Ephemeral Castle: Golden Image Detail

Level 3 (Detail) — Hetzner VM image builder pipeline.

Concept

The golden image is a pre-baked Hetzner snapshot with all runtime dependencies (Podman, Python, tools) installed. The build pipeline creates a temporary Hetzner server, applies Ansible, takes a snapshot, and destroys the builder.

Builder Pipeline

File: runtimes/lushycorp-vault/hetzner/golden-image/scripts/build-golden-image.sh

1. Create builder VM (Hetzner CX23, Debian 12)
2. Wait for SSH (up to 8 attempts)
3. Run Ansible playbook build-runtime-image.yml
4. Validation check (podman, python3, node, npm, curl, jq)
5. Power off builder
6. Create snapshot (name: --snapshot-name)
7. Destroy builder (unless --keep-builder)

Arguments

Argument          Default               Description
--snapshot-name   (required)            Snapshot description
--server-type     cx23                  Hetzner server type
--location        nbg1                  Hetzner location
--source-image    debian-12             Base image
--ssh-key-name    lushycorp-vault-root  SSH key name
--without-ipv4    false                 Create without IPv4
--keep-builder    false                 Keep builder after snapshot

Log

Log file: logs/build-<timestamp>.log

Image Version History

Version  Date        Description
v1       2026-04-04  Initial golden image
v2       2026-04-04  IPv6-only validation fixes
v3       2026-04-05  Test harness stabilization
v4       2026-04-05  Production-ready with hardened validation

Approved Image Config

File: configs/golden-image.env

Variable                    Description
APPROVED_GOLDEN_IMAGE_ID    Hetzner snapshot ID
APPROVED_GOLDEN_IMAGE_NAME  Human-readable name

The create.sh preflight requires this file to exist and validates that both variables are set before any server is created from the image.
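The preflight described above, written as an added example rather than the project's own create.sh: it requires configs/golden-image.env to exist, reads the two approved variables without sourcing the file, and refuses to continue if either is missing. The numeric-ID rule, the double-quote stripping and the hcloud cross-check are assumptions, not something this page states.

```shell
#!/bin/sh
# Added example of a create.sh-style preflight for configs/golden-image.env.
# Assumptions: KEY=VALUE lines (optionally double-quoted), Hetzner snapshot
# IDs are integers, and an hcloud CLI is available for the live cross-check.

preflight_golden_image() {
    env_file="${1:-configs/golden-image.env}"

    # The approved-image config must exist; no file means no pinned image.
    if [ ! -f "$env_file" ]; then
        echo "preflight: missing approved image config: $env_file" >&2
        return 1
    fi

    # Read only the two approved keys instead of sourcing the file, so a
    # stray line in the config can never execute as shell.
    image_id=$(sed -n 's/^APPROVED_GOLDEN_IMAGE_ID=//p' "$env_file" | tail -n 1)
    image_name=$(sed -n 's/^APPROVED_GOLDEN_IMAGE_NAME=//p' "$env_file" | tail -n 1)
    image_id=${image_id#\"}; image_id=${image_id%\"}
    image_name=${image_name#\"}; image_name=${image_name%\"}

    # Both variables must be set and non-empty.
    if [ -z "$image_id" ] || [ -z "$image_name" ]; then
        echo "preflight: APPROVED_GOLDEN_IMAGE_ID and APPROVED_GOLDEN_IMAGE_NAME must both be set in $env_file" >&2
        return 1
    fi

    # A snapshot ID is numeric (assumption); anything else is a typo or a
    # name pasted into the wrong field and must not reach server creation.
    case "$image_id" in
        *[!0-9]*)
            echo "preflight: APPROVED_GOLDEN_IMAGE_ID is not a numeric snapshot ID: $image_id" >&2
            return 1 ;;
    esac

    export APPROVED_GOLDEN_IMAGE_ID="$image_id"
    export APPROVED_GOLDEN_IMAGE_NAME="$image_name"
}

# Optional live cross-check (assumed hcloud invocation): the pinned ID must
# still carry the approved description, so a renamed or recycled snapshot
# ID fails closed before any server is created from it.
verify_golden_image_live() {
    live_desc=$(hcloud image describe "$APPROVED_GOLDEN_IMAGE_ID" -o format='{{.Description}}') || return 1
    [ "$live_desc" = "$APPROVED_GOLDEN_IMAGE_NAME" ]
}

if [ "$#" -gt 0 ]; then
    preflight_golden_image "$1" && echo "preflight OK: $APPROVED_GOLDEN_IMAGE_NAME (id $APPROVED_GOLDEN_IMAGE_ID)"
fi
```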

See Also