diff --git a/cmd/talosctl/acompat/acompat.go b/cmd/talosctl/acompat/acompat.go
new file mode 100644
index 00000000000..4dac5a317f7
--- /dev/null
+++ b/cmd/talosctl/acompat/acompat.go
@@ -0,0 +1,14 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package acompat provides compatibility with gRPC 1.67.0 and later.
+package acompat
+
+import "os"
+
+func init() {
+	if err := os.Setenv("GRPC_ENFORCE_ALPN_ENABLED", "false"); err != nil {
+		panic(err)
+	}
+}
diff --git a/cmd/talosctl/main.go b/cmd/talosctl/main.go
index d8834e0fe91..7f295e50253 100644
--- a/cmd/talosctl/main.go
+++ b/cmd/talosctl/main.go
@@ -8,6 +8,7 @@ package main
 import (
 	"os"
 
+	_ "github.com/siderolabs/talos/cmd/talosctl/acompat"
 	"github.com/siderolabs/talos/cmd/talosctl/cmd"
 )
 
diff --git a/go.mod b/go.mod
index e021019941d..59cbf4d9e2d 100644
--- a/go.mod
+++ b/go.mod
@@ -139,7 +139,7 @@ require (
 	github.com/ryanuber/go-glob v1.0.0
 	github.com/safchain/ethtool v0.4.1
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.30
-	github.com/siderolabs/crypto v0.4.4
+	github.com/siderolabs/crypto v0.5.0
 	github.com/siderolabs/discovery-api v0.1.4
 	github.com/siderolabs/discovery-client v0.1.9
 	github.com/siderolabs/gen v0.5.0
@@ -165,7 +165,7 @@ require (
 	github.com/siderolabs/kms-client v0.1.0
 	github.com/siderolabs/net v0.4.0
 	github.com/siderolabs/protoenc v0.2.1
-	github.com/siderolabs/siderolink v0.3.10
+	github.com/siderolabs/siderolink v0.3.11
 	github.com/siderolabs/talos/pkg/machinery v1.8.0-alpha.2
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
diff --git a/go.sum b/go.sum
index 8d8a873687d..eda59b25c69 100644
--- a/go.sum
+++ b/go.sum
@@ -575,8 +575,8 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/siderolabs/coredns v1.11.53 h1:HoRPGey3HNj409+15OGnP9Jt4NNpRKsm7izjc/M/G20=
 github.com/siderolabs/coredns v1.11.53/go.mod h1:2bxje5r6+o9rO0k7bEb5BitqPz8YUYaIY8iJHD1ELtE=
-github.com/siderolabs/crypto v0.4.4 h1:Q6EDBMR2Ub2oAZW5Xl8lrKB27bM3Sn8Gkfw3rngco5U=
-github.com/siderolabs/crypto v0.4.4/go.mod h1:hsR3tJ3aaeuhCChsLF4dBd9vlJVPvmhg4vvx2ez4aD4=
+github.com/siderolabs/crypto v0.5.0 h1:+Sox0aYLCcD0PAH2cbEcx557zUrONLtuj1Ws+2MFXGc=
+github.com/siderolabs/crypto v0.5.0/go.mod h1:hsR3tJ3aaeuhCChsLF4dBd9vlJVPvmhg4vvx2ez4aD4=
 github.com/siderolabs/discovery-api v0.1.4 h1:2fMEFSMiWaD1zDiBDY5md8VxItvL1rDQRSOfeXNjYKc=
 github.com/siderolabs/discovery-api v0.1.4/go.mod h1:kaBy+G42v2xd/uAF/NIe383sjNTBE2AhxPTyi9SZI0s=
 github.com/siderolabs/discovery-client v0.1.9 h1:yDzvts++Nf/2qczdDUfU5GAibkEIgz/eo9RPG/k/rOc=
@@ -627,8 +627,8 @@ github.com/siderolabs/net v0.4.0 h1:1bOgVay/ijPkJz4qct98nHsiB/ysLQU0KLoBC4qLm7I=
 github.com/siderolabs/net v0.4.0/go.mod h1:/ibG+Hm9HU27agp5r9Q3eZicEfjquzNzQNux5uEk0kM=
 github.com/siderolabs/protoenc v0.2.1 h1:BqxEmeWQeMpNP3R6WrPqDatX8sM/r4t97OP8mFmg6GA=
 github.com/siderolabs/protoenc v0.2.1/go.mod h1:StTHxjet1g11GpNAWiATgc8K0HMKiFSEVVFOa/H0otc=
-github.com/siderolabs/siderolink v0.3.10 h1:M8OrRyfzmyyGksHalOqvRSxvb1Fwi7S3AFQx6ERap44=
