From 6aa29e9f77a1177b5f80e2abaa5415bf42944789 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sat, 28 Feb 2026 14:14:20 +0000
Subject: [PATCH] [ci skip] technitium: add primary-secondary DNS HA with AXFR
 zone replication

Secondary instance on a separate node replicates all zones from primary via
zone transfer. LoadBalancer routes DNS queries to both pods. PDB ensures at
least 1 DNS pod survives voluntary disruptions. Setup job automates zone
transfer enablement and secondary zone creation via Technitium REST API.
---
 secrets/nfs_directories.txt                | Bin 1721 -> 1754 bytes
 stacks/platform/main.tf                    |   2 +
 stacks/platform/modules/technitium/ha.tf   | 272 +++++++++++++++++++++
 stacks/platform/modules/technitium/main.tf |  43 +++-
 4 files changed, 312 insertions(+), 5 deletions(-)
 create mode 100644 stacks/platform/modules/technitium/ha.tf

diff --git a/secrets/nfs_directories.txt b/secrets/nfs_directories.txt
index 6103be30020c3c85e6768f196575fce45d6adba7..f8a4de4387a487434fe8e4d910de5fbefc5b153a 100644
GIT binary patch
literal 1754
zcmV<01||6bM@dveQdv+`07h7--%tK(7`xtzLB5VK9&G%$AVj?NE|2&xwkxq-7#wZn
zhm5#SvoXVWv?PJE*>v-4A`KS=4_Y*#xG9Q4y*pvAh(4FbeA&9BTj3d4vA*TN_ZnH^
zv16`QM0y%yaC2Dx>c6hz2Joykbn@|T7Xv`rNgR|3uLF)fyUNRT4C5@VFRu1bNxROa
z-93%0Pe~xT<=V!qC+04wg-g9kJlItpAqGJhsr_%qcT|9~tIkb`E`l9h$K56a`(?}%
z25o38_@dhUg!OV4d-r`{(L{$;bMPxsScRs{nDi!yb;s_k5FGPz9Fa#xk0j6o7G&ka
z)!EH@cp>>==hgQX$Zt^AKEkX=v}bg#6O{tK@S^Ik=1^@XQebetHbr6~gLXXxge~yI
zei@m5Q&tZs>0vV8v1}(=y<zDi+0{xKEf->awfoz5ZdoyikI$*DGx(PtDRAw}iG)|X
zg3F`~3)9837R_d@j4s9t(?D%>Qe_b~^T;q4=kv=+gRKmKURYB(WcG$g0%o%A80n;f
zq5qE)f*5G^Q}d;liY{@N`5=C=XD(8zAarAL<tY7BQv;}-h*mu0#X9b%!eouyd?m-&
z*8B)?{+#ibI#3C(^VRX^MQ2#K3F!S*U^`8Bw$Ra4EsdBD7cik6gaVrg`@1TfImJN#
zRlr^8+?oVbuJp6m@nbUe+Ige)Ox}FG3DT`aW<EqFhvM(hRjKU~|0+4_A#8QLggI-N
zjM{*f;kF;IK}Es7O1bbKc{PGd>j%G6@60;a-vA%8!EL1!8TI7eZWOn`SYuWbuu>3R
zpBcocc<;@KC<O)gm5i!Wl&Ve*q`Az@V`l6G)OpqEh;y1E=5v2Xd*L@y$M`I<`VRNp
zsaxLnB{k$KgW~N+6uf`!2Qj=?&qxZcxWgS-*Hu?v0aNvHj{$PbRTI95shtU)%iz^j
z%U$<&eG(|kLfR1<+X04gC>tn}Pwj_*++ux@_Wou-Dv8r)P&wrjrWR~zlZ$iCdS!p1
ziHanYL?3AUHX1X0TtVYDMeMrNHD<sbFgI>$wmBsbi}dLB{y8ibW-*wiA2M`IiGv2J
z6}7czL1VWUd+3~898tgVdiM6a_jKHhPNk>bLQ8p{Q4nO1B|z~F$GwCVyj3$NiFnS`
z0})@z`oB$4R0HbIgi$-Ff>jytp}#Kz51~OodI57DKyXPn%GmTh|Hg+<D#<`^fq|i5
zAW|Zd`xA%;l^NL~dq|^;bDsS1L(L~jEsZm>jb0l#lNp+bU%9`Tp>6GPIuXFYUy5vR
z5#iTp?m^JZZX2w7CuKAld(aOc0-&YeqM5n9MPp%21d2|J@H|#KoMFcj*uvnzy=+a@
zdW_G?;ajaWI(o~YuyAW}<yNx(xBSD<CL^Vr>gKvl!xp{1)T3=#pWa-60b2~MJu2Zn
zFv}G}AwQXQ%LT#J#-slV|HI`VF<DIC==>!_q$_SpQe7HULyf~$Tdfzvt*78J0`FB!
