THE AEC CYBER MORNING NEWS

PAZ Kaffi
EDITION 0617 · 17 June 2026
Talos on Hetzner: A Private Kubernetes Your Successor Can Still Boot
10-06-2026

Build a private, EU-hosted Talos Kubernetes cluster on Hetzner with Terraform — no public IPs, reproducible from git. A hands-on PAZ Academy tutorial.

Here is the part of “run your own Kubernetes” that nobody screenshots for the conference slide: the cluster is only as trustworthy as the moment it first powers on. A developer writing as Onat at onatm.dev just published a clean walkthrough of provisioning a private Talos cluster on Hetzner Cloud — no public IPs on the control plane, no public IPs on the workers, access only through a Tailscale Tailnet. The cluster is private from first boot, not private after you remember to close the door.

For a small architecture or computational-design practice, that sentence matters more than the word “Kubernetes” does. You are not chasing hyperscale. You want a handful of EU-hosted machines that run your tools, that you actually understand, and that someone can rebuild after you leave.

←TODAY: In 2026 you can boot a German-hosted (Hetzner, nbg1) cluster with zero public IPs — the API endpoint is one node’s private 10.0.x address, reachable only inside your Tailnet.
→3012: By the archive standards of 3012, infrastructure that isn’t plain-text reproducible is infrastructure already lost.
Fulcrum: A cluster defined entirely in Terraform plus YAML is both runnable today and legible to whoever inherits it on a Tuesday in 2051.

The Tool: The protagonist is Talos Linux, provisioned through the open hcloud-talos/terraform-hcloud-talos reference (Terraform + Packer). Talos is an immutable, API-driven Linux that exists only to be a Kubernetes node — no package manager, no SSH, no human poking at servers at 23:00. You hand it machine configuration; it becomes a node. That is the whole personality. For anyone who has spent eleven years watching “someone changed something on the box and didn’t write it down” take down a workflow, an OS with no shell to log into is not a limitation. It is therapy.

Setup:

# 1. Get the reference Terraform + Packer
git clone https://github.com/hcloud-talos/terraform-hcloud-talos.git
cd terraform-hcloud-talos

# 2. Build a bootable Talos snapshot on Hetzner (Packer)
export HCLOUD_TOKEN=your_hetzner_api_token
packer init .
packer build -var 'talos_version=v1.11.3' .

# 3. Provision the private cluster
terraform init
terraform apply

# 4. Prove it works (from inside your Tailnet)
export TALOSCONFIG=./talosconfig
export KUBECONFIG=./kubeconfig
kubectl get nodes -o wide

First steps:

  1. Build the image. Hetzner does not offer Talos as a stock image, so Packer spins up a throwaway server, writes the Talos raw image from the Talos Image Factory to disk, and saves a snapshot — labelled os=talos,version=v1.11.3,arch=amd64 so Terraform finds it by selector, never by fragile name.
  2. Shape the cluster. In the worker-pool map, declare two pools — a platform pool (cx33, runs ArgoCD and platform bits) and a general pool (cx23, runs your actual apps). Each pool gets its own CIDR and a Hetzner placement group so the nodes scatter across physical hosts.
  3. Apply, then look. terraform apply creates Hetzner servers with the public network disabled, Talos generates the secrets and bootstraps the first control-plane node, and you get a kubeconfig back. Run step 4 — if kubectl get nodes answers, you are talking to a cluster that the public internet literally cannot see.

The trade-off, stated plainly: “private from first boot” means you are now the network. If your Tailnet is misconfigured, you have locked yourself out of your own control plane, and there is no SSH rescue hatch by design. The Tailscale Kubernetes Operator quickstart is worth reading before you need it, not during. The KSail project documents an alternative Talos-on-Hetzner path if you want a second mental model to compare against.

Atelier: This is the sovereign-compute backbone a Swiss studio reaches for when it wants to host a Speckle server, ShapeDiver-style Grasshopper compute, or an in-house BIM tool on EU soil — Hetzner’s Nuremberg or Helsinki regions — instead of renting a black box from a US hyperscaler. Data residency stops being a clause your lawyer worries about and becomes a CIDR range you can point to. PAZ has covered the adjacent thread before: our piece on ZTASP’s zero-trust architecture argued that “verify every agent” beats “trust the perimeter” — a private-from-boot cluster is that same instinct, applied to your own metal.

Hack: This Hack teaches you to confirm every node is private-only before you trust the cluster with real work. The domain is Workflow — the move is auditing addresses, not assuming them. Run this from inside the Tailnet; any routable public address in the output is a leak you fix today, not next sprint.

# every node IP should be RFC-1918 (10.x / 172.16-31 / 192.168);
# column 6 is INTERNAL-IP, column 7 is EXTERNAL-IP and must read <none> on every node
kubectl get nodes -o wide --no-headers | awk '{print $1, $6, $7}'
# list every address on one node; take only the ADDRESS column (the NODE column is itself
# 10.0.128.17, so grepping whole rows would silently drop every line), then filter out
# RFC-1918, loopback and IPv6 link-local; whatever survives is an address the node should not have
talosctl --nodes 10.0.128.17 get addresses | awk 'NR>1 {print $6}' | grep -vE '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fe80:)'

If that second command prints nothing, congratulations — nothing public is hiding on that node. Repeat it for every node address the first command listed.
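The same audit as a script, added here as an example that is not part of the original post or the terraform-hcloud-talos project: it reads the JSON form of kubectl get nodes, classifies every InternalIP and ExternalIP against explicit address ranges instead of Python's version-dependent is_private, and reports anything that is not RFC 1918 or link-local. Tailscale's 100.64.0.0/10 (CGNAT) addresses are reported as their own class rather than as public, which the shell regex above would misreport. Node names and addresses in the sample are constructed.

```python
import ipaddress
import json

# Address ranges a private-only Talos node may legitimately carry.
# 100.64.0.0/10 is CGNAT space, which Tailscale assigns to Tailnet peers: not RFC 1918,
# but not reachable from the public internet either, so it gets its own class.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return 'local', 'private', 'tailnet' or 'public' for one address; a CIDR suffix is tolerated."""
    ip = ipaddress.ip_interface(addr).ip
    if any(ip in net for net in LOCAL):
        return "local"
    if any(ip in net for net in PRIVATE):
        return "private"
    if ip in CGNAT:
        return "tailnet"
    return "public"  # everything else is treated as routable, including 203.0.113.0/24 test space


def audit_nodes(nodes_json):
    """Walk `kubectl get nodes -o json` output and return {node: [(address, class)]}
    for every InternalIP/ExternalIP that is neither private nor local. Empty dict means clean."""
    findings = {}
    for item in json.loads(nodes_json)["items"]:
        name = item["metadata"]["name"]
        for entry in item["status"]["addresses"]:
            if entry["type"] not in ("InternalIP", "ExternalIP"):
                continue  # Hostname entries are not addresses
            cls = classify(entry["address"])
            if cls not in ("private", "local"):
                findings.setdefault(name, []).append((entry["address"], cls))
    return findings


# Constructed sample in the shape kubectl emits; node names and addresses are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "talos-cp-1"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.0.128.17"},
                              {"type": "Hostname", "address": "talos-cp-1"}]}},
    {"metadata": {"name": "talos-general-1"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.0.129.4"},
                              {"type": "ExternalIP", "address": "203.0.113.7"},
                              {"type": "InternalIP", "address": "100.101.102.103"}]}},
]})

if __name__ == "__main__":
    for node, leaks in audit_nodes(SAMPLE).items():
        for address, cls in leaks:
            print(f"{node}: {address} is {cls}")
```

Against a live cluster, feed it `kubectl get nodes -o json` and treat any "public" finding as the leak the Hack tells you to fix today.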

Here is the long view, because it is my whole beat. The buildings that aged badly in my time were not the ugly ones; they were the ones nobody could repair because the proprietary format went dark in 2041. The same fate eats infrastructure. A managed cluster is convenient until the console changes, the API deprecates, and the institutional memory walks out the door. A Talos cluster is plain-text all the way down — HCL, YAML, a labelled snapshot, a git history. When the vendor disappears, can a 25-year-old still rebuild it from the repo? With this stack, yes. Pick the tool stack this quarter that answers that question with a yes, and commit the whole thing to git before you brag about it.

Source: Hacker News · kubernetes

CO-SIGNERS · PAZ Academy
© PAZ - PARAMETRIC ACADEMY ZURICH · ALL RIGHTS RESERVED