-github.com/siderolabs/siderolink v0.3.10/go.mod h1:QbGnXpHI5MDq6qMZkCFnxYOOw5eE+lkLx53L5ZgjLMQ=
+github.com/siderolabs/siderolink v0.3.11 h1:teJ/LMjSyLekhJVy2+nDIuOBPrVRAMwusJQzxdA95K0=
+github.com/siderolabs/siderolink v0.3.11/go.mod h1:QbGnXpHI5MDq6qMZkCFnxYOOw5eE+lkLx53L5ZgjLMQ=
 github.com/siderolabs/tcpproxy v0.1.0 h1:IbkS9vRhjMOscc1US3M5P1RnsGKFgB6U5IzUk+4WkKA=
 github.com/siderolabs/tcpproxy v0.1.0/go.mod h1:onn6CPPj/w1UNqQ0U97oRPF0CqbrgEApYCw4P9IiCW8=
 github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774 h1:wLhs5zMQVjA6LN9WpF2owOdtcoRp40zL8AaQSle+9EE=
diff --git a/internal/app/machined/acompat/acompat.go b/internal/app/machined/acompat/acompat.go
new file mode 100644
index 00000000000..4dac5a317f7
--- /dev/null
+++ b/internal/app/machined/acompat/acompat.go
@@ -0,0 +1,14 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package acompat provides compatibility with gRPC 1.67.0 and later.
+package acompat
+
+import "os"
+
+func init() {
+	if err := os.Setenv("GRPC_ENFORCE_ALPN_ENABLED", "false"); err != nil {
+		panic(err)
+	}
+}
diff --git a/internal/app/machined/main.go b/internal/app/machined/main.go
index f6c8ff2af91..822f4756f25 100644
--- a/internal/app/machined/main.go
+++ b/internal/app/machined/main.go
@@ -2,335 +2,12 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-// Package machined provides machined implementation.
+// Package root provides entry point for machined.
 package main
 
 import (
-	"context"
-	"errors"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"os/signal"
-	"path/filepath"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/siderolabs/go-cmd/pkg/cmd/proc"
-	"github.com/siderolabs/go-cmd/pkg/cmd/proc/reaper"
-	debug "github.com/siderolabs/go-debug"
-	"github.com/siderolabs/go-procfs/procfs"
-	"golang.org/x/sys/unix"
-
-	"github.com/siderolabs/talos/internal/app/apid"
-	"github.com/siderolabs/talos/internal/app/dashboard"
-	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
-	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/emergency"
-	v1alpha1runtime "github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1"
-	"github.com/siderolabs/talos/internal/app/machined/pkg/system"
-	"github.com/siderolabs/talos/internal/app/machined/pkg/system/services"
-	"github.com/siderolabs/talos/internal/app/maintenance"
-	"github.com/siderolabs/talos/internal/app/poweroff"
-	"github.com/siderolabs/talos/internal/app/trustd"
-	"github.com/siderolabs/talos/internal/app/wrapperd"
-	"github.com/siderolabs/talos/internal/pkg/mount"
-	"github.com/siderolabs/talos/pkg/httpdefaults"
-	"github.com/siderolabs/talos/pkg/machinery/api/common"
-	"github.com/siderolabs/talos/pkg/machinery/api/machine"
-	"github.com/siderolabs/talos/pkg/machinery/constants"
-	"github.com/siderolabs/talos/pkg/startup"
+	_ "github.com/siderolabs/talos/internal/app/machined/acompat"
+	"github.com/siderolabs/talos/internal/app/machined/root"
 )
 
-func init() {
-	// Patch a default HTTP client with updated transport to handle cases when default client is being used.
