feat(dns): migrate DNS writes from resolvectl to persistent Netplan

[retr0h]

Summary

• DNS write operations now generate /etc/netplan/osapi-dns.yaml instead of runtime resolvectl commands — changes persist across reboots
• New shared netplan.ApplyConfig helper handles the write → validate → apply flow with automatic rollback on netplan generate failure
• Read path stays on resolvectl (shows current runtime state)
• Container DNS provider unchanged (uses /etc/resolv.conf directly)
• API endpoint shape unchanged (PUT /network/dns) — no SDK or CLI changes needed

Netplan write flow

1. Generate Netplan YAML from structured input
2. Check SHA for idempotency (skip if unchanged)
3. Write file to /etc/netplan/osapi-dns.yaml
4. Run netplan generate — validates merged config
5. If validation fails → delete file, return error
6. Run netplan apply — applies validated config
7. Store state in file-state KV

Establishes pattern for

• Network interface management (next spec)
• Route management (next spec)

Both will reuse netplan.ApplyConfig and the same file-per-concern pattern.

Test plan

• Shared netplan helper: 100% coverage (ApplyConfig, RemoveConfig, ComputeSHA256)
• DNS write tests: success, idempotent, generate fails, empty input
• YAML generation tests: servers+domains, servers only, domains only, interface name, IPv6
• Build clean, lint clean
• All existing DNS read tests still pass

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main     #348   +/-   ##
=======================================
  Coverage   99.91%   99.91%           
=======================================
  Files         441      443    +2     
  Lines       21510    21606   +96     
=======================================
+ Hits        21491    21587   +96     
  Misses         11       11           
  Partials        8        8           

Files with missing lines	Coverage Δ
internal/provider/network/dns/debian.go	100.00% <100.00%> (ø)
internal/provider/network/dns/debian_netplan.go	100.00% <100.00%> (ø)
...work/dns/debian_update_resolv_conf_by_interface.go	100.00% <100.00%> (ø)
internal/provider/network/netplan/netplan.go	100.00% <100.00%> (ø)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d91871f...6077ffb. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.