zY6}#iBU4z<B3|AdQljj_^TU0#e3h?2o3JI}VAX~a^t!Z{p$M`rWLgGo*L(_N=wK-)
zQC^V!-#oK!p^i9MWV6X6kwH7&qxNF9iCC6i3)q(4o0=O-g+;W*rIp#_oRrgi2-PpR
z&`91+*<sy)HdVFA)uVh71;JYcXc6~wuw%WE;((9}&PHhW@m6<wG<d8qRNRs7kd~7@
zo&3DxGMRTm1i;KN9wL{J?NsMplS$4$L1#()t`U$7q*c#Z+3mvYR=o#DBP!9OuzY5X
z+Dz@R(p^-_=Gy_SWOYs@_*sh#P1=G`{L&^hebCSfyHQy=NiD1cHm0jIHH(l8IQ$+v
zkSS-L9lsge!lLOBX5>gz$Qcgn1zy9yaSa&F;7aGB$&p`k+?|K7f|IKKfNjCU?*8`d
z4@?RHKmf4cjDQs8gHpN?VJfXsQ@X3o6D$UY((HNhmz2a9>o3)6=kdTwrKqMpXGZL7
z=A-fg7QuiXyqcfrO|>ATo-)n@aj?Sw#UK>rjRL5(#gI{77t!^zWXacY;rZLwyrM~C
zwp4<ZVS0YrhC4>!&ozINlU7?Gl#J*IBp-pu6oDM4`_N0b4HEfz8=El5q>ZZR*^%gj
zc(|l^9mhH&)fe#e!x2+yS2gx*2m^iTt7y#-+uH%T!9P<;0@*j{v_dJ{JcVK8RfOWX
zn}P{XHa3s&JL+c(>D%d=eAui=Tm)B;21PASFmU7bofJl#nM3Oki>ctBJFRORBA63L
wjfimGu<x-`q7;!XU)ZgrRh|lGH&nzX+Wm!Gyt22W9RE+?WLbE6g_E2Bfq~(00ssI2

literal 1721
zcmV;q21fY+M@dveQdv+`00ygB0a>1~B0T`Q;TNtkLtODw0~%J<xE}6~_f|Y0k#aW{
zmfWLp+$|hV4GgyFZcd3ZbKG;ue|FsB9C&;y6tP2ozmi<Y5zVpZ>fVC+W43Wl!1uIg
zVA^oPRxm#Y+#kICY*z)9LtQYmJ9%CXAbKLHT?=MosfrK9zTwRH^QN&_l;dbh_5$|r
z!XC<{NY~C__EITjY)`-p!pIY@n#g3Fx^U?eyi+Qv11HmK#fXNh7qc<$Cb&yWP3tcA
zk+zvgLj+WR+yW$r?NU1`$YHB6u{EB^^@ftF3`->Xt93|znD{nO<fwnF_+m$O-X!{p
ztPzjY%5Onuhz4_<RNIF*3X>Pn!Tp&L3wR-{rRMzIfeun@vCxbr`Kf;0V~>{eF^X27
zkdLS4&h6=T4EH@WOrSAvmFAnECI--sL%+#AIF;Bt=<;o~@-0e01i?_On)j@Ya(g{a
zL?W!`O`}~lmcnQ9aHAg)9SH#awN_v+>3(M1n@2gm7l-wH(5iA)gp33}U@OVSCufg?