-	http.DefaultClient.Transport = httpdefaults.PatchTransport(cleanhttp.DefaultPooledTransport())
-}
-
-func recovery(ctx context.Context) {
-	if r := recover(); r != nil {
-		var (
-			err error
-			ok  bool
-		)
-
-		err, ok = r.(error)
-		if ok {
-			handle(ctx, err)
-		}
-	}
-}
-
-// syncNonVolatileStorageBuffers invokes unix.Sync and waits up to 30 seconds
-// for it to finish.
-//
-// See http://man7.org/linux/man-pages/man2/reboot.2.html.
-func syncNonVolatileStorageBuffers() {
-	syncdone := make(chan struct{})
-
-	go func() {
-		defer close(syncdone)
-
-		unix.Sync()
-	}()
-
-	log.Printf("waiting for sync...")
-
-	for i := 29; i >= 0; i-- {
-		select {
-		case <-syncdone:
-			log.Printf("sync done")
-
-			return
-		case <-time.After(time.Second):
-		}
-
-		if i != 0 {
-			log.Printf("waiting %d more seconds for sync to finish", i)
-		}
-	}
-
-	log.Printf("sync hasn't completed in time, aborting...")
-}
-
-//nolint:gocyclo
-func handle(ctx context.Context, err error) {
-	rebootCmd := int(emergency.RebootCmd.Load())
-
-	var rebootErr runtime.RebootError
-
-	if errors.As(err, &rebootErr) {
-		// not a failure, but wrapped reboot command
-		rebootCmd = rebootErr.Cmd
-
-		err = nil
-	}
-
-	if err != nil {
-		log.Print(err)
-		revertBootloader(ctx)
-
-		if p := procfs.ProcCmdline().Get(constants.KernelParamPanic).First(); p != nil {
-			if *p == "0" {
-				log.Printf("panic=0 kernel flag found, sleeping forever")
-
-				rebootCmd = 0
-			}
-		}
-
-		if rebootCmd == unix.LINUX_REBOOT_CMD_RESTART {
-			for i := 10; i >= 0; i-- {
-				log.Printf("rebooting in %d seconds\n", i)
-				time.Sleep(1 * time.Second)
-			}
-		}
-	}
-
-	if err = proc.KillAll(); err != nil {
-		log.Printf("error killing all procs: %s", err)
-	}
-
-	if err = mount.UnmountAll(); err != nil {
-		log.Printf("error unmounting: %s", err)
-	}
-
-	syncNonVolatileStorageBuffers()
-
-	if rebootCmd == 0 {
-		exitSignal := make(chan os.Signal, 1)
-
-		signal.Notify(exitSignal, syscall.SIGINT, syscall.SIGTERM)
-
-		<-exitSignal
-	} else if unix.Reboot(rebootCmd) == nil {
-		// Wait forever.
-		select {}
-	}
-}
-
-func runDebugServer(ctx context.Context) {
-	const debugAddr = ":9982"
-
-	debugLogFunc := func(msg string) {
-		log.Print(msg)
-	}
-
-	if err := debug.ListenAndServe(ctx, debugAddr, debugLogFunc); err != nil {
-		log.Fatalf("failed to start debug server: %s", err)
-	}
-}
-
-//nolint:gocyclo
-func run() error {
-	errCh := make(chan error)
-
-	// Limit GOMAXPROCS.
-	startup.LimitMaxProcs(constants.MachinedMaxProcs)
-
-	// Set the PATH env var.
-	if err := os.Setenv("PATH", constants.PATH); err != nil {
-		return errors.New("error setting PATH")
-	}
-
-	// Initialize the controller without a config.
