Ephemeral Castle: Golden Image Detail
Level 3 (Detail) — Hetzner VM image builder pipeline.
Concept
The golden image is a pre-baked Hetzner snapshot with all runtime dependencies (Podman, Python, tools) installed. The build pipeline creates a temporary Hetzner server, applies Ansible, takes a snapshot, and destroys the builder.
Builder Pipeline
File: runtimes/lushycorp-vault/hetzner/golden-image/scripts/build-golden-image.sh
1. Create builder VM (Hetzner CX23, Debian 12)
2. Wait for SSH (up to 8 attempts)
3. Run Ansible playbook build-runtime-image.yml
4. Validation check (podman, python3, node, npm, curl, jq)
5. Power off builder
6. Create snapshot (description taken from --snapshot-name)
7. Destroy builder (unless --keep-builder)
Arguments
| Argument | Default | Description |
|---|---|---|
| --snapshot-name | (required) | Snapshot description |
| --server-type | cx23 | Hetzner server type |
| --location | nbg1 | Hetzner location |
| --source-image | debian-12 | Base image |
| --ssh-key-name | lushycorp-vault-root | SSH key name |
| --without-ipv4 | false | Create without IPv4 |
| --keep-builder | false | Keep builder after snapshot |
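The seven pipeline steps and the argument handling above, as a POSIX shell sketch. This is an added example, not the project's build-golden-image.sh; it assumes an authenticated hcloud CLI (HCLOUD_TOKEN), that the SSH key named in the defaults already exists in the Hetzner project, and that build-runtime-image.yml is in the working directory; the builder name is constructed.

```shell
# Added example, not the project's build-golden-image.sh. Assumes an authenticated hcloud
# CLI (HCLOUD_TOKEN) and that the named SSH key already exists in the Hetzner project.
set -eu
SNAPSHOT_NAME=""; SERVER_TYPE=cx23; LOCATION=nbg1; SOURCE_IMAGE=debian-12
SSH_KEY_NAME=lushycorp-vault-root; WITHOUT_IPV4=false; KEEP_BUILDER=false
BUILDER="golden-builder-$$"             # constructed builder name
SSH_RETRY_DELAY=${SSH_RETRY_DELAY:-10}  # seconds between SSH attempts
parse_args() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --snapshot-name) SNAPSHOT_NAME=$2; shift 2 ;;
      --server-type)   SERVER_TYPE=$2; shift 2 ;;
      --location)      LOCATION=$2; shift 2 ;;
      --source-image)  SOURCE_IMAGE=$2; shift 2 ;;
      --ssh-key-name)  SSH_KEY_NAME=$2; shift 2 ;;
      --without-ipv4)  WITHOUT_IPV4=true; shift ;;
      --keep-builder)  KEEP_BUILDER=true; shift ;;
      *) echo "unknown argument: $1" >&2; return 1 ;;
    esac
  done
  [ -n "$SNAPSHOT_NAME" ] || { echo "--snapshot-name is required" >&2; return 1; }
}
# Bounded wait: $1 attempts against root@$2; failing after the last attempt aborts the build.
wait_for_ssh() {
  i=0
  while [ "$i" -lt "$1" ]; do
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$2" true 2>/dev/null && return 0
    i=$((i + 1)); sleep "$SSH_RETRY_DELAY"
  done
  return 1
}
# Every tool the image must ship; a missing one fails the build before any snapshot is taken.
validate_tools() {
  ssh "root@$1" 'for t in podman python3 node npm curl jq; do command -v "$t" >/dev/null || { echo "missing: $t" >&2; exit 1; }; done'
}
cleanup() { [ "$KEEP_BUILDER" = true ] || hcloud server delete "$BUILDER"; }
build() {
  parse_args "$@"
  trap cleanup EXIT   # the builder is destroyed on failure too, not only on the happy path
  [ "$WITHOUT_IPV4" = true ] && extra=--without-ipv4 ipflag=-6 || extra="" ipflag=""
  hcloud server create --name "$BUILDER" --type "$SERVER_TYPE" --image "$SOURCE_IMAGE" \
    --location "$LOCATION" --ssh-key "$SSH_KEY_NAME" $extra
  host=$(hcloud server ip $ipflag "$BUILDER")
  wait_for_ssh 8 "$host"
  ansible-playbook -i "$host," -u root build-runtime-image.yml
  validate_tools "$host"
  hcloud server poweroff "$BUILDER"
  hcloud server create-image --type snapshot --description "$SNAPSHOT_NAME" "$BUILDER"
}
```

Run it as `build --snapshot-name runtime-v5`; the EXIT trap is what makes step 7 hold even when Ansible or the validation step fails, unless --keep-builder was given.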
Log
Log file: logs/build-<timestamp>.log
Image Version History
| Version | Date | Description |
|---|---|---|
| v1 | 2026-04-04 | Initial golden image |
| v2 | 2026-04-04 | IPv6-only validation fixes |
| v3 | 2026-04-05 | Test harness stabilization |
| v4 | 2026-04-05 | Production-ready with hardened validation |
Approved Image Config
File: configs/golden-image.env
| Variable | Description |
|---|---|
| APPROVED_GOLDEN_IMAGE_ID | Hetzner snapshot ID |
| APPROVED_GOLDEN_IMAGE_NAME | Human-readable name |
The create.sh preflight requires this file to exist and validates that both variables are set.
See Also
- Detail: Create/Destroy Detail
- Hub: Ephemeral Castle