Ephemeral Castle Hetzner Vault Runtime

Scope

This page describes the ephemeral-castle macro-area dedicated to the Hetzner-based lushycorp-vault runtime.

Current Synthesis

Inside ephemeral-castle/, the Hetzner Vault runtime is a dedicated runtime-oriented track separate from the Proxmox plus Talos cluster bootstrap path. It focuses on running and preserving a private Vault system on Hetzner VPS infrastructure, with lifecycle, durability, restore, and operator-recovery contracts developed in staged layers.

Main Structure

  • runtime root: ephemeral-castle/runtimes/lushycorp-vault/hetzner/
  • local lifecycle track for deterministic first-init and host-local behavior
  • S3 backup and recovery track for remote durability and restore

Key Architectural Characteristics

  • the historical private service identity, lushycorp-api.ts.tazlab.net, is retired; the runtime was converged onto lushycorp-vault.magellanic-gondola.ts.net in 09-vault-k8s-integration-prep Phase 1 (completed 2026-04-29)
  • local lifecycle and remote durability were deliberately split into staged design and build tracks
  • remote durability uses S3 lineage pointers and bounded slot rotation rather than ad-hoc latest-file assumptions
  • TazPod remains the source of operator recovery artifacts, while host-side retained material is intentionally minimal
  • destroy/create validation on 2026-04-28 confirmed that the remote-durability matrix still hard-fails when operator-side canonical bootstrap artifacts are absent while S3 remains coherent (T0 + H0 + S1)
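The durability contracts above (bounded slot rotation, a lineage pointer instead of a "latest" assumption, and the hard-fail when T0 + H0 coincide with S1) as an added Python model; this is illustrative code, not the runtime's own, and the slot count, pointer layout and the reading of the T/H/S codes as TazPod artifacts / host material / S3 coherence are assumptions.

```python
"""Model of the remote-durability contracts summarised above.

Constructed illustration, not the runtime's own code: the slot count,
pointer format and the meaning of the T/H/S state codes are assumptions.
"""
from dataclasses import dataclass, field
import json

SLOT_COUNT = 3  # assumed bound on retained backup slots


@dataclass
class S3Bucket:
    """In-memory stand-in for the S3 prefix holding slots and the pointer."""
    objects: dict = field(default_factory=dict)

    def write_backup(self, snapshot: bytes, generation: int) -> str:
        # Bounded rotation: the slot index cycles, so old material is
        # overwritten instead of accumulating, and no object is "latest".
        key = f"slots/slot-{generation % SLOT_COUNT}.snap"
        self.objects[key] = snapshot
        # The lineage pointer names slot and generation explicitly, so a
        # restore can verify it resolves to real data rather than guessing.
        self.objects["lineage/pointer.json"] = json.dumps(
            {"generation": generation, "slot": key}
        ).encode()
        return key

    def coherent(self) -> bool:
        """S1 means the pointer exists and resolves to a present slot."""
        ptr = self.objects.get("lineage/pointer.json")
        if ptr is None:
            return False
        return json.loads(ptr)["slot"] in self.objects


def restore_gate(tazpod_artifacts: bool, host_artifacts: bool,
                 bucket: S3Bucket) -> str:
    """Decide whether a restore may proceed.

    Assumed reading of the matrix codes: T = TazPod operator artifacts,
    H = host-side retained material, S = S3 coherence; 0/1 = absent/present.
    """
    if not bucket.coherent():
        return "fail: S3 lineage incoherent"
    if not tazpod_artifacts and not host_artifacts:
        # T0 + H0 + S1: the data is recoverable, but nothing canonical
        # authorises bootstrap, so the runtime must hard-fail, not improvise.
        return "fail: no canonical bootstrap artifacts (T0 + H0 + S1)"
    return "proceed"
```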

Why It Matters

This runtime is one of the most infrastructure-heavy parts of TazLab outside the cluster path. It carries lessons about rebirth, restore coherence, secret custody, and fail-fast infrastructure design that are useful beyond the specific Vault runtime itself.

Relationships

Source Basis

  • AGENTS.ctx/ephemeral-castle/CONTEXT.md
  • AGENTS.ctx/memory/system-state.md