-	c, err := v1alpha1runtime.NewController()
-	if err != nil {
-		return err
-	}
-
-	revertSetState(c.Runtime().State().V1Alpha2().Resources())
-
-	var controllerWaitGroup sync.WaitGroup
-	defer controllerWaitGroup.Wait() // wait for controller-runtime to finish before rebooting
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	drainer := runtime.NewDrainer()
-	defer func() {
-		drainCtx, drainCtxCancel := context.WithTimeout(context.Background(), time.Second*10)
-		defer drainCtxCancel()
-
-		if e := drainer.Drain(drainCtx); e != nil {
-			log.Printf("WARNING: failed to drain controllers: %s", e)
-		}
-	}()
-
-	go runDebugServer(ctx)
-
-	// Schedule service shutdown on any return.
-	defer system.Services(c.Runtime()).Shutdown(ctx)
-
-	// Start signal and ACPI listeners.
-	go func() {
-		if e := c.ListenForEvents(ctx); e != nil {
-			log.Printf("WARNING: signals and ACPI events will be ignored: %s", e)
-		}
-	}()
-
-	controllerWaitGroup.Add(1)
-
-	// Start v2 controller runtime.
-	go func() {
-		defer controllerWaitGroup.Done()
-
-		if e := c.V1Alpha2().Run(ctx, drainer); e != nil {
-			ctrlErr := fmt.Errorf("fatal controller runtime error: %s", e)
-
-			log.Printf("controller runtime goroutine error: %s", ctrlErr)
-
-			errCh <- ctrlErr
-		}
-
-		log.Printf("controller runtime finished")
-	}()
-
-	// Inject controller into maintenance service.
-	maintenance.InjectController(c)
-
-	// Load machined service.
-	system.Services(c.Runtime()).Load(
-		&services.Machined{Controller: c},
-	)
-
-	initializeCanceled := false
-
-	// Initialize the machine.
-	if err = c.Run(ctx, runtime.SequenceInitialize, nil); err != nil {
-		if errors.Is(err, context.Canceled) {
-			initializeCanceled = true
-		} else {
-			return err
-		}
-	}
-
-	// If Initialize sequence was canceled, don't run any other sequence.
-	if !initializeCanceled {
-		// Perform an installation if required.
-		if err = c.Run(ctx, runtime.SequenceInstall, nil); err != nil {
-			return err
-		}
-
-		// Start the machine API.
-		system.Services(c.Runtime()).LoadAndStart(
-			&services.APID{},
-		)
-
-		// Boot the machine.
-		if err = c.Run(ctx, runtime.SequenceBoot, nil); err != nil && !errors.Is(err, context.Canceled) {
-			return err
-		}
-	}
-
-	// Watch and handle runtime events.
-	//nolint:errcheck
-	_ = c.Runtime().Events().Watch(
-		func(events <-chan runtime.EventInfo) {
-			for {
-				for event := range events {
-					switch msg := event.Payload.(type) {
-					case *machine.SequenceEvent:
-						if msg.Error != nil {
-							if msg.Error.GetCode() == common.Code_LOCKED ||
-								msg.Error.GetCode() == common.Code_CANCELED {
-								// ignore sequence lock and canceled errors, they're not fatal
-								continue
-							}
-
-							errCh <- fmt.Errorf(
-								"fatal sequencer error in %q sequence: %v",
-								msg.GetSequence(),
-								msg.GetError().String(),
-							)
-						}
-					case *machine.RestartEvent:
-						errCh <- runtime.RebootError{Cmd: int(msg.Cmd)}
-					}
-				}
-			}
-		},
-	)
-
-	return <-errCh
-}
-
-func main() {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	switch filepath.Base(os.Args[0]) {
-	case "apid":
-		apid.Main()
-
-		return
-	case "trustd":
-		trustd.Main()
-
-		return
-	// Azure uses the hv_utils kernel module to shutdown the node in hyper-v by calling perform_shutdown which will call orderly_poweroff which will call /sbin/poweroff.
-	case "poweroff", "shutdown":
-		poweroff.Main(os.Args)
-
-		return
-	case "wrapperd":
-		wrapperd.Main()
-
-		return
-	case "dashboard":
-		dashboard.Main()
-
-		return
-	default:
-	}
-
-	// Setup panic handler.
