refactor: implement directory and overlay mounts

This complements the previous PRs to implement more volume features:
directory volumes control their permissions, SELinux labels, etc.

Overlay mounts support additional parent relationship.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T14:29:42Z by kres 921213e.
+# Generated on 2025-04-01T10:44:44Z by kres d903dae.
 
 name: default
 concurrency:
@@ -441,7 +441,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -453,7 +453,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: e2e-aws-prepare
@@ -576,7 +576,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -588,7 +588,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: checkout extensions
@@ -731,7 +731,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -743,7 +743,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: checkout extensions
@@ -870,7 +870,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -998,7 +998,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -1080,7 +1080,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -1175,10 +1175,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -1191,9 +1189,9 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: conformance-qemu
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
@@ -1201,7 +1199,7 @@ jobs:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           QEMU_CPUS_WORKERS: "6"
           QEMU_MEMORY_WORKERS: "4096"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           TEST_MODE: fast-conformance
         run: |
           sudo -E make e2e-qemu
@@ -1287,7 +1285,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -1421,7 +1419,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -1433,7 +1431,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: e2e-gcp-prepare
@@ -1661,21 +1659,6 @@ jobs:
         if: github.event_name == 'schedule'
         run: |
           make talosctl-cni-bundle
-      - name: iso
-        if: github.event_name == 'schedule'
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-        run: |
-          make iso secureboot-iso
-      - name: images-essential
-        if: github.event_name == 'schedule'
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-          PLATFORM: linux/amd64
-        run: |
-          make images-essential
       - name: factory-1.7-iso
         env:
           FACTORY_BOOT_METHOD: iso
@@ -1835,7 +1818,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -1918,7 +1901,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -1930,7 +1913,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make image-metal-uki
       - name: e2e-firewall
@@ -2045,7 +2028,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -2167,10 +2150,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -2183,16 +2164,16 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: e2e-no-cluster-discovery
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-cluster-discovery
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CLUSTER_DISCOVERY: "false"
         run: |
           sudo -E make e2e-qemu
@@ -2202,7 +2183,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-kubespan
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CLUSTER_DISCOVERY: "true"
           WITH_KUBESPAN: "true"
         run: |
@@ -2214,7 +2195,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-default-hostname
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
         run: |
           sudo -E make e2e-qemu
@@ -2227,7 +2208,7 @@ jobs:
           QEMU_MEMORY_WORKERS: "1024"
           QEMU_SYSTEM_DISK_SIZE: "10240"
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
         run: |
           sudo -E make e2e-qemu
       - name: save artifacts
@@ -2314,7 +2295,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -2333,7 +2314,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: e2e-bios
@@ -2462,7 +2443,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -2572,10 +2553,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -2588,16 +2567,16 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: e2e-network-chaos
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-network-chaos
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_NETWORK_CHAOS: "yes"
         run: |
           sudo -E make e2e-qemu
@@ -2607,7 +2586,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-metal-iso
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CONFIG_INJECTION_METHOD: metal-iso
         run: |
           sudo -E make e2e-qemu
@@ -2617,7 +2596,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-iommu-pcidriverrebind
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_IOMMU: "yes"
         run: |
           sudo -E make e2e-qemu
@@ -2699,7 +2678,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -2828,10 +2807,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -2844,16 +2821,16 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: e2e-siderolink
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-siderolink
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_SIDEROLINK_AGENT: "true"
         run: |
@@ -2864,7 +2841,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-siderolink-tunnel
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_SIDEROLINK_AGENT: tunnel
         run: |
@@ -2875,7 +2852,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-siderolink-tls
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_SIDEROLINK_AGENT: wireguard+tls
         run: |
@@ -2894,7 +2871,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-k8s-user-namespace
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CONFIG_PATCH: '@hack/test/patches/usernamespace.yaml'
         run: |
           sudo -E make e2e-qemu
@@ -2976,7 +2953,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3071,7 +3048,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3166,7 +3143,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3261,7 +3238,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3362,7 +3339,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3496,7 +3473,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3604,7 +3581,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3711,7 +3688,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -3809,25 +3786,23 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
+      - name: talosctl-cni-bundle
+        if: github.event_name == 'schedule'
+        run: |
+          make talosctl-cni-bundle
       - name: images-essential-enforcing
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
           make images-essential
-      - name: talosctl-cni-bundle
-        if: github.event_name == 'schedule'
-        run: |
-          make talosctl-cni-bundle
       - name: e2e-qemu
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
@@ -3835,7 +3810,7 @@ jobs:
           QEMU_EXTRA_DISKS: "3"
           QEMU_EXTRA_DISKS_DRIVERS: ide,nvme
           QEMU_EXTRA_DISKS_SIZE: "10240"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           USER_DISKS_MOUNTS: /var/lib/extra,/var/lib/p1,/var/lib/p2
           WITH_CONFIG_PATCH_WORKER: '@hack/test/patches/ephemeral-nvme.yaml:@hack/test/patches/dm-raid-module.yaml'
           WITH_USER_DISK: "true"
@@ -3919,7 +3894,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -4103,7 +4078,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -4116,7 +4091,7 @@ jobs:
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: secureboot-iso
@@ -4124,7 +4099,7 @@ jobs:
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make secureboot-iso
       - name: integration-trusted-boot
@@ -4220,7 +4195,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -4234,15 +4209,15 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: secureboot-iso
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
+          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make secureboot-iso
       - name: integration-trusted-boot
@@ -4250,7 +4225,7 @@ jobs:
           EXTRA_TEST_ARGS: -talos.trustedboot -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-integration-trusted-boot
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_TRUSTED_BOOT_ISO: "true"
         run: |

.github/workflows/integration-aws-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-11T14:06:53Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-aws-cron
 concurrency:
@@ -82,7 +82,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -94,7 +94,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: e2e-aws-prepare

.github/workflows/integration-aws-nvidia-nonfree-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-11T14:06:53Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-aws-nvidia-nonfree-cron
 concurrency:
@@ -86,7 +86,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -98,7 +98,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: checkout extensions

.github/workflows/integration-aws-nvidia-oss-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-11T14:06:53Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-aws-nvidia-oss-cron
 concurrency:
@@ -86,7 +86,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -98,7 +98,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: checkout extensions

.github/workflows/integration-cilium-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-cilium-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-conformance-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T15:51:32Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-conformance-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-conformance-enforcing-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T09:55:56Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-conformance-enforcing-cron
 concurrency:
@@ -70,10 +70,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -86,9 +84,9 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: conformance-qemu
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
@@ -96,7 +94,7 @@ jobs:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           QEMU_CPUS_WORKERS: "6"
           QEMU_MEMORY_WORKERS: "4096"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           TEST_MODE: fast-conformance
         run: |
           sudo -E make e2e-qemu

.github/workflows/integration-extensions-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-extensions-cron
 concurrency:
@@ -74,7 +74,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-gcp-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-11T14:06:53Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-gcp-cron
 concurrency:
@@ -82,7 +82,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -94,7 +94,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: e2e-gcp-prepare

.github/workflows/integration-image-factory-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-image-factory-cron
 concurrency:
@@ -84,21 +84,6 @@ jobs:
         if: github.event_name == 'schedule'
         run: |
           make talosctl-cni-bundle
-      - name: iso
-        if: github.event_name == 'schedule'
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-        run: |
-          make iso secureboot-iso
-      - name: images-essential
-        if: github.event_name == 'schedule'
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-          PLATFORM: linux/amd64
-        run: |
-          make images-essential
       - name: factory-1.7-iso
         env:
           FACTORY_BOOT_METHOD: iso

.github/workflows/integration-images-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-images-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-misc-0-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T15:51:32Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-0-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -82,7 +82,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make image-metal-uki
       - name: e2e-firewall

.github/workflows/integration-misc-1-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T16:23:54Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-1-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-misc-1-enforcing-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T09:55:56Z by kres ec5ec04.
+# Generated on 2025-04-01T10:44:44Z by kres d903dae.
 
 name: integration-misc-1-enforcing-cron
 concurrency:
@@ -70,10 +70,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -86,16 +84,16 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: e2e-no-cluster-discovery
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-cluster-discovery
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CLUSTER_DISCOVERY: "false"
         run: |
           sudo -E make e2e-qemu
@@ -105,7 +103,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-kubespan
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CLUSTER_DISCOVERY: "true"
           WITH_KUBESPAN: "true"
         run: |
@@ -117,7 +115,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-default-hostname
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
         run: |
           sudo -E make e2e-qemu
@@ -130,7 +128,7 @@ jobs:
           QEMU_MEMORY_WORKERS: "1024"
           QEMU_SYSTEM_DISK_SIZE: "10240"
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
         run: |
           sudo -E make e2e-qemu
       - name: save artifacts

.github/workflows/integration-misc-2-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-14T10:24:50Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-2-cron
 concurrency:
@@ -76,7 +76,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -95,7 +95,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: e2e-bios

.github/workflows/integration-misc-3-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T15:51:32Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-3-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-misc-3-enforcing-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T09:55:56Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-3-enforcing-cron
 concurrency:
@@ -70,10 +70,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -86,16 +84,16 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: e2e-network-chaos
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-network-chaos
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_NETWORK_CHAOS: "yes"
         run: |
           sudo -E make e2e-qemu
@@ -105,7 +103,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-metal-iso
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CONFIG_INJECTION_METHOD: metal-iso
         run: |
           sudo -E make e2e-qemu
@@ -115,7 +113,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-iommu-pcidriverrebind
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_IOMMU: "yes"
         run: |
           sudo -E make e2e-qemu

.github/workflows/integration-misc-4-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T15:51:32Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-4-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-misc-4-enforcing-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T09:55:56Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-misc-4-enforcing-cron
 concurrency:
@@ -70,10 +70,8 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
       - name: talosctl-cni-bundle
@@ -86,16 +84,16 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: e2e-siderolink
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-siderolink
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_SIDEROLINK_AGENT: "true"
         run: |
@@ -106,7 +104,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-siderolink-tunnel
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_SIDEROLINK_AGENT: tunnel
         run: |
@@ -117,7 +115,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-siderolink-tls
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_SIDEROLINK_AGENT: wireguard+tls
         run: |
@@ -136,7 +134,7 @@ jobs:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-k8s-user-namespace
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           SHORT_INTEGRATION_TEST: "yes"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           WITH_CONFIG_PATCH: '@hack/test/patches/usernamespace.yaml'
         run: |
           sudo -E make e2e-qemu

.github/workflows/integration-provision-0-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-provision-0-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-provision-1-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-provision-1-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-provision-2-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-provision-2-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-qemu-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-qemu-csi-longhorn-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-04T16:42:28Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-csi-longhorn-cron
 concurrency:
@@ -74,7 +74,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-qemu-csi-openebs-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-csi-openebs-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-qemu-csi-rook-ceph-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-02-26T15:23:43Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-csi-rook-ceph-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-qemu-encrypted-vip-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T15:51:32Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-encrypted-vip-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-qemu-enforcing-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T09:55:56Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-enforcing-cron
 concurrency:
@@ -70,25 +70,23 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=enforcing=1
+          PLATFORM: linux/amd64,linux/arm64
-          PLATFORM: linux/amd64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
+      - name: talosctl-cni-bundle
+        if: github.event_name == 'schedule'
+        run: |
+          make talosctl-cni-bundle
       - name: images-essential-enforcing
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
           make images-essential
-      - name: talosctl-cni-bundle
-        if: github.event_name == 'schedule'
-        run: |
-          make talosctl-cni-bundle
       - name: e2e-qemu
         env:
           EXTRA_TEST_ARGS: -talos.enforcing
@@ -96,7 +94,7 @@ jobs:
           QEMU_EXTRA_DISKS: "3"
           QEMU_EXTRA_DISKS_DRIVERS: ide,nvme
           QEMU_EXTRA_DISKS_SIZE: "10240"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           USER_DISKS_MOUNTS: /var/lib/extra,/var/lib/p1,/var/lib/p2
           WITH_CONFIG_PATCH_WORKER: '@hack/test/patches/ephemeral-nvme.yaml:@hack/test/patches/dm-raid-module.yaml'
           WITH_USER_DISK: "true"

.github/workflows/integration-qemu-race-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-04T13:59:07Z by kres 1281806.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-qemu-race-cron
 concurrency:
@@ -70,7 +70,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64

.github/workflows/integration-trusted-boot-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-21T15:51:32Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-trusted-boot-cron
 concurrency:
@@ -76,7 +76,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -89,7 +89,7 @@ jobs:
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make images-essential
       - name: secureboot-iso
@@ -97,7 +97,7 @@ jobs:
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make secureboot-iso
       - name: integration-trusted-boot

.github/workflows/integration-trusted-boot-enforcing-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-03-24T09:55:56Z by kres ec5ec04.
+# Generated on 2025-04-01T08:14:24Z by kres d903dae.
 
 name: integration-trusted-boot-enforcing-cron
 concurrency:
@@ -76,7 +76,7 @@ jobs:
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
         run: |
           make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
@@ -90,15 +90,15 @@ jobs:
           IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
           PLATFORM: linux/amd64,linux/arm64
           PUSH: "true"
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_OUT: -enforcing
         run: |
-          make imager installer-base installer images-essential
+          make images-essential
       - name: secureboot-iso
         if: github.event_name == 'schedule'
         env:
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0
+          IMAGER_ARGS: --extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1
-          PLATFORM: linux/amd64
+          PLATFORM: linux/amd64,linux/arm64
         run: |
           make secureboot-iso
       - name: integration-trusted-boot
@@ -106,7 +106,7 @@ jobs:
           EXTRA_TEST_ARGS: -talos.trustedboot -talos.enforcing
           GITHUB_STEP_NAME: ${{ github.job}}-integration-trusted-boot
           IMAGE_REGISTRY: registry.dev.siderolabs.io
-          TAG_SUFFIX: -enforcing
+          TAG_SUFFIX_IN: -enforcing
           VIA_MAINTENANCE_MODE: "true"
           WITH_TRUSTED_BOOT_ISO: "true"
         run: |

.kres.yaml

@@ -331,7 +331,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -384,27 +384,25 @@ spec:
           conditions:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
-          environment:
-            PLATFORM: linux/amd64
-            IMAGER_ARGS: "--extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
-            IMAGE_REGISTRY: registry.dev.siderolabs.io
-            PUSH: true
-        - name: images-essential-enforcing
-          command: images-essential
           environment:
             PLATFORM: linux/amd64,linux/arm64
-            IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
+        - name: images-essential-enforcing
+          command: images-essential
+          environment:
+            PLATFORM: linux/amd64,linux/arm64
+            IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
+            TAG_SUFFIX_OUT: -enforcing
+            IMAGE_REGISTRY: registry.dev.siderolabs.io
+            PUSH: true
         - name: e2e-qemu
           withSudo: true
           environment:
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             QEMU_EXTRA_DISKS: "3"
@@ -451,7 +449,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -504,20 +502,18 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
-            IMAGER_ARGS: "--extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
         - name: images-essential-enforcing
-          command: imager installer-base installer images-essential
+          command: images-essential
           environment:
             PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_OUT: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: conformance-qemu
@@ -528,7 +524,7 @@ spec:
             QEMU_CPUS_WORKERS: 6
             QEMU_MEMORY_WORKERS: 4096
             TEST_MODE: fast-conformance
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
@@ -574,7 +570,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -584,14 +580,14 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0"
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: secureboot-iso
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0"
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: integration-trusted-boot
@@ -646,26 +642,26 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
         - name: images-essential-enforcing
-          command: imager installer-base installer images-essential
+          command: images-essential
           environment:
             PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_OUT: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: secureboot-iso
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
-            IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0"
+            IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: integration-trusted-boot
           command: e2e-qemu
@@ -674,7 +670,7 @@ spec:
             GITHUB_STEP_NAME: ${{ github.job}}-integration-trusted-boot
             VIA_MAINTENANCE_MODE: true
             WITH_TRUSTED_BOOT_ISO: true
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: "-talos.trustedboot -talos.enforcing"
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
@@ -716,7 +712,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -767,7 +763,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -818,7 +814,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -869,7 +865,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -879,7 +875,7 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-firewall
           command: e2e-qemu
@@ -954,7 +950,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1035,20 +1031,18 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
-            IMAGER_ARGS: "--extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
         - name: images-essential-enforcing
-          command: imager installer-base installer images-essential
+          command: images-essential
           environment:
             PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_OUT: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: e2e-no-cluster-discovery
@@ -1058,7 +1052,7 @@ spec:
             GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-cluster-discovery
             SHORT_INTEGRATION_TEST: yes
             WITH_CLUSTER_DISCOVERY: false
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-kubespan
@@ -1069,7 +1063,7 @@ spec:
             SHORT_INTEGRATION_TEST: yes
             WITH_CLUSTER_DISCOVERY: true
             WITH_KUBESPAN: true
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-default-hostname
@@ -1080,7 +1074,7 @@ spec:
             SHORT_INTEGRATION_TEST: yes
             VIA_MAINTENANCE_MODE: true
             DISABLE_DHCP_HOSTNAME: true
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-min-requirements
@@ -1092,7 +1086,7 @@ spec:
             QEMU_MEMORY_WORKERS: 1024
             QEMU_MEMORY_CONTROLPLANES: 2048
             QEMU_SYSTEM_DISK_SIZE: 10240
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
@@ -1139,7 +1133,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1156,7 +1150,7 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-bios
           command: e2e-qemu
@@ -1245,7 +1239,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1314,20 +1308,18 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
-            IMAGER_ARGS: "--extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
         - name: images-essential-enforcing
-          command: imager installer-base installer images-essential
+          command: images-essential
           environment:
             PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_OUT: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: e2e-network-chaos
@@ -1337,7 +1329,7 @@ spec:
             GITHUB_STEP_NAME: ${{ github.job}}-e2e-network-chaos
             SHORT_INTEGRATION_TEST: yes
             WITH_NETWORK_CHAOS: yes
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-metal-iso
@@ -1347,7 +1339,7 @@ spec:
             GITHUB_STEP_NAME: ${{ github.job}}-e2e-metal-iso
             SHORT_INTEGRATION_TEST: yes
             WITH_CONFIG_INJECTION_METHOD: "metal-iso"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-iommu-pcidriverrebind
@@ -1357,7 +1349,7 @@ spec:
             GITHUB_STEP_NAME: ${{ github.job}}-e2e-iommu-pcidriverrebind
             SHORT_INTEGRATION_TEST: yes
             WITH_IOMMU: yes
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
@@ -1399,7 +1391,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1487,20 +1479,18 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
-            IMAGER_ARGS: "--extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
         - name: images-essential-enforcing
-          command: imager installer-base installer images-essential
+          command: images-essential
           environment:
             PLATFORM: linux/amd64,linux/arm64
             IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0 --extra-kernel-arg=enforcing=1"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_OUT: -enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: e2e-siderolink
@@ -1511,7 +1501,7 @@ spec:
             SHORT_INTEGRATION_TEST: yes
             WITH_SIDEROLINK_AGENT: true
             VIA_MAINTENANCE_MODE: true
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-siderolink-tunnel
@@ -1522,7 +1512,7 @@ spec:
             SHORT_INTEGRATION_TEST: yes
             WITH_SIDEROLINK_AGENT: tunnel
             VIA_MAINTENANCE_MODE: true
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-siderolink-tls
@@ -1533,7 +1523,7 @@ spec:
             SHORT_INTEGRATION_TEST: yes
             WITH_SIDEROLINK_AGENT: wireguard+tls
             VIA_MAINTENANCE_MODE: true
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-apparmor
@@ -1551,7 +1541,7 @@ spec:
             GITHUB_STEP_NAME: ${{ github.job}}-e2e-k8s-user-namespace
             SHORT_INTEGRATION_TEST: yes
             WITH_CONFIG_PATCH: "@hack/test/patches/usernamespace.yaml"
-            TAG_SUFFIX: -enforcing
+            TAG_SUFFIX_IN: -enforcing
             EXTRA_TEST_ARGS: -talos.enforcing
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
@@ -1595,7 +1585,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1675,7 +1665,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1755,7 +1745,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1810,7 +1800,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1876,7 +1866,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -1946,7 +1936,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2037,7 +2027,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2103,7 +2093,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2166,7 +2156,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: images
@@ -2279,20 +2269,6 @@ spec:
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
-        - name: iso
-          conditions:
-            - only-on-schedule
-          command: iso secureboot-iso
-          environment:
-            IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0"
-            IMAGE_REGISTRY: registry.dev.siderolabs.io
-        - name: images-essential
-          conditions:
-            - only-on-schedule
-          environment:
-            PLATFORM: linux/amd64
-            IMAGER_ARGS: "--extra-kernel-arg=console=ttyS0"
-            IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: factory-1.7-iso
           command: e2e-image-factory
           withSudo: true
@@ -2418,7 +2394,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2428,7 +2404,7 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-aws-prepare
           environment:
@@ -2494,7 +2470,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2504,7 +2480,7 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: checkout extensions
           checkoutStep:
@@ -2592,7 +2568,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2602,7 +2578,7 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: checkout extensions
           checkoutStep:
@@ -2687,7 +2663,7 @@ spec:
             - only-on-schedule
           command: talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
             PUSH: true
         - name: talosctl-cni-bundle
@@ -2697,7 +2673,7 @@ spec:
           conditions:
             - only-on-schedule
           environment:
-            PLATFORM: linux/amd64
+            PLATFORM: linux/amd64,linux/arm64
             IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-gcp-prepare
         - name: checkout contrib

Makefile

@@ -4,9 +4,12 @@ SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty)
 TAG ?= $(shell git describe --tag --always --dirty --match v[0-9]\*)
 ABBREV_TAG ?= $(shell git describe --tag --always --match v[0-9]\* --abbrev=0 )
 TAG_SUFFIX ?=
+TAG_SUFFIX_IN ?= $(TAG_SUFFIX)
+TAG_SUFFIX_OUT ?= $(TAG_SUFFIX)
 SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
 IMAGE_REGISTRY ?= $(REGISTRY)
-IMAGE_TAG ?= $(TAG)$(TAG_SUFFIX)
+IMAGE_TAG_IN ?= $(TAG)$(TAG_SUFFIX_IN)
+IMAGE_TAG_OUT ?= $(TAG)$(TAG_SUFFIX_OUT)
 BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 REGISTRY_AND_USERNAME := $(IMAGE_REGISTRY)/$(USERNAME)
 NAME = Talos
@@ -24,7 +27,7 @@ EMBED_TARGET ?= embed
 TOOLS_PREFIX ?= ghcr.io/siderolabs/tools
 TOOLS ?= v1.10.0-alpha.0-23-g6d456ca
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.10.0-alpha.0-69-g665f782
+PKGS ?= v1.10.0-alpha.0-72-g7d7323b
 EXTRAS ?= v1.10.0-alpha.0-4-gc201b87
 
