diff --git a/cmd/dkl-dir2config/main.go b/cmd/dkl-dir2config/main.go
index e63dc8d..d597caf 100644
--- a/cmd/dkl-dir2config/main.go
+++ b/cmd/dkl-dir2config/main.go
@@ -77,6 +77,12 @@ func main() {
 
 		dst.Hosts = append(dst.Hosts, &localconfig.Host{
 			Name: host.Name,
+
+			ClusterName: ctx.Cluster.Name,
+
+			Labels:      ctx.Labels,
+			Annotations: ctx.Annotations,
+
 			MACs: macs,
 			IPs:  ips,
 
diff --git a/cmd/dkl-dir2config/render-cluster.go b/cmd/dkl-dir2config/render-cluster.go
index d507753..a83417d 100644
--- a/cmd/dkl-dir2config/render-cluster.go
+++ b/cmd/dkl-dir2config/render-cluster.go
@@ -77,7 +77,7 @@ func renderClusterTemplates(cluster *clustersconfig.Cluster, setName string,
 
 	funcs := clusterFuncs(cluster)
 
-	log.Print("rendering cluster templates in ", setName, " with ", clusterAsMap)
+	log.Print("rendering cluster templates in ", setName)
 
 	buf := &bytes.Buffer{}
 
diff --git a/cmd/dkl-dir2config/render-context.go b/cmd/dkl-dir2config/render-context.go
index 3f5f786..388811f 100644
--- a/cmd/dkl-dir2config/render-context.go
+++ b/cmd/dkl-dir2config/render-context.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	"bytes"
+	"crypto/sha1"
+	"encoding/hex"
 	"fmt"
 	"log"
 	"path"
@@ -14,6 +16,9 @@ import (
 )
 
 type renderContext struct {
+	Labels      map[string]string
+	Annotations map[string]string
+
 	Host               *clustersconfig.Host
 	Group              *clustersconfig.Group
 	Cluster            *clustersconfig.Cluster
@@ -47,9 +52,10 @@ func newRenderContext(host *clustersconfig.Host, cfg *clustersconfig.Config) (ct
 		mapMerge(vars, oVars)
 	}
 
-	log.Print("vars: ", vars)
-
 	return &renderContext{
+		Labels:      mergeLabels(cluster.Labels, group.Labels, host.Labels),
+		Annotations: mergeLabels(cluster.Annotations, group.Annotations, host.Annotations),
+
 		Host:               host,
 		Group:              group,
 		Cluster:            cluster,
@@ -61,6 +67,18 @@ func newRenderContext(host *clustersconfig.Host, cfg *clustersconfig.Config) (ct
 	}, nil
 }
 
+func mergeLabels(sources ...map[string]string) map[string]string {
+	ret := map[string]string{}
+
+	for _, src := range sources {
+		for k, v := range src {
+			ret[k] = v
+		}
+	}
+
+	return ret
+}
+
 func mapMerge(target, source map[string]interface{}) {
 	for k, v := range source {
 		target[k] = genericMerge(target[k], v)
@@ -179,6 +197,11 @@ func (ctx *renderContext) Config() string {
 		return string(ba), err
 	}
 
+	extraFuncs["machine_id"] = func() string {
+		ba := sha1.Sum([]byte(ctx.Cluster.Name + "/" + ctx.Host.Name)) // TODO: check semantics of machine-id
+		return hex.EncodeToString(ba[:])
+	}
+
 	buf := bytes.NewBuffer(make([]byte, 0, 4096))
 	if err := ctx.ConfigTemplate.Execute(ctxName, "config", buf, ctxMap, extraFuncs); err != nil {
 		log.Fatalf("failed to render config %q for host %q: %v", ctx.Group.Config, ctx.Host.Name, err)
diff --git a/cmd/dkl-local-server/ws-clusters.go b/cmd/dkl-local-server/ws-clusters.go
index ec6562d..66bdba3 100644
--- a/cmd/dkl-local-server/ws-clusters.go
+++ b/cmd/dkl-local-server/ws-clusters.go
@@ -101,6 +101,23 @@ func wsClusterSetPassword(req *restful.Request, resp *restful.Response) {
 	}
 }
 