-	defer recovery(ctx)
-
-	// Initialize the process reaper.
-	reaper.Run()
-	defer reaper.Shutdown()
-
-	handle(ctx, run())
-}
+func main() { root.Run() }
diff --git a/internal/app/machined/revert.go b/internal/app/machined/root/revert.go
similarity index 99%
rename from internal/app/machined/revert.go
rename to internal/app/machined/root/revert.go
index ef96c48c82d..98660bd6b7e 100644
--- a/internal/app/machined/revert.go
+++ b/internal/app/machined/root/revert.go
@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-package main
+package root
 
 import (
 	"context"
diff --git a/internal/app/machined/root/root.go b/internal/app/machined/root/root.go
new file mode 100644
index 00000000000..0ee0cb179d2
--- /dev/null
+++ b/internal/app/machined/root/root.go
@@ -0,0 +1,337 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package root provides machined implementation.
+package root
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/siderolabs/go-cmd/pkg/cmd/proc"
+	"github.com/siderolabs/go-cmd/pkg/cmd/proc/reaper"
+	debug "github.com/siderolabs/go-debug"
+	"github.com/siderolabs/go-procfs/procfs"
+	"golang.org/x/sys/unix"
+
+	"github.com/siderolabs/talos/internal/app/apid"
+	"github.com/siderolabs/talos/internal/app/dashboard"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/emergency"
+	v1alpha1runtime "github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/system"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/system/services"
+	"github.com/siderolabs/talos/internal/app/maintenance"
+	"github.com/siderolabs/talos/internal/app/poweroff"
+	"github.com/siderolabs/talos/internal/app/trustd"
+	"github.com/siderolabs/talos/internal/app/wrapperd"
+	"github.com/siderolabs/talos/internal/pkg/mount"
+	"github.com/siderolabs/talos/pkg/httpdefaults"
+	"github.com/siderolabs/talos/pkg/machinery/api/common"
+	"github.com/siderolabs/talos/pkg/machinery/api/machine"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/startup"
+)
+
+func init() {
+	// Patch a default HTTP client with updated transport to handle cases when default client is being used.
+	http.DefaultClient.Transport = httpdefaults.PatchTransport(cleanhttp.DefaultPooledTransport())
+}
+
+func recovery(ctx context.Context) {
+	if r := recover(); r != nil {
+		var (
+			err error
+			ok  bool
+		)
+
+		err, ok = r.(error)
+		if ok {
+			handle(ctx, err)
+		}
+	}
+}
+
+// syncNonVolatileStorageBuffers invokes unix.Sync and waits up to 30 seconds
+// for it to finish.
+//
+// See http://man7.org/linux/man-pages/man2/reboot.2.html.
+func syncNonVolatileStorageBuffers() {
+	syncdone := make(chan struct{})
+
+	go func() {
+		defer close(syncdone)
+
+		unix.Sync()
+	}()
+
+	log.Printf("waiting for sync...")
+
+	for i := 29; i >= 0; i-- {
+		select {
+		case <-syncdone:
+			log.Printf("sync done")
+
+			return
+		case <-time.After(time.Second):
+		}
+
+		if i != 0 {
+			log.Printf("waiting %d more seconds for sync to finish", i)
+		}
+	}
+
+	log.Printf("sync hasn't completed in time, aborting...")
