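---
# K3s server configuration (Ansible/Jinja2 template rendered on each server node)
#
# Every templated scalar is quoted so that an empty or boolean-looking
# expansion (e.g. a host named "NO") cannot change the parsed YAML type.

# Encrypt Secrets at rest in the datastore. Only Secrets written after this is
# enabled are stored encrypted; Secrets that already exist must be rewritten
# (see the `k3s secrets-encrypt` subcommands) before the datastore can be
# considered fully encrypted.
secrets-encryption: true

# Node networking - pin k3s to the physical NIC IP instead of letting it
# auto-detect interfaces such as mac-shim.
node-ip: "{{ ansible_host }}"
advertise-address: "{{ ansible_host }}"
bind-address: "{{ ansible_host }}"
{% if k3s_node_iface is defined and k3s_node_iface | length > 0 %}
flannel-iface: "{{ k3s_node_iface }}"
{% endif %}

# TLS - extra Subject Alternative Names for the API server certificate, so
# clients reaching the API through these names/IPs get a valid certificate.
tls-san:
  - "{{ k3s_first_server_ip }}"
  - "{{ k3s_first_server_hostname }}"
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local

# Single source for the permitted TLS 1.2 cipher suites (ECDHE key exchange,
# AEAD/GCM only), shared by the API server and the kubelet below so the two
# lists cannot drift apart. The Go TLS stack fixes the TLS 1.3 suites itself,
# so this list only governs TLS 1.2 handshakes.
{% set k3s_tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" %}

# kube-apiserver TLS hardening: refuse TLS 1.0/1.1 and restrict cipher suites.
kube-apiserver-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites={{ k3s_tls_cipher_suites }}"

# kubelet TLS hardening - same minimum version and suite list as the API
# server, so the kubelet serving endpoint is not the weaker of the two.
kubelet-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites={{ k3s_tls_cipher_suites }}"

# Disable unnecessary components (optional - adjust as needed)
# disable:
#   - traefik
#   - servicelb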