJ7YQaMTfuNfYSMhLRb0z70fgo4s5dNPLWcc92O\ns5oj4lXkuwdB2lA1w0GAxavw8xoZ1hBtv2xylH6Wmydxfqu2FroDaxcTGOKEN739\nHVnUz1UzHm4uR5Kfec6XjIbA9VWyPeyJChefccfIcBIvWKRhX3k9lvprFB4jrXA6\nq7y1eMiSPD7Yod1c6GeQNPcKPXSoBaB8sBHOzram5c1OEYLojonu6Q8d0c6HuLMY\n2uJivZAnQ6NIDTzwzrC1/gKQ4xAkWN1/bkExNgCUB279ag2HVCaJT8z7Fu02wdd/\nf5uljSLeVfOku1YKRCQfVLTwpUwhgL9jy4GQomp4IWylfuSXoQxzdaSt22vnzAZe\n+3Ac1sO5UxmH3h0R9XGKHRTWnQmZmr/JP3eAtN4m6JoF1zkD1Nd/GgsvHvD0hEkv\n+sNwszgcKDym2Z/XRFTvsnfcYuRsmVqOTcTl5cn5cAfNU4N0U2Z7UYZ6SWf8mZox\nTX2/UchMIF9ujf76MRYKSfxC6gKFi805oZ/b2Lk61fSmSxXHVAYULcNxbrADSgQL\nMr3Cq67RaN4/3fKGzZMvZrTLQT38yk4dU+r0pt6Wre7DquuJAAArWtgSgpykEhKO\nRR0xIDsiD+J6xOHGCL/+ARR+WpXI00OSTTs3Qu1nH4eUh1JeWmY1CK/HKwBbRfzS\n5gHcUz8ZdzIWp+j/3k5beJnTz5pTCNOgVoURXeptrhBRABvC56/j0KxEo0i8vq3w\naHkiY6YaYrlWghIl/5OYM+7kk0jODMoW82wVFtTT3/eHF+ImeUjjAA==\n=sujw\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMAw95Vf08z8oUARAArR1Sk14kQm7ry4LD+gCzWdKr8gmrIAgsE+kaDWdgxvyr\n7KNTs7Wt6sqhT3HCiP4+7y9cDE6uAnOqeWbt1Nvv9b0kF48zsOWYFDBl/NHJSqsl\nDCZtJcrwp9x3JZAiYKSYjsUV1eEvk0ov/b3u13YJwbL1rnQ2RctK37bNQ+pknTAC\nkkFusHKEccmM+Ehrwgkh8gfSY+VT0zdWVc3j2lXCrVc/ek/175cEsFwyolpPWd33\nQxOA7109V9hRqAMSmWrw3upRtVV5hs5UPDKIrU0X0iRPQxTs4+wfPLffcmwx+nY5\nqkOu4J3HzjC5J8GPmmHzSYUKUm8RxDFWFCye71S8DCwcIxYIubEZYwx1qs1MbYkS\nLfisxm8+ALk4iqLkhE6Vx9LMToYPf4cQP1rOfrc2Rj7OgE+ShSlhUGwd49kUS3uJ\nHnXluxWwk3DTO66SqENzbcu+nrhC9+X4rvUUYxZmVVmtUsf+cM3SBSnAQ5X6fjuy\njQUMiLZb7BPZ1v+dCAnsQWa5WIsY0IgXtZuPH1CF3ZPWTavnololQylcFAvgF+Nl\njYq3G8cV3DRmS4RrF81a7Ka5DxmrS3Z++P4YsFB1x8QEz/p/E4tcp/MWurInxohh\nlCnXRrQ+AvHDekHOYDWEHMFuvreTC0bXXXxT1wKYWpeVFGP/DNiMbI0NtSFzsl3S\nUQF0Hj7IGNzgnStKi6syuRwoeDjC3l4bs+AesNd3QcHloYszsYZyIovTBogifnDU\nX/jGH+K/T2A1ReG3cgiaYwo8XEgFDSuLwLL7/Roe01zsdg==\n=R+nF\n-----END PGP MESSAGE-----",
 				"fp": "88823A75ECAA786B0FF38B148E401478A3FBEF72"
 			},
 			{
-				"created_at": "2023-05-13T00:05:53Z",
+				"created_at": "2023-05-13T04:53:02Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dr/MjkOzuuRESAQdAqrqCUtkT9c+B6S1vuhDCke6eAOhkRlNlTfJaDqHEnAww\nz3fQaEIIux+tUGDmy5KZi+AWCz76znk1rwF1Vqv+mr14N5UUHx9dt8uGkOvWrvF4\n0l4BRVpJQJl4LKBCzR20pmfbn5vTKpBMml2fJmKRtfy+BRWimX3N0PTNy81nslQs\nSUZ1aH2ZMdJM0mTtDh5hKhb7ncY9eG5qI3Bbhq55BfG9eM8CQLTbvbz2xaz/SVGR\n=Lo6Z\n-----END PGP MESSAGE-----\n",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA0/D4ws+/KPtAQ/8C0wTy607UgpNZ2YM+B7Iic9IqrVeGj8nyVsTTdZlYo0E\n2fqCxSnjzozm3nMTSzgQwCLvBvoUCZyfKBImdC8fY2rzMoscdkHHGyQm5B17/8hT\nEfE5C45xK6ZORF1hVxay1YN9pr265Lb2JurMUVxtNodSj1Q2yiJyyCRYE7R4OKQo\nZoSVS+lWVYjDoENz52x+sCf+fgnCeZ/8yhtLR0fCxDlD7cgMMSwTQ1HeeVo8vrg0\nkkwTsI/fijyogvVjvTYT3+BXQ+UuRH1WyQ+p1nKhYSZe19kRRVHvOB6uumXxut9g\nVVSReNuT6Fn3BOEvjCZjqNvrASXY6D3HGyrYvpX/QcB6icN5EvF2IkblJ6YTWwRd\naHn/f7v9DOVl1J4bFtehdoZ3tr7MPDe39s0WXztsDEujp1AjgUViV9u7m+dStG2I\nRSJWp2sqhNAdl7//CSweWpNBhnIBzXkEb4l0lOzKhxRz3kd2y4UBcRKQfsGzFDis\nOWQ9bpYzc6bzr9lEzqpHDKLktLyYQYhIqGoRFALRlAXNcCRPNko5J2HPtxRIqXdn\n5tiv0ZhiMubMQaU20oTSlkIJMcoVUjEA7gQWIgloNjc+KzwCe535nDxAhiiHdKjD\nhs8wQkzdxAa99Yvu0QVz0XR9v0eBe4HzY2AGD1KE2/KNxug+aPTgbLOw99kedjHS\nUQGasf2AG5UqPRLUV/xvrWcxru2DAJwMNHpylSYuXeRaO88Jk64thmZ7kuCZx4Cy\nFBHvnfNvL0/xZV5K1FdIaoonjEwM/NVANzbQd825viA4Og==\n=OsnH\n-----END PGP MESSAGE-----",
 				"fp": "3D7C8D39E8C4DF771583D3F0A8A091FD346001CA"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.2"
+		"version": "3.7.3"
 	}
 }

