Module Index
Operator entry point: hyops apply --module <module_ref> [--inputs <file>.yml]
Normative references
- hyops init contract
- Run records and redaction
- Runtime root and packaging
- Naming and path conventions
Modules
72 modules sourced from hybridops-core/modules/.
| Module | Title | Driver | Source |
|---|---|---|---|
| core/azure/nat-gateway | Azure NAT Gateway | iac/terragrunt | spec.yml |
| core/azure/resource-group | Azure Resource Group | iac/terragrunt | spec.yml |
| core/azure/vnet | Azure Virtual Network | iac/terragrunt | spec.yml |
| core/hetzner/vyos-image-register | Hetzner VyOS Image Registration | config/ansible | spec.yml |
| core/hetzner/vyos-image-seed | Hetzner VyOS Image Seed | config/ansible | spec.yml |
| core/onprem/network-sdn | Proxmox SDN Foundation | iac/terragrunt | spec.yml |
| core/onprem/template-image | Proxmox Template Image | images/packer | spec.yml |
| core/onprem/vyos-template-import | VyOS Template Registration | config/ansible | spec.yml |
| core/onprem/vyos-template-seed | VyOS Template Seed | config/ansible | spec.yml |
| core/shared/manual-gate | Shared Manual Gate | config/ansible | spec.yml |
| core/shared/vyos-image-artifact | VyOS Shared Artifact Registration | config/ansible | spec.yml |
| core/shared/vyos-image-build | VyOS Shared Image Build | config/ansible | spec.yml |
| examples/core/hello-world | Hello World | iac/terragrunt | spec.yml |
| org/aws/object-repo | AWS Object Repository (S3 Bucket + IAM User) | iac/terragrunt | spec.yml |
| org/aws/pgbackrest-repo | AWS pgBackRest Repository (S3 Bucket + IAM User) | iac/terragrunt | spec.yml |
| org/azure/object-repo | Azure Object Repository (Storage Account + Blob Container) | iac/terragrunt | spec.yml |
| org/azure/pgbackrest-repo | Azure pgBackRest Repository (Storage Account + Blob Container) | iac/terragrunt | spec.yml |
| org/gcp/cloudsql-external-replica | GCP Cloud SQL External Replica (Assessment) | config/ansible | spec.yml |
| org/gcp/cloudsql-postgresql | GCP Cloud SQL PostgreSQL | iac/terragrunt | spec.yml |
| org/gcp/gsm-eso-sa | GCP ESO Service Account | iac/terragrunt | spec.yml |
| org/gcp/object-repo | GCP Object Repository (GCS Bucket + Service Account) | iac/terragrunt | spec.yml |
| org/gcp/pgbackrest-repo | GCP pgBackRest Repository (GCS Bucket + Service Account) | iac/terragrunt | spec.yml |
| org/gcp/project-factory | GCP Project Factory | iac/terragrunt | spec.yml |
| org/gcp/wan-cloud-nat | GCP WAN Cloud NAT | iac/terragrunt | spec.yml |
| org/gcp/wan-cloud-router | GCP WAN Cloud Router | iac/terragrunt | spec.yml |
| org/gcp/wan-hub-network | GCP WAN Hub Network | iac/terragrunt | spec.yml |
| org/gcp/wan-vpn-to-edge | GCP WAN HA VPN to Edge | iac/terragrunt | spec.yml |
| org/hetzner/shared-control-host | Hetzner Shared Control Host | iac/terragrunt | spec.yml |
| org/hetzner/shared-private-network | Hetzner Shared Private Network | iac/terragrunt | spec.yml |
| org/hetzner/vyos-edge-foundation | Hetzner VyOS Edge Foundation | iac/terragrunt | spec.yml |
| org/hetzner/wan-edge-foundation | Hetzner WAN Edge Foundation | iac/terragrunt | spec.yml |
| platform/azure/container-registry | Azure Container Registry | iac/terragrunt | spec.yml |
| platform/gcp/gke-cluster | GKE Cluster | iac/terragrunt | spec.yml |
| platform/gcp/gke-kubeconfig | GKE Kubeconfig | config/ansible | spec.yml |
| platform/gcp/platform-vm | GCP Platform VM (Generic) | iac/terragrunt | spec.yml |
| platform/gcp/vm-firewall-rules | GCP VM Firewall Rules | iac/terragrunt | spec.yml |
| platform/k8s/argocd-bootstrap | Argo CD Bootstrap (Kubernetes) | config/ansible | spec.yml |
| platform/k8s/gcp-secret-store | GCP Secret Store (Kubernetes) | config/ansible | spec.yml |
| platform/k8s/gsm-bootstrap | GCP Secret Manager Bootstrap (Kubernetes) | config/ansible | spec.yml |
| platform/k8s/kube-dns-stub-domain | Kube DNS Stub Domain | config/ansible | spec.yml |
| platform/k8s/longhorn-dr-volume | Longhorn DR Volume (Kubernetes) | config/ansible | spec.yml |
| platform/k8s/runtime-bundle-secret | Runtime Bundle Secret (Kubernetes) | config/ansible | spec.yml |
| platform/linux/desktop-xrdp | Linux Desktop (XFCE + XRDP) | config/ansible | spec.yml |
| platform/linux/eve-ng | Linux EVE-NG Service | config/ansible | spec.yml |
| platform/linux/eve-ng-healthcheck | Linux EVE-NG Healthcheck | config/ansible | spec.yml |
