Blueprint Index

Operator entry point: copy a blueprint with hyops blueprint init --env <env> --ref <blueprint_ref>, then run the env-local file with hyops blueprint deploy --env <env> --file <runtime-blueprint>.yml --execute

Normative references

• Run records and redaction
• Runtime root and packaging
• Naming and path conventions

---

Blueprints

26 blueprints sourced from hybridops-core/blueprints/.

Blueprint	Title	Steps	Runbook	Source
dr/postgresql-cloudsql-failback-onprem@v1	PostgreSQL Managed DR Failback to On-Prem	3	Runbook	blueprint.yml
dr/postgresql-cloudsql-promote-gcp@v1	PostgreSQL Managed DR Promote in GCP (Cloud SQL)	4	Runbook	blueprint.yml
dr/postgresql-cloudsql-standby-gcp@v1	PostgreSQL Managed DR Standby in GCP (Cloud SQL)	3	Runbook	blueprint.yml
dr/postgresql-ha-backup-gcp@v1	PostgreSQL HA Backup to GCP (GCS Object Repo)	2	Runbook	blueprint.yml
dr/postgresql-ha-failback-onprem@v1	PostgreSQL HA DR Failback to On-Prem (pgBackRest restore)	6	Runbook	blueprint.yml
dr/postgresql-ha-failover-gcp@v1	PostgreSQL HA DR Failover to GCP (pgBackRest restore)	6	Runbook	blueprint.yml
gcp/eve-ng@v1	GCP EVE-NG Lab Host	3	Runbook	blueprint.yml
gcp/gke-burst@v1	GCP GKE Burst Cluster	4	Runbook	blueprint.yml
gcp/linux-desktop@v1	GCP Linux Desktop (XFCE + XRDP)	3	Runbook	blueprint.yml
gcp/windows-desktop@v1	GCP Windows Desktop	2	Runbook	blueprint.yml
networking/edge-control-plane@v1	Edge Control Plane (VyOS WAN + Observability + Decisions)	16	Runbook	blueprint.yml
networking/gcp-ops-runner@v1	GCP Ops Runner	3	Runbook	blueprint.yml
networking/hetzner-vyos-edge@v1	Provision Hetzner VyOS Edge	4	Runbook	blueprint.yml
networking/onprem-ops-runner@v1	On-Prem Ops Runner	3	Runbook	blueprint.yml
networking/onprem-site-extension@v1	On-Prem Site Extension	2	Runbook	blueprint.yml
networking/onprem-vyos-edge@v1	On-Prem VyOS Edge	2	Runbook	blueprint.yml
networking/powerdns-onprem-secondary@v1	PowerDNS On-Prem Secondary	1	Runbook	blueprint.yml
networking/powerdns-shared-primary@v1	PowerDNS Shared Primary	1	Runbook	blueprint.yml
networking/wan-hub-edge@v1	WAN Hub to Edge (GCP + Hetzner VyOS)	6	Runbook	blueprint.yml
onprem/authoritative-foundation@v1	On-Prem Authoritative Foundation	5	Runbook	blueprint.yml
onprem/bootstrap-netbox@v1	On-Prem Bootstrap: SDN + NetBox	5	Runbook	blueprint.yml
onprem/eve-ng@v1	On-Prem EVE-NG Platform Stack	4	Runbook	blueprint.yml
onprem/netbox-ha-cutover@v1	On-Prem NetBox DB Cutover to PostgreSQL HA	1	Runbook	blueprint.yml
onprem/postgresql-ha@v1	On-Prem PostgreSQL HA (Patroni + etcd)	3	Runbook	blueprint.yml
onprem/rke2-workloads@v1	On-Prem RKE2 + Workloads Bootstrap	5	Runbook	blueprint.yml
onprem/rke2@v1	On-Prem RKE2 Cluster	3	Runbook	blueprint.yml

---

Blueprint details

DR

dr/postgresql-cloudsql-failback-onprem@v1

Details

Description Require explicit acknowledgement that the managed cloud primary has been fenced and the on-prem PostgreSQL HA lane has been rebuilt or reseeded, then cut the stable PostgreSQL service endpoint back on-prem.

Outcome Application traffic is redirected back to the on-prem PostgreSQL HA endpoint after a controlled managed-cloud DR event.

Steps

1. failback_gate → core/shared/manual-gate deploy
2. postgresql_dns_cutback → platform/network/dns-routing deploy
3. postgresql_dns_status → platform/network/dns-routing deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

dr/postgresql-cloudsql-promote-gcp@v1

Details

Description Require explicit operator fencing and provider-native promotion acknowledgement, then cut the stable PostgreSQL service endpoint to the managed GCP standby.