+func wsClusterToken(req *restful.Request, resp *restful.Response) {
+	cluster := wsReadCluster(req, resp)
+	if cluster == nil {
+		return
+	}
+
+	name := req.PathParameter("token-name")
+
+	token, err := secretData.Token(cluster.Name, name)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	resp.WriteEntity(token)
+}
+
 func wsClusterBootstrapPods(req *restful.Request, resp *restful.Response) {
 	cluster := wsReadCluster(req, resp)
 	if cluster == nil {
diff --git a/cmd/dkl-local-server/ws-host.go b/cmd/dkl-local-server/ws-host.go
index db57a0e..200de1c 100644
--- a/cmd/dkl-local-server/ws-host.go
+++ b/cmd/dkl-local-server/ws-host.go
@@ -27,7 +27,8 @@ func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteB
 
 	for _, rb := range []*restful.RouteBuilder{
 		rws.GET(ws.prefix).To(ws.get).
-			Doc("Get the " + ws.hostDoc + "'s details"),
+			Doc("Get the "+ws.hostDoc+"'s details").
+			Returns(200, "OK", localconfig.Host{}),
 
 		// raw configuration
 		b("config").
diff --git a/cmd/dkl-local-server/ws.go b/cmd/dkl-local-server/ws.go
index beab3f5..b861cd1 100644
--- a/cmd/dkl-local-server/ws.go
+++ b/cmd/dkl-local-server/ws.go
@@ -48,6 +48,9 @@ func registerWS(rest *restful.Container) {
 	ws.Route(ws.PUT("/clusters/{cluster-name}/passwords/{password-name}").To(wsClusterSetPassword).
 		Doc("Set cluster's password"))
 
+	ws.Route(ws.GET("/clusters/{cluster-name}/tokens/{token-name}").To(wsClusterToken).
+		Doc("Get cluster's token"))
+
 	ws.Route(ws.GET("/hosts").To(wsListHosts).
 		Doc("List hosts"))
 
diff --git a/go.mod b/go.mod
index d1f7328..450afab 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.2.4
 	k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d
-	novit.nc/direktil/pkg v0.0.0-20191009054056-6e432c2a06e6
+	novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2
 )
 
 go 1.13
diff --git a/go.sum b/go.sum
index c09c409..8bac425 100644
--- a/go.sum
+++ b/go.sum
@@ -250,5 +250,9 @@ k8s.io/kube-openapi v0.0.0-20190816220812-743ec37842bf/go.mod h1:1TqjTSzOxsLGIKf
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
 novit.nc/direktil/pkg v0.0.0-20191009054056-6e432c2a06e6 h1:zJFvtQXH8euAzEvbJRME7EhIy7hyyNRMIVYc9tNc/oo=
 novit.nc/direktil/pkg v0.0.0-20191009054056-6e432c2a06e6/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
+novit.nc/direktil/pkg v0.0.0-20191211135749-9b2e3dd362b1 h1:+5BJJAbOjMg5kmMsKq+xhTsgUXsZsEekyv7hnJ8Gy7I=
+novit.nc/direktil/pkg v0.0.0-20191211135749-9b2e3dd362b1/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
+novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc=
+novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
diff --git a/pkg/clustersconfig/clustersconfig.go b/pkg/clustersconfig/clustersconfig.go
index 6f66487..0fdc21c 100644
--- a/pkg/clustersconfig/clustersconfig.go
+++ b/pkg/clustersconfig/clustersconfig.go
@@ -210,7 +210,11 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
 // Host represents a host served by this server.
 type Host struct {
 	WithRev
-	Name    string
+
+	Name        string
+	Labels      map[string]string
+	Annotations map[string]string
+
 	MAC     string
 	IP      string
 	IPs     []string
@@ -222,7 +226,11 @@ type Host struct {
 // Group represents a group of hosts and provides their configuration.
 type Group struct {
 	WithRev
-	Name       string
+
+	Name        string
+	Labels      map[string]string
+	Annotations map[string]string
+
 	Master     bool
 	IPXE       string
 	Kernel     string
@@ -239,7 +247,11 @@ type Vars map[string]interface{}
 // Cluster represents a cluster of hosts, allowing for cluster-wide variables.
 type Cluster struct {
 	WithRev
-	Name          string
+
+	Name        string
+	Labels      map[string]string
+	Annotations map[string]string
+
 	Domain        string
 	Addons        string
 	BootstrapPods string `yaml:"bootstrap_pods"`