 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
@@ -355,10 +358,10 @@ local-%: ## Builds the specified target defined in the Dockerfile using the loca
 
 docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be output to the specified local destination.
 	@mkdir -p $(DEST)
-	@$(MAKE) target-$* TARGET_ARGS="--output type=docker,dest=$(DEST)/$*.tar,name=$(REGISTRY_AND_USERNAME)/$*:$(IMAGE_TAG) $(TARGET_ARGS)"
+	@$(MAKE) target-$* TARGET_ARGS="--output type=docker,dest=$(DEST)/$*.tar,name=$(REGISTRY_AND_USERNAME)/$*:$(IMAGE_TAG_OUT) $(TARGET_ARGS)"
 
 registry-%: ## Builds the specified target defined in the Dockerfile using the image/registry output type. The build result will be pushed to the registry if PUSH=true.
-	@$(MAKE) target-$* TARGET_ARGS="--output type=image,name=$(REGISTRY_AND_USERNAME)/$*:$(IMAGE_TAG) $(TARGET_ARGS)"
+	@$(MAKE) target-$* TARGET_ARGS="--output type=image,name=$(REGISTRY_AND_USERNAME)/$*:$(IMAGE_TAG_OUT) $(TARGET_ARGS)"
 
 hack-test-%: ## Runs the specified script in ./hack/test with well known environment variables.
 	@./hack/test/$*.sh
@@ -450,10 +453,10 @@ talosctl:
 	@$(MAKE) local-talosctl-targetarch DEST=$(ARTIFACTS)
 
 image-%: ## Builds the specified image. Valid options are aws, azure, digital-ocean, gcp, and vmware (e.g. image-aws)
-	@docker pull $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG)
+	@docker pull $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG_IN)
 	@for platform in $(subst $(,),$(space),$(PLATFORM)); do \
 		arch=$$(basename "$${platform}") && \
-		docker run --rm -t -v /dev:/dev -v $(PWD)/$(ARTIFACTS):/secureboot:ro -v $(PWD)/$(ARTIFACTS):/out -e SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) --network=host --privileged $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG) $* --arch $$arch $(IMAGER_ARGS) ; \
+		docker run --rm -t -v /dev:/dev -v $(PWD)/$(ARTIFACTS):/secureboot:ro -v $(PWD)/$(ARTIFACTS):/out -e SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) --network=host --privileged $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG_IN) $* --arch $$arch $(IMAGER_ARGS) ; \
 	done
 
 .PHONY: images-essential
@@ -472,23 +475,23 @@ IMAGES_LIST :=
 
 .PHONY: installer
 installer: ## Builds the installer and outputs it to the artifact directory.
-	@$(MAKE) image-installer IMAGER_ARGS="--base-installer-image $(REGISTRY_AND_USERNAME)/installer-base:$(IMAGE_TAG) $(IMAGER_ARGS)"
+	@$(MAKE) image-installer IMAGER_ARGS="--base-installer-image $(REGISTRY_AND_USERNAME)/installer-base:$(IMAGE_TAG_IN) $(IMAGER_ARGS)"
 
 	@crane_args=""
 	@for platform in $(subst $(,),$(space),$(PLATFORM)); do \
 		arch=$$(basename "$${platform}") && \
-		image=$$(crane push $(ARTIFACTS)/installer-$${arch}.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-$${arch}) && \
+		image=$$(crane push $(ARTIFACTS)/installer-$${arch}.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG_OUT)-$${arch}) && \
 		crane_args="$${crane_args} -m $${image}" ; \
 	done; \
-	crane index append -t "${REGISTRY_AND_USERNAME}/installer:${IMAGE_TAG}" $${crane_args}
+	crane index append -t "${REGISTRY_AND_USERNAME}/installer:${IMAGE_TAG_OUT}" $${crane_args}
 
 
 .PHONY: secureboot-installer
 secureboot-installer: ## Builds UEFI only installer which uses UKI and push it to the registry.
-	@$(MAKE) image-secureboot-installer IMAGER_ARGS="--base-installer-image $(REGISTRY_AND_USERNAME)/installer-base:$(IMAGE_TAG) $(IMAGER_ARGS)"
+	@$(MAKE) image-secureboot-installer IMAGER_ARGS="--base-installer-image $(REGISTRY_AND_USERNAME)/installer-base:$(IMAGE_TAG_IN) $(IMAGER_ARGS)"
 	@for platform in $(subst $(,),$(space),$(PLATFORM)); do \
 		arch=$$(basename "$${platform}") && \
-		crane push $(ARTIFACTS)/installer-$${arch}-secureboot.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-$${arch}-secureboot ; \
+		crane push $(ARTIFACTS)/installer-$${arch}-secureboot.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG_OUT)-$${arch}-secureboot ; \
 	done
 
 .PHONY: talosctl-cni-bundle
@@ -519,10 +522,10 @@ uki-certs: talosctl ## Generate test certificates for SecureBoot/PCR Signing
 .PHONY: cache-create
 cache-create: installer imager ## Generate image cache.
 	@docker run --entrypoint /usr/local/bin/e2e.test registry.k8s.io/conformance:$(KUBECTL_VERSION) --list-images | \
-		$(TALOSCTL_EXECUTABLE) images integration --installer-tag=$(IMAGE_TAG) --registry-and-user=$(REGISTRY_AND_USERNAME) | \
+		$(TALOSCTL_EXECUTABLE) images integration --installer-tag=$(IMAGE_TAG_IN) --registry-and-user=$(REGISTRY_AND_USERNAME) | \
 		$(TALOSCTL_EXECUTABLE) images cache-create --image-cache-path=/tmp/cache.tar --images=- --force
-	@crane push /tmp/cache.tar $(REGISTRY_AND_USERNAME)/image-cache:$(IMAGE_TAG)
+	@crane push /tmp/cache.tar $(REGISTRY_AND_USERNAME)/image-cache:$(IMAGE_TAG_OUT)
-	@$(MAKE) image-iso IMAGER_ARGS="--image-cache=$(REGISTRY_AND_USERNAME)/image-cache:$(IMAGE_TAG) --extra-kernel-arg='console=ttyS0'"
+	@$(MAKE) image-iso IMAGER_ARGS="--image-cache=$(REGISTRY_AND_USERNAME)/image-cache:$(IMAGE_TAG_OUT) --extra-kernel-arg='console=ttyS0'"
 
 # Code Quality
 
@@ -600,8 +603,8 @@ e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts
 		TAG=$(TAG) \
 		SHA=$(SHA) \
 		REGISTRY=$(IMAGE_REGISTRY) \
-		IMAGE=$(REGISTRY_AND_USERNAME)/talos:$(IMAGE_TAG) \
+		IMAGE=$(REGISTRY_AND_USERNAME)/talos:$(IMAGE_TAG_IN) \
-		INSTALLER_IMAGE=$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG) \
+		INSTALLER_IMAGE=$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG_IN) \
 		ARTIFACTS=$(ARTIFACTS) \
 		TALOSCTL=$(PWD)/$(ARTIFACTS)/$(TALOSCTL_DEFAULT_TARGET)-amd64 \
 		INTEGRATION_TEST=$(PWD)/$(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 \
@@ -633,9 +636,9 @@ provision-tests-track-%:
 
 installer-with-extensions: $(ARTIFACTS)/extensions/_out/extensions-metadata
 	$(MAKE) image-installer \
-		IMAGER_ARGS="--base-installer-image=$(REGISTRY_AND_USERNAME)/installer-base:$(IMAGE_TAG) $(shell cat $(ARTIFACTS)/extensions/_out/extensions-metadata | $(EXTENSIONS_FILTER_COMMAND) | xargs -n 1 echo --system-extension-image)"
+		IMAGER_ARGS="--base-installer-image=$(REGISTRY_AND_USERNAME)/installer-base:$(IMAGE_TAG_IN) $(shell cat $(ARTIFACTS)/extensions/_out/extensions-metadata | $(EXTENSIONS_FILTER_COMMAND) | xargs -n 1 echo --system-extension-image)"
-	crane push $(ARTIFACTS)/installer-amd64.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-amd64-extensions
+	crane push $(ARTIFACTS)/installer-amd64.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG_OUT)-amd64-extensions
-	INSTALLER_IMAGE_EXTENSIONS="$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-amd64-extensions" yq eval -n '.machine.install.image = strenv(INSTALLER_IMAGE_EXTENSIONS)' > $(ARTIFACTS)/installer-extensions-patch.yaml
+	INSTALLER_IMAGE_EXTENSIONS="$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG_OUT)-amd64-extensions" yq eval -n '.machine.install.image = strenv(INSTALLER_IMAGE_EXTENSIONS)' > $(ARTIFACTS)/installer-extensions-patch.yaml
 
 kubelet-fat-patch:
 	K8S_VERSION=$(KUBECTL_VERSION) yq eval -n '.machine.kubelet.image = "ghcr.io/siderolabs/kubelet:" + strenv(K8S_VERSION) + "-fat"' > $(ARTIFACTS)/kubelet-fat-patch.yaml
@@ -687,7 +690,7 @@ push: ## Pushes the installer, imager, talos and talosctl images to the configur
 	@$(MAKE) talosctl-image PUSH=true
 
 push-%: ## Pushes the installer, imager, talos and talosctl images to the configured container registry with the specified tag (e.g. push-latest).
-	@$(MAKE) push IMAGE_TAG=$*
+	@$(MAKE) push IMAGE_TAG_OUT=$*
 
 .PHONY: clean
 clean: ## Cleans up all artifacts.
@@ -695,11 +698,11 @@ clean: ## Cleans up all artifacts.
 
 .PHONY: image-list
 image-list: ## Prints a list of all images built by this Makefile with digests.
-	@echo -n installer installer-base talos imager talosctl | xargs -d ' ' -I{} sh -c 'echo $(REGISTRY_AND_USERNAME)/{}:$(IMAGE_TAG)' | xargs -I{} sh -c 'echo {}@$$(crane digest {})'
+	@echo -n installer installer-base talos imager talosctl | xargs -d ' ' -I{} sh -c 'echo $(REGISTRY_AND_USERNAME)/{}:$(IMAGE_TAG_IN)' | xargs -I{} sh -c 'echo {}@$$(crane digest {})'
 
 .PHONY: sign-images
 sign-images: ## Run cosign to sign all images built by this Makefile.
-	@for image in $(shell $(MAKE) --quiet image-list REGISTRY_AND_USERNAME=$(REGISTRY_AND_USERNAME) IMAGE_TAG=$(IMAGE_TAG)); do \
+	@for image in $(shell $(MAKE) --quiet image-list REGISTRY_AND_USERNAME=$(REGISTRY_AND_USERNAME) IMAGE_TAG_IN=$(IMAGE_TAG_IN)); do \
 		echo '==>' $$image; \
 		cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \
 			cosign sign --yes $$image; \

api/resource/definitions/block/block.proto

@@ -126,6 +126,10 @@ message MountSpec {
   string selinux_label = 2;
   bool project_quota_support = 3;
   string parent_id = 4;
+  uint32 file_mode = 5;
+  int64 uid = 6;
+  int64 gid = 7;
+  bool recursive_relabel = 8;
 }
 
 // MountStatusSpec is the spec for MountStatus.
@@ -156,6 +160,12 @@ message ProvisioningSpec {
   FilesystemSpec filesystem_spec = 4;
 }
 
+// SymlinkProvisioningSpec is the spec for volume symlink.
+message SymlinkProvisioningSpec {
+  string symlink_target_path = 1;
+  bool force = 2;
+}
+
 // SymlinkSpec is the spec for Symlinks resource.
 message SymlinkSpec {
   repeated string paths = 1;
@@ -181,6 +191,7 @@ message VolumeConfigSpec {
   LocatorSpec locator = 4;
   MountSpec mount = 5;
   EncryptionSpec encryption = 6;
+  SymlinkProvisioningSpec symlink = 7;
 }
 
 // VolumeMountRequestSpec is the spec for VolumeMountRequest.
@@ -217,5 +228,7 @@ message VolumeStatusSpec {
   MountSpec mount_spec = 15;
   talos.resource.definitions.enums.BlockVolumeType type = 16;
   repeated string configured_encryption_keys = 17;
+  SymlinkProvisioningSpec symlink_spec = 18;
+  string parent_id = 19;
 }
 

api/resource/definitions/enums/enums.proto

@@ -401,6 +401,8 @@ enum BlockVolumeType {
   VOLUME_TYPE_DISK = 1;
   VOLUME_TYPE_TMPFS = 2;
   VOLUME_TYPE_DIRECTORY = 3;
+  VOLUME_TYPE_SYMLINK = 4;
+  VOLUME_TYPE_OVERLAY = 5;
 }
 
 // CriImageCacheStatus describes image cache status type.

internal/app/machined/pkg/controllers/block/internal/volumes/close.go

@@ -19,8 +19,8 @@ import (
 // Close the encrypted volumes.
 func Close(ctx context.Context, logger *zap.Logger, volumeContext ManagerContext) error {
 	switch volumeContext.Cfg.TypedSpec().Type {
-	case block.VolumeTypeTmpfs, block.VolumeTypeDirectory:
+	case block.VolumeTypeTmpfs, block.VolumeTypeDirectory, block.VolumeTypeSymlink, block.VolumeTypeOverlay:
-		// tmpfs & directory volumes can be always closed
+		// tmpfs, directory, symlink and overlay volumes can be always closed
 		volumeContext.Status.Phase = block.VolumePhaseClosed
 
 		return nil

internal/app/machined/pkg/controllers/block/internal/volumes/locate.go

@@ -25,11 +25,12 @@ import (
 //nolint:gocyclo,cyclop
 func LocateAndProvision(ctx context.Context, logger *zap.Logger, volumeContext ManagerContext) error {
 	volumeContext.Status.MountSpec = volumeContext.Cfg.TypedSpec().Mount
+	volumeContext.Status.SymlinkSpec = volumeContext.Cfg.TypedSpec().Symlink
 	volumeType := volumeContext.Cfg.TypedSpec().Type
 
 	switch volumeType {
-	case block.VolumeTypeTmpfs, block.VolumeTypeDirectory:
+	case block.VolumeTypeTmpfs, block.VolumeTypeDirectory, block.VolumeTypeSymlink, block.VolumeTypeOverlay:
-		// tmpfs & directory volumes are always ready
+		// tmpfs, directory, symlink and overlays volumes are always ready
 		volumeContext.Status.Phase = block.VolumePhaseReady
 
 		return nil

internal/app/machined/pkg/controllers/block/internal/volumes/volumes.go

@@ -82,6 +82,8 @@ func (d *DiskContext) ToCELContext() map[string]any {
 type ManagerContext struct {
 	Cfg               *block.VolumeConfig
 	Status            *block.VolumeStatusSpec
+	ParentStatus      *block.VolumeStatus
+	ParentFinalizer   string
 	DiscoveredVolumes []*blockpb.DiscoveredVolumeSpec
 	Disks             []DiskContext
 

internal/app/machined/pkg/controllers/block/mount.go

@@ -7,7 +7,9 @@ package block
 import (
 	"context"
 	"fmt"
+	"os"
 	"path/filepath"
+	"syscall"
 
 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/resource"
@@ -15,8 +17,12 @@ import (
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/siderolabs/gen/xslices"
 	"go.uber.org/zap"
+	"golang.org/x/sys/unix"
 
 	"github.com/siderolabs/talos/internal/pkg/mount/v2"
+	"github.com/siderolabs/talos/internal/pkg/selinux"
+	"github.com/siderolabs/talos/pkg/filetree"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/block"
 )
 
@@ -203,12 +209,13 @@ func (ctrl *MountController) Run(ctx context.Context, r controller.Runtime, logg
 				mountTarget := volumeStatus.TypedSpec().MountSpec.TargetPath
 				mountFilesystem := volumeStatus.TypedSpec().Filesystem
 
+				rootPath := "/"
+
 				if mountHasParent {
-					// mount target is a path within the parent mount
+					rootPath = mountParentStatus.TypedSpec().Target
-					mountTarget = filepath.Join(mountParentStatus.TypedSpec().Target, mountTarget)
 				}
 
-				if err = ctrl.handleMountOperation(logger, mountSource, mountTarget, mountFilesystem, mountRequest, volumeStatus); err != nil {
+				if err = ctrl.handleMountOperation(logger, rootPath, mountSource, mountTarget, mountFilesystem, mountRequest, volumeStatus); err != nil {
 					return err
 				}
 
@@ -217,7 +224,7 @@ func (ctrl *MountController) Run(ctx context.Context, r controller.Runtime, logg
 					func(mountStatus *block.MountStatus) error {
 						mountStatus.TypedSpec().Spec = *mountRequest.TypedSpec()
 						mountStatus.TypedSpec().Source = mountSource
-						mountStatus.TypedSpec().Target = mountTarget
+						mountStatus.TypedSpec().Target = filepath.Join(rootPath, mountTarget)
 						mountStatus.TypedSpec().Filesystem = mountFilesystem
 						mountStatus.TypedSpec().EncryptionProvider = volumeStatus.TypedSpec().EncryptionProvider
 						mountStatus.TypedSpec().ReadOnly = mountRequest.TypedSpec().ReadOnly
@@ -264,6 +271,7 @@ func (ctrl *MountController) tearDownMountStatus(ctx context.Context, r controll
 
 func (ctrl *MountController) handleMountOperation(
 	logger *zap.Logger,
+	rootPath string,
 	mountSource, mountTarget string,
 	mountFilesystem block.FilesystemType,
 	mountRequest *block.MountRequest,
@@ -271,24 +279,173 @@ func (ctrl *MountController) handleMountOperation(
 ) error {
 	switch volumeStatus.TypedSpec().Type {
 	case block.VolumeTypeDirectory:
-		return ctrl.handleDirectoryMountOperation(mountTarget, volumeStatus)
+		return ctrl.handleDirectoryMountOperation(rootPath, mountTarget, volumeStatus)
+	case block.VolumeTypeOverlay:
+		return ctrl.handleOverlayMountOperation(logger, filepath.Join(rootPath, mountTarget), mountRequest, volumeStatus)
+	case block.VolumeTypeSymlink:
+		return ctrl.handleSymlinkMountOperation(logger, rootPath, mountTarget, mountRequest, volumeStatus)
 	case block.VolumeTypeTmpfs:
 		return fmt.Errorf("not implemented yet")
 	case block.VolumeTypeDisk, block.VolumeTypePartition:
-		return ctrl.handleDiskMountOperation(logger, mountSource, mountTarget, mountFilesystem, mountRequest, volumeStatus)
+		return ctrl.handleDiskMountOperation(logger, mountSource, filepath.Join(rootPath, mountTarget), mountFilesystem, mountRequest, volumeStatus)
 	default:
 		return fmt.Errorf("unsupported volume type %q", volumeStatus.TypedSpec().Type)
 	}
 }
 
 func (ctrl *MountController) handleDirectoryMountOperation(
-	_ string,
+	rootPath string,
-	_ *block.VolumeStatus,
+	target string,
+	volumeStatus *block.VolumeStatus,
 ) error {
-	// [TODO]: implement me
+	targetPath := filepath.Join(rootPath, target)
-	//  - create directory if missing
+
-	//  - set SELinux label if needed
+	if err := os.Mkdir(targetPath, volumeStatus.TypedSpec().MountSpec.FileMode); err != nil {
-	//  - set uid:gid if needed
+		if !os.IsExist(err) {
+			return fmt.Errorf("failed to create target path: %w", err)
+		}
+
+		st, err := os.Stat(targetPath)
+		if err != nil {
+			return fmt.Errorf("failed to stat target path: %w", err)
+		}
+
+		if !st.IsDir() {
+			return fmt.Errorf("target path %q is not a directory", targetPath)
+		}
+	}
+
+	return ctrl.updateTargetSettings(targetPath, volumeStatus.TypedSpec().MountSpec)
+}
+
+//nolint:gocyclo
+func (ctrl *MountController) handleSymlinkMountOperation(
+	logger *zap.Logger,
+	rootPath string,
+	target string,
+	mountRequest *block.MountRequest,
+	volumeStatus *block.VolumeStatus,
+) error {
+	_, ok := ctrl.activeMounts[mountRequest.Metadata().ID()]
+	if ok {
+		return nil
+	}
+
+	targetPath := filepath.Join(rootPath, target)
+
+	st, err := os.Lstat(targetPath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to stat target path: %w", err)
+	}
+
+	if st == nil {
+		// create the symlink
+		if err := os.Symlink(volumeStatus.TypedSpec().SymlinkSpec.SymlinkTargetPath, targetPath); err != nil {
+			return fmt.Errorf("failed to create symlink %q: %w", targetPath, err)
+		}
+
+		ctrl.activeMounts[mountRequest.Metadata().ID()] = &mountContext{}
+
+		return nil
+	}
+
+	if st.Mode()&os.ModeSymlink != 0 {
+		// if it's already a symlink, check if it points to the right target
+		symlinkTarget, err := os.Readlink(targetPath)
+		if err != nil {
+			return fmt.Errorf("failed to read symlink target: %w", err)
+		}
+
+		if symlinkTarget == volumeStatus.TypedSpec().SymlinkSpec.SymlinkTargetPath {
+			return nil
+		}
+	}
+
+	if !volumeStatus.TypedSpec().SymlinkSpec.Force {
+		return fmt.Errorf("target path %q is not a symlink to %q", targetPath, volumeStatus.TypedSpec().SymlinkSpec.SymlinkTargetPath)
+	}
+
+	// try to remove forcefully
+	if err := os.RemoveAll(targetPath); err != nil {
+		if !st.Mode().IsDir() {
+			return fmt.Errorf("failed to remove target path, and target is not a directory %s: %w", st.Mode(), err)
+		}
+
+		// try to remove all entries if it's a directory
+		entries, err := os.ReadDir(targetPath)
+		if err != nil {
+			return fmt.Errorf("failed to read target path: %w", err)
+		}
+
+		for _, entry := range entries {
+			if err := os.RemoveAll(filepath.Join(targetPath, entry.Name())); err != nil {
+				logger.Warn("failed to remove target path entry", zap.String("entry", entry.Name()), zap.Error(err))
+			}
+		}
+
+		ctrl.activeMounts[mountRequest.Metadata().ID()] = &mountContext{}
+
+		// return early, i.e. keep this as a directory
+		return nil
+	}
+
+	if err := os.Symlink(volumeStatus.TypedSpec().SymlinkSpec.SymlinkTargetPath, targetPath); err != nil {
+		return fmt.Errorf("failed to create symlink %q: %w", targetPath, err)
+	}
+
+	ctrl.activeMounts[mountRequest.Metadata().ID()] = &mountContext{}
+
+	return nil
+}
+
+//nolint:gocyclo
+func (ctrl *MountController) updateTargetSettings(
+	targetPath string,
+	mountSpec block.MountSpec,
+) error {
+	if err := os.Chmod(targetPath, mountSpec.FileMode); err != nil {
+		return fmt.Errorf("failed to chmod %q: %w", targetPath, err)
+	}
+
+	st, err := os.Stat(targetPath)
+	if err != nil {
+		return fmt.Errorf("failed to stat %q: %w", targetPath, err)
+	}
+
+	sysStat := st.Sys().(*syscall.Stat_t)
+
+	if sysStat.Uid != uint32(mountSpec.UID) || sysStat.Gid != uint32(mountSpec.GID) {
+		if mountSpec.RecursiveRelabel {
+			err = filetree.ChownRecursive(targetPath, uint32(mountSpec.UID), uint32(mountSpec.GID))
+		} else {
+			err = os.Chown(targetPath, mountSpec.UID, mountSpec.GID)
+		}
+
+		if err != nil {
+			return fmt.Errorf("failed to chown %q: %w", targetPath, err)
+		}
+	}
+
+	currentLabel, err := selinux.GetLabel(targetPath)
+	if err != nil {
+		return fmt.Errorf("failed to get current label %q: %w", targetPath, err)
+	}
+
+	if currentLabel == mountSpec.SelinuxLabel {
+		// nothing to do
+		return nil
+	}
+
+	if mountSpec.RecursiveRelabel {
+		err = selinux.SetLabelRecursive(targetPath, mountSpec.SelinuxLabel)
+	} else {
+		err = selinux.SetLabel(targetPath, mountSpec.SelinuxLabel)
+	}
+
+	if err != nil {
+		return fmt.Errorf("error setting label %q: %w", targetPath, err)
+	}
+
 	return nil
 }
 
