Provision Shared PowerDNS Primary (HyOps Blueprint)

Purpose: Provision the writable internal DNS authority used for HybridOps private platform and workload FQDNs.
Owner: Network/platform engineering
Trigger: Shared control-plane bootstrap or DNS authority rebuild
Impact: Creates the dedicated shared control-plane host and the primary PowerDNS authority for hyops.internal
Severity: P2
Pre-reqs: hyops init hetzner completed for target env, org/hetzner/vyos-edge-foundation already applied in the same env, vault decrypt working, and POWERDNS_API_KEY available in runtime vault or env.
Rollback strategy: Destroy the PowerDNS state instance and rerun with corrected inputs.

Context

Blueprint ref: networking/powerdns-shared-primary@v1
Location: hybridops-core/blueprints/networking/powerdns-shared-primary@v1/blueprint.yml

Current placement:

  • a dedicated Hetzner shared control-plane host is provisioned first
  • the PowerDNS primary is then deployed on that host
  • the blueprint consumes Hetzner WAN foundation state by default and fails clearly if that foundation state is absent

Steps

  1. Materialize an env-scoped overlay:

     hyops blueprint init --env dev \
       --ref networking/powerdns-shared-primary@v1 \
       --dest-name powerdns-shared-primary.yml

  2. Validate and preflight:

     hyops blueprint validate --ref networking/powerdns-shared-primary@v1
     hyops blueprint preflight --env dev \
       --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-shared-primary.yml"

  3. Deploy:

     hyops blueprint deploy --env dev \
       --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-shared-primary.yml" \
       --execute
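The three steps above, driven from one POSIX shell script so that the pre-reqs the runbook lists (an env name, POWERDNS_API_KEY loaded from the runtime vault or env) are checked before anything is materialized or deployed. This is an added example, not code from the HyOps blueprint or CLI; it assumes the hyops subcommands and flags exactly as shown in the steps, a conservative env-name pattern (hypothetical, so that the env name cannot alter the overlay path), and, for the optional post-deploy check, that the published powerdns_api_url output is the base URL of the standard PowerDNS HTTP API (server id "localhost"), which the runbook does not state.

```shell
#!/bin/sh
# Added example (not part of the HyOps runbook or CLI).
set -eu

BLUEPRINT_REF="networking/powerdns-shared-primary@v1"
OVERLAY_NAME="powerdns-shared-primary.yml"
ZONE_NAME="hyops.internal"

# Path where `hyops blueprint init --dest-name` materializes the overlay
# (taken from the --file arguments in the runbook steps).
overlay_path() {
  printf '%s/.hybridops/envs/%s/config/blueprints/%s\n' "$HOME" "$1" "$OVERLAY_NAME"
}

# Env names are used to build a filesystem path, so only accept a plain
# token (assumed pattern: lowercase letters, digits, hyphens).
valid_env_name() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The API key must be present (runtime vault or env); its value is never
# printed, only its presence is reported.
require_api_key() {
  if [ -z "${POWERDNS_API_KEY:-}" ]; then
    echo "POWERDNS_API_KEY is not set; load it from the runtime vault first" >&2
    return 1
  fi
  return 0
}

# Steps 1-3 of the runbook in order; set -e stops the run at the first
# failing hyops command, so a failed preflight never reaches deploy.
run_steps() {
  env_name="$1"
  overlay="$(overlay_path "$env_name")"
  if [ ! -f "$overlay" ]; then
    hyops blueprint init --env "$env_name" \
      --ref "$BLUEPRINT_REF" \
      --dest-name "$OVERLAY_NAME"
  fi
  hyops blueprint validate --ref "$BLUEPRINT_REF"
  hyops blueprint preflight --env "$env_name" --file "$overlay"
  hyops blueprint deploy --env "$env_name" --file "$overlay" --execute
}

# Optional post-deploy check: the zone must be served by the new authority.
# The key is fed to curl through a config on stdin (-K -) rather than as a
# -H argument, so it does not appear in the process list.
verify_zone() {
  api_url="${1%/}"
  printf 'header = "X-API-Key: %s"\n' "$POWERDNS_API_KEY" |
    curl -fsS -K - "${api_url}/api/v1/servers/localhost/zones/${ZONE_NAME}." >/dev/null
}

main() {
  env_name="${1:?usage: $0 <env> [powerdns_api_url]}"
  if ! valid_env_name "$env_name"; then
    echo "unexpected env name: $env_name" >&2
    return 1
  fi
  require_api_key
  run_steps "$env_name"
  if [ -n "${2:-}" ]; then
    verify_zone "$2"
  fi
}

# Guarded so that sourcing the file for its helpers deploys nothing;
# run with: HYOPS_RUN=1 sh provision-powerdns.sh dev [powerdns_api_url]
if [ "${HYOPS_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

The overlay path is derived once and reused for preflight and deploy, so the two cannot silently point at different files; the zone check is the only part that touches the new host and is skipped when no API URL is given.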

Outputs

The authority publishes:

  • powerdns_state
  • powerdns_mode
  • powerdns_zone_name
  • powerdns_api_url
  • powerdns_private_host
  • powerdns_public_host
  • cap.net.dns_authority

Notes

  • This first implementation uses Docker Compose + SQLite.
  • It is intentionally separate from NetBox.
  • It intentionally avoids landing shared services on the WAN edge appliances.
  • platform/network/dns-routing should target the primary API only.
  • The shipped blueprint is state-driven by default; explicit override should be reserved for exceptional cases.

References