Outcome Application traffic is redirected to the managed GCP PostgreSQL endpoint after an operator confirms promotion and source fencing.

Steps

1. managed_standby_status → org/gcp/cloudsql-external-replica deploy
2. promotion_gate → core/shared/manual-gate deploy
3. postgresql_dns_cutover → platform/network/dns-routing deploy
4. postgresql_dns_status → platform/network/dns-routing deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

dr/postgresql-cloudsql-standby-gcp@v1

Details

Description Assess the on-prem source contract and establish the managed Cloud SQL external replication lane without cutting application traffic.

Outcome A managed standby lane exists in GCP and publishes the same client-facing endpoint contract used by the self-managed PostgreSQL HA lane.

Steps

1. postgresql_source_contract → platform/onprem/postgresql-dr-source deploy
2. cloudsql_managed_standby → org/gcp/cloudsql-external-replica deploy
3. managed_standby_status → org/gcp/cloudsql-external-replica deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

dr/postgresql-ha-backup-gcp@v1

Details

Description Provision a GCS object repository and configure pgBackRest backups for an existing on-prem PostgreSQL HA cluster by consuming module state contracts rather than duplicating bucket or host IP details.

Outcome The on-prem PostgreSQL HA cluster is wired to a GCS-backed pgBackRest repository and publishes backup readiness outputs.

Steps

1. gcp_backup_repo → org/gcp/object-repo deploy
2. postgresql_ha_backup → platform/postgresql-ha-backup deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

dr/postgresql-ha-failback-onprem@v1

Details

Description Rebuild an on-prem Patroni + etcd PostgreSQL HA cluster on a shared SDN foundation and restore from a pgBackRest repository. This blueprint is intended for controlled failback after a cloud failover.

Outcome On-prem PostgreSQL HA is restored from backups and publishes standard DB connection outputs.

Steps

1. template_image_rocky9 → core/onprem/template-image deploy
2. postgres_ha_vms → platform/onprem/platform-vm deploy
3. postgresql_restore → platform/postgresql-ha deploy
4. postgresql_backup_config → platform/postgresql-ha-backup deploy
5. postgresql_dns_cutover → platform/network/dns-routing deploy
6. postgresql_dns_status → platform/network/dns-routing deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

dr/postgresql-ha-failover-gcp@v1

Details

Description Provision GCP VMs, then restore a Patroni + etcd PostgreSQL cluster from pgBackRest (S3/GCS) backups. This blueprint does not modify the on-prem primary cluster; it assumes DR conditions and requires explicit restore confirmation.

Outcome A new PostgreSQL primary is restored in GCP and publishes standard DB connection outputs.

Steps

1. gcp_pg_egress → org/gcp/wan-cloud-nat deploy
2. gcp_pg_vms → platform/gcp/platform-vm deploy
3. postgresql_restore → platform/postgresql-ha deploy
4. postgresql_backup_config → platform/postgresql-ha-backup deploy
5. postgresql_dns_cutover → platform/network/dns-routing deploy
6. postgresql_dns_status → platform/network/dns-routing deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

GCP

gcp/eve-ng@v1

Details

Description Provision a single nested-virtualization-capable GCP VM and configure EVE-NG over IAP.

Outcome A private EVE-NG host exists in GCP and is configured for governed lab use.

Steps

1. gcp_eve_ng_vm → platform/gcp/platform-vm deploy
2. gcp_eve_ng_config → platform/linux/eve-ng deploy
3. gcp_eve_ng_healthcheck → platform/linux/eve-ng-healthcheck deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

gcp/gke-burst@v1

Details

Description Creates a governed GKE burst cluster on the shared hub network, fetches kubeconfig, then bootstraps Argo CD against the public burst workloads target.

Outcome A burst-ready GKE cluster is available, rooted on the public workloads baseline under clusters/burst.

Steps

1. gke_burst_cluster → platform/gcp/gke-cluster deploy
2. gke_burst_kubeconfig → platform/gcp/gke-kubeconfig deploy
3. gitops_workloads → platform/k8s/argocd-bootstrap deploy
4. gke_burst_secret_store → platform/k8s/gcp-secret-store deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

gcp/linux-desktop@v1

Details

Description Provision an Ubuntu 22.04 GCP VM with a public IP, open RDP and SSH, and configure XFCE4 + XRDP for remote desktop access.

Outcome An Ubuntu VM is running in GCP with XFCE4 and XRDP installed. Connect via any RDP client on port 3389.

Steps

1. gcp_linux_desktop_firewall → platform/gcp/vm-firewall-rules deploy
2. gcp_linux_desktop_vm → platform/gcp/platform-vm deploy
3. gcp_linux_desktop_config → platform/linux/desktop-xrdp deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

gcp/windows-desktop@v1

Details

Description Provision a Windows Server GCP VM with a public IP and RDP access scoped to allowed source ranges.

