diff --git a/.github/renovate.json b/.github/renovate.json
index 8c29184..154f290 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -3,5 +3,47 @@
     "extends": [
         "github>dockhippie/.github//renovate/preset"
     ],
-    "packageRules": []
+    "packageRules": [
+        {
+            "description": "Update golang docker images",
+            "datasources": [
+                "docker"
+            ],
+            "updateTypes": [
+                "major",
+                "minor"
+            ],
+            "enabled": true,
+            "automerge": true
+        },
+        {
+            "description": "Update tags without merge",
+            "datasources": [
+                "github-tags"
+            ],
+            "updateTypes": [
+                "major",
+                "minor"
+            ],
+            "enabled": false,
+            "automerge": false,
+            "matchPackageNames": [
+                "vulcand/vulcand"
+            ]
+        },
+        {
+            "description": "Update tags without merge",
+            "datasources": [
+                "github-tags"
+            ],
+            "updateTypes": [
+                "patch"
+            ],
+            "enabled": true,
+            "automerge": true,
+            "matchPackageNames": [
+                "vulcand/vulcand"
+            ]
+        }
+    ]
 }
diff --git a/.github/settings.yml b/.github/settings.yml
index 461bb8f..f36fd6a 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -1,6 +1,7 @@
+---
 repository:
   name: vulcand
-  description: Docker images for Vulcand
+  description: Docker images for vulcand
   topics: docker, image
 
   private: false
diff --git a/.github/workflows/v0.9.yml b/.github/workflows/v0.9.yml
new file mode 100644
index 0000000..d074954
--- /dev/null
+++ b/.github/workflows/v0.9.yml
@@ -0,0 +1,159 @@
+---
+name: v0.9
+
+"on":
+  push:
+    branches:
+      - master
+    paths:
+      - v0.9/*
+      - .github/workflows/v0.9.yml
+  pull_request:
+    branches:
+      - master
+    paths:
+      - v0.9/*
+      - .github/workflows/v0.9.yml
+  workflow_dispatch:
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source
+        id: source
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          images: |
+            webhippie/vulcand
+            quay.io/webhippie/vulcand
+            ghcr.io/dockhippie/vulcand
+          labels: |
+            org.opencontainers.image.vendor=Webhippie
+            maintainer=Thomas Boerger <thomas@webhippie.de>
+
+      - name: Setup QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v3
+
+      - name: Setup Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Hub login
+        id: login1
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Quay login
+        id: login2
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Ghcr login
+        id: login3
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build amd64
+        id: amd64
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          context: v0.9/
+          provenance: false
+          file: v0.9/Dockerfile.amd64
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            webhippie/vulcand:0.9-amd64
+            quay.io/webhippie/vulcand:0.9-amd64
