Provision On-Prem PowerDNS Secondary (HyOps Blueprint)
Purpose: Provision the on-prem read-only DNS authority that replicates the shared hyops.internal zone.
Owner: Network/platform engineering
Trigger: On-prem control-plane bootstrap or DNS secondary rebuild
Impact: Provides local authoritative read access when the shared control plane is degraded
Severity: P2
Pre-reqs: Proxmox init complete, networking/onprem-ops-runner@v1 already applied in the same env, networking/powerdns-shared-primary@v1 already applied in the same env, vault decrypt working, and POWERDNS_API_KEY available.
Rollback strategy: Destroy the secondary state instance and rerun with corrected inputs.
Context
Blueprint ref: networking/powerdns-onprem-secondary@v1
Location: hybridops-core/blueprints/networking/powerdns-onprem-secondary@v1/blueprint.yml
Current first-pass placement:
- read-only secondary is colocated on the shared on-prem runner host
- this keeps cost down while a dedicated on-prem service-host lane is still evolving
- the blueprint consumes both the on-prem runner state and the shared primary state by default and fails clearly if either is absent
Steps
- Materialize an env-scoped overlay:
  hyops blueprint init --env dev \
    --ref networking/powerdns-onprem-secondary@v1 \
    --dest-name powerdns-onprem-secondary.yml
- Validate and preflight:
  hyops blueprint validate --ref networking/powerdns-onprem-secondary@v1
  hyops blueprint preflight --env dev \
    --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-onprem-secondary.yml"
- Deploy:
  hyops blueprint deploy --env dev \
    --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-onprem-secondary.yml" \
    --execute
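A post-deploy check an operator could run after the Deploy step, added here as an example and not part of the HyOps blueprint or CLI: it compares the SOA serial of hyops.internal on the primary and the secondary using RFC 1982 serial arithmetic. The server addresses, the sample SOA answers and the function names are assumptions.

```shell
#!/bin/sh
# Added example: replication check for the read-only secondary.
# Server addresses are supplied by the operator (placeholders, not blueprint values).
ZONE="hyops.internal"   # zone name taken from the runbook

# Extract the serial (3rd field) from one line of `dig +short SOA` output.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Compare two SOA answers with RFC 1982 serial arithmetic (32-bit wraparound).
# Prints: in-sync | secondary-behind | secondary-ahead | no-answer
compare_serials() {
    p=$(soa_serial "$1")
    s=$(soa_serial "$2")
    if [ -z "$p" ] || [ -z "$s" ]; then
        echo "no-answer"; return 2
    fi
    d=$(( ($s - $p + 4294967296) % 4294967296 ))
    if [ "$d" -eq 0 ]; then
        echo "in-sync"; return 0
    elif [ "$d" -lt 2147483648 ]; then
        # A read-only replica should never hold a newer serial than its primary.
        echo "secondary-ahead"; return 3
    fi
    echo "secondary-behind"; return 1
}

# Query both authorities directly (no recursion) and classify the result.
check_live() {
    p_ans=$(dig +short +norecurse +time=2 +tries=1 @"$1" "$ZONE" SOA)
    s_ans=$(dig +short +norecurse +time=2 +tries=1 @"$2" "$ZONE" SOA)
    compare_serials "$p_ans" "$s_ans"
}

# Constructed sample answers (not captured from a real deployment).
SAMPLE_PRIMARY="ns1.hyops.internal. hostmaster.hyops.internal. 2024010105 10800 3600 604800 3600"
SAMPLE_STALE="ns1.hyops.internal. hostmaster.hyops.internal. 2024010101 10800 3600 604800 3600"

# Usage: sh check.sh <primary-addr> <secondary-addr>
if [ "$#" -eq 2 ]; then
    check_live "$1" "$2"
else
    # No addresses given: classify the constructed samples instead.
    compare_serials "$SAMPLE_PRIMARY" "$SAMPLE_STALE" || true
fi
```

A `secondary-ahead` result means the replica holds a newer serial than the primary, which suggests a write reached the secondary or the primary was rolled back.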
Notes
- This first implementation uses Docker Compose + SQLite.
- It intentionally reuses the shared on-prem runner host to avoid another VM for first-pass product proof.
- The secondary does not replace the writable shared authority; dns-routing should still update the primary API only.
- Explicit override of the primary endpoint should be reserved for break-glass recovery when the shared primary state contract is unavailable.