@@ -326,6 +483,14 @@ func (ctrl *MountController) handleDiskMountOperation(
 			return fmt.Errorf("failed to mount %q: %w", mountRequest.Metadata().ID(), err)
 		}
 
+		if !mountRequest.TypedSpec().ReadOnly {
+			if err = ctrl.updateTargetSettings(mountTarget, volumeStatus.TypedSpec().MountSpec); err != nil {
+				unmounter() //nolint:errcheck
+
+				return fmt.Errorf("failed to update target settings %q: %w", mountRequest.Metadata().ID(), err)
+			}
+		}
+
 		logger.Info("volume mount",
 			zap.String("volume", volumeStatus.Metadata().ID()),
 			zap.String("source", mountSource),
@@ -364,6 +529,52 @@ func (ctrl *MountController) handleDiskMountOperation(
 	return nil
 }
 
+func (ctrl *MountController) handleOverlayMountOperation(
+	logger *zap.Logger,
+	mountTarget string,
+	mountRequest *block.MountRequest,
+	volumeStatus *block.VolumeStatus,
+) error {
+	if _, ok := ctrl.activeMounts[mountRequest.Metadata().ID()]; ok {
+		return nil
+	}
+
+	if volumeStatus.TypedSpec().ParentID != constants.EphemeralPartitionLabel {
+		return fmt.Errorf("overlay mount is not supported for %q", volumeStatus.TypedSpec().ParentID)
+	}
+
+	mountpoint := mount.NewVarOverlay(
+		[]string{mountTarget},
+		mountTarget,
+		mount.WithFlags(unix.MS_I_VERSION),
+		mount.WithSelinuxLabel(volumeStatus.TypedSpec().MountSpec.SelinuxLabel),
+	)
+
+	unmounter, err := mountpoint.Mount(mount.WithMountPrinter(logger.Sugar().Infof))
+	if err != nil {
+		return fmt.Errorf("failed to mount %q: %w", mountRequest.Metadata().ID(), err)
+	}
+
+	if err = ctrl.updateTargetSettings(mountTarget, volumeStatus.TypedSpec().MountSpec); err != nil {
+		unmounter() //nolint:errcheck
+
+		return fmt.Errorf("failed to update target settings %q: %w", mountRequest.Metadata().ID(), err)
+	}
+
+	logger.Info("overlay mount",
+		zap.String("volume", volumeStatus.Metadata().ID()),
+		zap.String("target", mountTarget),
+		zap.String("parent", volumeStatus.TypedSpec().ParentID),
+	)
+
+	ctrl.activeMounts[mountRequest.Metadata().ID()] = &mountContext{
+		point:     mountpoint,
+		unmounter: unmounter,
+	}
+
+	return nil
+}
+
 func (ctrl *MountController) handleUnmountOperation(
 	logger *zap.Logger,
 	mountRequest *block.MountRequest,
@@ -371,23 +582,18 @@ func (ctrl *MountController) handleUnmountOperation(
 ) error {
 	switch volumeStatus.TypedSpec().Type {
 	case block.VolumeTypeDirectory:
-		return ctrl.handleDirectoryUnmountOperation(mountRequest, volumeStatus)
+		return nil
 	case block.VolumeTypeTmpfs:
 		return fmt.Errorf("not implemented yet")
-	case block.VolumeTypeDisk, block.VolumeTypePartition:
+	case block.VolumeTypeDisk, block.VolumeTypePartition, block.VolumeTypeOverlay:
 		return ctrl.handleDiskUnmountOperation(logger, mountRequest, volumeStatus)
+	case block.VolumeTypeSymlink:
+		return ctrl.handleSymlinkUmountOperation(mountRequest)
 	default:
 		return fmt.Errorf("unsupported volume type %q", volumeStatus.TypedSpec().Type)
 	}
 }
 
-func (ctrl *MountController) handleDirectoryUnmountOperation(
-	_ *block.MountRequest,
-	_ *block.VolumeStatus,
-) error {
-	return nil
-}
-
 func (ctrl *MountController) handleDiskUnmountOperation(
 	logger *zap.Logger,
 	mountRequest *block.MountRequest,
@@ -413,3 +619,11 @@ func (ctrl *MountController) handleDiskUnmountOperation(
 
 	return nil
 }
+
+func (ctrl *MountController) handleSymlinkUmountOperation(
+	mountRequest *block.MountRequest,
+) error {
+	delete(ctrl.activeMounts, mountRequest.Metadata().ID())
+
+	return nil
+}

internal/app/machined/pkg/controllers/block/mount_status_test.go

@@ -0,0 +1,90 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package block_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+
+	blockctrls "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/block"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
+	"github.com/siderolabs/talos/pkg/machinery/resources/block"
+)
+
+type MountStatusSuite struct {
+	ctest.DefaultSuite
+}
+
+func TestMountStatusSuite(t *testing.T) {
+	t.Parallel()
+
+	suite.Run(t, &MountStatusSuite{
+		DefaultSuite: ctest.DefaultSuite{
+			Timeout: 3 * time.Second,
+			AfterSetup: func(suite *ctest.DefaultSuite) {
+				suite.Require().NoError(suite.Runtime().RegisterController(&blockctrls.MountStatusController{}))
+			},
+		},
+	})
+}
+
+func (suite *MountStatusSuite) TestReconcile() {
+	mountStatus1 := block.NewMountStatus(block.NamespaceName, "volume1")
+	mountStatus1.TypedSpec().Spec = block.MountRequestSpec{
+		VolumeID:     "volume1",
+		Requesters:   []string{"requester1", "requester2"},
+		RequesterIDs: []string{"requester1/volume1", "requester2/volume1"},
+	}
+	mountStatus1.TypedSpec().Target = "/target"
+	suite.Create(mountStatus1)
+
+	// mount status is exploded into volume mount statuses
+	ctest.AssertResources(suite,
+		[]resource.ID{"requester1/volume1", "requester2/volume1"},
+		func(vms *block.VolumeMountStatus, asrt *assert.Assertions) {
+			asrt.Equal("volume1", vms.Metadata().Labels().Raw()["mount-status-id"])
+			asrt.Equal("volume1", vms.TypedSpec().VolumeID)
+			asrt.Equal("/target", vms.TypedSpec().Target)
+		},
+	)
+
+	// mount status should now have a finalizer
+	ctest.AssertResource(suite, "volume1", func(ms *block.MountStatus, asrt *assert.Assertions) {
+		asrt.True(ms.Metadata().Finalizers().Has((&blockctrls.MountStatusController{}).Name()))
+	})
+
+	// add a finalizer for volume mount status
+	suite.AddFinalizer(block.NewVolumeMountStatus(block.NamespaceName, "requester1/volume1").Metadata(), "test-finalizer")
+
+	// now, teardown the mount status
+	ready, err := suite.State().Teardown(suite.Ctx(), mountStatus1.Metadata())
+	suite.Require().NoError(err)
+	suite.Assert().False(ready)
+
+	// volume mount status without finalizer should be removed
+	ctest.AssertNoResource[*block.VolumeMountStatus](suite, "requester2/volume1")
+
+	// volume mount status with finalizer should be tearing down
+	ctest.AssertResource(suite, "requester1/volume1", func(vms *block.VolumeMountStatus, asrt *assert.Assertions) {
+		asrt.Equal(resource.PhaseTearingDown, vms.Metadata().Phase())
+	})
+
+	// remove finalizer from volume mount status
+	suite.RemoveFinalizer(block.NewVolumeMountStatus(block.NamespaceName, "requester1/volume1").Metadata(), "test-finalizer")
+
+	// volume mount status should be destroyed
+	ctest.AssertNoResource[*block.VolumeMountStatus](suite, "requester1/volume1")
+
+	// now the mount status finalizers should be empty as well
+	ctest.AssertResource(suite, "volume1", func(ms *block.MountStatus, asrt *assert.Assertions) {
+		asrt.True(ms.Metadata().Finalizers().Empty())
+	})
+
+	suite.Destroy(mountStatus1)
+}

internal/app/machined/pkg/controllers/block/mount_test.go

@@ -0,0 +1,152 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package block_test
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+
+	blockctrls "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/block"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
+	"github.com/siderolabs/talos/pkg/machinery/resources/block"
+)
+
+type MountSuite struct {
+	ctest.DefaultSuite
+}
+
+func TestMountSuite(t *testing.T) {
+	t.Parallel()
+
+	suite.Run(t, &MountSuite{
+		DefaultSuite: ctest.DefaultSuite{
+			Timeout: 3 * time.Second,
+			AfterSetup: func(suite *ctest.DefaultSuite) {
+				suite.Require().NoError(suite.Runtime().RegisterController(&blockctrls.MountController{}))
+			},
+		},
+	})
+}
+
+func (suite *MountSuite) mountVolume(volumeID string) { //nolint:unparam
+	mountRequest := block.NewMountRequest(block.NamespaceName, volumeID)
+	mountRequest.TypedSpec().RequesterIDs = []string{"requester1/" + volumeID}
+	mountRequest.TypedSpec().Requesters = []string{"requester1"}
+	mountRequest.TypedSpec().VolumeID = volumeID
+	suite.Create(mountRequest)
+
+	// wait for the mount status to be created
+	ctest.AssertResource(suite, volumeID, func(*block.MountStatus, *assert.Assertions) {})
+}
+
+func (suite *MountSuite) TestSymlinkNew() {
+	dir := suite.T().TempDir()
+	targetPath := filepath.Join(dir, "target")
+
+	volumeStatus := block.NewVolumeStatus(block.NamespaceName, "volume1")
+	volumeStatus.TypedSpec().Type = block.VolumeTypeSymlink
+	volumeStatus.TypedSpec().SymlinkSpec = block.SymlinkProvisioningSpec{
+		SymlinkTargetPath: "/run",
+		Force:             true,
+	}
+	volumeStatus.TypedSpec().MountSpec = block.MountSpec{
+		TargetPath: targetPath,
+	}
+	volumeStatus.TypedSpec().Phase = block.VolumePhaseReady
+	suite.Create(volumeStatus)
+
+	suite.mountVolume("volume1")
+
+	// verify symlink
+	path, err := os.Readlink(targetPath)
+	suite.Require().NoError(err)
+	suite.Assert().Equal("/run", path)
+}
+
+func (suite *MountSuite) TestSymlinkExists() {
+	dir := suite.T().TempDir()
+	targetPath := filepath.Join(dir, "target")
+
+	// symlink already exists
+	suite.Require().NoError(os.Symlink("/run", targetPath))
+
+	volumeStatus := block.NewVolumeStatus(block.NamespaceName, "volume1")
+	volumeStatus.TypedSpec().Type = block.VolumeTypeSymlink
+	volumeStatus.TypedSpec().SymlinkSpec = block.SymlinkProvisioningSpec{
+		SymlinkTargetPath: "/run",
+	}
+	volumeStatus.TypedSpec().MountSpec = block.MountSpec{
+		TargetPath: targetPath,
+	}
+	volumeStatus.TypedSpec().Phase = block.VolumePhaseReady
+	suite.Create(volumeStatus)
+
+	suite.mountVolume("volume1")
+
+	// verify symlink
+	path, err := os.Readlink(targetPath)
+	suite.Require().NoError(err)
+	suite.Assert().Equal("/run", path)
+}
+
+func (suite *MountSuite) TestSymlinkWrong() {
+	dir := suite.T().TempDir()
+	targetPath := filepath.Join(dir, "target")
+
+	// wrong symlink target
+	suite.Require().NoError(os.Symlink("/foo", targetPath))
+
+	volumeStatus := block.NewVolumeStatus(block.NamespaceName, "volume1")
+	volumeStatus.TypedSpec().Type = block.VolumeTypeSymlink
+	volumeStatus.TypedSpec().SymlinkSpec = block.SymlinkProvisioningSpec{
+		SymlinkTargetPath: "/run",
+		Force:             true,
+	}
+	volumeStatus.TypedSpec().MountSpec = block.MountSpec{
+		TargetPath: targetPath,
+	}
+	volumeStatus.TypedSpec().Phase = block.VolumePhaseReady
+	suite.Create(volumeStatus)
+
+	suite.mountVolume("volume1")
+
+	// verify symlink
+	path, err := os.Readlink(targetPath)
+	suite.Require().NoError(err)
+	suite.Assert().Equal("/run", path)
+}
+
+func (suite *MountSuite) TestSymlinkDirectory() {
+	dir := suite.T().TempDir()
+	targetPath := filepath.Join(dir, "target")
+
+	// non-empty directory structure
+	suite.Require().NoError(os.Mkdir(targetPath, 0o755))
+	suite.Require().NoError(os.Mkdir(filepath.Join(targetPath, "foo"), 0o755))
+
+	volumeStatus := block.NewVolumeStatus(block.NamespaceName, "volume1")
+	volumeStatus.TypedSpec().Type = block.VolumeTypeSymlink
+	volumeStatus.TypedSpec().SymlinkSpec = block.SymlinkProvisioningSpec{
+		SymlinkTargetPath: "/run",
+		Force:             true,
+	}
+	volumeStatus.TypedSpec().MountSpec = block.MountSpec{
+		TargetPath: targetPath,
+	}
+	volumeStatus.TypedSpec().Phase = block.VolumePhaseReady
+	suite.Create(volumeStatus)
+
+	suite.mountVolume("volume1")
+
+	// verify symlink
+	path, err := os.Readlink(targetPath)
+	suite.Require().NoError(err)
+	suite.Assert().Equal("/run", path)
+}

internal/app/machined/pkg/controllers/block/user_disk_config.go

@@ -216,10 +216,13 @@ func (ctrl *UserDiskConfigController) processUserDiskPartition(
 				targetPath = strings.TrimPrefix(targetPath, "/var/")
 			}
 
-			// TODO: label user disks
 			vc.TypedSpec().Mount = block.MountSpec{
-				TargetPath: targetPath,
+				TargetPath:   targetPath,
-				ParentID:   parentID,
+				ParentID:     parentID,
+				SelinuxLabel: constants.EphemeralSelinuxLabel,
+				FileMode:     0o755,
+				UID:          0,
+				GID:          0,
 			}
 
 			return nil

internal/app/machined/pkg/controllers/block/volume_config.go

@@ -8,6 +8,8 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"os"
+	"path/filepath"
 
 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/safe"
@@ -198,6 +200,14 @@ func (ctrl *VolumeConfigController) Run(ctx context.Context, r controller.Runtim
 			); err != nil {
 				return fmt.Errorf("error creating ephemeral volume configuration: %w", err)
 			}
+
+			if err = ctrl.manageStandardVolumes(ctx, r); err != nil {
+				return fmt.Errorf("error creating standard volume configuration: %w", err)
+			}
+
+			if err = ctrl.manageOverlayVolumes(ctx, r); err != nil {
+				return fmt.Errorf("error creating overlay volume configuration: %w", err)
+			}
 		}
 
 		// [TODO]: this would fail as it doesn't handle finalizers properly
@@ -210,7 +220,11 @@ func (ctrl *VolumeConfigController) Run(ctx context.Context, r controller.Runtim
 func (ctrl *VolumeConfigController) manageEphemeralInContainer(vc *block.VolumeConfig) error {
 	vc.TypedSpec().Type = block.VolumeTypeDirectory
 	vc.TypedSpec().Mount = block.MountSpec{
-		TargetPath: constants.EphemeralMountPoint,
+		TargetPath:   constants.EphemeralMountPoint,
+		SelinuxLabel: constants.EphemeralSelinuxLabel,
+		FileMode:     0o755,
+		UID:          0,
+		GID:          0,
 	}
 
 	return nil
@@ -247,6 +261,9 @@ func (ctrl *VolumeConfigController) manageEphemeral(config cfg.Config) func(vc *
 		vc.TypedSpec().Mount = block.MountSpec{
 			TargetPath:          constants.EphemeralMountPoint,
 			SelinuxLabel:        constants.EphemeralSelinuxLabel,
+			FileMode:            0o755,
+			UID:                 0,
+			GID:                 0,
 			ProjectQuotaSupport: config.Machine().Features().DiskQuotaSupportEnabled(),
 		}
 
@@ -268,7 +285,11 @@ func (ctrl *VolumeConfigController) manageEphemeral(config cfg.Config) func(vc *
 func (ctrl *VolumeConfigController) manageStateInContainer(vc *block.VolumeConfig) error {
 	vc.TypedSpec().Type = block.VolumeTypeDirectory
 	vc.TypedSpec().Mount = block.MountSpec{
-		TargetPath: constants.StateMountPoint,
+		TargetPath:   constants.StateMountPoint,
+		SelinuxLabel: constants.StateSelinuxLabel,
+		FileMode:     0o700,
+		UID:          0,
+		GID:          0,
 	}
 
 	return nil
@@ -284,6 +305,9 @@ func (ctrl *VolumeConfigController) manageStateConfigPresent(config cfg.Config)
 		vc.TypedSpec().Mount = block.MountSpec{
 			TargetPath:   constants.StateMountPoint,
 			SelinuxLabel: constants.StateSelinuxLabel,
+			FileMode:     0o700,
+			UID:          0,
+			GID:          0,
 		}
 
 		vc.TypedSpec().Provisioning = block.ProvisioningSpec{
@@ -328,6 +352,9 @@ func (ctrl *VolumeConfigController) manageStateNoConfig(encryptionMeta *runtime.
 		vc.TypedSpec().Mount = block.MountSpec{
 			TargetPath:   constants.StateMountPoint,
 			SelinuxLabel: constants.StateSelinuxLabel,
+			FileMode:     0o700,
+			UID:          0,
+			GID:          0,
 		}
 
 		match := labelVolumeMatchAndNonEmpty(constants.StatePartitionLabel)
@@ -360,3 +387,184 @@ func (ctrl *VolumeConfigController) manageStateNoConfig(encryptionMeta *runtime.
 		return nil
 	}
 }
+
+func (ctrl *VolumeConfigController) manageStandardVolumes(ctx context.Context, r controller.Runtime) error {
+	if err := safe.WriterModify(ctx, r,
+		block.NewVolumeConfig(block.NamespaceName, "/var/run"),
+		func(vc *block.VolumeConfig) error {
+			vc.TypedSpec().Type = block.VolumeTypeSymlink
+			vc.TypedSpec().Symlink = block.SymlinkProvisioningSpec{
+				SymlinkTargetPath: "/run",
+				Force:             true,
+			}
+			vc.TypedSpec().Mount = block.MountSpec{
+				TargetPath: "/var/run",
+			}
+
+			return nil
+		},
+	); err != nil {
+		return fmt.Errorf("error creating symlink volume configuration for /var/run: %w", err)
+	}
+
+	parentIDs := map[string]string{
+		"/var":     constants.EphemeralPartitionLabel,
+		"/var/run": "/var/run",
+	}
+
+	for _, volume := range []struct {
+		ID           string
+		Path         string
+		Mode         os.FileMode
+		UID          int
+		GID          int
+		Recursive    bool
+		SELinuxLabel string
+	}{
+		// /var/log
+		{
+			Path:         "/var/log",
+			Mode:         0o755,
+			SELinuxLabel: "system_u:object_r:var_log_t:s0",
+		},
+		{
+			Path:         "/var/log/audit",
+			Mode:         0o700,
+			SELinuxLabel: "system_u:object_r:audit_log_t:s0",
+		},
+		{
+			Path:         constants.KubernetesAuditLogDir,
+			Mode:         0o700,
+			UID:          constants.KubernetesAPIServerRunUser,
+			GID:          constants.KubernetesAPIServerRunGroup,
+			Recursive:    true,
+			SELinuxLabel: "system_u:object_r:kube_log_t:s0",
+		},
+		{
+			Path:         "/var/log/containers",
+			Mode:         0o755,
+			SELinuxLabel: "system_u:object_r:containers_log_t:s0",
+		},
+		{
+			Path:         "/var/log/pods",
+			Mode:         0o755,
+			SELinuxLabel: "system_u:object_r:pods_log_t:s0",
+		},
+		// /var/lib
+		{
+			Path:         "/var/lib",
+			Mode:         0o700,
+			SELinuxLabel: constants.EphemeralSelinuxLabel,
+		},
+		{
+			ID:           constants.EtcdDataVolumeID,
+			Path:         constants.EtcdDataPath,
+			SELinuxLabel: constants.EtcdDataSELinuxLabel,
+			Mode:         0o700,
+			UID:          constants.EtcdUserID,
+			GID:          constants.EtcdUserID,
+			Recursive:    true,
+		},
+		{
+			Path:         "/var/lib/containerd",
+			Mode:         0o000,
+			SELinuxLabel: "system_u:object_r:containerd_state_t:s0",
+		},
+		{
+			Path:         "/var/lib/kubelet",
+			Mode:         0o700,
+			SELinuxLabel: "system_u:object_r:kubelet_state_t:s0",
+		},
+		{
+			Path:         "/var/lib/cni",
+			Mode:         0o700,
+			Recursive:    true,
+			SELinuxLabel: "system_u:object_r:cni_state_t:s0",
+		},
+		{
+			Path:         "/var/lib/kubelet/seccomp",
+			Mode:         0o700,
+			SELinuxLabel: "system_u:object_r:seccomp_profile_t:s0",
+		},
+		{
+			Path:         constants.SeccompProfilesDirectory,
+			Mode:         0o700,
+			Recursive:    true,
+			SELinuxLabel: "system_u:object_r:seccomp_profile_t:s0",
+		},
+		// /var/run
+		{
+			Path:         "/var/run/lock",
+			Mode:         0o755,
+			SELinuxLabel: "system_u:object_r:var_lock_t:s0",
+		},
+	} {
+		parentDir := filepath.Dir(volume.Path)
+		targetDir := filepath.Base(volume.Path)
+
+		parentID, ok := parentIDs[parentDir]
+		if !ok {
+			return fmt.Errorf("unknown parent directory volume %q for %q", parentDir, volume.Path)
+		}
+
+		volumeID := volume.Path
+
+		if volume.ID != "" {
+			volumeID = volume.ID
+		}
+
+		if err := safe.WriterModify(ctx, r,
+			block.NewVolumeConfig(block.NamespaceName, volumeID),
+			func(vc *block.VolumeConfig) error {
+				vc.TypedSpec().Type = block.VolumeTypeDirectory
+
+				vc.TypedSpec().Mount = block.MountSpec{
+					TargetPath:       targetDir,
+					ParentID:         parentID,
+					SelinuxLabel:     volume.SELinuxLabel,
+					FileMode:         volume.Mode,
+					UID:              volume.UID,
+					GID:              volume.GID,
+					RecursiveRelabel: volume.Recursive,
+				}
+
+				return nil
+			},
+		); err != nil {
+			return fmt.Errorf("error creating volume configuration for %q: %w", volume.Path, err)
+		}
+
+		parentIDs[volume.Path] = volumeID
+	}
+
+	return nil
+}
+
+func (ctrl *VolumeConfigController) manageOverlayVolumes(ctx context.Context, r controller.Runtime) error {
+	if ctrl.V1Alpha1Mode.InContainer() {
+		return nil
+	}
+
+	for _, overlay := range constants.Overlays {
+		if err := safe.WriterModify(ctx, r,
+			block.NewVolumeConfig(block.NamespaceName, overlay.Path),
+			func(vc *block.VolumeConfig) error {
+				vc.TypedSpec().Type = block.VolumeTypeOverlay
+				vc.TypedSpec().ParentID = constants.EphemeralPartitionLabel
+				vc.TypedSpec().Mount = block.MountSpec{
+					TargetPath:   overlay.Path,
+					SelinuxLabel: overlay.Label,
+					FileMode:     0o755,
+					UID:          0,
+					GID:          0,
+				}
+
+				return nil
+			},
+		); err != nil {
+			return fmt.Errorf("error creating volume configuration for %q: %w", overlay.Path, err)
+		}
+	}
+
+	return nil
+}