| platform/linux/eve-ng-images | Linux EVE-NG Images | config/ansible | spec.yml |
| platform/linux/eve-ng-labs | Linux EVE-NG Labs | config/ansible | spec.yml |
| platform/linux/ops-runner | Linux Ops Runner Bootstrap | config/ansible | spec.yml |
| platform/network/cloudflare-traffic-steering | Cloudflare Traffic Steering | config/ansible | spec.yml |
| platform/network/decision-consumer | Edge Decision Consumer | config/ansible | spec.yml |
| platform/network/decision-dispatcher | Edge Decision Dispatcher | config/ansible | spec.yml |
| platform/network/decision-executor | Edge Decision Executor | config/ansible | spec.yml |
| platform/network/decision-service | Edge Decision Service | config/ansible | spec.yml |
| platform/network/dns-routing | DNS Routing Control | config/ansible | spec.yml |
| platform/network/edge-observability | Edge Observability Services | config/ansible | spec.yml |
| platform/network/powerdns-authority | PowerDNS Internal Authority | config/ansible | spec.yml |
| platform/network/vyos-edge-wan | VyOS Edge WAN Day-2 | config/ansible | spec.yml |
| platform/network/vyos-site-extension-edge | VyOS Site Extension (Hetzner Edge Side) | config/ansible | spec.yml |
| platform/network/vyos-site-extension-onprem | VyOS Site Extension (On-Prem Side) | config/ansible | spec.yml |
| platform/onprem/argocd-bootstrap | Argo CD Bootstrap (On-Prem RKE2) | config/ansible | spec.yml |
| platform/onprem/eve-ng | EVE-NG Service (On-Prem Linux) | config/ansible | spec.yml |
| platform/onprem/netbox | NetBox Service (On-Prem Linux) | config/ansible | spec.yml |
| platform/onprem/netbox-db-migrate | NetBox DB Migration to PostgreSQL HA (On-Prem) | config/ansible | spec.yml |
| platform/onprem/platform-vm | Proxmox Platform VM (Generic) | iac/terragrunt | spec.yml |
| platform/onprem/postgresql-core | PostgreSQL Core Service (On-Prem Linux) | config/ansible | spec.yml |
| platform/onprem/postgresql-dr-source | PostgreSQL DR Source (On-Prem) | config/ansible | spec.yml |
| platform/onprem/postgresql-ha | PostgreSQL HA (Patroni + etcd) | config/ansible | spec.yml |
| platform/onprem/postgresql-ha-backup | PostgreSQL HA Backup (pgBackRest) | config/ansible | spec.yml |
| platform/onprem/rke2-cluster | RKE2 Cluster (On-Prem Linux) | config/ansible | spec.yml |
| platform/onprem/vyos-edge | VyOS Edge Appliance | iac/terragrunt | spec.yml |
| platform/postgresql-ha | PostgreSQL HA (Patroni + etcd) | config/ansible | spec.yml |
| platform/postgresql-ha-backup | PostgreSQL HA Backup (pgBackRest) | config/ansible | spec.yml |
Module details
Core
core/azure/nat-gateway
Description Creates or converges an Azure NAT gateway and public IP via the Terragrunt Azure foundation pack.
Driver: iac/terragrunt · Profile: azure@v1.0 · Pack: azure/core/00-foundation-global/30-nat-gateway@v1.0
Published outputs: nat_gateway_id, nat_gateway_name, public_ip_id, public_ip_address
Source: spec.yml on GitHub
core/azure/resource-group
Description Creates or converges an Azure resource group via the Terragrunt Azure foundation pack.
Driver: iac/terragrunt · Profile: azure@v1.0 · Pack: azure/core/00-foundation-global/10-resource-group@v1.0
Published outputs: resource_group_id, resource_group_name, location
Source: spec.yml on GitHub
core/azure/vnet
Description Creates or converges an Azure virtual network via the Terragrunt Azure foundation pack.
Driver: iac/terragrunt · Profile: azure@v1.0 · Pack: azure/core/00-foundation-global/20-vnet@v1.0
Published outputs: vnet_id, vnet_name, resource_group_name, location
Source: spec.yml on GitHub
core/hetzner/vyos-image-register
Description Register a pre-imported Hetzner custom image or snapshot reference for downstream VyOS edge modules.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: hetzner/common/platform/22-vyos-image-register@v1.0
Published outputs: image_key, image_ref, image_version, image_source_url, images
Source: spec.yml on GitHub
core/hetzner/vyos-image-seed
Description Seed a Hetzner custom VyOS image when missing, then publish its image contract for downstream edge blueprints.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: hetzner/common/platform/21-vyos-image-seed@v1.0
Published outputs: image_key, image_ref, image_name, image_description, image_version, image_source_url, image_seeded, images
Source: spec.yml on GitHub
core/onprem/network-sdn
Description Creates or converges Proxmox SDN zone and VNet/subnet topology.
