Provision Hetzner VyOS Edge (HyOps Blueprint)

Use networking/hetzner-vyos-edge@v1 to build/publish (or reuse) a canonical VyOS artifact, seed or discover the Hetzner image, and provision the default routed Hetzner edge pair.

This is the target-state replacement for the Linux strongSwan/FRR edge path. The shared Hetzner control host remains a separate Linux service host.

Inputs

The blueprint is state-first where possible:

  • core/shared/vyos-image-build publishes the canonical VyOS artifact URL contract
  • core/hetzner/vyos-image-seed publishes the custom Hetzner image reference
  • org/hetzner/vyos-edge-foundation consumes it by image_state_ref

Operator-supplied values still required:

  • object repo state or explicit artifact URL for the build step
  • SSH public key

Initialize an env-scoped overlay

hyops blueprint init --env dev \
  --ref networking/hetzner-vyos-edge@v1 \
  --dest-name hetzner-vyos-edge.yml

Edit:

  • ~/.hybridops/envs/dev/config/blueprints/hetzner-vyos-edge.yml
  • If you already have a seeded Hetzner custom image, set image_ref.
  • The blueprint now defaults to core/shared/vyos-image-build#vyos_default_build.
  • If vyos_artifact_build.inputs.artifact_url is set, HyOps uses it directly.
  • If vyos_artifact_build.inputs.artifact_url is empty, HyOps runs build/publish and uses repo_state_ref to discover the bucket backend.
  • vyos_image consumes the resulting shared artifact state by default; set image_source_url only when intentionally bypassing the shared artifact contract.
  • If image_source_url points to a qcow2 artifact, HyOps will auto-wrap it for Hetzner.
  • When using that qcow2 path, also set seed_wrapper_public_base_url to the publicly reachable base URL of the execution host, for example http://203.0.113.10:18080.
  • If your only upstream source is an installer ISO, leave image_source_url empty and provide a custom seed_command that performs the ISO-to-image workflow before snapshot creation.
  • Leave seed_tool: hcloud-upload-image unless you provide a custom seed_command.
  • HyOps fails fast when image_source_url is invalid/unreachable, with guidance to run core/shared/vyos-image-build.
  • A single operator-managed qcow2 URL can serve both Proxmox and Hetzner, provided the Hetzner wrapper can expose the temporary converted raw image from a publicly reachable execution host.
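
The seed-input rules in the list above can be checked before running preflight. The following is an added example, not part of HyOps: the function names are hypothetical, the values are passed as arguments rather than read from the overlay file, and treating loopback, private and link-local IPv4 literals as "not publicly reachable" (and requiring an http(s) scheme on the wrapper base URL) is an assumption of this sketch.

```shell
#!/bin/sh
# Added example, not HyOps code: checks the seed inputs against the rules above.
# Values are passed as arguments; the function names here are hypothetical.

url_host() {  # strip scheme, path and port (hostnames and IPv4 literals only)
  h=${1#*://}; h=${h%%/*}; h=${h%%:*}
  printf '%s\n' "$h"
}

is_public_host() {  # 1 = loopback/private/link-local literal, 0 = otherwise
  case "$1" in
    ""|localhost) return 1 ;;
    *[!0-9.]*) return 0 ;;  # a DNS name: cannot be judged offline
    127.*|10.*|192.168.*|169.254.*|0.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
  esac
  return 0
}

# check_seed_inputs IMAGE_SOURCE_URL WRAPPER_BASE_URL SEED_COMMAND SEED_TOOL
check_seed_inputs() {
  src=$1 base=$2 cmd=$3 tool=${4:-hcloud-upload-image}
  if [ -z "$cmd" ] && [ "$tool" != "hcloud-upload-image" ]; then
    echo "FAIL: seed_tool changed without a custom seed_command"; return 1
  fi
  if [ -z "$src" ]; then
    echo "OK: image_source_url empty (shared artifact state or custom seed_command)"; return 0
  fi
  case "${src%%[?]*}" in
    *.qcow2)
      [ -n "$base" ] || { echo "FAIL: qcow2 source needs seed_wrapper_public_base_url"; return 1; }
      case "$base" in
        http://*|https://*) ;;
        *) echo "FAIL: seed_wrapper_public_base_url is not an http(s) URL"; return 1 ;;
      esac
      is_public_host "$(url_host "$base")" ||
        { echo "FAIL: seed_wrapper_public_base_url host is not publicly routable"; return 1; }
      echo "OK: qcow2 source with public wrapper base URL" ;;
    *) echo "OK: image_source_url is not qcow2; wrapper base URL rule does not apply" ;;
  esac
}

# Constructed sample values (artifacts.example.test is a placeholder host).
check_seed_inputs "https://artifacts.example.test/vyos.qcow2" "http://203.0.113.10:18080" "" ""
```

A base URL on an RFC 1918 or loopback address passes local testing but cannot be reached by the Hetzner side, which is the case this check catches before any image conversion starts.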

If hyops blueprint init --ref networking/hetzner-vyos-edge@v1 says the blueprint is not found under ~/.hybridops/core/app/blueprints/..., your installed HyOps payload is older than the current source tree. Refresh the install, or use the repo-local CLI until the installed payload is updated.

Validate

hyops blueprint preflight --env dev \
  --file "$HOME/.hybridops/envs/dev/config/blueprints/hetzner-vyos-edge.yml"

Deploy

hyops blueprint deploy --env dev \
  --file "$HOME/.hybridops/envs/dev/config/blueprints/hetzner-vyos-edge.yml" \
  --execute