+            ghcr.io/dockhippie/vulcand:0.9-amd64
+
+      - name: Build arm64
+        id: arm64
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          context: v0.9/
+          provenance: false
+          file: v0.9/Dockerfile.arm64
+          platforms: linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            webhippie/vulcand:0.9-arm64
+            quay.io/webhippie/vulcand:0.9-arm64
+            ghcr.io/dockhippie/vulcand:0.9-arm64
+
+      - name: Build arm
+        id: arm
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          context: v0.9/
+          provenance: false
+          file: v0.9/Dockerfile.arm
+          platforms: linux/arm/v6
+          push: ${{ github.event_name != 'pull_request' }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            webhippie/vulcand:0.9-arm
+            quay.io/webhippie/vulcand:0.9-arm
+            ghcr.io/dockhippie/vulcand:0.9-arm
+
+      - name: Hub manifest
+        id: manifest1
+        uses: actionhippie/manifest@v1
+        if: github.event_name != 'pull_request'
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          template: webhippie/vulcand:0.9-ARCH
+          target: webhippie/vulcand:0.9
+          ignore_missing: true
+
+      - name: Quay manifest
+        id: manifest2
+        uses: actionhippie/manifest@v1
+        if: github.event_name != 'pull_request'
+        with:
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          template: quay.io/webhippie/vulcand:0.9-ARCH
+          target: quay.io/webhippie/vulcand:0.9
+          ignore_missing: true
+
+      - name: Ghcr manifest
+        id: manifest3
+        uses: actionhippie/manifest@v1
+        if: github.event_name != 'pull_request'
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          template: ghcr.io/dockhippie/vulcand:0.9-ARCH
+          target: ghcr.io/dockhippie/vulcand:0.9
+          ignore_missing: true
+
+...
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 95de951..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-FROM webhippie/alpine:latest
-MAINTAINER Thomas Boerger <thomas@webhippie.de>
-
-ENV VULCAND_PATH github.com/vulcand/vulcand
-ENV VULCAND_REPO https://${VULCAND_PATH}.git
-ENV VULCAND_BRANCH master
-
-ENV GOPATH /usr:/usr/src/${VULCAND_PATH}/Godeps/_workspace
-
-RUN apk update && \
-  apk add \
-    build-base \
-    go \
-    git && \
-  git clone -b ${VULCAND_BRANCH} ${VULCAND_REPO} /usr/src/${VULCAND_PATH} && \
-  cd /usr/src/${VULCAND_PATH} && \
-  go get -u github.com/tools/godep && \
-  godep go install ${VULCAND_PATH} && \
-  godep go install ${VULCAND_PATH}/vctl && \
-  godep go install ${VULCAND_PATH}/vbundle && \
-  apk del build-base go git && \
-  rm -rf /var/cache/apk/* && \
-  rm -r \
-    /usr/src/* \
-    /usr/pkg/* \
-    /usr/bin/godep
-
-ADD rootfs /
-EXPOSE 8181 8182
-
-WORKDIR /root
-CMD ["/bin/s6-svscan", "/etc/s6"]
diff --git a/LICENSE b/LICENSE
index e3cd5e8..7d8830d 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-2017 Thomas Boerger <thomas@webhippie.de>
+Copyright (c) 2015 Thomas Boerger <thomas@webhippie.de>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 60777b0..4913d10 100644
--- a/README.md
+++ b/README.md
@@ -1,76 +1,86 @@
-# Vulcand
+# vulcand
 