zhtXXWfGr{cCps5<T~tMtrx(W78AOcfnxXU7;Yan{M?)lC$*5SaSB`ILRM;Q~8uP$p
z<0vN;`FnDNk8S8z^Oaw!&sJ+NpW7lDL3ZB*3CF#bX+ekYvK`Tz&V<@FBd3~Xnw8Y6
z5RFF}0^5QrHc(^}<N-qr-MxLW7Z@Kx#Qx=5=aeiaSPEvSf{l#xrI<-gt;^}0Kg!&K
z6$Vb8)v*vztx6=QQRE|6RIziEfkrnvzn3yd5jj=~!rOT+dsZe2H5&!=b3S!ZWfj7d
z(D3BMbINe$N1@Gk0kz4G#=J<HX}Hfm0*YKeJY7$M>Pg$cd|#z<Bj0A@IC{*j9;67I
zzwtCegaPJVIaOPB$puRS_{Oag9!KIPc7eS-@_lg#t>R<Fd<^}-KMl5e^sT&{U(3b6
z;$X*HH5uYG1_YHb^$M|cz?-m9Jdk!T6X`8%5&M3Lmu4A9uI70i0tf)I)trSCI86dd
zd)^DSBfn9pt^7^qpxe*vwSp^@>b+_xJ>@*7ZZ@&G$Qy6ytMf8hUg{ysItiuM;Z1hN
z#EoxQ(oqe|^l$|POUYOItQ}fOZSv;>^7(f$itFoOP5q_#H9QVKRV#6NRGI`@g8qJJ
z!mtO+2rS{SQXH(c-<^6U(M8M?QLWHih0GaF8&H;fwv=osyDaFD9Rr}h$)RC9K83E$
zshL*mKcRPLkFqEL*38Wt%d>(#HOILWD)q2<Sf_$`cLfL9)GfD6>X(4Cq-OHfC}%XL
zVoK|V+M+3r@<e!e3t92@zWEac!P{|xC`X+cn}RomQdv_ZeNYvkwe=gtYN9yxneB{T
z&znu0Hu(>JWV~=(CA|>N5ISJ*m*8oLa7aX1Q4?z;-W`MogU^&rH2allSx2Ee<Seu8
z1V9h=QH6IR;D9<^>XT;mA7V-ZqZ)O#S;LlB5FLKw7i?mR96g0FWU*(AA1kagL8xct
zdrT^277;MlkK>MvM%a*wU3J*tsSQc-t8Zzg$U(3C_kd`u(|VMwJHKG=0cnSBhS3Fg
zc_5H$-2zD*?fo3jO!i=+`&0Thl0jL(*kK<#<t645Q1jftg*mSc6s?<x7>^8sz(DsH
zwZ~rM-g`Og0(R%(#<xRv41B5e!b4p#UaeD|et5S9Ud42ibRBvC_ptf#B$;7{rPO<4
zWK8b43TM1oBM--Lx_m^T2jMlWlJCQlS31m|<t7yjfP6~a^32IH9aE(O!K6}7_0NBq
z9u6<Eed`kYf(1!dOB<M$ykLxSMUAf(5UnQ1o*3=(UMUj1xx*?IY=&|FI*Y=rS*wPC
zywjMG*7RvwxH7{4CG5oee}WdOKqy~`(eUGby^W1@`_u{);rSSI$2=!UYF_<UL_nu<
z4%dK7=v1Ba#M%StTrTSNETn+$vvGoQ8NVjZo#6F+{OA0kbz};P03Z?E9qODtI)lF5
zO1b<QT(vts+xE)qC~%r_#BS?@jCpZ%0J`_;(71xo2>Aw>qZr*W>rlDBCQk=~OAedt
z4u_~}JqTsQr+wu9Z|n0TF+B5^@(Uy>1vt!OvjDSfj8%ta&KXz=e)3}iP8ji*{qzIA
zC?~Oj_cQ7y?!VjvKI*+~@5npXonJzs8a62m`*_DF{LS!!iKx4pj!;4F#3C(N3Jjdb
zvY)0NeF==8xMv!^yZti{Ut6QWFz*ccq%G8>CYr&Ej&daBHMo`Z*c*JuQLUTh<ARK|
P=*-PyWRsKfBYNuWPEk}o

diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf
index 9867649a..2f149b30 100644
--- a/stacks/platform/main.tf
+++ b/stacks/platform/main.tf
@@ -174,6 +174,8 @@ module "technitium" {
   mysql_host             = var.mysql_host
   homepage_token         = var.homepage_credentials["technitium"]["token"]
   technitium_db_password = var.technitium_db_password
+  technitium_username    = var.technitium_username
+  technitium_password    = var.technitium_password
   tier                   = local.tiers.core
 }
 
diff --git a/stacks/platform/modules/technitium/ha.tf b/stacks/platform/modules/technitium/ha.tf
new file mode 100644
index 00000000..b6db1c17
--- /dev/null
+++ b/stacks/platform/modules/technitium/ha.tf
@@ -0,0 +1,272 @@
+# =============================================================================
+# Technitium DNS — High Availability (Primary-Secondary)
+# =============================================================================
+#
+# Secondary DNS instance replicates zones from primary via AXFR.
+# Both pods share the `dns-server=true` label so the DNS LoadBalancer
+# in main.tf routes queries to whichever pod is healthy.
+
+# Primary-only service for zone transfers (AXFR) and API access
+resource "kubernetes_service" "technitium_primary" {
+  metadata {
+    name      = "technitium-primary"
+    namespace = kubernetes_namespace.technitium.metadata[0].name
+    labels = {
+      "app" = "technitium"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "technitium"
+    }
+    port {
+      name     = "dns-tcp"
+      port     = 53
+      protocol = "TCP"
+    }
+    port {
+      name     = "dns-udp"
