
Provision Shared PowerDNS Primary (HyOps Blueprint)

  • Purpose: Provision the writable internal DNS authority used for HybridOps private platform and workload FQDNs.

  • Owner: Network/platform engineering

  • Trigger: Shared control-plane bootstrap or DNS authority rebuild

  • Impact: Reconciles the primary PowerDNS authority for hyops.internal on the shared control host used by the edge control plane.

  • Severity: P2

  • Pre-reqs: hyops init hetzner completed for the target env; org/hetzner/shared-control-host#edge_control_host already applied in the same env; vault decrypt working; POWERDNS_API_KEY available in the runtime vault or in the environment.

  • Rollback strategy: Destroy the PowerDNS state instance and rerun with corrected inputs.

Context

Blueprint ref: networking/powerdns-shared-primary@v1

Location: hybridops-core/blueprints/networking/powerdns-shared-primary@v1/blueprint.yml

Current placement:

  • the blueprint consumes org/hetzner/shared-control-host#edge_control_host
  • the PowerDNS primary is deployed on that existing shared control host
  • deploy reruns reconcile live host drift instead of trusting historical green state

Steps

  1. Materialize an env-scoped overlay:

    hyops blueprint init --env dev \
      --ref networking/powerdns-shared-primary@v1 \
      --dest-name powerdns-shared-primary.yml
    
  2. Validate and preflight:

    hyops blueprint validate --ref networking/powerdns-shared-primary@v1
    hyops blueprint preflight --env dev \
      --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-shared-primary.yml"
    
  3. Deploy:

    hyops blueprint deploy --env dev \
      --file "$HOME/.hybridops/envs/dev/config/blueprints/powerdns-shared-primary.yml" \
      --execute
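
A post-deploy check for the procedure above, added here as an example and not part of the blueprint or the hyops tooling: it reads the API key the pre-reqs require from the environment, queries the PowerDNS HTTP API of the reconciled authority, and confirms that hyops.internal is actually hosted as a writable primary zone rather than missing or present only as a secondary copy. The POWERDNS_API_URL variable is an assumption standing in for the powerdns_api_url output.

```python
import json
import os
import sys
import urllib.request

# Assumed for this example: the zone name published as powerdns_zone_name.
DEFAULT_ZONE = "hyops.internal"


def canonical(name: str) -> str:
    """PowerDNS reports zone names with a trailing dot; normalise for comparison."""
    return name.rstrip(".").lower() + "."


def find_primary_zone(zones: list, zone_name: str = DEFAULT_ZONE) -> dict:
    """Return the entry for zone_name if this server hosts it as a primary.

    Raises ValueError when the zone is absent or is only a secondary copy
    (kind Slave/Consumer), i.e. the authority was not rebuilt as writable."""
    wanted = canonical(zone_name)
    for zone in zones:
        if canonical(zone.get("name", "")) != wanted:
            continue
        kind = zone.get("kind", "")
        if kind in ("Master", "Native", "Producer"):
            return zone
        raise ValueError(f"{zone_name} present but kind={kind!r}, not a primary")
    raise ValueError(f"{zone_name} is not served by this authority")


def fetch_zones(api_url: str, api_key: str, timeout: float = 5.0) -> list:
    """GET /api/v1/servers/localhost/zones, authenticating with X-API-Key."""
    req = urllib.request.Request(
        api_url.rstrip("/") + "/api/v1/servers/localhost/zones",
        headers={"X-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def main() -> int:
    api_url = os.environ.get("POWERDNS_API_URL")  # assumed: powerdns_api_url output
    api_key = os.environ.get("POWERDNS_API_KEY")
    if not api_url or not api_key:
        print("POWERDNS_API_URL and POWERDNS_API_KEY must be set", file=sys.stderr)
        return 2
    try:
        zone = find_primary_zone(fetch_zones(api_url, api_key))
    except (ValueError, OSError) as exc:
        print(f"FAIL: {exc}", file=sys.stderr)
        return 1
    print(f"OK: {zone['name']} kind={zone['kind']} serial={zone.get('serial')}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means the deploy should not be treated as green even if hyops reported success.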
    

Outputs

The authority publishes:

  • powerdns_state
  • powerdns_mode
  • powerdns_zone_name
  • powerdns_api_url
  • powerdns_private_host
  • powerdns_public_host
  • cap.net.dns_authority

Notes

  • This first implementation uses Docker Compose + SQLite.
  • It is intentionally separate from NetBox.
  • It intentionally avoids landing shared services on the WAN edge appliances.
  • platform/network/dns-routing should target the primary API only.
  • The shipped blueprint is state-driven by default; explicit override should be reserved for exceptional cases.