+}
+
+//nolint:gocyclo
+func handle(ctx context.Context, err error) {
+	rebootCmd := int(emergency.RebootCmd.Load())
+
+	var rebootErr runtime.RebootError
+
+	if errors.As(err, &rebootErr) {
+		// not a failure, but wrapped reboot command
+		rebootCmd = rebootErr.Cmd
+
+		err = nil
+	}
+
+	if err != nil {
+		log.Print(err)
+		revertBootloader(ctx)
+
+		if p := procfs.ProcCmdline().Get(constants.KernelParamPanic).First(); p != nil {
+			if *p == "0" {
+				log.Printf("panic=0 kernel flag found, sleeping forever")
+
+				rebootCmd = 0
+			}
+		}
+
+		if rebootCmd == unix.LINUX_REBOOT_CMD_RESTART {
+			for i := 10; i >= 0; i-- {
+				log.Printf("rebooting in %d seconds\n", i)
+				time.Sleep(1 * time.Second)
+			}
+		}
+	}
+
+	if err = proc.KillAll(); err != nil {
+		log.Printf("error killing all procs: %s", err)
+	}
+
+	if err = mount.UnmountAll(); err != nil {
+		log.Printf("error unmounting: %s", err)
+	}
+
+	syncNonVolatileStorageBuffers()
+
+	if rebootCmd == 0 {
+		exitSignal := make(chan os.Signal, 1)
+
+		signal.Notify(exitSignal, syscall.SIGINT, syscall.SIGTERM)
+
+		<-exitSignal
+	} else if unix.Reboot(rebootCmd) == nil {
+		// Wait forever.
+		select {}
+	}
+}
+
+func runDebugServer(ctx context.Context) {
+	const debugAddr = ":9982"
+
+	debugLogFunc := func(msg string) {
+		log.Print(msg)
+	}
+
+	if err := debug.ListenAndServe(ctx, debugAddr, debugLogFunc); err != nil {
+		log.Fatalf("failed to start debug server: %s", err)
+	}
+}
+
+//nolint:gocyclo
+func run() error {
+	errCh := make(chan error)
+
+	// Limit GOMAXPROCS.
+	startup.LimitMaxProcs(constants.MachinedMaxProcs)
+
+	// Set the PATH env var.
+	if err := os.Setenv("PATH", constants.PATH); err != nil {
+		return errors.New("error setting PATH")
+	}
+
+	// Initialize the controller without a config.
+	c, err := v1alpha1runtime.NewController()
+	if err != nil {
+		return err
+	}
+
+	revertSetState(c.Runtime().State().V1Alpha2().Resources())
+
+	var controllerWaitGroup sync.WaitGroup
+	defer controllerWaitGroup.Wait() // wait for controller-runtime to finish before rebooting
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	drainer := runtime.NewDrainer()
+	defer func() {
+		drainCtx, drainCtxCancel := context.WithTimeout(context.Background(), time.Second*10)
+		defer drainCtxCancel()
+
+		if e := drainer.Drain(drainCtx); e != nil {
+			log.Printf("WARNING: failed to drain controllers: %s", e)
+		}
+	}()
+
+	go runDebugServer(ctx)
+
+	// Schedule service shutdown on any return.
+	defer system.Services(c.Runtime()).Shutdown(ctx)
+
+	// Start signal and ACPI listeners.
+	go func() {
+		if e := c.ListenForEvents(ctx); e != nil {
+			log.Printf("WARNING: signals and ACPI events will be ignored: %s", e)
+		}
+	}()
+
+	controllerWaitGroup.Add(1)
+
+	// Start v2 controller runtime.
+	go func() {
+		defer controllerWaitGroup.Done()
+
+		if e := c.V1Alpha2().Run(ctx, drainer); e != nil {
+			ctrlErr := fmt.Errorf("fatal controller runtime error: %s", e)
+
+			log.Printf("controller runtime goroutine error: %s", ctrlErr)
+
+			errCh <- ctrlErr
+		}
+
+		log.Printf("controller runtime finished")
+	}()
+
+	// Inject controller into maintenance service.
+	maintenance.InjectController(c)
+
+	// Load machined service.
+	system.Services(c.Runtime()).Load(
+		&services.Machined{Controller: c},
+	)
+
+	initializeCanceled := false
+
+	// Initialize the machine.
+	if err = c.Run(ctx, runtime.SequenceInitialize, nil); err != nil {
+		if errors.Is(err, context.Canceled) {
+			initializeCanceled = true
+		} else {
+			return err
+		}
+	}
+
+	// If Initialize sequence was canceled, don't run any other sequence.
+	if !initializeCanceled {
+		// Perform an installation if required.
+		if err = c.Run(ctx, runtime.SequenceInstall, nil); err != nil {
+			return err
+		}
+
+		// Start the machine API.