terraform_modules/digitalocean_database_cluster/main.tf

@@ -14,7 +14,7 @@ resource "digitalocean_database_cluster" "main" {
   region = var.digitalocean_region
   node_count = var.node_count
   version = var.db_version
-  private_network_uuid = var.vpc_id  # TODO: nullable = true
+  private_network_uuid = var.vpc_id
 }
 
 resource "digitalocean_database_db" "main" {

terraform_modules/digitalocean_talos_cluster/main.tf

@@ -18,13 +18,6 @@ resource "digitalocean_ssh_key" "dummy" {
   public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAseDS76tIQnZyiaBSuZOMI8nixs9NuXqCDGKuv5XPJZ"
 }
 
-resource "digitalocean_vpc" "talos" {
-  count = var.vpc_id == "undefined" ? 1 : 0
-  name = "talos"
-  region = data.digitalocean_region.provided.slug
-  ip_range = "192.168.0.0/16"
-}
-
 /*
 // Not necessary on single node planes
 resource "digitalocean_loadbalancer" "public" {
@@ -78,15 +71,24 @@ resource "digitalocean_reserved_ip" "control_plane" {
   provisioner "local-exec" {
     command = "mkdir -p ${local.config_directory}"
   }
+
   provisioner "local-exec" {
     command = join(" ", ["talosctl", "gen", "config",
       "--output-dir=${local.config_directory}",
       "--config-patch-control-plane=@${local.control_plane_patch_labels}",
-      # "--config-patch-control-plane=@${local.control_plane_patch_cni}",
+      "--config-patch-control-plane=@${local.control_plane_patch_cni}",
       var.talos_cluster_name,
       "https://${self.ip_address}:6443"
     ])
   }
+
+  /*
+   * Terraform is stinky, won't let us use `local.config_directory`
+  provisioner "local-exec" {
+    command = "rm -rf ${local.config_directory}"
+    when = destroy
+  }
+  */
 }
 
 data "local_file" "controlplane" {
@@ -106,7 +108,7 @@ resource "digitalocean_droplet" "control_plane" {
   size       = var.control_plane_pool.size
   user_data  = data.local_file.controlplane.content
   ssh_keys   = [digitalocean_ssh_key.dummy.fingerprint]
-  vpc_uuid = var.vpc_id == "undefined" ? digitalocean_vpc.talos[0].id : var.vpc_id
+  vpc_uuid   = var.vpc_id
 
   // talos expects the endpoint and node to be that of the machine itself, not the elastic IP
   provisioner "local-exec" {
@@ -141,7 +143,7 @@ resource "digitalocean_droplet" "worker" {
   size       = each.value.size
   user_data  = data.local_file.worker.content
   ssh_keys   = [digitalocean_ssh_key.dummy.fingerprint]
-  vpc_uuid = var.vpc_id == "undefined" ? digitalocean_vpc.talos[0].id : var.vpc_id
+  vpc_uuid   = var.vpc_id
 }
 
 # TODO(RyanSquared): Commenting this part out until I get Kustomizations built

terraform_modules/digitalocean_talos_cluster/outputs.tf

@@ -1,3 +0,0 @@
-output "vpc_id" {
-  value = var.vpc_id == "undefined" ? digitalocean_vpc.talos[0].id : var.vpc_id
-}