Driver: iac/terragrunt · Profile: onprem-proxmox@v1.0 · Pack: onprem/proxmox/core/00-foundation/10-network-sdn@v1.0
Published outputs: zone_name, vnets, subnets
Source: spec.yml on GitHub
core/onprem/template-image
Description Builds a Proxmox VM template image with Packer and publishes template IDs for downstream VM modules.
Driver: images/packer · Profile: onprem-proxmox@v1.0 · Pack: onprem/proxmox/images/00-template-image@v1.0
Published outputs: template_key, template_vm_id, template_name, template_vm_ids, templates
Source: spec.yml on GitHub
core/onprem/vyos-template-import
Description Register a pre-imported official VyOS Proxmox template into HyOps state for downstream VyOS edge modules.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/12-vyos-template-import@v1.0
Published outputs: template_key, template_vm_id, template_name, template_image_version, template_source_url, templates
Source: spec.yml on GitHub
core/onprem/vyos-template-seed
Description Seed or discover a Proxmox VyOS template, then publish its template contract into HyOps state for downstream VyOS edge modules.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/11-vyos-template-seed@v1.0
Published outputs: template_key, template_vm_id, template_name, template_image_version, template_source_url, template_seeded, templates
Source: spec.yml on GitHub
core/shared/manual-gate
Description Require explicit operator acknowledgement and declared safety assertions before a control-plane action proceeds.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/12-manual-gate@v1.0
Published outputs: gate.name, gate.message, gate.confirmed, gate.assertions, gate.evidence_notes, cap.control.manual_gate
Source: spec.yml on GitHub
core/shared/vyos-image-artifact
Description Publish one canonical VyOS disk artifact contract into HyOps state so Proxmox and Hetzner seed modules can consume it state-first.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/13-vyos-image-artifact@v1.0
Published outputs: artifact_key, artifact_url, artifact_format, artifact_version, artifact_sha256, source_iso_url, artifacts
Source: spec.yml on GitHub
core/shared/vyos-image-build
Description Build a pinned VyOS disk artifact locally, optionally publish it, and publish the same shared artifact contract consumed by Proxmox and Hetzner seed modules.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/14-vyos-image-build@v1.0
Published outputs: artifact_key, artifact_url, artifact_format, artifact_version, artifact_sha256, source_iso_url, artifact_local_path, artifacts
Source: spec.yml on GitHub
Examples
examples/core/hello-world
Description Minimal module to validate apply flow end-to-end.
Driver: iac/terragrunt · Profile: local@v1.0 · Pack: hello-world
Source: spec.yml on GitHub
Org
org/aws/object-repo
Description Provisions a reusable S3 object repository and dedicated IAM user for platform artifacts/backups. Does not create access keys.
Driver: iac/terragrunt · Profile: aws@v1.0 · Pack: aws/org/10-pgbackrest-repo@v1.0
Published outputs: repo_backend, repo_provider, repo_bucket_name, repo_region, repo_principal_type, repo_principal_name, repo_credential_create_hint, bucket_name, aws_region, iam_user_name, access_key_hint
Source: spec.yml on GitHub
org/aws/pgbackrest-repo
Description Provisions an S3 bucket and a dedicated IAM user for pgBackRest backups. Specialized wrapper over org/aws/object-repo defaults.
Driver: iac/terragrunt · Profile: aws@v1.0 · Pack: aws/org/10-pgbackrest-repo@v1.0
Published outputs: repo_backend, repo_provider, repo_bucket_name, repo_region, repo_principal_type, repo_principal_name, repo_credential_create_hint, bucket_name, aws_region, iam_user_name, access_key_hint
Source: spec.yml on GitHub
org/azure/object-repo
Description Provisions a reusable Azure Storage Account + private Blob container for platform artifacts/backups. Does not create or persist account keys.
Driver: iac/terragrunt · Profile: azure@v1.0 · Pack: azure/org/10-pgbackrest-repo@v1.0
Published outputs: repo_backend, repo_provider, repo_bucket_name, repo_region, repo_principal_type, repo_principal_name, repo_credential_create_hint, resource_group_name, storage_account_name, container_name, account_key_hint
Source: spec.yml on GitHub
org/azure/pgbackrest-repo
Description Provisions an Azure Storage Account and private Blob container for pgBackRest backups. Specialized wrapper over org/azure/object-repo defaults.
