One job sits apart from everything else: watching. If the system that monitors the enclave ran on the same infrastructure as the enclave, a single outage could take down both at once — and you’d learn nothing from it. So the external watchdog runs on Contabo, chosen precisely because it is a provider separate from Hetzner.

The principle is plain: observation should not share fate with the thing observed. Keeping the watchdog off Hetzner means that when something at the primary host breaks, the part that notices is still standing. Final provider selection here is still being settled — it’s one of the open questions in the Hardware Manifest.

Has anything touched?

If reading this made you want to argue with it, extend it, or notice what's missing, that's the signal to show up.