internal/app/machined/pkg/controllers/block/volume_config_test.go

@@ -10,6 +10,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-pointer"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
@@ -120,6 +122,30 @@ func (suite *VolumeConfigSuite) TestReconcileDefaults() {
 
 		asrt.Equal(constants.EphemeralMountPoint, r.TypedSpec().Mount.TargetPath)
 	})
+
+	ctest.AssertResources(suite, []resource.ID{
+		"/var/log",
+		"/var/log/audit",
+		"/var/log/containers",
+		"/var/log/pods",
+		constants.EtcdDataVolumeID,
+		"/var/lib/containerd",
+		"/var/lib/kubelet",
+		"/var/lib/cni",
+		constants.SeccompProfilesDirectory,
+		constants.KubernetesAuditLogDir,
+		"/var/run/lock",
+	}, func(r *block.VolumeConfig, asrt *assert.Assertions) {
+		asrt.Equal(block.VolumeTypeDirectory, r.TypedSpec().Type)
+	})
+
+	ctest.AssertResources(suite,
+		xslices.Map(constants.Overlays, func(target constants.SELinuxLabeledPath) resource.ID {
+			return target.Path
+		}),
+		func(r *block.VolumeConfig, asrt *assert.Assertions) {
+			asrt.Equal(block.VolumeTypeOverlay, r.TypedSpec().Type)
+		})
 }
 
 func (suite *VolumeConfigSuite) TestReconcileEncryptedSTATE() {

internal/app/machined/pkg/controllers/block/volume_manager.go

@@ -49,7 +49,7 @@ func (ctrl *VolumeManagerController) Inputs() []controller.Input {
 		{
 			Namespace: block.NamespaceName,
 			Type:      block.VolumeStatusType,
-			Kind:      controller.InputDestroyReady,
+			Kind:      controller.InputStrong,
 		},
 		{
 			Namespace: block.NamespaceName,
@@ -294,14 +294,31 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 			volumeStatus := volumeStatuses[vc.Metadata().ID()]
 			volumeLogger := logger.With(zap.String("volume", vc.Metadata().ID()))
 
+			var volumeParentStatus *block.VolumeStatus
+
+			if vc.TypedSpec().ParentID != "" {
+				volumeParentStatus = volumeStatuses[vc.TypedSpec().ParentID]
+			}
+
+			parentFinalizer := ctrl.Name() + "-" + vc.Metadata().ID()
+
 			// figure out if we are tearing down this volume or building it
 			tearingDown := (volumeStatus != nil && volumeStatus.Metadata().Phase() == resource.PhaseTearingDown) || // we started tearing down the volume, so finish doing so
 				vc.Metadata().Phase() == resource.PhaseTearingDown || // volume config is being torn down
+				volumeParentStatus != nil && volumeParentStatus.Metadata().Phase() == resource.PhaseTearingDown || // parent volume is being torn down
 				volumeLifecycleTearingDown // global volume lifecycle requires all volumes to be torn down
 
 			// volume status doesn't exist yet, figure out what to do
 			if volumeStatus == nil {
 				if tearingDown {
+					if volumeParentStatus != nil {
+						if volumeParentStatus.Metadata().Finalizers().Has(parentFinalizer) {
+							if err = r.RemoveFinalizer(ctx, volumeParentStatus.Metadata(), parentFinalizer); err != nil {
+								return fmt.Errorf("error removing finalizer from parent volume configuration: %w", err)
+							}
+						}
+					}
+
 					// happy case, we don't need to progress this volume
 					if vc.Metadata().Finalizers().Has(ctrl.Name()) {
 						if err = r.RemoveFinalizer(ctx, vc.Metadata(), ctrl.Name()); err != nil {
@@ -316,6 +333,7 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 				volumeStatus = block.NewVolumeStatus(block.NamespaceName, vc.Metadata().ID())
 				volumeStatus.TypedSpec().Phase = block.VolumePhaseWaiting
 				volumeStatus.TypedSpec().Type = vc.TypedSpec().Type
+				volumeStatus.TypedSpec().ParentID = vc.TypedSpec().ParentID
 				volumeStatuses[vc.Metadata().ID()] = volumeStatus
 			}
 
@@ -331,12 +349,15 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 
 			prevPhase := volumeStatus.TypedSpec().Phase
 
-			if err = ctrl.processVolumeConfig(
+			if err = ctrl.progressVolumeConfig(
 				ctx,
 				volumeLogger,
+				r,
 				volumes.ManagerContext{
 					Cfg:                     vc,
 					Status:                  volumeStatus.TypedSpec(),
+					ParentStatus:            volumeParentStatus,
+					ParentFinalizer:         parentFinalizer,
 					DiscoveredVolumes:       discoveredVolumesSpecs,
 					Disks:                   diskSpecs,
 					DevicesReady:            devicesReady,
@@ -373,34 +394,53 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 			}
 
 			if prevPhase != volumeStatus.TypedSpec().Phase || err != nil {
-				fields := []zap.Field{
+				suppressVolumeLogs := slices.Contains(
-					zap.String("phase", fmt.Sprintf("%s -> %s", prevPhase, volumeStatus.TypedSpec().Phase)),
+					[]block.VolumeType{
-					zap.Error(err),
+						block.VolumeTypeDirectory,
-				}
+						block.VolumeTypeOverlay,
+						block.VolumeTypeSymlink,
+					},
+					volumeStatus.TypedSpec().Type,
+				)
 
-				if volumeStatus.TypedSpec().Location != "" {
+				if !suppressVolumeLogs {
-					fields = append(fields, zap.String("location", volumeStatus.TypedSpec().Location))
+					fields := []zap.Field{
-				}
+						zap.String("phase", fmt.Sprintf("%s -> %s", prevPhase, volumeStatus.TypedSpec().Phase)),
+						zap.Error(err),
+					}
 
-				if volumeStatus.TypedSpec().MountLocation != "" && volumeStatus.TypedSpec().MountLocation != volumeStatus.TypedSpec().Location {
+					if volumeStatus.TypedSpec().Location != "" {
-					fields = append(fields, zap.String("mountLocation", volumeStatus.TypedSpec().MountLocation))
+						fields = append(fields, zap.String("location", volumeStatus.TypedSpec().Location))
-				}
+					}
 
-				if volumeStatus.TypedSpec().ParentLocation != "" {
+					if volumeStatus.TypedSpec().MountLocation != "" && volumeStatus.TypedSpec().MountLocation != volumeStatus.TypedSpec().Location {
-					fields = append(fields, zap.String("parentLocation", volumeStatus.TypedSpec().ParentLocation))
+						fields = append(fields, zap.String("mountLocation", volumeStatus.TypedSpec().MountLocation))
-				}
+					}
 
-				if len(volumeStatus.TypedSpec().EncryptionFailedSyncs) > 0 {
+					if volumeStatus.TypedSpec().ParentLocation != "" {
-					fields = append(fields, zap.Strings("encryptionFailedSyncs", volumeStatus.TypedSpec().EncryptionFailedSyncs))
+						fields = append(fields, zap.String("parentLocation", volumeStatus.TypedSpec().ParentLocation))
-				}
+					}
 
-				volumeLogger.Info("volume status", fields...)
+					if len(volumeStatus.TypedSpec().EncryptionFailedSyncs) > 0 {
+						fields = append(fields, zap.Strings("encryptionFailedSyncs", volumeStatus.TypedSpec().EncryptionFailedSyncs))
+					}
+
+					volumeLogger.Info("volume status", fields...)
+				}
 			}
 
 			// when closing, ignore META volume, we want it to stay longer, so no problem if is not closed yet
 			allClosed = allClosed && (volumeStatus.TypedSpec().Phase == block.VolumePhaseClosed || vc.Metadata().ID() == constants.MetaPartitionLabel)
 
 			if shouldCloseVolume && volumeStatus.TypedSpec().Phase == block.VolumePhaseClosed {
+				if volumeParentStatus != nil {
+					if volumeParentStatus.Metadata().Finalizers().Has(parentFinalizer) {
+						if err = r.RemoveFinalizer(ctx, volumeParentStatus.Metadata(), parentFinalizer); err != nil {
+							return fmt.Errorf("error removing finalizer from parent volume configuration: %w", err)
+						}
+					}
+				}
+
 				// we can destroy the volume status now
 				if err = r.Destroy(ctx, volumeStatus.Metadata()); err != nil {
 					return fmt.Errorf("error destroying volume status: %w", err)
@@ -430,6 +470,25 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 	}
 }
 
+func (ctrl *VolumeManagerController) progressVolumeConfig(ctx context.Context, logger *zap.Logger, r controller.Runtime, volumeContext volumes.ManagerContext) error {
+	if !volumeContext.ShouldCloseVolume {
+		if volumeContext.Cfg.TypedSpec().ParentID != "" {
+			if volumeContext.ParentStatus == nil {
+				// not ready yet
+				return nil
+			}
+
+			if !volumeContext.ParentStatus.Metadata().Finalizers().Has(volumeContext.ParentFinalizer) {
+				if err := r.AddFinalizer(ctx, volumeContext.ParentStatus.Metadata(), volumeContext.ParentFinalizer); err != nil {
+					return fmt.Errorf("error adding finalizer to parent volume configuration: %w", err)
+				}
+			}
+		}
+	}
+
+	return ctrl.processVolumeConfig(ctx, logger, volumeContext)
+}
+
 // processVolumeConfig implements the volume configuration automata.
 //
 //	Initial -> { Waiting }  ----> { Missing } // volume is not found (by locator)

internal/app/machined/pkg/controllers/cri/image_cache_config.go

@@ -82,6 +82,11 @@ func (ctrl *ImageCacheConfigController) Inputs() []controller.Input {
 			Type:      block.VolumeMountStatusType,
 			Kind:      controller.InputStrong,
 		},
+		{
+			Namespace: block.NamespaceName,
+			Type:      block.VolumeMountRequestType,
+			Kind:      controller.InputDestroyReady,
+		},
 	}
 }
 
@@ -252,7 +257,12 @@ func (ctrl *ImageCacheConfigController) createVolumeConfigISO(ctx context.Contex
 		volumeCfg.TypedSpec().Locator = block.LocatorSpec{
 			Match: *boolExpr,
 		}
-		volumeCfg.TypedSpec().Mount.TargetPath = constants.ImageCacheISOMountPoint
+		volumeCfg.TypedSpec().Mount = block.MountSpec{
+			TargetPath: constants.ImageCacheISOMountPoint,
+			FileMode:   0o700,
+			UID:        0,
+			GID:        0,
+		}
 
 		return nil
 	})
@@ -305,7 +315,12 @@ func (ctrl *ImageCacheConfigController) createVolumeConfigDisk(ctx context.Conte
 			volumeCfg.TypedSpec().Provisioning.FilesystemSpec.Type = block.FilesystemTypeEXT4
 		}
 
-		volumeCfg.TypedSpec().Mount.TargetPath = constants.ImageCacheDiskMountPoint
+		volumeCfg.TypedSpec().Mount = block.MountSpec{
+			TargetPath: constants.ImageCacheDiskMountPoint,
+			FileMode:   0o700,
+			UID:        0,
+			GID:        0,
+		}
 
 		return nil
 	})

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer.go

@@ -217,17 +217,9 @@ func (*Sequencer) Boot(r runtime.Runtime) []runtime.Phase {
 		r.State().Platform().Mode() == runtime.ModeContainer,
 		"sharedFilesystems",
 		SetupSharedFilesystems,
-	).AppendWhen(
+	).Append(
-		r.State().Platform().Mode() != runtime.ModeContainer,
 		"ephemeral",
 		MountEphemeralPartition,
-	).Append(
-		"var",
-		SetupVarDirectory,
-	).AppendWhen(
-		r.State().Platform().Mode() != runtime.ModeContainer,
-		"overlay",
-		MountOverlayFilesystems,
 	).AppendWhen(
 		r.State().Platform().Mode() != runtime.ModeContainer,
 		"udevSetup",
@@ -455,7 +447,6 @@ func (*Sequencer) Upgrade(r runtime.Runtime, in *machineapi.UpgradeRequest) []ru
 			StopServicesEphemeral,
 		).Append(
 			"unmount",
-			UnmountOverlayFilesystems,
 			UnmountPodMounts,
 		).Append(
 			"unmountBind",
@@ -503,7 +494,6 @@ func stopAllPhaselist(r runtime.Runtime, enableKexec bool) PhaseList {
 			StopServicesEphemeral,
 		).Append(
 			"umount",
-			UnmountOverlayFilesystems,
 			UnmountPodMounts,
 		).Append(
 			"unmountBind",

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -509,15 +509,6 @@ func StopAllServices(runtime.Sequence, any) (runtime.TaskExecutionFunc, string)
 	}, "stopAllServices"
 }
 
-// MountOverlayFilesystems represents the MountOverlayFilesystems task.
-func MountOverlayFilesystems(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
-	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		_, err = mountv2.OverlayMountPoints().Mount()
-
-		return err
-	}, "mountOverlayFilesystems"
-}
-
 // SetupSharedFilesystems represents the SetupSharedFilesystems task.
 func SetupSharedFilesystems(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
@@ -532,132 +523,6 @@ func SetupSharedFilesystems(runtime.Sequence, any) (runtime.TaskExecutionFunc, s
 	}, "setupSharedFilesystems"
 }
 
-// CreateDirectory is a structure describing properties of a directory to be initialized.
-type CreateDirectory struct {
-	Path          string
-	Mode          os.FileMode
-	UID, GID      int
-	SELinuxLabel  string
-	ExcludeLabels []string
-}
-
-// InitializeDirectoryStructure creates directories and sets security options on them.
-func InitializeDirectoryStructure(directories []CreateDirectory) error {
-	for _, dir := range directories {
-		if err := os.MkdirAll(dir.Path, dir.Mode); err != nil {
-			return err
-		}
-
-		if err := os.Chmod(dir.Path, dir.Mode); err != nil {
-			return err
-		}
-
-		if err := selinux.SetLabelRecursive(dir.Path, dir.SELinuxLabel, dir.ExcludeLabels...); err != nil {
-			return err
-		}
-
-		if dir.UID != 0 || dir.GID != 0 {
-			if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-// SetupVarDirectory represents the SetupVarDirectory task.
-func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
-	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
-		if err := setupVarRun(logger); err != nil {
-			return err
-		}
-
-		directoryConfigurations := []CreateDirectory{
-			{
-				Path:         "/var/log",
-				Mode:         0o755,
-				SELinuxLabel: "system_u:object_r:var_log_t:s0",
-			},
-			{
-				Path:         "/var/log/audit",
-				Mode:         0o700,
-				SELinuxLabel: "system_u:object_r:audit_log_t:s0",
-			},
-			{
-				Path:         "/var/log/containers",
-				Mode:         0o755,
-				SELinuxLabel: "system_u:object_r:containers_log_t:s0",
-			},
-			{
-				Path:         "/var/log/pods",
-				Mode:         0o755,
-				SELinuxLabel: "system_u:object_r:pods_log_t:s0",
-			},
-			{
-				Path:         "/var/lib/containerd",
-				Mode:         0o000,
-				SELinuxLabel: "system_u:object_r:containerd_state_t:s0",
-			},
-			{
-				Path:         "/var/lib/kubelet",
-				Mode:         0o700,
-				SELinuxLabel: "system_u:object_r:kubelet_state_t:s0",
-			},
-			{
-				Path:         "/var/lib/cni",
-				Mode:         0o700,
-				SELinuxLabel: "system_u:object_r:cni_state_t:s0",
-			},
-			{
-				Path:         "/var/run/lock",
-				Mode:         0o755,
-				SELinuxLabel: "system_u:object_r:var_lock_t:s0",
-			},
-			{
-				Path:         constants.SeccompProfilesDirectory,
-				Mode:         0o700,
-				SELinuxLabel: "system_u:object_r:seccomp_profile_t:s0",
-			},
-			{
-				Path:         constants.KubernetesAuditLogDir,
-				Mode:         0o700,
-				UID:          constants.KubernetesAPIServerRunUser,
-				GID:          constants.KubernetesAPIServerRunGroup,
-				SELinuxLabel: "system_u:object_r:kube_log_t:s0",
-			},
-		}
-
-		return InitializeDirectoryStructure(directoryConfigurations)
-	}, "setupVarDirectory"
-}
-
-func setupVarRun(logger *log.Logger) error {
-	// handle '/var/run' - if that exists after an upgrade, and is a directory, clean it up
-	// if it doesn't exist, create as a symlink to '/run'
-	runSt, err := os.Lstat("/var/run")
-	if err == nil && runSt.IsDir() {
-		// old Talos versions had '/var/run' as a directory, clean it up on boot
-		entries, err := os.ReadDir("/var/run")
-		if err != nil {
-			return fmt.Errorf("failed to read /var/run: %w", err)
-		}
-
-		for _, e := range entries {
-			if err = os.RemoveAll(filepath.Join("/var/run", e.Name())); err != nil {
-				logger.Printf("failed to remove %s: %s", e.Name(), err)
-			}
-		}
-	} else if err != nil && os.IsNotExist(err) {
-		// '/var/run' doesn't exist, create as a symlink to '/run'
-		if err = os.Symlink("/run", "/var/run"); err != nil {
-			return fmt.Errorf("failed to create /var/run symlink: %w", err)
-		}
-	}
-
-	return nil
-}
-
 // MountUserDisks represents the MountUserDisks task.
 func MountUserDisks(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
@@ -865,13 +730,6 @@ func existsAndIsFile(p string) (err error) {
 	return nil
 }
 
-// UnmountOverlayFilesystems represents the UnmountOverlayFilesystems task.
-func UnmountOverlayFilesystems(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
-	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		return mountv2.OverlayMountPoints().Unmount()
-	}, "unmountOverlayFilesystems"
-}
-
 // UnmountPodMounts represents the UnmountPodMounts task.
 func UnmountPodMounts(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
@@ -910,18 +768,24 @@ func UnmountPodMounts(runtime.Sequence, any) (runtime.TaskExecutionFunc, string)
 }
 
 // UnmountSystemDiskBindMounts represents the UnmountSystemDiskBindMounts task.
+//
+//nolint:gocyclo
 func UnmountSystemDiskBindMounts(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		systemDisk, err := blockres.GetSystemDisk(ctx, r.State().V1Alpha2().Resources())
+		ephemeralStatus, err := safe.StateGetByID[*blockres.VolumeStatus](ctx, r.State().V1Alpha2().Resources(), constants.EphemeralPartitionLabel)
-		if err != nil {
+		if err != nil && !state.IsNotFoundError(err) {
 			return err
 		}
 
-		if systemDisk == nil {
+		if ephemeralStatus == nil {
 			return nil
 		}
 
-		devname := systemDisk.DevPath
+		devname := ephemeralStatus.TypedSpec().MountLocation
+
+		if devname == "" {
+			return nil
+		}
 
 		f, err := os.Open("/proc/mounts")
 		if err != nil {
@@ -938,18 +802,19 @@ func UnmountSystemDiskBindMounts(runtime.Sequence, any) (runtime.TaskExecutionFu
 				continue
 			}
 
-			device := strings.ReplaceAll(fields[0], "/dev/mapper", "/dev")
+			device, mountpoint := fields[0], fields[1]
-			mountpoint := fields[1]
 
-			if strings.HasPrefix(device, devname) && device != devname {
+			if device != devname || mountpoint == constants.EphemeralMountPoint {
-				logger.Printf("unmounting %s\n", mountpoint)
+				continue
+			}
 
-				if err = mountv2.SafeUnmount(ctx, logger.Printf, mountpoint); err != nil {
+			logger.Printf("unmounting %s\n", mountpoint)
-					if errors.Is(err, syscall.EINVAL) {
+
-						log.Printf("ignoring unmount error %s: %v", mountpoint, err)
+			if err = mountv2.SafeUnmount(ctx, logger.Printf, mountpoint); err != nil {
-					} else {
+				if errors.Is(err, syscall.EINVAL) {
-						return fmt.Errorf("error unmounting %s: %w", mountpoint, err)
+					log.Printf("ignoring unmount error %s: %v", mountpoint, err)
-					}
+				} else {
+					return fmt.Errorf("error unmounting %s: %w", mountpoint, err)
 				}
 			}
 		}
@@ -1617,21 +1482,16 @@ func UnmountEphemeralPartition(runtime.Sequence, any) (runtime.TaskExecutionFunc
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
 		mountRequest := blockres.NewVolumeMountRequest(blockres.NamespaceName, constants.EphemeralPartitionLabel).Metadata()
 
-		_, err := r.State().V1Alpha2().Resources().Teardown(ctx, mountRequest)
+		err := r.State().V1Alpha2().Resources().Destroy(ctx, mountRequest)
 		if err != nil {
 			if state.IsNotFoundError(err) {
 				return nil
 			}
 