Driver: iac/terragrunt · Profile: azure@v1.0 · Pack: azure/org/10-pgbackrest-repo@v1.0
Published outputs: repo_backend, repo_provider, repo_bucket_name, repo_region, repo_principal_type, repo_principal_name, repo_credential_create_hint, resource_group_name, storage_account_name, container_name, account_key_hint
Source: spec.yml on GitHub
org/gcp/cloudsql-external-replica
Description Assess readiness for a managed Cloud SQL PostgreSQL replication lane using an on-prem DR source contract and an existing Cloud SQL target.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: gcp/org/12-cloudsql-external-replica@v1.0
Published outputs: target_project_id, target_region, target_instance_name, target_db_host, target_db_port, target_connection_name, endpoint_dns_name, endpoint_target, endpoint_target_type, endpoint_host, endpoint_port, endpoint_cutover_required, source_host, source_port, source_leader_name, source_replication_candidate, source_connection_profile_name, destination_connection_profile_name, migration_job_name, migration_job_state, managed_replication_ready_for_cutover, connectivity_mode, managed_replication_mode, managed_replication_prereqs_ready, managed_replication_established, cap.db.managed_external_replica
Source: spec.yml on GitHub
org/gcp/cloudsql-postgresql
Description Provision a managed PostgreSQL instance in GCP Cloud SQL with private networking and normalized endpoint outputs.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/11-cloudsql-postgresql@v1.0
Published outputs: project_id, region, instance_name, connection_name, private_ip_address, public_ip_address, availability_type, database_version, db_provider, db_engine, db_host, db_port, cap_db_managed_postgresql
Source: spec.yml on GitHub
org/gcp/gsm-eso-sa
Description
Provisions the GCP service account used by External Secrets Operator to authenticate against GCP Secret Manager from the on-prem RKE2 cluster.

Terraform scope: creates the service account and binds roles/secretmanager.secretAccessor. Does not manage org policy or SA keys — those are operator-level concerns handled outside this module.

Prerequisites (applied by hyops init gcp --with-cli-login before this module):
- constraints/iam.disableServiceAccountKeyCreation is not enforced at project scope
- Terraform SA holds roles/editor, roles/resourcemanager.projectIamAdmin, and roles/secretmanager.admin on the project

Post-apply steps:
1. hyops init gcp --force --with-eso-sa — generates an SA key and writes it to the bootstrap vault as HYOPS_GSM_SA_KEY_JSON
2. hyops apply platform/k8s/gsm-bootstrap — provisions the gsm-sa-credentials Kubernetes secret consumed by the ESO ClusterSecretStore

Placement in the bootstrap sequence: after org/gcp/project-factory, before platform/k8s/gsm-bootstrap.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/01-gsm-eso-sa@v1.0
Published outputs: eso_sa_email
Source: spec.yml on GitHub
org/gcp/object-repo
Description Provisions a reusable GCS object repository and dedicated service account for platform artifacts/backups. Does not create service account keys.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/10-pgbackrest-repo@v1.0
Published outputs: repo_backend, repo_provider, repo_bucket_name, repo_region, repo_principal_type, repo_principal_name, repo_credential_create_hint, bucket_name, service_account_email, gcloud_sa_key_hint
Source: spec.yml on GitHub
org/gcp/pgbackrest-repo
Description Provisions a GCS bucket and dedicated service account for pgBackRest backups. Specialized wrapper over org/gcp/object-repo defaults.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/10-pgbackrest-repo@v1.0
Published outputs: repo_backend, repo_provider, repo_bucket_name, repo_region, repo_principal_type, repo_principal_name, repo_credential_create_hint, bucket_name, service_account_email, gcloud_sa_key_hint
Source: spec.yml on GitHub
org/gcp/project-factory
Description Creates or converges a GCP project via Terragrunt project-factory pack.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/00-project-factory@v1.0
Published outputs: project_id, project_number, service_account_email
Source: spec.yml on GitHub
org/gcp/wan-cloud-nat
Description Provision Cloud NAT for explicit private-subnet egress in the GCP hub VPC.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/23-wan-cloud-nat@v1.0
Published outputs: project_id, region, network_self_link, router_name, nat_name, nat_self_link, subnetwork_self_links
Source: spec.yml on GitHub
org/gcp/wan-cloud-router
Description Provision Cloud Router for WAN BGP control plane in the hub VPC.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/21-wan-cloud-router@v1.0
Published outputs: project_id, region, network_self_link, router_name, router_self_link, bgp_asn
Source: spec.yml on GitHub
org/gcp/wan-hub-network
Description Provision the WAN hub VPC baseline in GCP (network, subnets, firewall baseline).
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/20-wan-hub-network@v1.0
Published outputs: project_id, region, network_name, network_self_link, subnet_core_name, subnet_core_self_link, subnet_core_cidr, subnet_workloads_name, subnet_workloads_self_link, subnet_workloads_cidr, subnet_workloads_pods_secondary_range_name, subnet_workloads_pods_secondary_range_cidr, subnet_workloads_services_secondary_range_name, subnet_workloads_services_secondary_range_cidr
Source: spec.yml on GitHub
org/gcp/wan-vpn-to-edge
Description Provision HA VPN + BGP peers from GCP hub to external WAN edge peers (e.g. Hetzner edge nodes).
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/org/22-wan-vpn-to-edge@v1.0
Published outputs: project_id, network_self_link, ha_vpn_gateway_self_link, ha_vpn_gateway_ip_a, ha_vpn_gateway_ip_b, peer_ip_a, peer_ip_b, router_name, tunnel_a_name, tunnel_b_name, bgp_a_gcp_ip, bgp_a_peer_ip, bgp_b_gcp_ip, bgp_b_peer_ip
Source: spec.yml on GitHub
org/hetzner/shared-control-host
Description Provision a dedicated shared control-plane VM on the existing Hetzner WAN private network for services such as PowerDNS, decision service, and shared runners.