+		system.Services(c.Runtime()).LoadAndStart(
+			&services.APID{},
+		)
+
+		// Boot the machine.
+		if err = c.Run(ctx, runtime.SequenceBoot, nil); err != nil && !errors.Is(err, context.Canceled) {
+			return err
+		}
+	}
+
+	// Watch and handle runtime events.
+	//nolint:errcheck
+	_ = c.Runtime().Events().Watch(
+		func(events <-chan runtime.EventInfo) {
+			for {
+				for event := range events {
+					switch msg := event.Payload.(type) {
+					case *machine.SequenceEvent:
+						if msg.Error != nil {
+							if msg.Error.GetCode() == common.Code_LOCKED ||
+								msg.Error.GetCode() == common.Code_CANCELED {
+								// ignore sequence lock and canceled errors, they're not fatal
+								continue
+							}
+
+							errCh <- fmt.Errorf(
+								"fatal sequencer error in %q sequence: %v",
+								msg.GetSequence(),
+								msg.GetError().String(),
+							)
+						}
+					case *machine.RestartEvent:
+						errCh <- runtime.RebootError{Cmd: int(msg.Cmd)}
+					}
+				}
+			}
+		},
+	)
+
+	return <-errCh
+}
+
+// Run starts the machined service.
+func Run() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	switch filepath.Base(os.Args[0]) {
+	case "apid":
+		apid.Main()
+
+		return
+	case "trustd":
+		trustd.Main()
+
+		return
+	// Azure uses the hv_utils kernel module to shutdown the node in hyper-v by calling perform_shutdown which will call orderly_poweroff which will call /sbin/poweroff.
+	case "poweroff", "shutdown":
+		poweroff.Main(os.Args)
+
+		return
+	case "wrapperd":
+		wrapperd.Main()
+
+		return
+	case "dashboard":
+		dashboard.Main()
+
+		return
+	default:
+	}
+
+	// Setup panic handler.
+	defer recovery(ctx)
+
+	// Initialize the process reaper.
+	reaper.Run()
+	defer reaper.Shutdown()
+
+	handle(ctx, run())
+}
diff --git a/pkg/machinery/go.mod b/pkg/machinery/go.mod
index e30039dd9cb..7c03164fe23 100644
--- a/pkg/machinery/go.mod
+++ b/pkg/machinery/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
-	github.com/siderolabs/crypto v0.4.4
+	github.com/siderolabs/crypto v0.5.0
 	github.com/siderolabs/gen v0.5.0
 	github.com/siderolabs/go-api-signature v0.3.6
 	github.com/siderolabs/go-blockdevice v0.4.7
diff --git a/pkg/machinery/go.sum b/pkg/machinery/go.sum
index d9d07edfc51..b54ac0d3308 100644
--- a/pkg/machinery/go.sum
+++ b/pkg/machinery/go.sum
@@ -101,8 +101,8 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/siderolabs/crypto v0.4.4 h1:Q6EDBMR2Ub2oAZW5Xl8lrKB27bM3Sn8Gkfw3rngco5U=
-github.com/siderolabs/crypto v0.4.4/go.mod h1:hsR3tJ3aaeuhCChsLF4dBd9vlJVPvmhg4vvx2ez4aD4=
+github.com/siderolabs/crypto v0.5.0 h1:+Sox0aYLCcD0PAH2cbEcx557zUrONLtuj1Ws+2MFXGc=
+github.com/siderolabs/crypto v0.5.0/go.mod h1:hsR3tJ3aaeuhCChsLF4dBd9vlJVPvmhg4vvx2ez4aD4=
 github.com/siderolabs/gen v0.5.0 h1:Afdjx+zuZDf53eH5DB+E+T2JeCwBXGinV66A6osLgQI=
 github.com/siderolabs/gen v0.5.0/go.mod h1:1GUMBNliW98Xeq8GPQeVMYqQE09LFItE8enR3wgMh3Q=
 github.com/siderolabs/go-api-signature v0.3.6 h1:wDIsXbpl7Oa/FXvxB6uz4VL9INA9fmr3EbmjEZYFJrU=