Outcome A Windows Server VM is running in GCP with a public IP. RDP is open only to the specified source ranges via a dedicated firewall rule.

Steps

1. gcp_windows_vm → platform/gcp/platform-vm deploy
2. gcp_windows_firewall → platform/gcp/vm-firewall-rules deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

Networking

networking/edge-control-plane@v1

Details

Description Provision edge WAN foundations, configure edge routing, bootstrap observability, and deploy decision control loop.

Outcome Edge control plane is ready for deterministic DR/burst signaling.

Steps

1. vyos_artifact_build → core/shared/vyos-image-build deploy
2. vyos_image → core/hetzner/vyos-image-seed deploy
3. hetzner_shared_network → org/hetzner/shared-private-network deploy
4. hetzner_edge_foundation → org/hetzner/vyos-edge-foundation deploy
5. gcp_wan_hub_network → org/gcp/wan-hub-network deploy
6. gcp_wan_cloud_router → org/gcp/wan-cloud-router deploy
7. gcp_wan_vpn_to_edge → org/gcp/wan-vpn-to-edge deploy
8. shared_control_host → org/hetzner/shared-control-host deploy
9. edge_control_runner → platform/linux/ops-runner deploy
10. vyos_edge_day2 → platform/network/vyos-edge-wan deploy
11. edge_observability → platform/network/edge-observability deploy
12. dns_routing_intent → platform/network/dns-routing deploy
13. decision_service → platform/network/decision-service deploy
14. decision_dispatcher → platform/network/decision-dispatcher deploy
15. decision_consumer → platform/network/decision-consumer deploy
16. decision_executor → platform/network/decision-executor deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/gcp-ops-runner@v1

Details

Description Provision a private GCP runner VM in the hub core subnet for runner-local DR and burst execution.

Outcome A shared execution host exists inside the GCP hub VPC and can be used by CI or decision-driven DR workflows.

Steps

1. gcp_ops_runner_egress → org/gcp/wan-cloud-nat deploy
2. gcp_ops_runner_vm → platform/gcp/platform-vm deploy
3. gcp_ops_runner_bootstrap → platform/linux/ops-runner deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/hetzner-vyos-edge@v1

Details

Description Seed or discover a Hetzner VyOS image and provision the routed Hetzner edge pair as the default WAN edge path.

Outcome A VyOS-based Hetzner routed edge pair is available for future IPsec/BGP integration.

Steps

1. vyos_artifact_build → core/shared/vyos-image-build deploy
2. vyos_image → core/hetzner/vyos-image-seed deploy
3. hetzner_shared_network → org/hetzner/shared-private-network deploy
4. hetzner_vyos_edge → org/hetzner/vyos-edge-foundation deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/onprem-ops-runner@v1

Details

Description Provision and bootstrap an on-prem runner VM for runner-local failback and steady-state platform operations.

Outcome A shared execution host exists on the on-prem management network and can be used for failback or local platform workflows.

Steps

1. template_image_ubuntu_22_04 → core/onprem/template-image deploy
2. onprem_ops_runner_vm → platform/onprem/platform-vm deploy
3. onprem_ops_runner_bootstrap → platform/linux/ops-runner deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/onprem-site-extension@v1

Details

Description Extend the static Hetzner Site-A edge pair back into the on-prem VyOS edge using a dual-tunnel site-extension layer.

Outcome The on-prem VyOS edge exchanges approved prefixes with the Hetzner edge pair inside Site-A ASN 65010.

Steps

1. site_extension_edge → platform/network/vyos-site-extension-edge deploy
2. site_extension_onprem → platform/network/vyos-site-extension-onprem deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/onprem-vyos-edge@v1

Details

Description Seed or discover a Proxmox VyOS template and provision a VyOS edge VM on Proxmox using the shared VM lifecycle.

Outcome A VyOS edge appliance is provisioned on Proxmox with state-first template resolution and env-prefixed VM naming.

Steps

1. vyos_template → core/onprem/vyos-template-seed deploy
2. vyos_edge_vm → platform/onprem/vyos-edge deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/powerdns-onprem-secondary@v1

Details

Description Provision an on-prem read-only internal DNS secondary on the shared on-prem runner host.

Outcome An on-prem PowerDNS secondary serves replicated hyops.internal data for local resolution resilience.

Steps

1. powerdns_secondary → platform/network/powerdns-authority deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/powerdns-shared-primary@v1

Details

Description Deploy the writable internal DNS authority on the existing Hetzner shared control host.