-[![](https://images.microbadger.com/badges/image/webhippie/vulcand.svg)](https://microbadger.com/images/webhippie/vulcand "Get your own image badge on microbadger.com")
-
-These are docker images for [Vulcand](https://github.com/mailgun/vulcand) running on an [Alpine Linux container](https://registry.hub.docker.com/u/webhippie/alpine/).
+[![Docker Build](https://github.com/dockhippie/vulcand/actions/workflows/docker.yml/badge.svg)](https://github.com/dockhippie/vulcand/actions/workflows/docker.yml) [![GitHub Repo](https://img.shields.io/badge/github-repo-yellowgreen)](https://github.com/dockhippie/vulcand)
 
+These are docker images for [Vulcand][upstream] running on our
+[Alpine Linux image][parent].
 
 ## Versions
 
-* [latest](https://github.com/dockhippie/vulcand/tree/master) available as ```webhippie/vulcand:latest``` at [Docker Hub](https://registry.hub.docker.com/u/webhippie/vulcand/)
-
+For the available versions please look at [Docker Hub][dockerhub] or
+[Quay][quayio] or check the existing folders within the
+[GitHub repository][github].
 
 ## Volumes
 
-* None
-
+*  None
 
 ## Ports
 
-* 8181
-* 8182
-
+*  8181
+*  8182
 
 ## Available environment variables
 
-```bash
-ENV VULCAND_API_INTERFACE
-ENV VULCAND_CERTPATH # As string or filename
-ENV VULCAND_ENDPOINT_DIALTIMEOUT 5s
-ENV VULCAND_ENDPOINT_READTIMEOUT 50s
-ENV VULCAND_ETCD
-ENV VULCAND_ETCD_CAFILE # As string or filename
-ENV VULCAND_ETCD_CERTFILE # As string or filename
-ENV VULCAND_ETCD_KEYFILE # As string or filename
-ENV VULCAND_ETCD_CONSISTENCY STRONG
-ENV VULCAND_ETCD_KEY vulcand
-ENV VULCAND_INTERFACE
-ENV VULCAND_LOG console
-ENV VULCAND_LOG_SEVERITY WARN
-ENV VULCAND_READTIMEOUT 1m0s
-ENV VULCAND_SEALKEY
-ENV VULCAND_SERVER_MAXHEADERBYTES 1048576
-ENV VULCAND_SERVER_READTIMEOUT 1m0s
-ENV VULCAND_SERVER_WRITETIMEOUT 1m0s
-ENV VULCAND_STATSD_ADDR
-ENV VULCAND_STATSD_PREFIX
+```console
+VULCAND_ALIASES =
+VULCAND_CERTPATH =
+VULCAND_DEBUG_JAEGER_TRACING = false
+VULCAND_DEFAULT_LISTENER = true
+VULCAND_ENABLE_JAEGER_TRACING = false
+VULCAND_ENDPOINT_DIAL_TIMEOUT =
+VULCAND_ENDPOINT_READ_TIMEOUT =
+VULCAND_ENGINE = etcd
+VULCAND_ETCD = http://etcd:2379
+VULCAND_ETCD_API_VERSION = 3
+VULCAND_ETCD_CA_FILE =
+VULCAND_ETCD_CERT_FILE =
+VULCAND_ETCD_CONSISTENCY = STRONG
+VULCAND_ETCD_DEBUG = false
+VULCAND_ETCD_ENABLE_TLS = false
+VULCAND_ETCD_INSECURE_SKIP_VERIFY = false
+VULCAND_ETCD_KEY = vulcand
+VULCAND_ETCD_KEY_FILE =
+VULCAND_ETCD_PASSWORD =
+VULCAND_ETCD_SYNC_INTERVAL_SECONDS =
+VULCAND_ETCD_USERNAME =
+VULCAND_HEALTHCHECK_CODE = 200
+VULCAND_HEALTHCHECK_URL = http://localhost:8182/v2/status
+VULCAND_LOG_SEVERITY = warning
+VULCAND_MEM_PROFILE_RATE =
+VULCAND_SEAL_KEY =
+VULCAND_SERVER_MAX_HEADER_BYTES =
+VULCAND_SERVER_READ_TIMEOUT =
+VULCAND_SERVER_WRITE_TIMEOUT =
+VULCAND_STATSD_ADDR =
+VULCAND_STATSD_PREFIX =
+VULCAND_TRUST_FORWARD_HEADER = false
 ```
 
-
 ## Inherited environment variables
 
-```bash
-ENV CRON_ENABLED false
-```
-
+*  [webhippie/alpine](https://github.com/dockhippie/alpine#available-environment-variables)
 
 ## Contributing
 
 Fork -> Patch -> Push -> Pull Request
 
-
 ## Authors
 
-* [Thomas Boerger](https://github.com/tboerger)
-
+*  [Thomas Boerger](https://github.com/tboerger)
 
 ## License
 
 MIT
 
-
 ## Copyright
 
+```console
+Copyright (c) 2015 Thomas Boerger <http://www.webhippie.de>
 ```