Driver: iac/terragrunt · Profile: hetzner@v1.0 · Pack: hetzner/org/21-shared-control-host@v1.0
Published outputs: host_name, vm_id, vm_keys, vm_names, public_ipv4, private_ipv4, private_network_id, private_network_cidr, vms, ipv4_configured_primary, ipv4_addresses_all, tags
Source: spec.yml on GitHub
org/hetzner/shared-private-network
Description Provision a reusable Hetzner private network and subnet for routed edge nodes and shared control-plane hosts.
Driver: iac/terragrunt · Profile: hetzner@v1.0 · Pack: hetzner/org/19-shared-private-network@v1.0
Published outputs: private_network_name, private_network_id, private_network_cidr
Source: spec.yml on GitHub
org/hetzner/vyos-edge-foundation
Description Provision two VyOS routed edge nodes, optionally on a shared private network, with firewall policy and floating IPv4 on Hetzner.
Driver: iac/terragrunt · Profile: hetzner@v1.0 · Pack: hetzner/org/20-wan-edge-foundation@v1.0
Published outputs: edge01_name, edge02_name, edge01_id, edge02_id, edge01_public_ip, edge02_public_ip, edge01_private_ip, edge02_private_ip, floating_ipv4, floating_target, private_network_id, private_network_cidr, ipsec_source_cidrs, vms, ipv4_configured_primary, ipv4_addresses_all, image, image_key
Source: spec.yml on GitHub
org/hetzner/wan-edge-foundation
Description Provision two Linux edge nodes, private network, firewall policy, and floating IPv4 for WAN edge operations.
Driver: iac/terragrunt · Profile: hetzner@v1.0 · Pack: hetzner/org/20-wan-edge-foundation@v1.0
Published outputs: edge01_name, edge02_name, edge01_id, edge02_id, edge01_public_ip, edge02_public_ip, edge01_private_ip, edge02_private_ip, floating_ipv4, floating_target, private_network_id, private_network_cidr, vms, ipv4_configured_primary, ipv4_addresses_all
Source: spec.yml on GitHub
Platform
platform/azure/container-registry
Description Creates or converges Azure Container Registry via the Terragrunt shared-services pack.
Driver: iac/terragrunt · Profile: azure@v1.0 · Pack: azure/core/10-shared-services-global/10-container-registry@v1.0
Published outputs: registry_id, registry_name, login_server
Source: spec.yml on GitHub
platform/gcp/gke-cluster
Description Creates or converges a governed GKE cluster on the existing GCP hub network.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/platform/20-gke/00-gke-cluster@v1.0
Published outputs: project_id, region, location, cluster_name, endpoint, cluster_ca_certificate, network, subnetwork, node_pool_name, node_service_account_email, cap_k8s_gke
Source: spec.yml on GitHub
platform/gcp/gke-kubeconfig
Description Fetches kubeconfig for an existing GKE cluster into the HyOps runtime.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: gcp/platform/20-gke/01-gke-kubeconfig@v1.0
Published outputs: project_id, location, cluster_name, kubeconfig_path, cap_k8s_gke_kubeconfig
Source: spec.yml on GitHub
platform/gcp/platform-vm
Description Creates or converges one or more generic GCP Compute Engine VMs using Terragrunt. Does not configure the OS.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/platform/10-platform/00-platform-vm@v1.0
Published outputs: vms, vm_ids, vm_keys, vm_names, zones, ipv4_addresses, ipv4_addresses_all, tags
Source: spec.yml on GitHub
platform/gcp/vm-firewall-rules
Description Creates named ingress firewall rules for GCP compute instances. Intended for use alongside platform/gcp/platform-vm to add port-level access without modifying shared network infrastructure.
Driver: iac/terragrunt · Profile: gcp@v1.0 · Pack: gcp/platform/10-platform/10-vm-firewall-rules@v1.0
Published outputs: rule_names, rule_ids
Source: spec.yml on GitHub
platform/k8s/argocd-bootstrap
Description Bootstraps Argo CD on an existing Kubernetes cluster and applies a root workloads Application.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/55-argocd-bootstrap@v1.0
Published outputs: kubeconfig_path, argocd_namespace, root_app_name, root_app_namespace, root_app_project, workloads_repo_url, workloads_revision, workloads_target_path, repo_access_mode, repo_secret_name, cap.gitops.argocd
Source: spec.yml on GitHub
platform/k8s/gcp-secret-store
Description Bootstraps a GCP Secret Manager ClusterSecretStore on GKE using Workload Identity instead of a static service account key.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: gcp/platform/20-gke/02-gcp-secret-store@v1.0
Published outputs: secret_store_name, service_account_name, service_account_namespace, secret_project_id, cap.k8s.gcp-secret-store
Source: spec.yml on GitHub
platform/k8s/gsm-bootstrap
Description
Provisions the gsm-sa-credentials Kubernetes secret consumed by the ESO ClusterSecretStore to authenticate against GCP Secret Manager. The SA key JSON is sourced from HYOPS_GSM_SA_KEY_JSON in the bootstrap vault and is never written to the workloads repository. The bootstrap vault is decrypted by the Ansible driver and injected into the playbook environment; no credentials file is required at the module level.

