Provision On-Prem PowerDNS Secondary (HyOps Blueprint)¶
- Purpose: Provision the on-prem read-only DNS authority that replicates the shared `hyops.internal` zone.
- Owner: Network/platform engineering
- Trigger: On-prem control-plane bootstrap or DNS secondary rebuild
- Impact: Provides local authoritative read access when the shared control plane is degraded
- Severity: P2
- Pre-reqs: Proxmox init complete, `networking/onprem-ops-runner@v1` already applied in the same env, `networking/powerdns-shared-primary@v1` already applied in the same env, vault decrypt working, and `POWERDNS_API_KEY` available.
- Rollback strategy: Destroy the secondary state instance and rerun with corrected inputs.
Context¶
Blueprint ref: networking/powerdns-onprem-secondary@v1
Location: hybridops-core/blueprints/networking/powerdns-onprem-secondary@v1/blueprint.yml
Current first-pass placement:
- read-only secondary is colocated on the shared on-prem runner host
- this keeps cost down while a dedicated on-prem service-host lane is still evolving
- the blueprint consumes both the on-prem runner state and the shared primary state by default and fails clearly if either is absent
Steps¶
- Materialize an env-scoped overlay:

  ```shell
  hyops blueprint init --env dev \
    --ref networking/powerdns-onprem-secondary@v1 \
    --dest-name powerdns-onprem-secondary.yml
  ```

- Validate and preflight:

  ```shell
  hyops blueprint validate --ref networking/powerdns-onprem-secondary@v1
  hyops blueprint preflight --env dev \
    --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-onprem-secondary.yml"
  ```

- Deploy:

  ```shell
  hyops blueprint deploy --env dev \
    --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-onprem-secondary.yml" \
    --execute
  ```
Notes¶
- This first implementation uses Docker Compose + SQLite.
- It intentionally reuses the shared on-prem runner host to avoid another VM for the initial supported deployment path.
- The secondary does not replace the writable shared authority; `dns-routing` should still update the primary API only.
- Explicit override of the primary endpoint should be reserved for break-glass recovery when the shared primary state contract is unavailable.
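After the deploy step, and to confirm the read-only placement the notes describe, it helps to check that the secondary actually holds the zone as a secondary and is in sync with the shared primary. The following is an added example written for this runbook, not part of the HyOps blueprint or its tooling. It uses only the standard PowerDNS HTTP API (`GET /api/v1/servers/localhost/zones/<zone>` with the `X-API-Key` header) and reads `POWERDNS_API_KEY` from the environment. The `PDNS_PRIMARY_API` and `PDNS_SECONDARY_API` variables and their `.invalid` defaults are assumptions for illustration; set them to the real endpoints of the shared primary and the on-prem secondary.

```python
"""Post-deploy replication check for the on-prem PowerDNS secondary.

Added example for this runbook (not HyOps project code). Compares the
hyops.internal zone on the shared primary and the on-prem secondary via
the PowerDNS API and reports anything that contradicts the intended
read-only secondary placement.
"""
import json
import os
import sys
import urllib.request

ZONE = "hyops.internal."
API_KEY = os.environ.get("POWERDNS_API_KEY", "")
# Assumed environment variables / placeholder endpoints; not from the blueprint.
PRIMARY_API = os.environ.get("PDNS_PRIMARY_API", "http://pdns-primary.invalid:8081")
SECONDARY_API = os.environ.get("PDNS_SECONDARY_API", "http://pdns-secondary.invalid:8081")

# PowerDNS reports zone kind as "Slave" (older) or "Secondary" (newer releases).
SECONDARY_KINDS = {"slave", "secondary"}


def fetch_zone(base_url, api_key, zone=ZONE, timeout=5):
    """Fetch a zone object from a PowerDNS API endpoint (network call)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/servers/localhost/zones/{zone}",
        headers={"X-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_replication(primary_zone, secondary_zone):
    """Compare two zone objects; return (ok, findings).

    Pure function so it can be exercised offline with zone JSON captured
    from the API. Findings are human-readable strings, one per problem.
    """
    findings = []

    kind = str(secondary_zone.get("kind", "")).lower()
    if kind not in SECONDARY_KINDS:
        # A Native/Master kind here means the host could accept writes and
        # would never be overwritten by zone transfer: wrong placement.
        findings.append(
            f"secondary zone kind is {secondary_zone.get('kind')!r}, "
            "expected Slave/Secondary"
        )

    if not secondary_zone.get("masters"):
        findings.append("secondary has no masters configured; it cannot transfer the zone")

    p_serial = primary_zone.get("serial")
    s_serial = secondary_zone.get("serial")
    if p_serial != s_serial:
        findings.append(
            f"serial mismatch: primary={p_serial} secondary={s_serial} "
            "(transfer pending or failing)"
        )

    return (not findings, findings)


def main():
    if not API_KEY:
        print("POWERDNS_API_KEY is not set", file=sys.stderr)
        return 2
    primary = fetch_zone(PRIMARY_API, API_KEY)
    secondary = fetch_zone(SECONDARY_API, API_KEY)
    ok, findings = check_replication(primary, secondary)
    for line in findings:
        print(f"FAIL: {line}")
    print("OK: secondary is a read-only replica in sync with primary" if ok else "replication check failed")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit code makes the script usable as a gate in the rebuild procedure: a serial mismatch right after deploy is normal for a few seconds (the first AXFR may not have completed), but a zone kind other than Slave/Secondary means the host is writable and should be treated as a placement error rather than retried.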