-			return fmt.Errorf("failed to teardown EPHEMERAL mount request: %w", err)
+			return fmt.Errorf("failed to destroy EPHEMERAL mount request: %w", err)
 		}
 
-		_, err = r.State().V1Alpha2().Resources().WatchFor(ctx, mountRequest, state.WithFinalizerEmpty())
+		return nil
-		if err != nil {
-			return fmt.Errorf("failed to wait for EPHEMERAL teardown: %w", err)
-		}
-
-		return r.State().V1Alpha2().Resources().Destroy(ctx, mountRequest)
 	}, "unmountEphemeralPartition"
 }
 

internal/app/machined/pkg/startup/startup.go

@@ -40,7 +40,6 @@ func DefaultTasks() []Task {
 		LogMode,
 		MountPseudoLate,
 		SetupSystemDirectories,
-		SetupSystemSubdirectories,
 		InitVolumeLifecycle,
 		MountCgroups,
 		SetRLimit,

internal/app/machined/pkg/startup/tasks.go

@@ -17,7 +17,6 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
-	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1"
 	"github.com/siderolabs/talos/internal/pkg/environment"
 	"github.com/siderolabs/talos/internal/pkg/mount/v2"
 	"github.com/siderolabs/talos/internal/pkg/selinux"
@@ -34,61 +33,27 @@ func LogMode(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next Next
 
 // SetupSystemDirectories creates system default directories.
 func SetupSystemDirectories(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next NextTaskFunc) error {
-	for _, path := range []string{constants.SystemEtcPath, constants.SystemVarPath, constants.StateMountPoint} {
+	for _, dir := range []struct {
-		if err := os.MkdirAll(path, 0o700); err != nil {
+		path  string
+		perm  os.FileMode
+		label string
+	}{
+		{constants.SystemEtcPath, 0o700, constants.EtcSelinuxLabel},
+		{constants.SystemVarPath, 0o700, constants.SystemVarSelinuxLabel},
+		{constants.StateMountPoint, 0o700, ""},
+		{constants.SystemRunPath, 0o751, "system_u:object_r:system_run_t:s0"},
+		{"/system/run/containerd", 0o711, "system_u:object_r:sys_containerd_run_t:s0"},
+		{"/run/containerd", 0o711, "system_u:object_r:pod_containerd_run_t:s0"},
+	} {
+		if err := os.MkdirAll(dir.path, dir.perm); err != nil {
 			return fmt.Errorf("setupSystemDirectories: %w", err)
 		}
 
-		var label string
+		if dir.label != "" {
-
+			if err := selinux.SetLabel(dir.path, dir.label); err != nil {
-		switch path {
+				return fmt.Errorf("setupSystemDirectories: %w", err)
-		case constants.SystemEtcPath:
+			}
-			label = constants.EtcSelinuxLabel
-		case constants.SystemVarPath:
-			label = constants.SystemVarSelinuxLabel
-		default: // /system/state is another mount
-			label = ""
 		}
-
-		if err := selinux.SetLabel(path, label); err != nil {
-			return err
-		}
-	}
-
-	for _, path := range []string{constants.SystemRunPath} {
-		if err := os.MkdirAll(path, 0o751); err != nil {
-			return fmt.Errorf("setupSystemDirectories: %w", err)
-		}
-	}
-
-	return next()(ctx, log, rt, next)
-}
-
-// SetupSystemSubdirectories creates and configures subdirectories under /system.
-func SetupSystemSubdirectories(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next NextTaskFunc) error {
-	directoryConfigurations := []v1alpha1.CreateDirectory{
-		{
-			Path:         "/system/run",
-			Mode:         0o751,
-			SELinuxLabel: "system_u:object_r:system_run_t:s0",
-		},
-		{
-			Path:          "/system/run/containerd",
-			Mode:          0o711,
-			SELinuxLabel:  "system_u:object_r:sys_containerd_run_t:s0",
-			ExcludeLabels: []string{"system_u:object_r:sys_containerd_socket_t:s0"},
-		},
-		{
-			Path:          "/run/containerd",
-			Mode:          0o711,
-			SELinuxLabel:  "system_u:object_r:pod_containerd_run_t:s0",
-			ExcludeLabels: []string{"system_u:object_r:pod_containerd_socket_t:s0"},
-		},
-	}
-
-	err := v1alpha1.InitializeDirectoryStructure(directoryConfigurations)
-	if err != nil {
-		return err
 	}
 
 	return next()(ctx, log, rt, next)

internal/app/machined/pkg/system/integration_test.go

@@ -70,7 +70,7 @@ func (TestService) DependsOn(runtime.Runtime) []string {
 	return nil
 }
 
-func (TestService) Volumes() []string {
+func (TestService) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/mocks_test.go

@@ -64,7 +64,7 @@ func (m *MockService) DependsOn(runtime.Runtime) []string {
 	return m.dependencies
 }
 
-func (m *MockService) Volumes() []string {
+func (m *MockService) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/service.go

@@ -30,7 +30,7 @@ type Service interface {
 	// DependsOn returns list of service IDs this service depends on.
 	DependsOn(runtime.Runtime) []string
 	// Volumes returns a list of volume IDs the service needs.
-	Volumes() []string
+	Volumes(runtime.Runtime) []string
 }
 
 // HealthcheckedService is a service which provides health check.

internal/app/machined/pkg/system/service_runner.go

@@ -219,7 +219,7 @@ func (svcrunner *ServiceRunner) Run(notifyChannels ...chan<- struct{}) error {
 		condition = conditions.WaitForAll(serviceDependencies, condition)
 	}
 
-	if volumeIDs := svcrunner.service.Volumes(); len(volumeIDs) > 0 && !svcrunner.runtime.State().Platform().Mode().InContainer() {
+	if volumeIDs := svcrunner.service.Volumes(svcrunner.runtime); len(volumeIDs) > 0 {
 		// create volume mount request for each volume requested
 		volumeRequestIDs := make([]string, 0, len(volumeIDs))
 
@@ -241,8 +241,11 @@ func (svcrunner *ServiceRunner) Run(notifyChannels ...chan<- struct{}) error {
 
 		// cleanup volume mounts
 		defer func() {
-			if err := svcrunner.deleteVolumeMountRequest(ctx, volumeRequestIDs); err != nil {
+			cleanupCtx, cleanupCancel := context.WithTimeout(context.Background(), 10*time.Second)
-				svcrunner.UpdateState(ctx, events.StateFailed, "Failed to clean up volumes: %v", err)
+			defer cleanupCancel()
+
+			if err := svcrunner.deleteVolumeMountRequest(cleanupCtx, volumeRequestIDs); err != nil {
+				svcrunner.UpdateState(cleanupCtx, events.StateFailed, "Failed to clean up volumes: %v", err)
 			}
 		}()
 	}

internal/app/machined/pkg/system/services/apid.go

@@ -135,7 +135,7 @@ func (o *APID) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (o *APID) Volumes() []string {
+func (o *APID) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/auditd.go

@@ -51,7 +51,7 @@ func (s *Auditd) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (s *Auditd) Volumes() []string {
+func (s *Auditd) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/containerd.go

@@ -79,7 +79,7 @@ func (c *Containerd) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (c *Containerd) Volumes() []string {
+func (c *Containerd) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/cri.go

@@ -11,6 +11,7 @@ import (
 
 	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/defaults"
+	"github.com/siderolabs/gen/xslices"
 	"google.golang.org/grpc/health/grpc_health_v1"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
@@ -81,8 +82,24 @@ func (c *CRI) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (c *CRI) Volumes() []string {
+func (c *CRI) Volumes(r runtime.Runtime) []string {
-	return []string{constants.EphemeralPartitionLabel}
+	volumes := []string{
+		"/var/lib",
+		"/var/lib/cni",
+		"/var/lib/containerd",
+		"/var/run",
+		"/var/run/lock",
+	}
+
+	if !r.State().Platform().Mode().InContainer() {
+		volumes = append(volumes,
+			xslices.Map(constants.Overlays, func(target constants.SELinuxLabeledPath) string {
+				return target.Path
+			})...,
+		)
+	}
+
+	return volumes
 }
 
 // Runner implements the Service interface.

internal/app/machined/pkg/system/services/dashboard.go

@@ -51,7 +51,7 @@ func (d *Dashboard) DependsOn(_ runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (d *Dashboard) Volumes() []string {
+func (d *Dashboard) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/etcd.go

@@ -40,7 +40,6 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/containers/image"
 	"github.com/siderolabs/talos/internal/pkg/environment"
 	"github.com/siderolabs/talos/internal/pkg/etcd"
-	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/argsbuilder"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/filetree"
@@ -86,25 +85,6 @@ func (e *Etcd) ID(runtime.Runtime) string {
 //
 //nolint:gocyclo
 func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error {
-	if err := os.MkdirAll(constants.EtcdDataPath, 0o700); err != nil {
-		return err
-	}
-
-	// Data path might exist after upgrade from previous version of Talos.
-	if err := os.Chmod(constants.EtcdDataPath, 0o700); err != nil {
-		return err
-	}
-
-	// Relabel in case of upgrade from older version or SELinux being disabled and then enabled.
-	if err := selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel); err != nil {
-		return err
-	}
-
-	// Make sure etcd user can access files in the data directory.
-	if err := filetree.ChownRecursive(constants.EtcdDataPath, constants.EtcdUserID, constants.EtcdUserID); err != nil {
-		return err
-	}
-
 	client, err := containerdapi.New(constants.CRIContainerdAddress)
 	if err != nil {
 		return err
@@ -185,8 +165,11 @@ func (e *Etcd) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (e *Etcd) Volumes() []string {
+func (e *Etcd) Volumes(runtime.Runtime) []string {
-	return nil
+	return []string{
+		"/var/lib",
+		constants.EtcdDataVolumeID,
+	}
 }
 
 // Runner implements the Service interface.

internal/app/machined/pkg/system/services/extension.go

@@ -113,7 +113,7 @@ func (svc *Extension) DependsOn(r runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (svc *Extension) Volumes() []string {
+func (svc *Extension) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/kubelet.go

@@ -106,8 +106,18 @@ func (k *Kubelet) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (k *Kubelet) Volumes() []string {
+func (k *Kubelet) Volumes(runtime.Runtime) []string {
-	return nil
+	return []string{
+		"/var/lib",
+		"/var/lib/kubelet",
+		"/var/log",
+		"/var/log/audit",
+		"/var/log/containers",
+		"/var/log/pods",
+		"/var/lib/kubelet/seccomp",
+		constants.SeccompProfilesDirectory,
+		constants.KubernetesAuditLogDir,
+	}
 }
 
 // Runner implements the Service interface.
@@ -236,13 +246,11 @@ func kubeletSeccomp(seccomp *specs.LinuxSeccomp) {
 }
 
 func simpleHealthCheck(ctx context.Context, url string) error {
-	req, err := http.NewRequest(http.MethodGet, url, nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return err
 	}
 
-	req = req.WithContext(ctx)
-
 	resp, err := http.DefaultClient.Do(req) //nolint:bodyclose
 	if err != nil {
 		return err

internal/app/machined/pkg/system/services/machined.go

@@ -228,7 +228,7 @@ func (m *Machined) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (m *Machined) Volumes() []string {
+func (m *Machined) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/registryd.go

@@ -39,7 +39,7 @@ func (r *registryD) PreFunc(context.Context, runtime.Runtime) error      { retur
 func (r *registryD) PostFunc(runtime.Runtime, events.ServiceState) error { return nil }
 func (r *registryD) Condition(runtime.Runtime) conditions.Condition      { return nil }
 func (r *registryD) DependsOn(runtime.Runtime) []string                  { return nil }
-func (r *registryD) Volumes() []string                                   { return nil }
+func (r *registryD) Volumes(runtime.Runtime) []string                    { return nil }
 
 func (r *registryD) HealthFunc(runtime.Runtime) health.Check {
 	return func(ctx context.Context) error {

internal/app/machined/pkg/system/services/syslogd.go

@@ -51,7 +51,7 @@ func (s *Syslogd) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (s *Syslogd) Volumes() []string {
+func (s *Syslogd) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/trustd.go

@@ -136,7 +136,7 @@ func (t *Trustd) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (t *Trustd) Volumes() []string {
+func (t *Trustd) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/services/udevd.go

@@ -67,7 +67,7 @@ func (c *Udevd) DependsOn(runtime.Runtime) []string {
 }
 
 // Volumes implements the Service interface.
-func (c *Udevd) Volumes() []string {
+func (c *Udevd) Volumes(runtime.Runtime) []string {
 	return nil
 }
 

internal/app/machined/pkg/system/volumes.go

@@ -44,20 +44,9 @@ func (svcrunner *ServiceRunner) deleteVolumeMountRequest(ctx context.Context, re
 	}
 
 	for _, requestID := range requestIDs {
-		_, err := st.Teardown(ctx, block.NewVolumeMountRequest(block.NamespaceName, requestID).Metadata())
+		err := st.Destroy(ctx, block.NewVolumeMountRequest(block.NamespaceName, requestID).Metadata())
 		if err != nil {
-			return fmt.Errorf("failed to teardown mount request %q: %w", requestID, err)
+			return fmt.Errorf("failed to destroy volume mount request %q: %w", requestID, err)
-		}
-	}
-
-	for _, requestID := range requestIDs {
-		_, err := st.WatchFor(ctx, block.NewVolumeMountRequest(block.NamespaceName, requestID).Metadata(), state.WithFinalizerEmpty())
-		if err != nil {
-			return fmt.Errorf("failed to wait for teardown of mount request %q: %w", requestID, err)
-		}
-
-		if err = st.Destroy(ctx, block.NewVolumeMountRequest(block.NamespaceName, requestID).Metadata()); err != nil {
-			return fmt.Errorf("failed to destroy mount request %q: %w", requestID, err)
 		}
 	}
 

internal/integration/api/selinux.go

@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"github.com/cosi-project/runtime/pkg/resource/rtestutils"
+	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/siderolabs/go-pointer"
 	"github.com/siderolabs/go-procfs/procfs"
 	"github.com/stretchr/testify/assert"
@@ -76,8 +77,6 @@ func (suite *SELinuxSuite) getLabel(nodeCtx context.Context, pid int32) string {
 // to ensure SELinux labels for files are set when they are created and FS's are mounted with correct labels.
 // FIXME: cancel the test in case system was upgraded.
 func (suite *SELinuxSuite) TestFileMountLabels() {
-	suite.T().Skip("skipping this test until it becomes stable enough")
-
 	workers := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeWorker)
 	controlplanes := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeControlPlane)
 
@@ -85,9 +84,12 @@ func (suite *SELinuxSuite) TestFileMountLabels() {
 		// Mounts
 		constants.SystemPath:          constants.SystemSelinuxLabel,
 		constants.EphemeralMountPoint: constants.EphemeralSelinuxLabel,
-		constants.StateMountPoint:     constants.StateSelinuxLabel,
+		constants.StateMountPoint:     constants.SystemSelinuxLabel,
 		constants.SystemVarPath:       constants.SystemVarSelinuxLabel,
 		constants.RunPath:             constants.RunSelinuxLabel,
+		"/run/containerd":             "system_u:object_r:pod_containerd_run_t:s0",
+		"/run/lock":                   "system_u:object_r:var_lock_t:s0",
+		constants.SystemRunPath:       "system_u:object_r:system_run_t:s0",
 		"/var/run":                    constants.RunSelinuxLabel,
 		// Runtime files
 		constants.APIRuntimeSocketPath:  constants.APIRuntimeSocketLabel,
@@ -104,8 +106,15 @@ func (suite *SELinuxSuite) TestFileMountLabels() {
 		"/opt/cni":                        "system_u:object_r:cni_plugin_t:s0",
 		"/opt/containerd":                 "system_u:object_r:containerd_plugin_t:s0",
 		// Directories
-		"/var/lib/containerd": "system_u:object_r:containerd_state_t:s0",
+		"/var/lib/containerd":           "system_u:object_r:containerd_state_t:s0",
-		"/var/lib/kubelet":    "system_u:object_r:kubelet_state_t:s0",
+		"/var/lib/cni":                  "system_u:object_r:cni_state_t:s0",
+		"/var/lib/kubelet":              "system_u:object_r:kubelet_state_t:s0",
+		"/var/lib/kubelet/seccomp":      "system_u:object_r:seccomp_profile_t:s0",
+		"/var/log":                      "system_u:object_r:var_log_t:s0",
+		"/var/log/audit":                "system_u:object_r:audit_log_t:s0",
+		constants.KubernetesAuditLogDir: "system_u:object_r:kube_log_t:s0",
+		"/var/log/containers":           "system_u:object_r:containers_log_t:s0",
+		"/var/log/pods":                 "system_u:object_r:pods_log_t:s0",
 		// Mounts and runtime-generated files
 		constants.SystemEtcPath: constants.EtcSelinuxLabel,
 		"/etc":                  constants.EtcSelinuxLabel,
@@ -157,55 +166,69 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st
 			suite.T().Skip("skipping SELinux test since SELinux is disabled")
 		}
 
-		// We should check both folders and their contents for proper labels
+		extensions, err := safe.StateListAll[*runtimeres.ExtensionStatus](nodeCtx, suite.Client.COSI)
-		for _, dir := range []bool{true, false} {
+		suite.Require().NoError(err)
-			for path, label := range expectedLabels {
-				req := &machineapi.ListRequest{
-					Root:         path,
-					ReportXattrs: true,
-				}
-				if dir {
-					req.Types = []machineapi.ListRequest_Type{machineapi.ListRequest_DIRECTORY}
-				}
 
-				stream, err := suite.Client.LS(nodeCtx, req)
+		if extensions.Len() > 0 {
+			suite.T().Skip("skipping SELinux test since extensions are running")
+		}
 
-				suite.Require().NoError(err)
+		for path, label := range expectedLabels {
+			req := &machineapi.ListRequest{
+				Root:         path,
+				ReportXattrs: true,
+			}
 
-				err = helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
+			stream, err := suite.Client.LS(nodeCtx, req)
-					// E.g. /var/lib should inherit /var label, while /var/run is a new mountpoint
-					if slices.Contains(paths, info.Name) && info.Name != path {
-						return nil
-					}
 
-					suite.Require().NotNil(info.Xattrs)
+			suite.Require().NoError(err)
-
-					found := false
-
-					for _, l := range info.Xattrs {
-						if l.Name == "security.selinux" {
-							got := string(bytes.Trim(l.Data, "\x00\n"))
-							suite.Require().Contains(got, label, "expected %s to have label %s, got %s", path, label, got)
-
-							found = true
-
-							break
-						}
-					}
-
-					suite.Require().True(found)
 
+			err = helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
+				// E.g. /var/lib should inherit /var label, while /var/run is a new mountpoint
+				if slices.Contains(paths, info.Name) && info.Name != path {
 					return nil
-				})
-
-				if allowMissing {
-					if err != nil {
-						suite.Require().Contains(err.Error(), "lstat")
-						suite.Require().Contains(err.Error(), "no such file or directory")
-					}
-				} else {
-					suite.Require().NoError(err)
 				}
+
+				if slices.Contains(
+					[]string{
+						constants.RunPath,
+						constants.SystemRunPath,
+						"/run/containerd",
+						"/var/run",
+						"/var/log/containers",
+					},
+					path,
+				) && info.Name != path {
+					return nil
+				}
+
+				suite.Require().NotNil(info.Xattrs)
+
+				found := false
+
+				for _, l := range info.Xattrs {
+					if l.Name == "security.selinux" {
+						got := string(bytes.Trim(l.Data, "\x00\n"))
+						suite.Require().Contains(got, label, "expected %s to have label %s, got %s (checking %s)", info.Name, label, got, path)
+
+						found = true
+
+						break
+					}
+				}
+
+				suite.Require().True(found)
+
+				return nil
+			})
+
+			if allowMissing {
+				if err != nil {
+					suite.Require().Contains(err.Error(), "lstat")
+					suite.Require().Contains(err.Error(), "no such file or directory")
+				}
+			} else {
+				suite.Require().NoError(err)
 			}
 		}
 	}

internal/integration/k8s/tink.go

@@ -22,6 +22,7 @@ import (
 	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-pointer"
 	"github.com/siderolabs/go-retry/retry"
+	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -203,7 +204,11 @@ func (suite *TinkSuite) TestDeploy() {
 
 	suite.T().Log("bootstrapping")
 
-	suite.Require().NoError(talosClient.Bootstrap(ctx, &machineapi.BootstrapRequest{}))
+	suite.Require().EventuallyWithT(func(collect *assert.CollectT) {
+		asrt := assert.New(collect)
+
+		asrt.NoError(talosClient.Bootstrap(ctx, &machineapi.BootstrapRequest{}))
+	}, time.Minute, 100*time.Millisecond)
 
 	clusterAccess := &tinkClusterAccess{
 		KubernetesClient: cluster.KubernetesClient{

internal/pkg/mount/v2/overlay.go

@@ -1,20 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package mount
-
-import (
-	"github.com/siderolabs/gen/xslices"
-	"golang.org/x/sys/unix"
-
-	"github.com/siderolabs/talos/pkg/machinery/constants"
-)
-
-// OverlayMountPoints returns the mountpoints required to boot the system.
-// These mountpoints are used as overlays on top of the read only rootfs.
-func OverlayMountPoints() Points {
-	return xslices.Map(constants.Overlays, func(target constants.SELinuxLabeledPath) *Point {
-		return NewVarOverlay([]string{target.Path}, target.Path, WithFlags(unix.MS_I_VERSION), WithSelinuxLabel(target.Label))
-	})
-}

internal/pkg/selinux/selinux.go

@@ -49,6 +49,25 @@ var IsEnforcing = sync.OnceValue(func() bool {
 	return val != nil && *val == "1"
 })
 
+// GetLabel gets label for file, directory or symlink (not following symlinks)
+// It does not perform the operation in case SELinux is disabled.
+func GetLabel(filename string) (string, error) {
+	if !IsEnabled() {
+		return "", nil
+	}
+
+	label, err := xattr.LGet(filename, "security.selinux")
+	if err != nil {
+		return "", err
+	}
+
+	if label == nil {
+		return "", nil
+	}
+
+	return string(bytes.Trim(label, "\x00\n")), nil
+}
+
 // SetLabel sets label for file, directory or symlink (not following symlinks)
 // It does not perform the operation in case SELinux is disabled, provided label is empty or already set.
 func SetLabel(filename string, label string, excludeLabels ...string) error {
@@ -56,22 +75,22 @@ func SetLabel(filename string, label string, excludeLabels ...string) error {
 		return nil
 	}
 
-	// We use LGet/LSet so that we manipulate label on the exact path, not the symlink target.
+	currentLabel, err := GetLabel(filename)
-	currentLabel, err := xattr.LGet(filename, "security.selinux")
 	if err != nil {
 		return err
 	}
 