Prerequisites:
- org/gcp/gsm-eso-sa applied (eso-gsm-reader service account exists)
- hyops init gcp --with-eso-sa completed (HYOPS_GSM_SA_KEY_JSON in vault)
- RKE2 cluster accessible via the resolved kubeconfig path
- External Secrets Operator installed in the target namespace

Placement in the bootstrap sequence: after platform/k8s/argocd-bootstrap, before platform/k8s/gcp-secret-store.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/60-gsm-bootstrap@v1.0
Published outputs: secret_name, eso_namespace, cap.k8s.gsm-bootstrap
Source: spec.yml on GitHub
platform/k8s/kube-dns-stub-domain
Description Configures kube-dns stubDomains for a Kubernetes cluster so selected DNS zones are forwarded to an authoritative resolver.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/58-kube-dns-stub-domain@v1.0
Published outputs: namespace, configmap_name, stub_domain, dns_server_ips, cap.k8s.kube_dns_stub_domain
Source: spec.yml on GitHub
platform/k8s/longhorn-dr-volume
Description Observes Longhorn backup state and manages Longhorn DR/restore volumes from backup URLs on an existing Kubernetes cluster.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/57-longhorn-dr-volume@v1.0
Published outputs: longhorn_namespace, operation_mode, backup_name, backup_url, backup_state, backup_created_at, backup_last_synced_at, backup_target_name, source_longhorn_volume_name, source_pvc_namespace, source_pvc_name, restore_volume_name, restore_volume_size, restore_volume_state, restore_volume_robustness, restore_condition_status, restore_volume_is_standby, restore_volume_restore_required, restore_volume_restore_initiated, restore_volume_ready, restore_volume_ready_reason, cap.k8s.longhorn_dr_volume
Source: spec.yml on GitHub
platform/k8s/runtime-bundle-secret
Description Syncs a local runtime bundle file into a Kubernetes Secret so private application payloads can be delivered without embedding that build logic in the public workloads repo.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/56-runtime-bundle-secret@v1.0
Published outputs: namespace, secret_name, bundle_key, bundle_sha256, restarted_targets, cap.k8s.runtime_bundle_secret
Source: spec.yml on GitHub
platform/linux/desktop-xrdp
Description Install XFCE4 and XRDP on an Ubuntu 22.04 host to enable RDP access. Sets the login password for the target user from the bootstrap vault.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/44-desktop-xrdp@v1.0
Published outputs: rdp_host, rdp_port, rdp_user
Source: spec.yml on GitHub
platform/linux/eve-ng
Description Install and configure EVE-NG on a single Ubuntu 22.04 Linux host reached directly, through a bastion, or through GCP IAP.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/40-eve-ng@v1.0
Published outputs: eveng_url, cap.lab.eveng
Source: spec.yml on GitHub
platform/linux/eve-ng-healthcheck
Description Run structured health checks against an existing EVE-NG host and publish a concise HyOps status result.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/43-eve-ng-healthcheck@v1.0
Published outputs: cap.lab.eveng.health, eveng_health_status, eveng_health_level
Source: spec.yml on GitHub
platform/linux/eve-ng-images
Description Load curated EVE-NG device images onto an existing EVE-NG host reached directly, through a bastion, or through GCP IAP.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/41-eve-ng-images@v1.0
Published outputs: cap.lab.eveng.images, eveng_images_source, eveng_images_requested_count
Source: spec.yml on GitHub
platform/linux/eve-ng-labs
Description Load lab content onto an existing EVE-NG host from a local path, Git repository, or remote file source.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/42-eve-ng-labs@v1.0
Published outputs: cap.lab.eveng.labs, eveng_labs_source, eveng_lab_folder_count
Source: spec.yml on GitHub
platform/linux/ops-runner
Description Install the HybridOps release and required runner toolchain on a Linux execution host.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/platform/10-ops-runner@v1.0
Published outputs: runner_state, runner_install_prefix, runner_bin_dir, cap.ctrl.runner
Source: spec.yml on GitHub
platform/network/cloudflare-traffic-steering
Description Manages a sticky weighted Cloudflare Worker front door that can steer a single hostname between primary and burst origins.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/25-cloudflare-traffic-steering@v1.0
Published outputs: traffic.status, traffic.provider, traffic.hostname, traffic.route_pattern, traffic.worker_name, traffic.zone_name, traffic.desired, traffic.burst_weight_pct, traffic.primary_origin_url, traffic.burst_origin_url, traffic.cookie_name, traffic.status_url, traffic.route_ready, cap.network.cloudflare_traffic_steering
Source: spec.yml on GitHub
platform/network/decision-consumer
Description Deploys a deterministic approval-aware consumer that promotes dispatch requests into execution records.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/40-decision-consumer@v1.0
Published outputs: decision_consumer.status, decision_consumer.last_tick, decision_consumer.last_request_id, decision_consumer.last_execution_id, decision_consumer.execution_mode, cap.control.decision_consumer
Source: spec.yml on GitHub
platform/network/decision-dispatcher
Description Deploys a deterministic dispatcher service that consumes decision records and stages normalized dispatch requests.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/35-decision-dispatcher@v1.0
Published outputs: decision_dispatcher.status, decision_dispatcher.last_tick, decision_dispatcher.last_dispatch_id, decision_dispatcher.execution_mode, cap.control.decision_dispatcher
