Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

dns-sovereign/scripts/11_pdns_apply.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${PDNS_API_KEY:=}"
+: "${PDNS_DATA_DIR:=$HOME/pdns}"
+: "${PDNS_PORT:=53}"
+: "${PDNS_WEB_PORT:=8081}"
+
+main() {
+  confirm_gate
+  need docker
+  [[ -n "$PDNS_API_KEY" ]] || die "PDNS_API_KEY is required."
+
+  local ts; ts="$(date -Iseconds | tr ':' '-')"
+  local backup_dir="$SKILL_ROOT/outputs/backups/$ts"
+  mkdir -p "$backup_dir"
+
+  # pdns.conf (mounted into container)
+  cat > "$SKILL_ROOT/outputs/pdns.conf" <<EOF
+launch=gsqlite3
+gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
+
+api=yes
+api-key=$PDNS_API_KEY
+webserver=yes
+webserver-address=0.0.0.0
+webserver-port=8081
+
+# security posture
+disable-syslog=yes
+loglevel=4
+
+# allow API only from container network; bind published port to localhost in compose
+webserver-allow-from=127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+EOF
+
+  # compose
+  cat > "$SKILL_ROOT/outputs/compose.yml" <<EOF
+version: "3.8"
+services:
+  pdns:
+    image: powerdns/pdns-auth-49:latest
+    container_name: pdns-auth
+    restart: unless-stopped
+    ports:
+      - "${PDNS_PORT}:53/udp"
+      - "${PDNS_PORT}:53/tcp"
+      - "127.0.0.1:${PDNS_WEB_PORT}:8081/tcp"
+    volumes:
+      - ${PDNS_DATA_DIR}:/var/lib/powerdns
+      - ${SKILL_ROOT}/outputs/pdns.conf:/etc/powerdns/pdns.conf:ro
+EOF
+
+  cp -a "$SKILL_ROOT/outputs/pdns.conf" "$backup_dir/pdns.conf"
+  cp -a "$SKILL_ROOT/outputs/compose.yml" "$backup_dir/compose.yml"
+
+  log_info "Starting PowerDNS..."
+  cd "$SKILL_ROOT/outputs"
+  $(compose_cmd) -f compose.yml up -d
+
+  # Probe API
+  log_info "Probing PDNS API..."
+  local api="http://127.0.0.1:${PDNS_WEB_PORT}/api/v1/servers/localhost"
+  curl -fsS -H "X-API-Key: $PDNS_API_KEY" "$api" | jq '.' > "$SKILL_ROOT/outputs/pdns_api_probe.json"
+  log_info "PDNS API probe saved: outputs/pdns_api_probe.json"
+  log_info "PDNS apply complete."
+}
+main "$@"