Outcome PowerDNS primary serves hyops.internal from the existing shared control host and exposes the API for DNS cutover automation.

Steps

1. powerdns_primary → platform/network/powerdns-authority deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

networking/wan-hub-edge@v1

Details

Description Provision Hetzner VyOS edge peers, GCP hub networking, and HA VPN/BGP between the cloud hub and routed edge.

Outcome Deterministic BGP/IPsec control plane between GCP Cloud Router and Hetzner VyOS edge peers.

Steps

1. vyos_artifact_build → core/shared/vyos-image-build deploy
2. vyos_image → core/hetzner/vyos-image-seed deploy
3. hetzner_edge_foundation → org/hetzner/vyos-edge-foundation deploy
4. gcp_wan_hub_network → org/gcp/wan-hub-network deploy
5. gcp_wan_cloud_router → org/gcp/wan-cloud-router deploy
6. gcp_wan_vpn_to_edge → org/gcp/wan-vpn-to-edge deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

On-Prem

onprem/authoritative-foundation@v1

Details

Description Day-1+ chain where NetBox state gates IPAM-driven platform VM expansion. Non-foundation steps are optional until inputs are finalized.

Outcome Subsequent platform services provision from authoritative NetBox-backed intent.

Steps

1. network_sdn → core/onprem/network-sdn deploy
2. netbox_foundation → platform/onprem/netbox deploy
3. control_plane_vm → platform/onprem/platform-vm deploy
4. postgres_core_vm → platform/onprem/postgresql-core deploy
5. custom_platform_vm → platform/onprem/platform-vm deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

onprem/bootstrap-netbox@v1

Details

Description Bootstrap SDN, build a base template image, provision pgcore/netbox VMs, then configure PostgreSQL and NetBox.

Outcome NetBox is online and ready to become authoritative IPAM/inventory.

Steps

1. network_sdn → core/onprem/network-sdn deploy
2. template_image_ubuntu → core/onprem/template-image deploy
3. platform_vms → platform/onprem/platform-vm deploy
4. pgcore → platform/onprem/postgresql-core deploy
5. netbox → platform/onprem/netbox deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

onprem/eve-ng@v1

Details

Description Consume shared SDN/NetBox authority, build a Jammy template image (if needed), provision the EVE-NG VM, then configure EVE-NG.

Outcome EVE-NG is installed and reachable.

Steps

1. template_image_jammy → core/onprem/template-image deploy
2. eve_ng_vm → platform/onprem/platform-vm deploy
3. eve_ng_config → platform/linux/eve-ng deploy
4. eve_ng_healthcheck → platform/linux/eve-ng-healthcheck deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

onprem/netbox-ha-cutover@v1

Details

Description Re-apply NetBox so it consumes the PostgreSQL HA DB contract from state.

Outcome NetBox uses platform/postgresql-ha outputs (apps.netbox.db_*) instead of bootstrap pgcore.

Steps

1. netbox_cutover → platform/onprem/netbox deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

onprem/postgresql-ha@v1

Details

Description Consume shared SDN/NetBox authority, ensure a Rocky 9 template exists, provision Postgres nodes, then deploy Patroni + etcd. Cloud DR replica is out-of-scope for this blueprint.

Outcome HA PostgreSQL cluster is deployed and publishes connection outputs for downstream services.

Steps

1. template_image_rocky9 → core/onprem/template-image deploy
2. postgres_ha_vms → platform/onprem/platform-vm deploy
3. postgresql_ha → platform/postgresql-ha deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

onprem/rke2-workloads@v1

Details

Description Consume shared SDN/NetBox authority, build template image, provision RKE2 VMs, install RKE2, then bootstrap Argo CD root workloads app.

Outcome RKE2 is ready, Argo CD root application points to the workloads repo, and the GSM service account secret is provisioned for External Secrets Operator.

Steps

1. template_image_rocky9 → core/onprem/template-image deploy
2. rke2_vms → platform/onprem/platform-vm deploy
3. rke2_cluster → platform/onprem/rke2-cluster deploy
4. gitops_workloads → platform/k8s/argocd-bootstrap deploy
5. gsm_bootstrap → platform/k8s/gsm-bootstrap deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---

onprem/rke2@v1

Details

Description Consume shared SDN/NetBox authority, build a base template image, provision RKE2 VMs, then install RKE2.

Outcome RKE2 is installed and kubeconfig is exported for operators.

Steps

1. template_image_rocky9 → core/onprem/template-image deploy
2. rke2_vms → platform/onprem/platform-vm deploy
3. rke2_cluster → platform/onprem/rke2-cluster deploy

Runbook: View runbook

Source: blueprint.yml on GitHub

---