
Operate PowerDNS Internal Authority (HyOps)

Purpose: Deploy the internal authoritative DNS service used by HybridOps for private platform and workload FQDNs.
Owner: Network/platform engineering
Trigger: Shared control-plane bootstrap, on-prem secondary bootstrap, or DNS authority rebuild
Impact: Provides authoritative internal DNS for names such as postgres.dev.hyops.internal
Severity: P2
Pre-reqs: The Linux target host exists, a Docker-capable baseline is permitted on it, and POWERDNS_API_KEY is present in the runtime vault or environment.
Rollback strategy: Destroy the module on the target host, or re-apply with corrected inputs.

Context

Module ref: platform/network/powerdns-authority
Location: hybridops-core/modules/platform/network/powerdns-authority/spec.yml

Recommended topology:

  • shared primary PowerDNS on a dedicated Hetzner shared control-plane host
  • read-only secondary PowerDNS on-prem
  • DNS cutover automation writes to the primary only

State-driven default wiring:

  • secondaries should prefer powerdns_primary_state_ref
  • DNS cutover should prefer powerdns_state_ref
  • explicit endpoint/API overrides remain available for break-glass cases

This module can run in either mode:

  • powerdns_mode: primary
  • powerdns_mode: secondary

Examples

Primary:

hyops validate --env dev --skip-preflight \
  --module platform/network/powerdns-authority \
  --inputs "$HYOPS_CORE_ROOT/modules/platform/network/powerdns-authority/examples/inputs.primary.yml"

Secondary:

hyops validate --env dev --skip-preflight \
  --module platform/network/powerdns-authority \
  --inputs "$HYOPS_CORE_ROOT/modules/platform/network/powerdns-authority/examples/inputs.secondary.yml"

Apply:

hyops apply --env dev \
  --module platform/network/powerdns-authority \
  --inputs "$HYOPS_CORE_ROOT/modules/platform/network/powerdns-authority/examples/inputs.primary.yml"
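A post-apply replication check, added here as an example; it is not part of the module or the hyops tooling. It assumes dig and curl on the operator host, POWERDNS_API_KEY exported as in the pre-reqs, the default PowerDNS API port 8081, and the zone dev.hyops.internal; the primary and secondary addresses are passed as arguments.

```shell
#!/bin/sh
# Verify that the on-prem secondary has transferred the latest zone from the
# shared primary, and that the API answers on the primary (the only write path).
# Assumptions: dig, curl; POWERDNS_API_KEY in env; API on port 8081.
set -eu

# Classify the two SOA serials. Pure function so it can be tested without a server.
serial_status() {
  primary="$1"; secondary="$2"
  if [ "$primary" = "$secondary" ]; then
    echo "in-sync"
  elif [ "$primary" -gt "$secondary" ]; then
    echo "lagging"   # secondary has not yet transferred the newest zone
  else
    echo "ahead"     # secondary newer than primary: a write bypassed the primary-only rule
  fi
}

# Extract the serial (3rd field) from a `dig +short SOA` answer line.
soa_serial() {
  echo "$1" | awk '{print $3}'
}

# Query both servers for the zone SOA, compare serials, and probe the primary API.
check_replication() {
  primary_host="$1"; secondary_host="$2"; zone="$3"
  p=$(soa_serial "$(dig +short SOA "$zone" @"$primary_host")")
  s=$(soa_serial "$(dig +short SOA "$zone" @"$secondary_host")")
  [ -n "$p" ] || { echo "no SOA from primary $primary_host" >&2; return 1; }
  [ -n "$s" ] || { echo "no SOA from secondary $secondary_host" >&2; return 1; }
  status=$(serial_status "$p" "$s")
  echo "zone=$zone primary_serial=$p secondary_serial=$s status=$status"
  # Only the primary exposes the API to automation; the secondary stays read-only.
  curl -fsS -H "X-API-Key: ${POWERDNS_API_KEY}" \
    "http://${primary_host}:8081/api/v1/servers/localhost" >/dev/null \
    && echo "primary API reachable"
  [ "$status" = "in-sync" ]
}

# Usage: sh check-powerdns.sh <primary-ip> <secondary-ip> dev.hyops.internal
if [ "$#" -ge 3 ]; then
  check_replication "$1" "$2" "$3"
fi
```

A non-zero exit means the secondary is out of step or the primary API is unreachable; re-run after the next zone transfer before handing the name over to dns-routing.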

Notes

  • This first implementation uses Docker Compose + SQLite for low cost and low operational overhead.
  • The module reuses the shared Docker Compose lifecycle role instead of carrying a one-off service wrapper.
  • It is intentionally separate from NetBox.
  • It should consume a dedicated shared control-plane host via state, not the WAN edge appliances directly.
  • It is intended to back platform/network/dns-routing with provider: powerdns-api.
  • The module publishes a reusable authority contract so other modules and blueprints can consume state by default.

References