Source: spec.yml on GitHub
platform/network/decision-executor
Description Deploys a deterministic executor service that consumes approved execution records and stages dry-run execution attempts.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/45-decision-executor@v1.0
Published outputs: decision_executor.status, decision_executor.last_tick, decision_executor.last_execution_id, decision_executor.last_attempt_id, decision_executor.execution_mode, cap.control.decision_executor
Source: spec.yml on GitHub
platform/network/decision-service
Description Deploys a deterministic decision-loop service on edge Linux nodes for DR/burst control signaling.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/30-decision-service@v1.0
Published outputs: decision_service.status, decision_service.last_tick, decision_service.last_action, decision_service.signal_ready, decision_service.execution_mode, decision_service.last_decision_id, cap.control.decision_service
Source: spec.yml on GitHub
platform/network/dns-routing
Description: Publishes and optionally applies DNS routing intent for primary/secondary cutover control.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/40-dns-routing@v1.0
Published outputs: dns.status, dns.provider, dns.zone, dns.record_fqdn, dns.record_type, dns.desired, dns.targets, dns.expected_targets, dns.observed_targets, dns.observed_ttl, dns.record_exists, dns.matches_desired, cap.network.dns_routing
Source: spec.yml on GitHub
platform/network/edge-observability
Description: Deploys Thanos/Grafana/Alertmanager services on edge Linux nodes via Ansible role consumption, with optional local Prometheus probing for control-plane decisions.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/20-edge-observability@v1.0
Published outputs: edge_obs_state, edge_obs_root, edge_obs_query_http_port, edge_obs_grafana_http_port, edge_obs_alertmanager_http_port, edge_obs_prometheus_http_port, edge_obs_public_grafana_host, edge_obs_public_thanos_host, cap.obs.edge
Source: spec.yml on GitHub
platform/network/powerdns-authority
Description: Deploy PowerDNS Authoritative in Docker Compose on Linux hosts, supporting primary or secondary internal DNS authority roles.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/50-powerdns-authority@v1.0
Published outputs: powerdns_state, powerdns_mode, powerdns_root, powerdns_zone_name, powerdns_target_host, powerdns_private_host, powerdns_public_host, powerdns_control_host, powerdns_control_user, powerdns_server_id, powerdns_zone_id, powerdns_api_key_env, powerdns_dns_port, powerdns_api_port, powerdns_api_url, cap.net.dns_authority
Source: spec.yml on GitHub
platform/network/vyos-edge-wan
Description: Configure IPsec + BGP day-2 policy on Hetzner VyOS edge peers from a shared control host.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/15-vyos-edge-wan@v1.0
Published outputs: vyos.edge01.peer_ip, vyos.edge02.peer_ip, vyos.edge01.bgp_neighbor, vyos.edge02.bgp_neighbor, cap.network.vyos_edge_wan
Source: spec.yml on GitHub
platform/network/vyos-site-extension-edge
Description: Configure the Hetzner VyOS edge pair as the static Site-A transit layer for an on-prem site-extension tunnel.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: linux/common/network/16-vyos-site-extension-edge@v1.0
Published outputs: onprem.peer_remote_address, vyos.edge01.bgp_neighbor, vyos.edge02.bgp_neighbor, cap.network.vyos_site_extension_edge
Source: spec.yml on GitHub
platform/network/vyos-site-extension-onprem
Description: Configure the on-prem VyOS edge as the initiator side of the Hetzner-backed site-extension tunnel.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/network/16-vyos-site-extension-onprem@v1.0
Published outputs: onprem.target_host, vyos.edge01.bgp_neighbor, vyos.edge02.bgp_neighbor, cap.network.vyos_site_extension_onprem
Source: spec.yml on GitHub
platform/onprem/argocd-bootstrap
Description: Bootstraps Argo CD on an existing Kubernetes cluster and applies a root workloads Application.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/55-argocd-bootstrap@v1.0
Published outputs: kubeconfig_path, argocd_namespace, root_app_name, root_app_namespace, root_app_project, workloads_repo_url, workloads_revision, workloads_target_path, repo_access_mode, repo_secret_name, cap.gitops.argocd
Source: spec.yml on GitHub
platform/onprem/eve-ng
Description: Installs/configures EVE-NG on an existing Ubuntu 22.04 (Jammy) host via Ansible. Does not provision a VM.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/40-eve-ng@v1.0
Published outputs: eveng_url, cap.lab.eveng
Source: spec.yml on GitHub
platform/onprem/netbox
Description: Configures NetBox on an existing Linux host via Ansible. Does not provision a VM.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/20-netbox@v1.0
Published outputs: netbox_url, netbox_api_url, netbox_http_host_port, db_host, db_port, db_name, db_user, db_password_env, secret_key_env, superuser_password_env, api_token_env, cap.ipam.netbox
Source: spec.yml on GitHub
platform/onprem/netbox-db-migrate
Description: Performs an explicit NetBox database migration (pg_dump/pg_restore) from a source PostgreSQL contract (typically pgcore) to a target PostgreSQL HA contract. Does not repoint NetBox; use netbox-ha-cutover separately.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/25-netbox-db-migrate@v1.0
Published outputs: migration, cap.db.netbox_migration
Source: spec.yml on GitHub
platform/onprem/platform-vm
Description: Creates or converges one or more generic Proxmox VMs using explicit operator inputs.