+      port     = 53
+      protocol = "UDP"
+    }
+    port {
+      name     = "api"
+      port     = 5380
+      protocol = "TCP"
+    }
+  }
+}
+
+# Secondary DNS deployment — zone-transfer replica
+resource "kubernetes_deployment" "technitium_secondary" {
+  metadata {
+    name      = "technitium-secondary"
+    namespace = kubernetes_namespace.technitium.metadata[0].name
+    labels = {
+      app  = "technitium-secondary"
+      tier = var.tier
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "RollingUpdate"
+      rolling_update {
+        max_unavailable = "0"
+        max_surge       = "1"
+      }
+    }
+    selector {
+      match_labels = {
+        app = "technitium-secondary"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app          = "technitium-secondary"
+          "dns-server" = "true"
+        }
+      }
+      spec {
+        affinity {
+          pod_anti_affinity {
+            required_during_scheduling_ignored_during_execution {
+              label_selector {
+                match_expressions {
+                  key      = "dns-server"
+                  operator = "In"
+                  values   = ["true"]
+                }
+              }
+              topology_key = "kubernetes.io/hostname"
+            }
+          }
+        }
+        container {
+          image = "technitium/dns-server:latest"
+          name  = "technitium"
+          env {
+            name  = "DNS_SERVER_ADMIN_PASSWORD"
+            value = var.technitium_password
+          }
+          env {
+            name  = "DNS_SERVER_ENABLE_BLOCKING"
+            value = "true"
+          }
+          resources {
+            requests = {
+              cpu    = "100m"
+              memory = "128Mi"
+            }
+            limits = {
+              cpu    = "500m"
+              memory = "512Mi"
+            }
+          }
+          port {
+            container_port = 5380
+          }
+          port {
+            container_port = 53
+          }
+          port {
+            container_port = 80
+          }
+          liveness_probe {
+            tcp_socket {
+              port = 53
+            }
+            initial_delay_seconds = 10
+            period_seconds        = 10
+          }
+          readiness_probe {
+            tcp_socket {
+              port = 53
+            }
+            initial_delay_seconds = 5
+            period_seconds        = 5
+          }
+          volume_mount {
+            mount_path = "/etc/dns"
+            name       = "nfs-config"
+          }
+        }
+        volume {
+          name = "nfs-config"
+          nfs {
+            path   = "/mnt/main/technitium-secondary"
+            server = var.nfs_server
+          }
+        }
+        dns_config {
+          option {
+            name  = "ndots"
+            value = "2"
+          }
+        }
+      }
+    }
+  }
+}
+
+# Secondary web service — internal only, used by setup Job
+resource "kubernetes_service" "technitium_secondary_web" {
+  metadata {
+    name      = "technitium-secondary-web"
+    namespace = kubernetes_namespace.technitium.metadata[0].name
+    labels = {
+      "app" = "technitium-secondary"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "technitium-secondary"
+    }
+    port {
+      name     = "api"
+      port     = 5380
+      protocol = "TCP"