 	// Skip extra FS transactions when labels are okay.
-	if string(bytes.Trim(currentLabel, "\x00\n")) == label {
+	if currentLabel == label {
 		return nil
 	}
 
 	// Skip setting label if it's in excludeLabels.
-	if currentLabel != nil && slices.Contains(excludeLabels, string(bytes.Trim(currentLabel, "\x00\n"))) {
+	if currentLabel != "" && slices.Contains(excludeLabels, currentLabel) {
 		return nil
 	}
 
+	// We use LGet/LSet so that we manipulate label on the exact path, not the symlink target.
 	if err := xattr.LSet(filename, "security.selinux", []byte(label)); err != nil {
 		return err
 	}

pkg/machinery/api/resource/definitions/block/block.pb.go

@@ -983,6 +983,10 @@ type MountSpec struct {
 	SelinuxLabel        string                 `protobuf:"bytes,2,opt,name=selinux_label,json=selinuxLabel,proto3" json:"selinux_label,omitempty"`
 	ProjectQuotaSupport bool                   `protobuf:"varint,3,opt,name=project_quota_support,json=projectQuotaSupport,proto3" json:"project_quota_support,omitempty"`
 	ParentId            string                 `protobuf:"bytes,4,opt,name=parent_id,json=parentId,proto3" json:"parent_id,omitempty"`
+	FileMode            uint32                 `protobuf:"varint,5,opt,name=file_mode,json=fileMode,proto3" json:"file_mode,omitempty"`
+	Uid                 int64                  `protobuf:"varint,6,opt,name=uid,proto3" json:"uid,omitempty"`
+	Gid                 int64                  `protobuf:"varint,7,opt,name=gid,proto3" json:"gid,omitempty"`
+	RecursiveRelabel    bool                   `protobuf:"varint,8,opt,name=recursive_relabel,json=recursiveRelabel,proto3" json:"recursive_relabel,omitempty"`
 	unknownFields       protoimpl.UnknownFields
 	sizeCache           protoimpl.SizeCache
 }
@@ -1045,6 +1049,34 @@ func (x *MountSpec) GetParentId() string {
 	return ""
 }
 
+func (x *MountSpec) GetFileMode() uint32 {
+	if x != nil {
+		return x.FileMode
+	}
+	return 0
+}
+
+func (x *MountSpec) GetUid() int64 {
+	if x != nil {
+		return x.Uid
+	}
+	return 0
+}
+
+func (x *MountSpec) GetGid() int64 {
+	if x != nil {
+		return x.Gid
+	}
+	return 0
+}
+
+func (x *MountSpec) GetRecursiveRelabel() bool {
+	if x != nil {
+		return x.RecursiveRelabel
+	}
+	return false
+}
+
 // MountStatusSpec is the spec for MountStatus.
 type MountStatusSpec struct {
 	state               protoimpl.MessageState            `protogen:"open.v1"`
@@ -1284,6 +1316,59 @@ func (x *ProvisioningSpec) GetFilesystemSpec() *FilesystemSpec {
 	return nil
 }
 
+// SymlinkProvisioningSpec is the spec for volume symlink.
+type SymlinkProvisioningSpec struct {
+	state             protoimpl.MessageState `protogen:"open.v1"`
+	SymlinkTargetPath string                 `protobuf:"bytes,1,opt,name=symlink_target_path,json=symlinkTargetPath,proto3" json:"symlink_target_path,omitempty"`
+	Force             bool                   `protobuf:"varint,2,opt,name=force,proto3" json:"force,omitempty"`
+	unknownFields     protoimpl.UnknownFields
+	sizeCache         protoimpl.SizeCache
+}
+
+func (x *SymlinkProvisioningSpec) Reset() {
+	*x = SymlinkProvisioningSpec{}
+	mi := &file_resource_definitions_block_block_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SymlinkProvisioningSpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SymlinkProvisioningSpec) ProtoMessage() {}
+
+func (x *SymlinkProvisioningSpec) ProtoReflect() protoreflect.Message {
+	mi := &file_resource_definitions_block_block_proto_msgTypes[15]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SymlinkProvisioningSpec.ProtoReflect.Descriptor instead.
+func (*SymlinkProvisioningSpec) Descriptor() ([]byte, []int) {
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{15}
+}
+
+func (x *SymlinkProvisioningSpec) GetSymlinkTargetPath() string {
+	if x != nil {
+		return x.SymlinkTargetPath
+	}
+	return ""
+}
+
+func (x *SymlinkProvisioningSpec) GetForce() bool {
+	if x != nil {
+		return x.Force
+	}
+	return false
+}
+
 // SymlinkSpec is the spec for Symlinks resource.
 type SymlinkSpec struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -1294,7 +1379,7 @@ type SymlinkSpec struct {
 
 func (x *SymlinkSpec) Reset() {
 	*x = SymlinkSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[15]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[16]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1306,7 +1391,7 @@ func (x *SymlinkSpec) String() string {
 func (*SymlinkSpec) ProtoMessage() {}
 
 func (x *SymlinkSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[15]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[16]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1319,7 +1404,7 @@ func (x *SymlinkSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SymlinkSpec.ProtoReflect.Descriptor instead.
 func (*SymlinkSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{15}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{16}
 }
 
 func (x *SymlinkSpec) GetPaths() []string {
@@ -1340,7 +1425,7 @@ type SystemDiskSpec struct {
 
 func (x *SystemDiskSpec) Reset() {
 	*x = SystemDiskSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[16]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1352,7 +1437,7 @@ func (x *SystemDiskSpec) String() string {
 func (*SystemDiskSpec) ProtoMessage() {}
 
 func (x *SystemDiskSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[16]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1365,7 +1450,7 @@ func (x *SystemDiskSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SystemDiskSpec.ProtoReflect.Descriptor instead.
 func (*SystemDiskSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{16}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{17}
 }
 
 func (x *SystemDiskSpec) GetDiskId() string {
@@ -1393,7 +1478,7 @@ type UserDiskConfigStatusSpec struct {
 
 func (x *UserDiskConfigStatusSpec) Reset() {
 	*x = UserDiskConfigStatusSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[17]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1405,7 +1490,7 @@ func (x *UserDiskConfigStatusSpec) String() string {
 func (*UserDiskConfigStatusSpec) ProtoMessage() {}
 
 func (x *UserDiskConfigStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[17]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1418,7 +1503,7 @@ func (x *UserDiskConfigStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use UserDiskConfigStatusSpec.ProtoReflect.Descriptor instead.
 func (*UserDiskConfigStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{17}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{18}
 }
 
 func (x *UserDiskConfigStatusSpec) GetReady() bool {
@@ -1437,20 +1522,21 @@ func (x *UserDiskConfigStatusSpec) GetTornDown() bool {
 
 // VolumeConfigSpec is the spec for VolumeConfig resource.
 type VolumeConfigSpec struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
+	state         protoimpl.MessageState   `protogen:"open.v1"`
-	ParentId      string                 `protobuf:"bytes,1,opt,name=parent_id,json=parentId,proto3" json:"parent_id,omitempty"`
+	ParentId      string                   `protobuf:"bytes,1,opt,name=parent_id,json=parentId,proto3" json:"parent_id,omitempty"`
-	Type          enums.BlockVolumeType  `protobuf:"varint,2,opt,name=type,proto3,enum=talos.resource.definitions.enums.BlockVolumeType" json:"type,omitempty"`
+	Type          enums.BlockVolumeType    `protobuf:"varint,2,opt,name=type,proto3,enum=talos.resource.definitions.enums.BlockVolumeType" json:"type,omitempty"`
-	Provisioning  *ProvisioningSpec      `protobuf:"bytes,3,opt,name=provisioning,proto3" json:"provisioning,omitempty"`
+	Provisioning  *ProvisioningSpec        `protobuf:"bytes,3,opt,name=provisioning,proto3" json:"provisioning,omitempty"`
-	Locator       *LocatorSpec           `protobuf:"bytes,4,opt,name=locator,proto3" json:"locator,omitempty"`
+	Locator       *LocatorSpec             `protobuf:"bytes,4,opt,name=locator,proto3" json:"locator,omitempty"`
-	Mount         *MountSpec             `protobuf:"bytes,5,opt,name=mount,proto3" json:"mount,omitempty"`
+	Mount         *MountSpec               `protobuf:"bytes,5,opt,name=mount,proto3" json:"mount,omitempty"`
-	Encryption    *EncryptionSpec        `protobuf:"bytes,6,opt,name=encryption,proto3" json:"encryption,omitempty"`
+	Encryption    *EncryptionSpec          `protobuf:"bytes,6,opt,name=encryption,proto3" json:"encryption,omitempty"`
+	Symlink       *SymlinkProvisioningSpec `protobuf:"bytes,7,opt,name=symlink,proto3" json:"symlink,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
 func (x *VolumeConfigSpec) Reset() {
 	*x = VolumeConfigSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[18]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1462,7 +1548,7 @@ func (x *VolumeConfigSpec) String() string {
 func (*VolumeConfigSpec) ProtoMessage() {}
 
 func (x *VolumeConfigSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[18]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1475,7 +1561,7 @@ func (x *VolumeConfigSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use VolumeConfigSpec.ProtoReflect.Descriptor instead.
 func (*VolumeConfigSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{18}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{19}
 }
 
 func (x *VolumeConfigSpec) GetParentId() string {
@@ -1520,6 +1606,13 @@ func (x *VolumeConfigSpec) GetEncryption() *EncryptionSpec {
 	return nil
 }
 
+func (x *VolumeConfigSpec) GetSymlink() *SymlinkProvisioningSpec {
+	if x != nil {
+		return x.Symlink
+	}
+	return nil
+}
+
 // VolumeMountRequestSpec is the spec for VolumeMountRequest.
 type VolumeMountRequestSpec struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -1532,7 +1625,7 @@ type VolumeMountRequestSpec struct {
 
 func (x *VolumeMountRequestSpec) Reset() {
 	*x = VolumeMountRequestSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[19]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1544,7 +1637,7 @@ func (x *VolumeMountRequestSpec) String() string {
 func (*VolumeMountRequestSpec) ProtoMessage() {}
 
 func (x *VolumeMountRequestSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[19]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1557,7 +1650,7 @@ func (x *VolumeMountRequestSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use VolumeMountRequestSpec.ProtoReflect.Descriptor instead.
 func (*VolumeMountRequestSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{19}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{20}
 }
 
 func (x *VolumeMountRequestSpec) GetVolumeId() string {
@@ -1594,7 +1687,7 @@ type VolumeMountStatusSpec struct {
 
 func (x *VolumeMountStatusSpec) Reset() {
 	*x = VolumeMountStatusSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[20]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1606,7 +1699,7 @@ func (x *VolumeMountStatusSpec) String() string {
 func (*VolumeMountStatusSpec) ProtoMessage() {}
 
 func (x *VolumeMountStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[20]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1619,7 +1712,7 @@ func (x *VolumeMountStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use VolumeMountStatusSpec.ProtoReflect.Descriptor instead.
 func (*VolumeMountStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{20}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{21}
 }
 
 func (x *VolumeMountStatusSpec) GetVolumeId() string {
@@ -1670,13 +1763,15 @@ type VolumeStatusSpec struct {
 	MountSpec                *MountSpec                        `protobuf:"bytes,15,opt,name=mount_spec,json=mountSpec,proto3" json:"mount_spec,omitempty"`
 	Type                     enums.BlockVolumeType             `protobuf:"varint,16,opt,name=type,proto3,enum=talos.resource.definitions.enums.BlockVolumeType" json:"type,omitempty"`
 	ConfiguredEncryptionKeys []string                          `protobuf:"bytes,17,rep,name=configured_encryption_keys,json=configuredEncryptionKeys,proto3" json:"configured_encryption_keys,omitempty"`
+	SymlinkSpec              *SymlinkProvisioningSpec          `protobuf:"bytes,18,opt,name=symlink_spec,json=symlinkSpec,proto3" json:"symlink_spec,omitempty"`
+	ParentId                 string                            `protobuf:"bytes,19,opt,name=parent_id,json=parentId,proto3" json:"parent_id,omitempty"`
 	unknownFields            protoimpl.UnknownFields
 	sizeCache                protoimpl.SizeCache
 }
 
 func (x *VolumeStatusSpec) Reset() {
 	*x = VolumeStatusSpec{}
-	mi := &file_resource_definitions_block_block_proto_msgTypes[21]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1688,7 +1783,7 @@ func (x *VolumeStatusSpec) String() string {
 func (*VolumeStatusSpec) ProtoMessage() {}
 
 func (x *VolumeStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_block_block_proto_msgTypes[21]
+	mi := &file_resource_definitions_block_block_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1701,7 +1796,7 @@ func (x *VolumeStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use VolumeStatusSpec.ProtoReflect.Descriptor instead.
 func (*VolumeStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{21}
+	return file_resource_definitions_block_block_proto_rawDescGZIP(), []int{22}
 }
 
 func (x *VolumeStatusSpec) GetPhase() enums.BlockVolumePhase {
@@ -1823,6 +1918,20 @@ func (x *VolumeStatusSpec) GetConfiguredEncryptionKeys() []string {
 	return nil
 }
 
+func (x *VolumeStatusSpec) GetSymlinkSpec() *SymlinkProvisioningSpec {
+	if x != nil {
+		return x.SymlinkSpec
+	}
+	return nil
+}
+
+func (x *VolumeStatusSpec) GetParentId() string {
+	if x != nil {
+		return x.ParentId
+	}
+	return ""
+}
+
 var File_resource_definitions_block_block_proto protoreflect.FileDescriptor
 
 var file_resource_definitions_block_block_proto_rawDesc = string([]byte{
@@ -1995,7 +2104,7 @@ var file_resource_definitions_block_block_proto_rawDesc = string([]byte{
 	0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x49,
 	0x44, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x6f, 0x6e, 0x6c, 0x79, 0x18,
 	0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x61, 0x64, 0x4f, 0x6e, 0x6c, 0x79, 0x22,
-	0xa2, 0x01, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, 0x0a,
+	0x90, 0x02, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, 0x0a,
 	0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x23,
 	0x0a, 0x0d, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x5f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18,
@@ -2005,182 +2114,208 @@ var file_resource_definitions_block_block_proto_rawDesc = string([]byte{
 	0x28, 0x08, 0x52, 0x13, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x51, 0x75, 0x6f, 0x74, 0x61,
 	0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e,
 	0x74, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65,
-	0x6e, 0x74, 0x49, 0x64, 0x22, 0xa1, 0x03, 0x0a, 0x0f, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74,
+	0x6e, 0x74, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x6d, 0x6f, 0x64,
-	0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x46, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63,
+	0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x4d, 0x6f, 0x64,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72,
+	0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03,
-	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
+	0x75, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03,
-	0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52,
+	0x52, 0x03, 0x67, 0x69, 0x64, 0x12, 0x2b, 0x0a, 0x11, 0x72, 0x65, 0x63, 0x75, 0x72, 0x73, 0x69,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63,
+	0x76, 0x65, 0x5f, 0x72, 0x65, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08,
-	0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x10, 0x72, 0x65, 0x63, 0x75, 0x72, 0x73, 0x69, 0x76, 0x65, 0x52, 0x65, 0x6c, 0x61, 0x62,
-	0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72,
+	0x65, 0x6c, 0x22, 0xa1, 0x03, 0x0a, 0x0f, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74,
-	0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
+	0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x46, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x01,
-	0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x04,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73,
 	0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c,
+	0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x71,
-	0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c,
+	0x75, 0x65, 0x73, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x12, 0x16,
-	0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65, 0x61, 0x64, 0x5f,
+	0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x6f, 0x6e, 0x6c, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x61, 0x64,
+	0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x4f, 0x6e, 0x6c, 0x79, 0x12, 0x32, 0x0a, 0x15, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x5f,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x55,
-	0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20,
+	0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x04, 0x20, 0x01,
-	0x01, 0x28, 0x08, 0x52, 0x13, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x51, 0x75, 0x6f, 0x74,
+	0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75,
-	0x61, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18,
-	0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e,
-	0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72,
-	0x54, 0x79, 0x70, 0x65, 0x52, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72,
-	0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69,
-	0x6e, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69,
-	0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65,
-	0x12, 0x12, 0x0a, 0x04, 0x67, 0x72, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04,
-	0x67, 0x72, 0x6f, 0x77, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79,
-	0x70, 0x65, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74,
-	0x79, 0x70, 0x65, 0x55, 0x75, 0x69, 0x64, 0x22, 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76,
-	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d,
-	0x64, 0x69, 0x73, 0x6b, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63,
-	0x74, 0x6f, 0x72, 0x52, 0x0c, 0x64, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f,
-	0x72, 0x12, 0x56, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73,
-	0x70, 0x65, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f,
-	0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72,
-	0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76,
-	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a,
-	0x0f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63,
-	0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72,
-	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79,
-	0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79,
-	0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, 0x22, 0x23, 0x0a, 0x0b, 0x53, 0x79, 0x6d, 0x6c,
-	0x69, 0x6e, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73,
-	0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x22, 0x44, 0x0a,
-	0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12,
-	0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x65, 0x76, 0x5f,
-	0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x76, 0x50,
-	0x61, 0x74, 0x68, 0x22, 0x4d, 0x0a, 0x18, 0x55, 0x73, 0x65, 0x72, 0x44, 0x69, 0x73, 0x6b, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12,
-	0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05,
-	0x72, 0x65, 0x61, 0x64, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x6f, 0x72, 0x6e, 0x5f, 0x64, 0x6f,
-	0x77, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x74, 0x6f, 0x72, 0x6e, 0x44, 0x6f,
-	0x77, 0x6e, 0x22, 0xac, 0x03, 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e,
-	0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65,
-	0x6e, 0x74, 0x49, 0x64, 0x12, 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75,
 	0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
-	0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d,
+	0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c, 0x65, 0x73,
-	0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x56, 0x0a, 0x0c, 0x70,
+	0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73,
-	0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x6f, 0x6e,
-	0x0b, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x6c, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x61, 0x64, 0x4f, 0x6e,
-	0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62,
+	0x6c, 0x79, 0x12, 0x32, 0x0a, 0x15, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x71, 0x75,
-	0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e,
+	0x6f, 0x74, 0x61, 0x5f, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28,
-	0x67, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e,
+	0x08, 0x52, 0x13, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x53,
-	0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04,
+	0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73,
+	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x07, 0x20,
-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53,
-	0x70, 0x65, 0x63, 0x52, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x41, 0x0a, 0x05,
-	0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61,
-	0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66,
-	0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d,
-	0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12,
-	0x50, 0x0a, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x22, 0x70, 0x0a, 0x16, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x76,
-	0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
-	0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x49, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x6f,
-	0x6e, 0x6c, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x61, 0x64, 0x4f,
-	0x6e, 0x6c, 0x79, 0x22, 0x87, 0x01, 0x0a, 0x15, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d, 0x6f,
-	0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a,
-	0x09, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x08, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x49, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67,
-	0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74,
-	0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x6f, 0x6e, 0x6c, 0x79, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x61, 0x64, 0x4f, 0x6e, 0x6c, 0x79, 0x22, 0xb0, 0x07,
-	0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70,
-	0x65, 0x63, 0x12, 0x48, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
-	0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65,
-	0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
-	0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08,
-	0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
-	0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f,
-	0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a,
-	0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69,
-	0x64, 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75,
-	0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69,
-	0x74, 0x69, 0x6f, 0x6e, 0x55, 0x75, 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f,
-	0x66, 0x61, 0x69, 0x6c, 0x5f, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e,
-	0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
-	0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e,
-	0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50,
-	0x68, 0x61, 0x73, 0x65, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61,
-	0x73, 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72,
-	0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70,
-	0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08,
-	0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49,
-	0x6e, 0x64, 0x65, 0x78, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01,
-	0x28, 0x04, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65,
-	0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74,
-	0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65,
-	0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e,
-	0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54,
-	0x79, 0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12,
-	0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20,
 	0x01, 0x28, 0x0e, 0x32, 0x3d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f,
 	0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
 	0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72,
 	0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79,
 	0x70, 0x65, 0x52, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72,
-	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69,
-	0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65,
+	0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f,
-	0x74, 0x74, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x65, 0x6e, 0x63, 0x72, 0x79,
+	0x73, 0x69, 0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x5f, 0x73, 0x79, 0x6e,
+	0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18,
-	0x63, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12,
-	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x53, 0x79, 0x6e, 0x63, 0x73, 0x12,
+	0x0a, 0x04, 0x67, 0x72, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72,
-	0x4a, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x0f, 0x20,
+	0x6f, 0x77, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f,
+	0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65,
+	0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70,
+	0x65, 0x55, 0x75, 0x69, 0x64, 0x22, 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73,
+	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69,
+	0x73, 0x6b, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x2e, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62,
+	0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f,
+	0x72, 0x52, 0x0c, 0x64, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12,
+	0x56, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65,
+	0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e,
+	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69,
+	0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74,
+	0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66,
+	0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e,
+	0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74,
+	0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74,
+	0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, 0x22, 0x5f, 0x0a, 0x17, 0x53, 0x79, 0x6d, 0x6c, 0x69, 0x6e,
+	0x6b, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65,
+	0x63, 0x12, 0x2e, 0x0a, 0x13, 0x73, 0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x5f, 0x74, 0x61, 0x72,
+	0x67, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11,
+	0x73, 0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74,
+	0x68, 0x12, 0x14, 0x0a, 0x05, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08,
+	0x52, 0x05, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x22, 0x23, 0x0a, 0x0b, 0x53, 0x79, 0x6d, 0x6c, 0x69,
+	0x6e, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x22, 0x44, 0x0a, 0x0e,
+	0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17,
+	0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x65, 0x76, 0x5f, 0x70,
+	0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x76, 0x50, 0x61,
+	0x74, 0x68, 0x22, 0x4d, 0x0a, 0x18, 0x55, 0x73, 0x65, 0x72, 0x44, 0x69, 0x73, 0x6b, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14,
+	0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x72,
+	0x65, 0x61, 0x64, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x6f, 0x72, 0x6e, 0x5f, 0x64, 0x6f, 0x77,
+	0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x74, 0x6f, 0x72, 0x6e, 0x44, 0x6f, 0x77,
+	0x6e, 0x22, 0x81, 0x04, 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74,
+	0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e,
+	0x74, 0x49, 0x64, 0x12, 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65,
+	0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
+	0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72,
+	0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c,
+	0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67,
+	0x53, 0x70, 0x65, 0x63, 0x52, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69,
+	0x6e, 0x67, 0x12, 0x47, 0x0a, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f,
 	0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63,
+	0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70,
-	0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x45, 0x0a, 0x04, 0x74,
+	0x65, 0x63, 0x52, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x41, 0x0a, 0x05, 0x6d,
-	0x79, 0x70, 0x65, 0x18, 0x10, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f,
+	0x6f, 0x75, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c,
-	0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e,
+	0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f,
+	0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f,
-	0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
+	0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50,
-	0x70, 0x65, 0x12, 0x3c, 0x0a, 0x1a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x65, 0x64,
+	0x0a, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01,
-	0x5f, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x73,
+	0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75,
-	0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, 0x18, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72,
+	0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
-	0x65, 0x64, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x73,
+	0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70,
+	0x53, 0x70, 0x65, 0x63, 0x52, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e,
+	0x12, 0x53, 0x0a, 0x07, 0x73, 0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x07, 0x20, 0x01, 0x28,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x5a, 0x48, 0x67, 0x69,
+	0x0b, 0x32, 0x39, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
-	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c,
+	0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62,
-	0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61,
+	0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x53, 0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x50, 0x72, 0x6f, 0x76,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f,
+	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07, 0x73, 0x79,
-	0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
+	0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x22, 0x70, 0x0a, 0x16, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d,
-	0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12,
+	0x1b, 0x0a, 0x09, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x49, 0x64, 0x12, 0x1c, 0x0a, 0x09,
+	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x09, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65,
+	0x61, 0x64, 0x5f, 0x6f, 0x6e, 0x6c, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72,
+	0x65, 0x61, 0x64, 0x4f, 0x6e, 0x6c, 0x79, 0x22, 0x87, 0x01, 0x0a, 0x15, 0x56, 0x6f, 0x6c, 0x75,
+	0x6d, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65,
+	0x63, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x49, 0x64, 0x12, 0x1c,
+	0x0a, 0x09, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06,
+	0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61,
+	0x72, 0x67, 0x65, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x6f, 0x6e, 0x6c,
+	0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x61, 0x64, 0x4f, 0x6e, 0x6c,
+	0x79, 0x22, 0xab, 0x08, 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74,
+	0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x48, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f,
+	0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f,
+	0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65,
+	0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d,
+	0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
+	0x65, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69,
+	0x6f, 0x6e, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70,
+	0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x75, 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e,
+	0x70, 0x72, 0x65, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x5f, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x06,
+	0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e,
+	0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c,
+	0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x46, 0x61, 0x69,
+	0x6c, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74,
+	0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0e, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+	0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64,
+	0x65, 0x78, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74,
+	0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65,
+	0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a,
+	0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x35, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e,
+	0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73,
+	0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73,
+	0x74, 0x65, 0x6d, 0x12, 0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75,
+	0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
+	0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e,
+	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64,
+	0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x52, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69,
+	0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72,
+	0x65, 0x74, 0x74, 0x79, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x65,
+	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64,
+	0x5f, 0x73, 0x79, 0x6e, 0x63, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x65, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x53, 0x79,
+	0x6e, 0x63, 0x73, 0x12, 0x4a, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x73, 0x70, 0x65,
+	0x63, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e,
+	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74,
+	0x53, 0x70, 0x65, 0x63, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12,
+	0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x10, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e,
+	0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64,
+	0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73,
+	0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65,
+	0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x3c, 0x0a, 0x1a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x75, 0x72, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+	0x6b, 0x65, 0x79, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, 0x18, 0x63, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x75, 0x72, 0x65, 0x64, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e,
+	0x4b, 0x65, 0x79, 0x73, 0x12, 0x5c, 0x0a, 0x0c, 0x73, 0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x5f,
+	0x73, 0x70, 0x65, 0x63, 0x18, 0x12, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x74, 0x61, 0x6c,
+	0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69,
+	0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x53, 0x79,
+	0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e,
+	0x67, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0b, 0x73, 0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x53, 0x70,
+	0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18,
+	0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x42,
+	0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69,
+	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x5a, 0x48, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61,
+	0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
+	0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 
 var (
@@ -2195,7 +2330,7 @@ func file_resource_definitions_block_block_proto_rawDescGZIP() []byte {
 	return file_resource_definitions_block_block_proto_rawDescData
 }
 