Driver: iac/terragrunt · Profile: onprem-proxmox@v1.0 · Pack: onprem/proxmox/core/10-platform/00-platform-vm@v1.0
Published outputs: vms, vm_ids, vm_keys, vm_names, node_name, ipv4_addresses, ipv4_addresses_all, mac_addresses_primary, mac_addresses_all, tags
Source: spec.yml on GitHub
platform/onprem/postgresql-core
Description: Configures PostgreSQL on an existing Linux host via Ansible. Does not provision a VM.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/30-postgresql-core@v1.0
Published outputs: pg_host, pg_port, apps, db_host, db_port, db_name, db_user, db_password_env, cap.db.pgcore
Source: spec.yml on GitHub
platform/onprem/postgresql-dr-source
Description: Assess an on-prem PostgreSQL HA source and publish a normalized managed-DR source contract. Non-destructive.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/37-postgresql-dr-source@v1.0
Published outputs: source, source_host, source_port, source_leader_name, source_leader_host, source_export_ready, source_replication_candidate, source_replication_user, db_name, db_user, db_password_env, cap.db.postgresql_dr_source
Source: spec.yml on GitHub
platform/onprem/postgresql-ha
Description: Legacy compatibility ref for platform/postgresql-ha. Deploys a highly available PostgreSQL cluster using Patroni and etcd via Ansible (Autobase). Does not provision VMs.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/35-postgresql-ha@v1.0
Published outputs: pg_host, pg_port, cluster_vip, endpoint_target, endpoint_target_type, endpoint_dns_name, endpoint_host, endpoint_port, endpoint_cutover_required, inventory_groups, apps, db_host, db_port, db_name, db_user, db_password_env, cap.db.postgresql_ha
Source: spec.yml on GitHub
platform/onprem/postgresql-ha-backup
Description: Legacy compatibility ref for platform/postgresql-ha-backup. Configures pgBackRest backups (S3, GCS, or Azure Blob repo) for an existing Patroni PostgreSQL HA cluster via Ansible (Autobase). Does not provision VMs.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/36-postgresql-ha-backup@v1.0
Published outputs: cap.db.postgresql_ha_backup, pgbackrest_repo, pgbackrest_latest_backup, pgbackrest_latest_backup_set, pgbackrest_latest_backup_timeline
Source: spec.yml on GitHub
platform/onprem/rke2-cluster
Description: Installs/configures an RKE2 cluster across one or more existing Linux hosts via Ansible. Does not provision VMs.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/50-rke2-cluster@v1.0
Published outputs: kubeconfig_path, rke2_servers, rke2_agents, cap.k8s.rke2
Source: spec.yml on GitHub
platform/onprem/vyos-edge
Description: Provision VyOS routed edge VMs on Proxmox by specializing the generic Proxmox platform-vm lifecycle and requiring VyOS first-boot cloud-init intent.
Driver: iac/terragrunt · Profile: onprem-proxmox@v1.0 · Pack: onprem/proxmox/core/10-platform/00-platform-vm@v1.0
Published outputs: vms, vm_ids, vm_keys, vm_names, node_name, ipv4_addresses, ipv4_addresses_all, mac_addresses_primary, mac_addresses_all, tags
Source: spec.yml on GitHub
platform/postgresql-ha
Description: Deploys a highly available PostgreSQL cluster using Patroni and etcd via Ansible (Autobase). Does not provision VMs.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/35-postgresql-ha@v1.0
Published outputs: pg_host, pg_port, cluster_vip, endpoint_target, endpoint_target_type, endpoint_dns_name, endpoint_host, endpoint_port, endpoint_cutover_required, inventory_groups, apps, db_host, db_port, db_name, db_user, db_password_env, cap.db.postgresql_ha
Source: spec.yml on GitHub
platform/postgresql-ha-backup
Description: Configures pgBackRest backups (S3, GCS, or Azure Blob repo) for an existing Patroni PostgreSQL HA cluster via Ansible (Autobase). Does not provision VMs.
Driver: config/ansible · Profile: onprem-linux@v1.0 · Pack: onprem/common/platform/36-postgresql-ha-backup@v1.0
Published outputs: cap.db.postgresql_ha_backup, pgbackrest_repo, pgbackrest_latest_backup, pgbackrest_latest_backup_set, pgbackrest_latest_backup_timeline
Source: spec.yml on GitHub