Use hcloud-upload-image for Hetzner imports

joshp123 · joshp123 · commit 8e8d439d7551 · 2026-01-07T18:25:37.000+01:00
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -46,6 +46,5 @@ jobs:
       - name: Import image into Hetzner
         env:
           HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
-          IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
-          IMAGE_DESCRIPTION: ${{ secrets.IMAGE_DESCRIPTION }}
+          HCLOUD_LOCATION: nbg1
         run: scripts/import-image.sh "${IMAGE_URL}"
diff --git a/AGENTS.md b/AGENTS.md
@@ -15,11 +15,32 @@ Memory references:
 
 Repo rule: no inline scripting languages (Python/Node/etc.) in Nix or shell blocks; put logic in script files and call them.
 
+The Zen of ~~Python~~ Clawdbot, ~~by~~ shamelessly stolen from Tim Peters:
+- Beautiful is better than ugly.
+- Explicit is better than implicit.
+- Simple is better than complex.
+- Complex is better than complicated.
+- Flat is better than nested.
+- Sparse is better than dense.
+- Readability counts.
+- Special cases aren't special enough to break the rules.
+- Although practicality beats purity.
+- Errors should never pass silently.
+- Unless explicitly silenced.
+- In the face of ambiguity, refuse the temptation to guess.
+- There should be one-- and preferably only one --obvious way to do it.
+- Although that way may not be obvious at first unless you're Dutch.
+- Now is better than never.
+- Although never is often better than *right* now.
+- If the implementation is hard to explain, it's a bad idea.
+- If the implementation is easy to explain, it may be a good idea.
+- Namespaces are one honking great idea -- let's do more of those!
+
 Deploy flow (automation-first):
 - Use `devenv.nix` for tooling (hcloud, nixos-generators, zstd).
 - Build a bootstrap NixOS image with nixos-generators (raw-efi), compress it, and upload to a public URL.
   - Use `nix/hosts/clawdinator-1-image.nix` for image builds.
-- CI is preferred: `.github/workflows/image-build.yml` runs build → S3 upload → Hetzner import.
+- CI is preferred: `.github/workflows/image-build.yml` runs build → S3 upload → Hetzner import (via `hcloud-upload-image`).
 - Bootstrap S3 bucket + scoped IAM user with `infra/opentofu/aws` (use homelab-admin creds).
 - Import the image into Hetzner with `hcloud image create`.
 - Provision host with OpenTofu (`infra/opentofu`; set `HCLOUD_TOKEN`, no tfvars with secrets).
diff --git a/README.md b/README.md
@@ -52,7 +52,7 @@ Image-based deploy (Option A, recommended):
    - `zstd dist/nixos.img -o dist/nixos.img.zst`
 3) Upload the image to S3 (private object; use a presigned URL for import).
 4) Import into Hetzner:
-   - `hcloud image create --from-url <url> --type custom --architecture x86 --name clawdinator-nixos`
+   - Use `hcloud-upload-image` (Hetzner Cloud does not support direct URL imports).
 5) Point OpenTofu at the image name or id and provision.
 6) Re-key agenix secrets to the new host SSH key and sync secrets to `/var/lib/clawd/nix-secrets`.
 7) Run `nixos-rebuild switch --flake /var/lib/clawd/repo#clawdinator-1`.
diff --git a/docs/POC.md b/docs/POC.md
@@ -18,7 +18,7 @@ Secrets wiring:
 - Infra: HCLOUD_TOKEN env var for OpenTofu and hcloud CLI.
  
 Image pipeline:
-- Build a bootstrap image with nixos-generators (raw-efi) from `nix/hosts/clawdinator-1-image.nix`, compress, upload, import into Hetzner.
+- Build a bootstrap image with nixos-generators (raw-efi) from `nix/hosts/clawdinator-1-image.nix`, compress, upload, import into Hetzner using `hcloud-upload-image`.
 - OpenTofu provisions instances from the imported custom image, then nixos-rebuild applies full config.
 - Runtime: explicit token files via agenix (standard).
 - GitHub token is required. Prefer GitHub App (`services.clawdinator.githubApp.*`) to mint short-lived tokens.
diff --git a/scripts/import-image.sh b/scripts/import-image.sh
@@ -7,12 +7,13 @@ if [ -z "${image_url}" ]; then
   exit 1
 fi
 
-name="${IMAGE_NAME:-clawdinator-nixos-$(date -u +%Y%m%d-%H%M%S)}"
-description="${IMAGE_DESCRIPTION:-CLAWDINATOR NixOS image}"
+location="${HCLOUD_LOCATION:-nbg1}"
 
-hcloud image create \
-  --from-url "${image_url}" \
-  --type custom \
+docker run --rm \
+  -e HCLOUD_TOKEN="${HCLOUD_TOKEN:?HCLOUD_TOKEN required}" \
+  ghcr.io/apricote/hcloud-upload-image:latest \
+  upload \
+  --image-url "${image_url}" \
   --architecture x86 \
-  --name "${name}" \
-  --description "${description}"
+  --compression zstd \
+  --location "${location}"