-var file_resource_definitions_block_block_proto_msgTypes = make([]protoimpl.MessageInfo, 22)
+var file_resource_definitions_block_block_proto_msgTypes = make([]protoimpl.MessageInfo, 23)
 var file_resource_definitions_block_block_proto_goTypes = []any{
 	(*DeviceSpec)(nil),                     // 0: talos.resource.definitions.block.DeviceSpec
 	(*DiscoveredVolumeSpec)(nil),           // 1: talos.resource.definitions.block.DiscoveredVolumeSpec
@@ -2212,49 +2347,52 @@ var file_resource_definitions_block_block_proto_goTypes = []any{
 	(*MountStatusSpec)(nil),                // 12: talos.resource.definitions.block.MountStatusSpec
 	(*PartitionSpec)(nil),                  // 13: talos.resource.definitions.block.PartitionSpec
 	(*ProvisioningSpec)(nil),               // 14: talos.resource.definitions.block.ProvisioningSpec
-	(*SymlinkSpec)(nil),                    // 15: talos.resource.definitions.block.SymlinkSpec
+	(*SymlinkProvisioningSpec)(nil),        // 15: talos.resource.definitions.block.SymlinkProvisioningSpec
-	(*SystemDiskSpec)(nil),                 // 16: talos.resource.definitions.block.SystemDiskSpec
+	(*SymlinkSpec)(nil),                    // 16: talos.resource.definitions.block.SymlinkSpec
-	(*UserDiskConfigStatusSpec)(nil),       // 17: talos.resource.definitions.block.UserDiskConfigStatusSpec
+	(*SystemDiskSpec)(nil),                 // 17: talos.resource.definitions.block.SystemDiskSpec
-	(*VolumeConfigSpec)(nil),               // 18: talos.resource.definitions.block.VolumeConfigSpec
+	(*UserDiskConfigStatusSpec)(nil),       // 18: talos.resource.definitions.block.UserDiskConfigStatusSpec
-	(*VolumeMountRequestSpec)(nil),         // 19: talos.resource.definitions.block.VolumeMountRequestSpec
+	(*VolumeConfigSpec)(nil),               // 19: talos.resource.definitions.block.VolumeConfigSpec
-	(*VolumeMountStatusSpec)(nil),          // 20: talos.resource.definitions.block.VolumeMountStatusSpec
+	(*VolumeMountRequestSpec)(nil),         // 20: talos.resource.definitions.block.VolumeMountRequestSpec
-	(*VolumeStatusSpec)(nil),               // 21: talos.resource.definitions.block.VolumeStatusSpec
+	(*VolumeMountStatusSpec)(nil),          // 21: talos.resource.definitions.block.VolumeMountStatusSpec
-	(*v1alpha1.CheckedExpr)(nil),           // 22: google.api.expr.v1alpha1.CheckedExpr
+	(*VolumeStatusSpec)(nil),               // 22: talos.resource.definitions.block.VolumeStatusSpec
-	(enums.BlockEncryptionKeyType)(0),      // 23: talos.resource.definitions.enums.BlockEncryptionKeyType
+	(*v1alpha1.CheckedExpr)(nil),           // 23: google.api.expr.v1alpha1.CheckedExpr
-	(enums.BlockEncryptionProviderType)(0), // 24: talos.resource.definitions.enums.BlockEncryptionProviderType
+	(enums.BlockEncryptionKeyType)(0),      // 24: talos.resource.definitions.enums.BlockEncryptionKeyType
-	(enums.BlockFilesystemType)(0),         // 25: talos.resource.definitions.enums.BlockFilesystemType
+	(enums.BlockEncryptionProviderType)(0), // 25: talos.resource.definitions.enums.BlockEncryptionProviderType
-	(enums.BlockVolumeType)(0),             // 26: talos.resource.definitions.enums.BlockVolumeType
+	(enums.BlockFilesystemType)(0),         // 26: talos.resource.definitions.enums.BlockFilesystemType
-	(enums.BlockVolumePhase)(0),            // 27: talos.resource.definitions.enums.BlockVolumePhase
+	(enums.BlockVolumeType)(0),             // 27: talos.resource.definitions.enums.BlockVolumeType
+	(enums.BlockVolumePhase)(0),            // 28: talos.resource.definitions.enums.BlockVolumePhase
 }
 var file_resource_definitions_block_block_proto_depIdxs = []int32{
-	22, // 0: talos.resource.definitions.block.DiskSelector.match:type_name -> google.api.expr.v1alpha1.CheckedExpr
+	23, // 0: talos.resource.definitions.block.DiskSelector.match:type_name -> google.api.expr.v1alpha1.CheckedExpr
-	23, // 1: talos.resource.definitions.block.EncryptionKey.type:type_name -> talos.resource.definitions.enums.BlockEncryptionKeyType
+	24, // 1: talos.resource.definitions.block.EncryptionKey.type:type_name -> talos.resource.definitions.enums.BlockEncryptionKeyType
-	24, // 2: talos.resource.definitions.block.EncryptionSpec.provider:type_name -> talos.resource.definitions.enums.BlockEncryptionProviderType
+	25, // 2: talos.resource.definitions.block.EncryptionSpec.provider:type_name -> talos.resource.definitions.enums.BlockEncryptionProviderType
 	6,  // 3: talos.resource.definitions.block.EncryptionSpec.keys:type_name -> talos.resource.definitions.block.EncryptionKey
-	25, // 4: talos.resource.definitions.block.FilesystemSpec.type:type_name -> talos.resource.definitions.enums.BlockFilesystemType
+	26, // 4: talos.resource.definitions.block.FilesystemSpec.type:type_name -> talos.resource.definitions.enums.BlockFilesystemType
-	22, // 5: talos.resource.definitions.block.LocatorSpec.match:type_name -> google.api.expr.v1alpha1.CheckedExpr
+	23, // 5: talos.resource.definitions.block.LocatorSpec.match:type_name -> google.api.expr.v1alpha1.CheckedExpr
 	10, // 6: talos.resource.definitions.block.MountStatusSpec.spec:type_name -> talos.resource.definitions.block.MountRequestSpec
-	25, // 7: talos.resource.definitions.block.MountStatusSpec.filesystem:type_name -> talos.resource.definitions.enums.BlockFilesystemType
+	26, // 7: talos.resource.definitions.block.MountStatusSpec.filesystem:type_name -> talos.resource.definitions.enums.BlockFilesystemType
-	24, // 8: talos.resource.definitions.block.MountStatusSpec.encryption_provider:type_name -> talos.resource.definitions.enums.BlockEncryptionProviderType
+	25, // 8: talos.resource.definitions.block.MountStatusSpec.encryption_provider:type_name -> talos.resource.definitions.enums.BlockEncryptionProviderType
 	4,  // 9: talos.resource.definitions.block.ProvisioningSpec.disk_selector:type_name -> talos.resource.definitions.block.DiskSelector
 	13, // 10: talos.resource.definitions.block.ProvisioningSpec.partition_spec:type_name -> talos.resource.definitions.block.PartitionSpec
 	8,  // 11: talos.resource.definitions.block.ProvisioningSpec.filesystem_spec:type_name -> talos.resource.definitions.block.FilesystemSpec
-	26, // 12: talos.resource.definitions.block.VolumeConfigSpec.type:type_name -> talos.resource.definitions.enums.BlockVolumeType
+	27, // 12: talos.resource.definitions.block.VolumeConfigSpec.type:type_name -> talos.resource.definitions.enums.BlockVolumeType
 	14, // 13: talos.resource.definitions.block.VolumeConfigSpec.provisioning:type_name -> talos.resource.definitions.block.ProvisioningSpec
 	9,  // 14: talos.resource.definitions.block.VolumeConfigSpec.locator:type_name -> talos.resource.definitions.block.LocatorSpec
 	11, // 15: talos.resource.definitions.block.VolumeConfigSpec.mount:type_name -> talos.resource.definitions.block.MountSpec
 	7,  // 16: talos.resource.definitions.block.VolumeConfigSpec.encryption:type_name -> talos.resource.definitions.block.EncryptionSpec
-	27, // 17: talos.resource.definitions.block.VolumeStatusSpec.phase:type_name -> talos.resource.definitions.enums.BlockVolumePhase
+	15, // 17: talos.resource.definitions.block.VolumeConfigSpec.symlink:type_name -> talos.resource.definitions.block.SymlinkProvisioningSpec
-	27, // 18: talos.resource.definitions.block.VolumeStatusSpec.pre_fail_phase:type_name -> talos.resource.definitions.enums.BlockVolumePhase
+	28, // 18: talos.resource.definitions.block.VolumeStatusSpec.phase:type_name -> talos.resource.definitions.enums.BlockVolumePhase
-	25, // 19: talos.resource.definitions.block.VolumeStatusSpec.filesystem:type_name -> talos.resource.definitions.enums.BlockFilesystemType
+	28, // 19: talos.resource.definitions.block.VolumeStatusSpec.pre_fail_phase:type_name -> talos.resource.definitions.enums.BlockVolumePhase
-	24, // 20: talos.resource.definitions.block.VolumeStatusSpec.encryption_provider:type_name -> talos.resource.definitions.enums.BlockEncryptionProviderType
+	26, // 20: talos.resource.definitions.block.VolumeStatusSpec.filesystem:type_name -> talos.resource.definitions.enums.BlockFilesystemType
-	11, // 21: talos.resource.definitions.block.VolumeStatusSpec.mount_spec:type_name -> talos.resource.definitions.block.MountSpec
+	25, // 21: talos.resource.definitions.block.VolumeStatusSpec.encryption_provider:type_name -> talos.resource.definitions.enums.BlockEncryptionProviderType
-	26, // 22: talos.resource.definitions.block.VolumeStatusSpec.type:type_name -> talos.resource.definitions.enums.BlockVolumeType
+	11, // 22: talos.resource.definitions.block.VolumeStatusSpec.mount_spec:type_name -> talos.resource.definitions.block.MountSpec
-	23, // [23:23] is the sub-list for method output_type
+	27, // 23: talos.resource.definitions.block.VolumeStatusSpec.type:type_name -> talos.resource.definitions.enums.BlockVolumeType
-	23, // [23:23] is the sub-list for method input_type
+	15, // 24: talos.resource.definitions.block.VolumeStatusSpec.symlink_spec:type_name -> talos.resource.definitions.block.SymlinkProvisioningSpec
-	23, // [23:23] is the sub-list for extension type_name
+	25, // [25:25] is the sub-list for method output_type
-	23, // [23:23] is the sub-list for extension extendee
+	25, // [25:25] is the sub-list for method input_type
-	0,  // [0:23] is the sub-list for field type_name
+	25, // [25:25] is the sub-list for extension type_name
+	25, // [25:25] is the sub-list for extension extendee
+	0,  // [0:25] is the sub-list for field type_name
 }
 
 func init() { file_resource_definitions_block_block_proto_init() }
@@ -2268,7 +2406,7 @@ func file_resource_definitions_block_block_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_resource_definitions_block_block_proto_rawDesc), len(file_resource_definitions_block_block_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   22,
+			NumMessages:   23,
 			NumExtensions: 0,
 			NumServices:   0,
 		},

pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go

@@ -924,6 +924,31 @@ func (m *MountSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if m.RecursiveRelabel {
+		i--
+		if m.RecursiveRelabel {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x40
+	}
+	if m.Gid != 0 {
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(m.Gid))
+		i--
+		dAtA[i] = 0x38
+	}
+	if m.Uid != 0 {
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(m.Uid))
+		i--
+		dAtA[i] = 0x30
+	}
+	if m.FileMode != 0 {
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(m.FileMode))
+		i--
+		dAtA[i] = 0x28
+	}
 	if len(m.ParentId) > 0 {
 		i -= len(m.ParentId)
 		copy(dAtA[i:], m.ParentId)
@@ -1180,6 +1205,56 @@ func (m *ProvisioningSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *SymlinkProvisioningSpec) MarshalVT() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SymlinkProvisioningSpec) MarshalToVT(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *SymlinkProvisioningSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if m.Force {
+		i--
+		if m.Force {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x10
+	}
+	if len(m.SymlinkTargetPath) > 0 {
+		i -= len(m.SymlinkTargetPath)
+		copy(dAtA[i:], m.SymlinkTargetPath)
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.SymlinkTargetPath)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *SymlinkSpec) MarshalVT() (dAtA []byte, err error) {
 	if m == nil {
 		return nil, nil
@@ -1352,6 +1427,16 @@ func (m *VolumeConfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if m.Symlink != nil {
+		size, err := m.Symlink.MarshalToSizedBufferVT(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+		i--
+		dAtA[i] = 0x3a
+	}
 	if m.Encryption != nil {
 		size, err := m.Encryption.MarshalToSizedBufferVT(dAtA[:i])
 		if err != nil {
@@ -1558,6 +1643,27 @@ func (m *VolumeStatusSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if len(m.ParentId) > 0 {
+		i -= len(m.ParentId)
+		copy(dAtA[i:], m.ParentId)
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.ParentId)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x9a
+	}
+	if m.SymlinkSpec != nil {
+		size, err := m.SymlinkSpec.MarshalToSizedBufferVT(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x92
+	}
 	if len(m.ConfiguredEncryptionKeys) > 0 {
 		for iNdEx := len(m.ConfiguredEncryptionKeys) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.ConfiguredEncryptionKeys[iNdEx])
@@ -2079,6 +2185,18 @@ func (m *MountSpec) SizeVT() (n int) {
 	if l > 0 {
 		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
 	}
+	if m.FileMode != 0 {
+		n += 1 + protohelpers.SizeOfVarint(uint64(m.FileMode))
+	}
+	if m.Uid != 0 {
+		n += 1 + protohelpers.SizeOfVarint(uint64(m.Uid))
+	}
+	if m.Gid != 0 {
+		n += 1 + protohelpers.SizeOfVarint(uint64(m.Gid))
+	}
+	if m.RecursiveRelabel {
+		n += 2
+	}
 	n += len(m.unknownFields)
 	return n
 }
@@ -2169,6 +2287,23 @@ func (m *ProvisioningSpec) SizeVT() (n int) {
 	return n
 }
 
+func (m *SymlinkProvisioningSpec) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.SymlinkTargetPath)
+	if l > 0 {
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	if m.Force {
+		n += 2
+	}
+	n += len(m.unknownFields)
+	return n
+}
+
 func (m *SymlinkSpec) SizeVT() (n int) {
 	if m == nil {
 		return 0
@@ -2248,6 +2383,10 @@ func (m *VolumeConfigSpec) SizeVT() (n int) {
 		l = m.Encryption.SizeVT()
 		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
 	}
+	if m.Symlink != nil {
+		l = m.Symlink.SizeVT()
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
 	n += len(m.unknownFields)
 	return n
 }
@@ -2369,6 +2508,14 @@ func (m *VolumeStatusSpec) SizeVT() (n int) {
 			n += 2 + l + protohelpers.SizeOfVarint(uint64(l))
 		}
 	}
+	if m.SymlinkSpec != nil {
+		l = m.SymlinkSpec.SizeVT()
+		n += 2 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	l = len(m.ParentId)
+	if l > 0 {
+		n += 2 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
 	n += len(m.unknownFields)
 	return n
 }
@@ -4937,6 +5084,83 @@ func (m *MountSpec) UnmarshalVT(dAtA []byte) error {
 			}
 			m.ParentId = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FileMode", wireType)
+			}
+			m.FileMode = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.FileMode |= uint32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Uid", wireType)
+			}
+			m.Uid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Uid |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Gid", wireType)
+			}
+			m.Gid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Gid |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RecursiveRelabel", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RecursiveRelabel = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
@@ -5539,6 +5763,109 @@ func (m *ProvisioningSpec) UnmarshalVT(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *SymlinkProvisioningSpec) UnmarshalVT(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return protohelpers.ErrIntOverflow
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SymlinkProvisioningSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SymlinkProvisioningSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SymlinkTargetPath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SymlinkTargetPath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Force", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Force = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *SymlinkSpec) UnmarshalVT(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -6052,6 +6379,42 @@ func (m *VolumeConfigSpec) UnmarshalVT(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Symlink", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Symlink == nil {
+				m.Symlink = &SymlinkProvisioningSpec{}
+			}
+			if err := m.Symlink.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
@@ -6862,6 +7225,74 @@ func (m *VolumeStatusSpec) UnmarshalVT(dAtA []byte) error {
 			}
 			m.ConfiguredEncryptionKeys = append(m.ConfiguredEncryptionKeys, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 18:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SymlinkSpec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SymlinkSpec == nil {
+				m.SymlinkSpec = &SymlinkProvisioningSpec{}
+			}
+			if err := m.SymlinkSpec.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ParentId", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ParentId = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])

pkg/machinery/api/resource/definitions/enums/enums.pb.go

@@ -2108,6 +2108,8 @@ const (
 	BlockVolumeType_VOLUME_TYPE_DISK      BlockVolumeType = 1
 	BlockVolumeType_VOLUME_TYPE_TMPFS     BlockVolumeType = 2
 	BlockVolumeType_VOLUME_TYPE_DIRECTORY BlockVolumeType = 3
+	BlockVolumeType_VOLUME_TYPE_SYMLINK   BlockVolumeType = 4
+	BlockVolumeType_VOLUME_TYPE_OVERLAY   BlockVolumeType = 5
 )
 
 // Enum value maps for BlockVolumeType.
@@ -2117,12 +2119,16 @@ var (
 		1: "VOLUME_TYPE_DISK",
 		2: "VOLUME_TYPE_TMPFS",
 		3: "VOLUME_TYPE_DIRECTORY",
+		4: "VOLUME_TYPE_SYMLINK",
+		5: "VOLUME_TYPE_OVERLAY",
 	}
 	BlockVolumeType_value = map[string]int32{
 		"VOLUME_TYPE_PARTITION": 0,
 		"VOLUME_TYPE_DISK":      1,
 		"VOLUME_TYPE_TMPFS":     2,
 		"VOLUME_TYPE_DIRECTORY": 3,
+		"VOLUME_TYPE_SYMLINK":   4,
+		"VOLUME_TYPE_OVERLAY":   5,
 	}
 )
 
