Ephemeral Castle Hetzner Vault Runtime
Scope
This page describes the ephemeral-castle macro-area dedicated to the Hetzner-based lushycorp-vault runtime.
Current Synthesis
Inside ephemeral-castle/, the Hetzner Vault runtime is a dedicated runtime-oriented track separate from the Proxmox plus Talos cluster bootstrap path. It focuses on running and preserving a private Vault system on Hetzner VPS infrastructure, with lifecycle, durability, restore, and operator-recovery contracts developed in staged layers.
Main Structure
- runtime root: ephemeral-castle/runtimes/lushycorp-vault/hetzner/
- local lifecycle track for deterministic first-init and host-local behavior
- S3 backup and recovery track for remote durability and restore
Key Architectural Characteristics
- private service identity is built around lushycorp-api.ts.tazlab.net
- local lifecycle and remote durability were deliberately split into staged design and build tracks
- remote durability uses S3 lineage pointers and bounded slot rotation rather than ad-hoc latest-file assumptions
- TazPod remains the source of operator recovery artifacts, while host-side retained material is intentionally minimal
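The "lineage pointers and bounded slot rotation" characteristic is easier to reason about with a concrete model. The following is an added illustration written for this page, not code from the lushycorp-vault runtime: the slot count, the pointer layout (`pointer.json` with a generation, a checksum, a parent checksum and a bounded history), the key prefix and the in-memory stand-in for an S3 bucket are all assumptions made for the example. It shows why "restore the newest-looking key" breaks once rotation wraps, and how a restore that follows the pointer and verifies the recorded checksum refuses a partial or overwritten object instead of restoring it.

```python
import hashlib
import json

# Assumed value for this illustration; the page states only that rotation is bounded.
SLOT_COUNT = 4


class MemoryObjectStore:
    """In-memory stand-in for an S3 bucket (constructed for the example; not S3)."""

    def __init__(self):
        self.objects = {}

    def put(self, key, data):
        self.objects[key] = bytes(data)

    def get(self, key):
        return self.objects.get(key)

    def keys(self):
        return sorted(self.objects)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def read_pointer(store, prefix):
    raw = store.get(f"{prefix}/pointer.json")
    return json.loads(raw.decode()) if raw else None


def write_backup(store, prefix, snapshot):
    """Write a snapshot into the next slot, then advance the lineage pointer.

    Data object first, pointer last: a crash between the two leaves the previous
    pointer intact and still referencing a complete, checksummed object.
    """
    pointer = read_pointer(store, prefix)
    generation = pointer["generation"] + 1 if pointer else 0
    key = f"{prefix}/slot-{generation % SLOT_COUNT}.snap"
    store.put(key, snapshot)

    entry = {"generation": generation, "key": key, "sha256": sha256_hex(snapshot)}
    history = (pointer["history"] if pointer else []) + [entry]
    new_pointer = {
        "generation": generation,
        "key": key,
        "sha256": entry["sha256"],
        "parent_sha256": pointer["sha256"] if pointer else None,
        # Only generations whose slots have not yet been overwritten stay restorable.
        "history": history[-SLOT_COUNT:],
    }
    store.put(f"{prefix}/pointer.json", json.dumps(new_pointer).encode())
    return new_pointer


def restore(store, prefix, generation=None):
    """Fetch a snapshot by following the pointer, never by picking the newest-looking key.

    The checksum recorded in the lineage is verified before data is handed back,
    so a partial upload or a slot overwritten by a later rotation is refused.
    """
    pointer = read_pointer(store, prefix)
    if pointer is None:
        raise RuntimeError("no lineage pointer: nothing to restore")
    if generation is None:
        generation = pointer["generation"]
    entries = [e for e in pointer["history"] if e["generation"] == generation]
    if not entries:
        raise RuntimeError(f"generation {generation} has rotated out of the bounded slots")
    entry = entries[0]
    data = store.get(entry["key"])
    if data is None:
        raise RuntimeError(f"pointer references missing object {entry['key']}")
    if sha256_hex(data) != entry["sha256"]:
        raise RuntimeError(f"checksum mismatch for {entry['key']}: refusing to restore")
    return data


def naive_latest_key(store, prefix):
    """The ad-hoc 'latest file' assumption the page warns against: highest key name wins."""
    snaps = [k for k in store.keys() if k.startswith(prefix) and k.endswith(".snap")]
    return snaps[-1] if snaps else None


def demo():
    """Five backups into four slots: rotation wraps and name-based 'latest' picks the wrong object."""
    store = MemoryObjectStore()
    prefix = "vault-backups/lushycorp-vault"  # assumed prefix, not taken from the page
    snapshots = [f"vault-raft-snapshot-{i}".encode() for i in range(5)]  # constructed inputs
    for snap in snapshots:
        write_backup(store, prefix, snap)
    pointer = read_pointer(store, prefix)
    return {
        "pointer_key": pointer["key"],          # slot-0: generation 4 wrapped around
        "naive_key": naive_latest_key(store, prefix),  # slot-3: generation 3, stale
        "restored": restore(store, prefix),
        "retained": len(pointer["history"]),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in `write_backup` is the whole point of the pointer: S3 overwrites an object atomically, so the only moment the system is "between states" is after the data object lands and before the pointer is rewritten, and in that window the old pointer still describes a valid, verified restore target. The bounded `history` is what makes the lineage auditable (each entry carries the checksum of what the slot held when it was current) without letting the bucket grow unboundedly.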
Why It Matters
This runtime is one of the most infrastructure-heavy parts of TazLab outside the cluster path. It carries lessons about rebirth, restore coherence, secret custody, and fail-fast infrastructure design that are useful beyond the specific Vault runtime itself.
Relationships
- parent repository hub: ephemeral-castle
- depends operationally on tazpod for operator-side secret custody
- related to Ephemeral Castle Tailscale Foundation because Tailscale is the network backbone used across the infrastructure story
- related to TazLab Secret And Identity Flow
Source Basis
- AGENTS.ctx/ephemeral-castle/CONTEXT.md
- AGENTS.ctx/memory/system-state.md