# Configuration Reference

All configurable parameters for the Talos platform, organized by layer.

## Version Variables (vars.mk)

| Variable | Default | Description |
|---|---|---|
| `TALOS_VERSION` | `v1.12.6` | Talos Linux OS version |
| `KUBERNETES_VERSION` | `1.35.4` | Kubernetes version |
| `CILIUM_VERSION` | `1.17.13` | Cilium CNI Helm chart version |
| `IMAGER_IMAGE` | `ghcr.io/siderolabs/imager:$(TALOS_VERSION)` | Talos image builder container |
| `OUT_DIR` | `_out` | Build artifacts directory |

## Makefile Variables

| Variable | Default | Description |
|---|---|---|
| `ENV` | `scaleway` | Provider selection: `scaleway`, `local` |
| `TF` | `tofu` | Terraform/OpenTofu binary |
| `KC_FILE` | `~/.kube/talos-$(ENV)` | Kubeconfig file path |
| `KMS_OUTPUT` | `kms-output` | Directory for exported tokens and certificates |
| `BOOTSTRAP_DIR` | `/tmp/platform-local` | Working directory for bootstrap generated files |
| `BOOTSTRAP_HOST` | `localhost` | Remote bootstrap host (for `bootstrap-tunnel`) |

## Environment Variables

| Variable | Required | Source | Description |
|---|---|---|---|
| `TF_HTTP_USERNAME` | Yes (auto) | `kms-output/approle-role-id.txt` | AppRole role-id for vault-backend auth |
| `TF_HTTP_PASSWORD` | Yes (auto) | `kms-output/approle-secret-id.txt` | AppRole secret-id for vault-backend auth |
| `VAULT_TOKEN` | For identity/storage | `kms-output/cluster-secrets-token.txt` | OpenBao token for secret reads |
| `SCW_ACCESS_KEY` | For Scaleway | IAM stage output | Scaleway API access key (set per-target) |
| `SCW_SECRET_KEY` | For Scaleway | IAM stage output | Scaleway API secret key (set per-target) |
| `KUBECONFIG` | For kubectl | Generated by `env-apply` | Path to kubeconfig file |

## Bootstrap Configuration (bootstrap/main.tf)

| Variable | Default | Description |
|---|---|---|
| `source_dir` | (required) | Host path mounted as `/source` in the pod |
| `bootstrap_dir` | `/tmp/platform-local` | Working directory for generated files |
| `gitea_url` | `http://host.containers.internal:3000` | Gitea URL (internal to pod network) |
| `oauth_url` | `http://127.0.0.1:3000` | OAuth URL (browser-accessible) |
| `domain` | `127.0.0.1` | Gitea server domain |
| `wp_host` | `http://127.0.0.1:8000` | Woodpecker external URL |
| `admin_user` | `talos` | Admin username for Gitea and Woodpecker |
| `admin_password` | `localpass123` | Admin password (sensitive) |
| `git_repo_url` | `file:///source` | Git repo URL for Woodpecker |

## Talos Cluster Module (modules/talos-cluster)

| Variable | Type | Description |
|---|---|---|
| `cluster_name` | `string` | Name of the Kubernetes cluster |
| `cluster_endpoint` | `string` | API server endpoint URL |
| `talos_version` | `string` | Talos Linux version |
| `kubernetes_version` | `string` | Kubernetes version |
| `controlplane_nodes` | `map(object)` | Control plane node definitions (IP, name) |
| `worker_nodes` | `map(object)` | Worker node definitions (IP, name) |
| `common_config_patches` | `list(string)` | Machine config patches applied to all nodes |
| `controlplane_config_patches` | `list(string)` | Patches for control plane nodes only |
| `worker_config_patches` | `list(string)` | Patches for worker nodes only |

## K8s Stack Common Variables

All stacks accept:

| Variable | Type | Description |
|---|---|---|
| `kubeconfig_path` | `string` | Path to kubeconfig file (provider-agnostic) |

Stacks that read secrets from bootstrap OpenBao also accept:

| Variable | Type | Description |
|---|---|---|
| `vault_token` | `string` | OpenBao token for reading cluster secrets |
| `vault_address` | `string` | OpenBao address (default: `http://127.0.0.1:8200`) |

## Helm Values by Stack

All Helm values files are co-located in each stack directory. Key configuration points:

### CNI (stacks/cni/values.yaml)

| Setting | Value | Purpose |
|---|---|---|
| `kubeProxyReplacement` | `true` | Cilium replaces kube-proxy (eBPF) |
| `hubble.enabled` | `true` | Network observability |
| `hubble.relay.enabled` | `true` | Hubble relay for remote access |
| `ipam.mode` | `kubernetes` | Use Kubernetes IPAM |

### Monitoring (stacks/monitoring/)

Files: `values-vm-stack.yaml`, `values-vlogs-single.yaml`, `values-vlogs-collector.yaml`, `values-headlamp.yaml`

| Setting | File | Purpose |
|---|---|---|
| `vmsingle.spec.retentionPeriod` | `values-vm-stack.yaml` | Metrics retention (default: 30d) |
| `victoria-logs-single.server.persistentVolume.size` | `values-vlogs-single.yaml` | Log storage size |
| `grafana.defaultDashboardsEnabled` | `values-vm-stack.yaml` | Auto-provision dashboards |

### PKI (stacks/pki/)

Files: `values-openbao-infra.yaml`, `values-openbao-app.yaml`, `values-cert-manager.yaml`

| Setting | File | Purpose |
|---|---|---|
| `server.standalone.enabled` | `values-openbao-*.yaml` | OpenBao runs in standalone mode |
| `injector.enabled` | `values-openbao-infra.yaml` | Agent Injector for secret injection |
| `installCRDs` | `values-cert-manager.yaml` | Install cert-manager CRDs |

### Identity (stacks/identity/)

Files: `values-kratos.yaml`, `values-hydra.yaml`, `values-pomerium.yaml`

| Setting | File | Purpose |
|---|---|---|
| `hydra.config.urls.self.issuer` | `values-hydra.yaml` | OIDC issuer URL |
| `pomerium.config.policy` | `values-pomerium.yaml` | Zero-trust proxy routing rules |

### Security (stacks/security/)

| Setting | File | Purpose |
|---|---|---|
| `trivy.scanNodeCollectorLimit` | `main.tf` | Set to `0` (disabled for Talos -- ADR-011) |
| `tetragon.extraHostPathMounts` | `main.tf` | Mount `/sys/kernel/tracing` (Talos requirement) |
| `kyverno.webhooks.failurePolicy` | `main.tf` | Set to `Ignore` (prevents blocking on failure) |

### Storage (stacks/storage/)

Files: `values-local-path.yaml`, `values-garage.yaml`, `values-velero.yaml`, `values-harbor.yaml`

| Setting | File | Purpose |
|---|---|---|
| `garage.replication_mode` | `values-garage.yaml` | Replication factor (default: 3) |
| `velero.configuration.backupStorageLocation` | `values-velero.yaml` | Garage S3 endpoint |
| `harbor.persistence.imageChartStorage.s3` | `values-harbor.yaml` | S3 backend config |

## Scaleway-Specific Configuration

### IAM (envs/scaleway/iam/secret.tfvars)

| Variable | Description |
|---|---|
| `organization_id` | Scaleway organization ID |
| `access_key` | Admin API access key |
| `secret_key` | Admin API secret key |

### Cluster (envs/scaleway/terraform.tfvars)

| Variable | Default | Description |
|---|---|---|
| `cp_count` | `3` | Number of control plane nodes |
| `worker_count` | `3` | Number of worker nodes |
| `cp_type` | `DEV1-S` | Control plane instance type |
| `worker_type` | `DEV1-M` | Worker instance type |
| `region` | `fr-par` | Scaleway region |
| `zone` | `fr-par-1` | Scaleway zone |

## State Backend Configuration

All stacks use the HTTP backend pointing to vault-backend:

```hcl
backend "http" {
  address        = "http://localhost:8080/state/<stack-name>"
  lock_address   = "http://localhost:8080/state/<stack-name>"
  unlock_address = "http://localhost:8080/state/<stack-name>"
}
```

Authentication via AppRole: `TF_HTTP_USERNAME` (role-id from `kms-output/approle-role-id.txt`) and `TF_HTTP_PASSWORD` (secret-id from `kms-output/approle-secret-id.txt`). Both are auto-set by the Makefile.
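The backend block and AppRole variables above translate into a small shell helper; this is an added example, not code from the repository or its Makefile. It builds the per-stack state address (rejecting stack names that are not plain identifiers, so a name cannot add path segments to the URL) and exports `TF_HTTP_USERNAME`/`TF_HTTP_PASSWORD` from the `kms-output` files only when those files are not group- or world-readable. The `VAULT_BACKEND_URL` override and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): derive the HTTP backend
# address for one stack and load the AppRole credentials from kms-output.
# File names and the backend URL follow the configuration reference; the
# function names and the VAULT_BACKEND_URL override are assumptions.
set -eu

KMS_OUTPUT="${KMS_OUTPUT:-kms-output}"
VAULT_BACKEND_URL="${VAULT_BACKEND_URL:-http://localhost:8080}"

# Address used for address/lock_address/unlock_address of a stack. Only plain
# names are accepted so a stack name cannot add path segments to the URL.
state_address() {
  stack="$1"
  case "$stack" in
    ""|*[!A-Za-z0-9_-]*) echo "invalid stack name: '$stack'" >&2; return 1 ;;
  esac
  printf '%s/state/%s\n' "$VAULT_BACKEND_URL" "$stack"
}

# Print the content of a credential file after checking that it exists, is
# non-empty and carries no group/other permission bits (e.g. mode 600).
read_secret_file() {
  f="$1"
  [ -s "$f" ] || { echo "missing or empty credential file: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
  case "$mode" in
    *00) ;;
    *) echo "refusing $f: mode $mode is readable by group/other" >&2; return 1 ;;
  esac
  tr -d '\n' < "$f"
}

# Export the variables the HTTP backend reads. The values come straight from
# the files, so they never appear on a command line or in shell history.
load_backend_credentials() {
  TF_HTTP_USERNAME=$(read_secret_file "$KMS_OUTPUT/approle-role-id.txt") || return 1
  TF_HTTP_PASSWORD=$(read_secret_file "$KMS_OUTPUT/approle-secret-id.txt") || return 1
  export TF_HTTP_USERNAME TF_HTTP_PASSWORD
}

# Demo when run as a script: print the "cni" stack address, then load creds.
if [ "${1:-}" = "--demo" ]; then
  state_address cni
  load_backend_credentials && echo "AppRole credentials loaded"
fi
```

Source the file into the shell that will run `tofu init`, then call `load_backend_credentials`; a refused file is reported on stderr and nothing is exported.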