+    }
+  }
+}
+
+# PodDisruptionBudget — keep at least 1 DNS pod running during voluntary disruptions
+resource "kubernetes_pod_disruption_budget_v1" "technitium_dns" {
+  metadata {
+    name      = "technitium-dns"
+    namespace = kubernetes_namespace.technitium.metadata[0].name
+  }
+  spec {
+    min_available = "1"
+    selector {
+      match_labels = {
+        "dns-server" = "true"
+      }
+    }
+  }
+}
+
+# Setup Job — configures secondary zones via Technitium REST API
+resource "kubernetes_job" "technitium_secondary_setup" {
+  metadata {
+    name      = "technitium-secondary-setup"
+    namespace = kubernetes_namespace.technitium.metadata[0].name
+  }
+  spec {
+    backoff_limit = 5
+    template {
+      metadata {}
+      spec {
+        restart_policy = "OnFailure"
+        container {
+          name  = "setup"
+          image = "curlimages/curl:latest"
+          command = ["/bin/sh", "-c", <<-SCRIPT
+            set -e
+            PRIMARY="http://technitium-primary.technitium.svc.cluster.local:5380"
+            SECONDARY="http://technitium-secondary-web.technitium.svc.cluster.local:5380"
+
+            # Wait for both to be ready
+            until curl -sf "$PRIMARY/api/user/login?user=$TECH_USER&pass=$TECH_PASS" -o /tmp/p.json; do echo "Waiting for primary..."; sleep 5; done
+            until curl -sf "$SECONDARY/api/user/login?user=$TECH_USER&pass=$TECH_PASS" -o /tmp/s.json; do echo "Waiting for secondary..."; sleep 5; done
+            P_TOKEN=$(cat /tmp/p.json | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
+            S_TOKEN=$(cat /tmp/s.json | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
+
+            # Get zones from primary (split JSON into lines so sed can match each zone)
+            curl -sf "$PRIMARY/api/zones/list?token=$P_TOKEN" | tr ',' '\n' | sed -n 's/.*"name":"\([^"]*\)".*/\1/p' > /tmp/zones.txt
+            echo "Found zones:"; cat /tmp/zones.txt
+
+            # Enable zone transfers on primary for each zone
+            while read -r zone; do
+              echo "Enabling zone transfer for: $zone"
+              curl -sf "$PRIMARY/api/zones/options/set?token=$P_TOKEN&zone=$zone&zoneTransfer=Allow" || true
+            done < /tmp/zones.txt
+
+            # Create secondary zones on secondary instance (ignore "already exists" errors)
+            while read -r zone; do
+              echo "Creating secondary zone: $zone"
+              curl -sf "$SECONDARY/api/zones/create?token=$S_TOKEN&zone=$zone&type=Secondary&primaryNameServerAddresses=$PRIMARY_IP" || true
+            done < /tmp/zones.txt
+
+            # Force resync all secondary zones to pull latest data
+            while read -r zone; do
+              echo "Resyncing: $zone"
+              curl -sf "$SECONDARY/api/zones/resync?token=$S_TOKEN&zone=$zone" || true
+            done < /tmp/zones.txt
+
+            echo "Secondary zone setup complete"
+          SCRIPT
+          ]
+          env {
+            name  = "TECH_USER"
+            value = var.technitium_username
+          }
+          env {
+            name  = "TECH_PASS"
+            value = var.technitium_password
+          }
+          env {
+            name  = "PRIMARY_IP"
+            value = kubernetes_service.technitium_primary.spec[0].cluster_ip
+          }
+        }