@@ -2941,87 +2947,90 @@ var file_resource_definitions_enums_enums_proto_rawDesc = string([]byte{
 	0x50, 0x52, 0x45, 0x50, 0x41, 0x52, 0x45, 0x44, 0x10, 0x05, 0x12, 0x16, 0x0a, 0x12, 0x56, 0x4f,
 	0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x50, 0x48, 0x41, 0x53, 0x45, 0x5f, 0x52, 0x45, 0x41, 0x44, 0x59,
 	0x10, 0x06, 0x12, 0x17, 0x0a, 0x13, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x50, 0x48, 0x41,
-	0x53, 0x45, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x44, 0x10, 0x07, 0x2a, 0x74, 0x0a, 0x0f, 0x42,
+	0x53, 0x45, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x44, 0x10, 0x07, 0x2a, 0xa6, 0x01, 0x0a, 0x0f,
-	0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x19,
+	0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x0a, 0x15, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x50, 0x41,
+	0x19, 0x0a, 0x15, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x50,
-	0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x00, 0x12, 0x14, 0x0a, 0x10, 0x56, 0x4f, 0x4c,
+	0x41, 0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x00, 0x12, 0x14, 0x0a, 0x10, 0x56, 0x4f,
-	0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x44, 0x49, 0x53, 0x4b, 0x10, 0x01, 0x12,
+	0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x44, 0x49, 0x53, 0x4b, 0x10, 0x01,
-	0x15, 0x0a, 0x11, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x54,
+	0x12, 0x15, 0x0a, 0x11, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x4d, 0x50, 0x46, 0x53, 0x10, 0x02, 0x12, 0x19, 0x0a, 0x15, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45,
+	0x54, 0x4d, 0x50, 0x46, 0x53, 0x10, 0x02, 0x12, 0x19, 0x0a, 0x15, 0x56, 0x4f, 0x4c, 0x55, 0x4d,
-	0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x4f, 0x52, 0x59, 0x10,
+	0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x4f, 0x52, 0x59,
-	0x03, 0x2a, 0x96, 0x01, 0x0a, 0x13, 0x43, 0x72, 0x69, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x43, 0x61,
+	0x10, 0x03, 0x12, 0x17, 0x0a, 0x13, 0x56, 0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50,
-	0x63, 0x68, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1e, 0x0a, 0x1a, 0x49, 0x4d, 0x41,
+	0x45, 0x5f, 0x53, 0x59, 0x4d, 0x4c, 0x49, 0x4e, 0x4b, 0x10, 0x04, 0x12, 0x17, 0x0a, 0x13, 0x56,
-	0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f,
+	0x4f, 0x4c, 0x55, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4f, 0x56, 0x45, 0x52, 0x4c,
-	0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x1f, 0x0a, 0x1b, 0x49, 0x4d, 0x41,
+	0x41, 0x59, 0x10, 0x05, 0x2a, 0x96, 0x01, 0x0a, 0x13, 0x43, 0x72, 0x69, 0x49, 0x6d, 0x61, 0x67,
-	0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f,
+	0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1e, 0x0a, 0x1a,
-	0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c, 0x49, 0x4d,
-	0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
-	0x5f, 0x50, 0x52, 0x45, 0x50, 0x41, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x1c, 0x0a, 0x18,
 	0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54,
-	0x55, 0x53, 0x5f, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x03, 0x2a, 0xab, 0x01, 0x0a, 0x17, 0x43,
+	0x55, 0x53, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x1f, 0x0a, 0x1b,
-	0x72, 0x69, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x43, 0x6f, 0x70, 0x79,
+	0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54,
-	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x23, 0x0a, 0x1f, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f,
+	0x55, 0x53, 0x5f, 0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a,
-	0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x43, 0x4f, 0x50, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55,
+	0x1c, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53, 0x54, 0x41,
-	0x53, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x49,
+	0x54, 0x55, 0x53, 0x5f, 0x50, 0x52, 0x45, 0x50, 0x41, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12,
-	0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x43, 0x4f, 0x50, 0x59, 0x5f,
+	0x1c, 0x0a, 0x18, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x53,
-	0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x4b, 0x49, 0x50, 0x50, 0x45, 0x44, 0x10, 0x01,
+	0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x03, 0x2a, 0xab, 0x01,
-	0x12, 0x23, 0x0a, 0x1f, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f,
+	0x0a, 0x17, 0x43, 0x72, 0x69, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x43,
-	0x43, 0x4f, 0x50, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45, 0x4e, 0x44,
+	0x6f, 0x70, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x23, 0x0a, 0x1f, 0x49, 0x4d, 0x41,
-	0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x21, 0x0a, 0x1d, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43,
+	0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x43, 0x4f, 0x50, 0x59, 0x5f, 0x53, 0x54,
-	0x41, 0x43, 0x48, 0x45, 0x5f, 0x43, 0x4f, 0x50, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
+	0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x23,
-	0x5f, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x03, 0x2a, 0x53, 0x0a, 0x11, 0x4b, 0x75, 0x62, 0x65,
+	0x0a, 0x1f, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x43, 0x4f,
-	0x73, 0x70, 0x61, 0x6e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x16, 0x0a,
+	0x50, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x4b, 0x49, 0x50, 0x50, 0x45,
-	0x12, 0x50, 0x45, 0x45, 0x52, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e,
+	0x44, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x49, 0x4d, 0x41, 0x47, 0x45, 0x5f, 0x43, 0x41, 0x43,
-	0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x11, 0x0a, 0x0d, 0x50, 0x45, 0x45, 0x52, 0x5f, 0x53, 0x54,
+	0x48, 0x45, 0x5f, 0x43, 0x4f, 0x50, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x50,
-	0x41, 0x54, 0x45, 0x5f, 0x55, 0x50, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x50, 0x45, 0x45, 0x52,
+	0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x21, 0x0a, 0x1d, 0x49, 0x4d, 0x41, 0x47,
-	0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x02, 0x2a, 0x88, 0x01,
+	0x45, 0x5f, 0x43, 0x41, 0x43, 0x48, 0x45, 0x5f, 0x43, 0x4f, 0x50, 0x59, 0x5f, 0x53, 0x54, 0x41,
-	0x0a, 0x12, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4c,
+	0x54, 0x55, 0x53, 0x5f, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x03, 0x2a, 0x53, 0x0a, 0x11, 0x4b,
-	0x61, 0x79, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x0e, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x44,
+	0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65,
-	0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x43, 0x4f, 0x4e, 0x46,
+	0x12, 0x16, 0x0a, 0x12, 0x50, 0x45, 0x45, 0x52, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x55,
-	0x49, 0x47, 0x5f, 0x43, 0x4d, 0x44, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f,
+	0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x11, 0x0a, 0x0d, 0x50, 0x45, 0x45, 0x52,
-	0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x50, 0x4c, 0x41, 0x54, 0x46, 0x4f, 0x52, 0x4d, 0x10,
+	0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x55, 0x50, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x50,
-	0x02, 0x12, 0x13, 0x0a, 0x0f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52,
+	0x45, 0x45, 0x52, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x02,
-	0x41, 0x54, 0x4f, 0x52, 0x10, 0x03, 0x12, 0x20, 0x0a, 0x1c, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47,
+	0x2a, 0x88, 0x01, 0x0a, 0x12, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x43, 0x6f, 0x6e, 0x66,
-	0x5f, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x55,
+	0x69, 0x67, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x0e, 0x43, 0x4f, 0x4e, 0x46, 0x49,
-	0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x04, 0x2a, 0x4b, 0x0a, 0x0f, 0x4e, 0x65, 0x74, 0x77,
+	0x47, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x43,
-	0x6f, 0x72, 0x6b, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x12, 0x0a, 0x0e, 0x4f,
+	0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x43, 0x4d, 0x44, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x01, 0x12,
-	0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x44, 0x48, 0x43, 0x50, 0x34, 0x10, 0x00, 0x12,
+	0x13, 0x0a, 0x0f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x50, 0x4c, 0x41, 0x54, 0x46, 0x4f,
-	0x12, 0x0a, 0x0e, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x44, 0x48, 0x43, 0x50,
+	0x52, 0x4d, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x4f,
-	0x36, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f,
+	0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x10, 0x03, 0x12, 0x20, 0x0a, 0x1c, 0x43, 0x4f, 0x4e,
-	0x56, 0x49, 0x50, 0x10, 0x02, 0x2a, 0x9b, 0x02, 0x0a, 0x13, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d,
+	0x46, 0x49, 0x47, 0x5f, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46,
-	0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x53, 0x74, 0x61, 0x67, 0x65, 0x12, 0x19, 0x0a,
+	0x49, 0x47, 0x55, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x04, 0x2a, 0x4b, 0x0a, 0x0f, 0x4e,
-	0x15, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x55,
+	0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x12,
-	0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x4d, 0x41, 0x43, 0x48,
+	0x0a, 0x0e, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x44, 0x48, 0x43, 0x50, 0x34,
-	0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x42, 0x4f, 0x4f, 0x54, 0x49, 0x4e,
+	0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x44,
-	0x47, 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53,
+	0x48, 0x43, 0x50, 0x36, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54,
-	0x54, 0x41, 0x47, 0x45, 0x5f, 0x49, 0x4e, 0x53, 0x54, 0x41, 0x4c, 0x4c, 0x49, 0x4e, 0x47, 0x10,
+	0x4f, 0x52, 0x5f, 0x56, 0x49, 0x50, 0x10, 0x02, 0x2a, 0x9b, 0x02, 0x0a, 0x13, 0x52, 0x75, 0x6e,
-	0x02, 0x12, 0x1d, 0x0a, 0x19, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41,
+	0x74, 0x69, 0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x53, 0x74, 0x61, 0x67, 0x65,
-	0x47, 0x45, 0x5f, 0x4d, 0x41, 0x49, 0x4e, 0x54, 0x45, 0x4e, 0x41, 0x4e, 0x43, 0x45, 0x10, 0x03,
 	0x12, 0x19, 0x0a, 0x15, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47,
-	0x45, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x04, 0x12, 0x1b, 0x0a, 0x17, 0x4d,
+	0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x4d,
-	0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x52, 0x45, 0x42,
+	0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x42, 0x4f, 0x4f,
-	0x4f, 0x4f, 0x54, 0x49, 0x4e, 0x47, 0x10, 0x05, 0x12, 0x1f, 0x0a, 0x1b, 0x4d, 0x41, 0x43, 0x48,
+	0x54, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e,
-	0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x53, 0x48, 0x55, 0x54, 0x54, 0x49,
+	0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x49, 0x4e, 0x53, 0x54, 0x41, 0x4c, 0x4c, 0x49,
-	0x4e, 0x47, 0x5f, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x06, 0x12, 0x1b, 0x0a, 0x17, 0x4d, 0x41, 0x43,
+	0x4e, 0x47, 0x10, 0x02, 0x12, 0x1d, 0x0a, 0x19, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f,
-	0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x52, 0x45, 0x53, 0x45, 0x54,
+	0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x4d, 0x41, 0x49, 0x4e, 0x54, 0x45, 0x4e, 0x41, 0x4e, 0x43,
-	0x54, 0x49, 0x4e, 0x47, 0x10, 0x07, 0x12, 0x1b, 0x0a, 0x17, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e,
+	0x45, 0x10, 0x03, 0x12, 0x19, 0x0a, 0x15, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53,
-	0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x55, 0x50, 0x47, 0x52, 0x41, 0x44, 0x49, 0x4e,
+	0x54, 0x41, 0x47, 0x45, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x04, 0x12, 0x1b,
-	0x47, 0x10, 0x08, 0x2a, 0x6f, 0x0a, 0x13, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x45,
+	0x0a, 0x17, 0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f,
-	0x4c, 0x69, 0x6e, 0x75, 0x78, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x45,
+	0x52, 0x45, 0x42, 0x4f, 0x4f, 0x54, 0x49, 0x4e, 0x47, 0x10, 0x05, 0x12, 0x1f, 0x0a, 0x1b, 0x4d,
-	0x5f, 0x4c, 0x49, 0x4e, 0x55, 0x58, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x44, 0x49, 0x53,
+	0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x53, 0x48, 0x55,
-	0x41, 0x42, 0x4c, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x53, 0x45, 0x5f, 0x4c, 0x49,
+	0x54, 0x54, 0x49, 0x4e, 0x47, 0x5f, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x06, 0x12, 0x1b, 0x0a, 0x17,
-	0x4e, 0x55, 0x58, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53,
+	0x4d, 0x41, 0x43, 0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x52, 0x45,
-	0x53, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x53, 0x45, 0x5f, 0x4c, 0x49, 0x4e,
+	0x53, 0x45, 0x54, 0x54, 0x49, 0x4e, 0x47, 0x10, 0x07, 0x12, 0x1b, 0x0a, 0x17, 0x4d, 0x41, 0x43,
-	0x55, 0x58, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x49,
+	0x48, 0x49, 0x4e, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x5f, 0x55, 0x50, 0x47, 0x52, 0x41,
-	0x4e, 0x47, 0x10, 0x02, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f,
+	0x44, 0x49, 0x4e, 0x47, 0x10, 0x08, 0x2a, 0x6f, 0x0a, 0x13, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d,
-	0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64,
+	0x65, 0x53, 0x45, 0x4c, 0x69, 0x6e, 0x75, 0x78, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a,
-	0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73,
+	0x17, 0x53, 0x45, 0x5f, 0x4c, 0x49, 0x4e, 0x55, 0x58, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f,
-	0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64,
+	0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x53, 0x45,
-	0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b,
+	0x5f, 0x4c, 0x49, 0x4e, 0x55, 0x58, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x50, 0x45, 0x52,
-	0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x53, 0x45, 0x5f,
-	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
+	0x4c, 0x49, 0x4e, 0x55, 0x58, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x45, 0x4e, 0x46, 0x4f,
-	0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x52, 0x43, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74,
-	0x6f, 0x33,
+	0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e,
+	0x75, 0x6d, 0x73, 0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73,
+	0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61,
+	0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69,
+	0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 
 var (

pkg/machinery/constants/constants.go

@@ -477,6 +477,9 @@ const (
 	// EtcdDataPath is the path where etcd stores its' data.
 	EtcdDataPath = "/var/lib/etcd"
 
+	// EtcdDataVolumeID is the ID of the etcd data volume.
+	EtcdDataVolumeID = "ETCD"
+
 	// EtcdDataSELinuxLabel is the SELinux label for the etcd data directory.
 	EtcdDataSELinuxLabel = "system_u:object_r:etcd_data_t:s0"
 

pkg/machinery/gendata/data/pkgs

@@ -1 +1 @@
-v1.10.0-alpha.0-69-g665f782
+v1.10.0-alpha.0-72-g7d7323b

pkg/machinery/resources/block/volume_config.go

@@ -5,6 +5,8 @@
 package block
 
 import (
+	"os"
+
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/cosi-project/runtime/pkg/resource/meta"
 	"github.com/cosi-project/runtime/pkg/resource/protobuf"
@@ -41,6 +43,9 @@ type VolumeConfigSpec struct {
 
 	// Mount options for the volume.
 	Mount MountSpec `yaml:"mount,omitempty" protobuf:"5"`
+
+	// Symlink options for the volume.
+	Symlink SymlinkProvisioningSpec `yaml:"symlink,omitempty" protobuf:"7"`
 }
 
 // Wave constants.
@@ -154,6 +159,24 @@ type MountSpec struct {
 	ProjectQuotaSupport bool `yaml:"projectQuotaSupport" protobuf:"3"`
 	// Parent mount request ID.
 	ParentID string `yaml:"parentId,omitempty" protobuf:"4"`
+	// FileMode is the file mode for the mount target.
+	FileMode os.FileMode `yaml:"fileMode,omitempty" protobuf:"5"`
+	// UID is the user ID for the mount target.
+	UID int `yaml:"uid,omitempty" protobuf:"6"`
+	// GID is the group ID for the mount target.
+	GID int `yaml:"gid,omitempty" protobuf:"7"`
+	// RecursiveRelabel is the recursive relabel/chown flag for the mount target.
+	RecursiveRelabel bool `yaml:"recursiveRelabel,omitempty" protobuf:"8"`
+}
+
+// SymlinkProvisioningSpec is the spec for volume symlink.
+//
+//gotagsrewrite:gen
+type SymlinkProvisioningSpec struct {
+	// Symlink target path for the volume.
+	SymlinkTargetPath string `yaml:"symlinkTargetPath" protobuf:"1"`
+	// Force symlink creation.
+	Force bool `yaml:"force" protobuf:"2"`
 }
 
 // NewVolumeConfig initializes a BlockVolumeConfig resource.

pkg/machinery/resources/block/volume_status.go

@@ -27,7 +27,8 @@ type VolumeStatusSpec struct {
 	Phase        VolumePhase `yaml:"phase" protobuf:"1"`
 	PreFailPhase VolumePhase `yaml:"preFailPhase,omitempty" protobuf:"6"`
 
-	Type VolumeType `yaml:"type" protobuf:"16"`
+	Type     VolumeType `yaml:"type" protobuf:"16"`
+	ParentID string     `yaml:"parentID,omitempty" protobuf:"19"`
 
 	// Location is the path to the block device (raw).
 	Location string `yaml:"location,omitempty" protobuf:"2"`
@@ -56,6 +57,9 @@ type VolumeStatusSpec struct {
 	// MountSpec is the mount specification.
 	MountSpec MountSpec `yaml:"mountSpec,omitempty" protobuf:"15"`
 
+	// Symlink is the symlink specification.
+	SymlinkSpec SymlinkProvisioningSpec `yaml:"symlink,omitempty" protobuf:"18"`
+
 	ErrorMessage string `yaml:"errorMessage,omitempty" protobuf:"3"`
 }
 

pkg/machinery/resources/block/volumetype.go

@@ -15,4 +15,6 @@ const (
 	VolumeTypeDisk                        // disk
 	VolumeTypeTmpfs                       // tmpfs
 	VolumeTypeDirectory                   // directory
+	VolumeTypeSymlink                     // symlink
+	VolumeTypeOverlay                     // overlay
 )

pkg/machinery/resources/block/volumetype_enumer.go

@@ -7,11 +7,11 @@ import (
 	"strings"
 )
 
-const _VolumeTypeName = "partitiondisktmpfsdirectory"
+const _VolumeTypeName = "partitiondisktmpfsdirectorysymlinkoverlay"
 
-var _VolumeTypeIndex = [...]uint8{0, 9, 13, 18, 27}
+var _VolumeTypeIndex = [...]uint8{0, 9, 13, 18, 27, 34, 41}
 
-const _VolumeTypeLowerName = "partitiondisktmpfsdirectory"
+const _VolumeTypeLowerName = "partitiondisktmpfsdirectorysymlinkoverlay"
 
 func (i VolumeType) String() string {
 	if i < 0 || i >= VolumeType(len(_VolumeTypeIndex)-1) {
@@ -28,9 +28,11 @@ func _VolumeTypeNoOp() {
 	_ = x[VolumeTypeDisk-(1)]
 	_ = x[VolumeTypeTmpfs-(2)]
 	_ = x[VolumeTypeDirectory-(3)]
+	_ = x[VolumeTypeSymlink-(4)]
+	_ = x[VolumeTypeOverlay-(5)]
 }
 
-var _VolumeTypeValues = []VolumeType{VolumeTypePartition, VolumeTypeDisk, VolumeTypeTmpfs, VolumeTypeDirectory}
+var _VolumeTypeValues = []VolumeType{VolumeTypePartition, VolumeTypeDisk, VolumeTypeTmpfs, VolumeTypeDirectory, VolumeTypeSymlink, VolumeTypeOverlay}
 
 var _VolumeTypeNameToValueMap = map[string]VolumeType{
 	_VolumeTypeName[0:9]:        VolumeTypePartition,
@@ -41,6 +43,10 @@ var _VolumeTypeNameToValueMap = map[string]VolumeType{
 	_VolumeTypeLowerName[13:18]: VolumeTypeTmpfs,
 	_VolumeTypeName[18:27]:      VolumeTypeDirectory,
 	_VolumeTypeLowerName[18:27]: VolumeTypeDirectory,
+	_VolumeTypeName[27:34]:      VolumeTypeSymlink,
+	_VolumeTypeLowerName[27:34]: VolumeTypeSymlink,
+	_VolumeTypeName[34:41]:      VolumeTypeOverlay,
+	_VolumeTypeLowerName[34:41]: VolumeTypeOverlay,
 }
 
 var _VolumeTypeNames = []string{
@@ -48,6 +54,8 @@ var _VolumeTypeNames = []string{
 	_VolumeTypeName[9:13],
 	_VolumeTypeName[13:18],
 	_VolumeTypeName[18:27],
+	_VolumeTypeName[27:34],
+	_VolumeTypeName[34:41],
 }
 
 // VolumeTypeString retrieves an enum value from the enum constants string name.

website/content/v1.10/reference/api.md

@@ -42,6 +42,7 @@ description: Talos gRPC API reference.
     - [MountStatusSpec](#talos.resource.definitions.block.MountStatusSpec)
     - [PartitionSpec](#talos.resource.definitions.block.PartitionSpec)
     - [ProvisioningSpec](#talos.resource.definitions.block.ProvisioningSpec)
+    - [SymlinkProvisioningSpec](#talos.resource.definitions.block.SymlinkProvisioningSpec)
     - [SymlinkSpec](#talos.resource.definitions.block.SymlinkSpec)
     - [SystemDiskSpec](#talos.resource.definitions.block.SystemDiskSpec)
     - [UserDiskConfigStatusSpec](#talos.resource.definitions.block.UserDiskConfigStatusSpec)
@@ -1058,6 +1059,10 @@ MountSpec is the spec for volume mount.
 | selinux_label | [string](#string) |  |  |
 | project_quota_support | [bool](#bool) |  |  |
 | parent_id | [string](#string) |  |  |
+| file_mode | [uint32](#uint32) |  |  |
+| uid | [int64](#int64) |  |  |
+| gid | [int64](#int64) |  |  |
+| recursive_relabel | [bool](#bool) |  |  |
 
 
 
@@ -1122,6 +1127,22 @@ ProvisioningSpec is the spec for volume provisioning.
 
 
 
+<a name="talos.resource.definitions.block.SymlinkProvisioningSpec"></a>
+
+### SymlinkProvisioningSpec
+SymlinkProvisioningSpec is the spec for volume symlink.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| symlink_target_path | [string](#string) |  |  |
+| force | [bool](#bool) |  |  |
+
+
+
+
+
+
 <a name="talos.resource.definitions.block.SymlinkSpec"></a>
 
 ### SymlinkSpec
@@ -1183,6 +1204,7 @@ VolumeConfigSpec is the spec for VolumeConfig resource.
 | locator | [LocatorSpec](#talos.resource.definitions.block.LocatorSpec) |  |  |
 | mount | [MountSpec](#talos.resource.definitions.block.MountSpec) |  |  |
 | encryption | [EncryptionSpec](#talos.resource.definitions.block.EncryptionSpec) |  |  |
+| symlink | [SymlinkProvisioningSpec](#talos.resource.definitions.block.SymlinkProvisioningSpec) |  |  |
 
 
 
@@ -1249,6 +1271,8 @@ VolumeStatusSpec is the spec for VolumeStatus resource.
 | mount_spec | [MountSpec](#talos.resource.definitions.block.MountSpec) |  |  |
 | type | [talos.resource.definitions.enums.BlockVolumeType](#talos.resource.definitions.enums.BlockVolumeType) |  |  |
 | configured_encryption_keys | [string](#string) | repeated |  |
+| symlink_spec | [SymlinkProvisioningSpec](#talos.resource.definitions.block.SymlinkProvisioningSpec) |  |  |
+| parent_id | [string](#string) |  |  |
 
 
 
@@ -1654,6 +1678,8 @@ BlockVolumeType describes volume type.
 | VOLUME_TYPE_DISK | 1 |  |
 | VOLUME_TYPE_TMPFS | 2 |  |
 | VOLUME_TYPE_DIRECTORY | 3 |  |
+| VOLUME_TYPE_SYMLINK | 4 |  |
+| VOLUME_TYPE_OVERLAY | 5 |  |