Authoritative On-Prem Foundation

Executive summary

  • Establishes NetBox as the authoritative system for prefixes, addressing, and VM inventory before higher-order services are introduced.
  • Builds the Proxmox SDN baseline for management, data, and workload networks through one controlled path rather than hand-built bridge changes.
  • Creates a reusable foundation for later PostgreSQL HA, RKE2, and DR blueprints without duplicating network intent in each layer.
  • Reduces allocation drift early, when the cost of inconsistent addressing and inventory is highest.

Case study – how this was used in practice

  • Context: The platform needed a clean shared baseline before PostgreSQL HA, RKE2, and DR work could be layered on top.
  • Challenge: Foundation services had to be rebuildable without losing control of addressing, VLAN-backed networks, or synced inventory state.
  • Approach: NetBox, SDN, and supporting foundation VMs were brought up through the on-prem bootstrap and authoritative-foundation blueprint path.
  • Outcome: Addressing, inventory, and network state now follow one controlled path instead of diverging between manual records and deployed reality.

Demo

Video walkthrough

  • Video placeholder: replace VIDEO_URL_HERE with the published walkthrough URL.
  • Suggested embed target: VIDEO_URL_HERE

Show the initial bootstrap, NetBox reachability, prefix sync, and the point where foundation VM inventory appears under the authoritative IPAM view.

Screenshots

Add these files when they are ready:

![NetBox prefix and VLAN-backed network view](./images/authoritative-onprem-foundation-01-netbox-prefixes.png)
![NetBox VM inventory showing synced foundation hosts](./images/authoritative-onprem-foundation-02-netbox-vm-inventory.png)
![Proxmox SDN bridges or VNet view after apply](./images/authoritative-onprem-foundation-03-proxmox-sdn.png)

Architecture

  • On-prem control plane: Proxmox, NetBox, and the SDN bridge set for management, data, and workload segments.
  • Authoritative data path: prefixes and VM records flow through NetBox rather than spreadsheet-driven allocation.
  • Extension path: later blueprints for PostgreSQL HA, RKE2, and DR consume this baseline rather than re-declaring network state.
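
A minimal drift check for the authoritative data path above, as an added example that is not part of the HybridOps modules. The network names, CIDRs, VM names and record shapes are constructed sample data, and `find_drift` is a hypothetical helper. It assumes NetBox prefixes, deployed SDN subnets and VM addresses have already been exported into simple name-to-value mappings.

```python
import ipaddress

# Constructed sample data (assumption: not output of NetBox, Proxmox or the blueprint).
NETBOX_PREFIXES = {"management": "10.10.0.0/24", "data": "10.10.1.0/24",
                   "workload": "10.10.2.0/23"}
SDN_SUBNETS = {"management": "10.10.0.0/24", "data": "10.10.1.0/25",
               "workload": "10.10.2.0/23", "scratch": "10.10.9.0/24"}
VM_ADDRESSES = {"netbox-01": "10.10.0.10", "pg-01": "10.10.1.200",
                "lab-01": "10.10.9.5"}


def find_drift(netbox, sdn, vms):
    """Return sorted (kind, name, detail) findings where deployed state departs from NetBox."""
    findings = []
    # NetBox is treated as the authority; everything else is compared against it.
    auth = {name: ipaddress.ip_network(cidr) for name, cidr in netbox.items()}
    for name, cidr in sdn.items():
        net = ipaddress.ip_network(cidr)
        if name not in auth:
            # A network exists on the hypervisor with no NetBox record behind it.
            findings.append(("unrecorded-network", name, str(net)))
        elif auth[name] != net:
            # Same network name, but the deployed CIDR differs from the recorded one.
            findings.append(("prefix-mismatch", name, f"netbox={auth[name]} sdn={net}"))
    for name in auth.keys() - sdn.keys():
        # Recorded in NetBox but never applied to the SDN layer.
        findings.append(("not-deployed", name, str(auth[name])))
    for vm, addr in vms.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in auth.values()):
            # VM address falls outside every authoritative prefix.
            findings.append(("address-outside-ipam", vm, addr))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name, detail in find_drift(NETBOX_PREFIXES, SDN_SUBNETS, VM_ADDRESSES):
        print(f"{kind:22} {name:12} {detail}")
```

An empty result means the deployed networks and VM addresses match what NetBox records; any finding is a candidate for review before later blueprints consume the baseline.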

Implementation highlights

  • Bootstrap path: onprem/bootstrap-netbox@v1
  • Foundation path: onprem/authoritative-foundation@v1
  • Supporting documentation:
      • Quickstart
      • Network architecture

Evidence and run records

Relevant run records live under the runtime root for the shared environment, typically:

  • envs/shared/logs/module/core__onprem__network-sdn/...
  • envs/shared/logs/module/platform__onprem__netbox/...
  • envs/shared/state/netbox/network/...
  • envs/shared/state/netbox/vms/...

Learning outcomes

  • Understand how NetBox-backed IPAM fits into the platform before workload delivery.
  • See how Proxmox SDN and inventory sync are tied together through one controlled path rather than separate administrative steps.
  • Recognize the baseline required before adding Kubernetes, database HA, or DR layers.

Reuse and extensions

  • Extend this baseline with PostgreSQL HA, RKE2, or WAN/site-extension blueprints.
  • Reuse the same authoritative IPAM pattern across shared, dev, and later production lanes.

Status and versioning

Validated against the current HybridOps on-prem foundation flow. Video and screenshot assets are still to be added.

Maintainer

  • Owner: HybridOps
  • Primary contact: platform-docs
  • Last reviewed: 2026-03-09