+        dns_config {
+          option {
+            name  = "ndots"
+            value = "2"
+          }
+        }
+      }
+    }
+  }
+
+  depends_on = [
+    kubernetes_deployment.technitium,
+    kubernetes_deployment.technitium_secondary,
+    kubernetes_service.technitium_primary,
+    kubernetes_service.technitium_secondary_web,
+  ]
+}
diff --git a/stacks/platform/modules/technitium/main.tf b/stacks/platform/modules/technitium/main.tf
index a03bd691..cfa2487c 100644
--- a/stacks/platform/modules/technitium/main.tf
+++ b/stacks/platform/modules/technitium/main.tf
@@ -4,6 +4,8 @@ variable "homepage_token" {}
 variable "technitium_db_password" {}
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }
+variable "technitium_username" { type = string }
+variable "technitium_password" { type = string }
 
 resource "kubernetes_namespace" "technitium" {
   metadata {
@@ -91,7 +93,11 @@ resource "kubernetes_deployment" "technitium" {
   }
   spec {
     strategy {
-      type = "Recreate"
+      type = "RollingUpdate"
+      rolling_update {
+        max_unavailable = "0"
+        max_surge       = "1"
+      }
     }
     # replicas = 1
     selector {
@@ -107,12 +113,13 @@ resource "kubernetes_deployment" "technitium" {
           "diun.include_tags" = "latest"
         }
         labels = {
-          app = "technitium"
+          app          = "technitium"
+          "dns-server" = "true"
         }
       }
       spec {
-        # Prefer nodes running Traefik for network locality
         affinity {
+          # Prefer nodes running Traefik for network locality
           pod_affinity {
             preferred_during_scheduling_ignored_during_execution {
               weight = 100
@@ -128,6 +135,19 @@ resource "kubernetes_deployment" "technitium" {
               }
             }
           }
+          # Spread DNS pods across nodes for HA
+          pod_anti_affinity {
+            required_during_scheduling_ignored_during_execution {
+              label_selector {
+                match_expressions {
+                  key      = "dns-server"
+                  operator = "In"
+                  values   = ["true"]
+                }
+              }
+              topology_key = "kubernetes.io/hostname"
+            }
+          }
         }
         container {
           image = "technitium/dns-server:latest"
@@ -151,6 +171,20 @@ resource "kubernetes_deployment" "technitium" {
           port {
             container_port = 80
           }
+          liveness_probe {
+            tcp_socket {
+              port = 53
+            }
+            initial_delay_seconds = 10
+            period_seconds        = 10
+          }
+          readiness_probe {
+            tcp_socket {
+              port = 53
+            }
+            initial_delay_seconds = 5
+            period_seconds        = 5
+          }
           volume_mount {
             mount_path = "/etc/dns"
             name       = "nfs-config"
@@ -184,7 +218,6 @@ resource "kubernetes_deployment" "technitium" {
   }
 }
 
-
 resource "kubernetes_service" "technitium-web" {
   metadata {
     name      = "technitium-web"
@@ -234,7 +267,7 @@ resource "kubernetes_service" "technitium-dns" {
     }
     external_traffic_policy = "Local"
     selector = {
-      app = "technitium"
+      "dns-server" = "true"
     }
   }
 }