-Copyright (c) 2015-2017 Thomas Boerger <http://www.webhippie.de>
-```
+
+[upstream]: https://github.com/vulcand/vulcand
+[parent]: https://github.com/dockhippie/alpine
+[dockerhub]: https://hub.docker.com/r/webhippie/vulcand/tags
+[quayio]: https://quay.io/repository/webhippie/vulcand?tab=tags
+[github]: https://github.com/dockhippie/vulcand
diff --git a/latest/Dockerfile.amd64 b/latest/Dockerfile.amd64
new file mode 100644
index 0000000..2cf37c0
--- /dev/null
+++ b/latest/Dockerfile.amd64
@@ -0,0 +1,25 @@
+FROM ghcr.io/dockhippie/golang:1.21-amd64@sha256:dc8f126b52962e46aad020d11b37d37350359fe3f8be10c151023e04361b52ae AS build
+
+RUN git clone -b master https://github.com/vulcand/vulcand.git /srv/app/src && \
+  cd /srv/app/src && \
+  GO111MODULE=on go install ./...
+
+FROM ghcr.io/dockhippie/alpine:latest-amd64@sha256:63094950b363daed71defbb0ec6b31cef8b54c95afe02c8eeb0221b230b4d817
+
+EXPOSE 8181 8182
+
+WORKDIR /var/lib/vulcand
+CMD ["/usr/bin/container"]
+
+RUN apk update && \
+  apk upgrade && \
+  apk add etcd-ctl@testing && \
+  mkdir -p /var/lib/vulcand && \
+  groupadd -g 1000 vulcand && \
+  useradd -u 1000 -d /var/lib/vulcand -g vulcand -s /bin/bash -M vulcand && \
+  rm -rf /var/cache/apk/*
+
+COPY --from=build /srv/app/bin/vulcand /usr/bin/vulcand
+COPY --from=build /srv/app/bin/vctl /usr/bin/vctl
+COPY --from=build /srv/app/bin/vbundle /usr/bin/vbundle
+COPY ./overlay /
diff --git a/latest/Dockerfile.arm b/latest/Dockerfile.arm
new file mode 100644
index 0000000..1b640f1
--- /dev/null
+++ b/latest/Dockerfile.arm
@@ -0,0 +1,25 @@
+FROM ghcr.io/dockhippie/golang:1.21-arm@sha256:eb3fc0fcc12bdfdcdb2aa08d5355e82d15e88b9d8105f9c5905b719936a606a3 AS build
+
+RUN git clone -b master https://github.com/vulcand/vulcand.git /srv/app/src && \
+  cd /srv/app/src && \
+  GO111MODULE=on go install ./...
+
+FROM ghcr.io/dockhippie/alpine:latest-arm@sha256:ae98e7d8c378250ff7799a4aa80dba4ebf9ef9874c51f304cb5006318bb21b48
+
+EXPOSE 8181 8182
+
+WORKDIR /var/lib/vulcand
+CMD ["/usr/bin/container"]
+
+RUN apk update && \
+  apk upgrade && \
+  apk add etcd-ctl@testing && \
+  mkdir -p /var/lib/vulcand && \
+  groupadd -g 1000 vulcand && \
+  useradd -u 1000 -d /var/lib/vulcand -g vulcand -s /bin/bash -M vulcand && \
+  rm -rf /var/cache/apk/*
+
+COPY --from=build /srv/app/bin/vulcand /usr/bin/vulcand
+COPY --from=build /srv/app/bin/vctl /usr/bin/vctl
+COPY --from=build /srv/app/bin/vbundle /usr/bin/vbundle
+COPY ./overlay /
diff --git a/latest/Dockerfile.arm64 b/latest/Dockerfile.arm64
new file mode 100644
index 0000000..38fa7f9
--- /dev/null
+++ b/latest/Dockerfile.arm64
@@ -0,0 +1,25 @@
+FROM ghcr.io/dockhippie/golang:1.21-arm64@sha256:ec2426e4766ed8b4ea1dd9123d5af77babca67dc498a827c50eb32092a9a287d AS build
+
+RUN git clone -b master https://github.com/vulcand/vulcand.git /srv/app/src && \
+  cd /srv/app/src && \
+  GO111MODULE=on go install ./...
+
+FROM ghcr.io/dockhippie/alpine:latest-arm64@sha256:9bde3d4081a6b08b20a15725aec66fff5bf92c449fefcb68a32dc6e4c3bd192e
+
+EXPOSE 8181 8182
+
+WORKDIR /var/lib/vulcand
+CMD ["/usr/bin/container"]
+
+RUN apk update && \
+  apk upgrade && \
+  apk add etcd-ctl@testing && \
+  mkdir -p /var/lib/vulcand && \
+  groupadd -g 1000 vulcand && \
+  useradd -u 1000 -d /var/lib/vulcand -g vulcand -s /bin/bash -M vulcand && \
+  rm -rf /var/cache/apk/*
+
+COPY --from=build /srv/app/bin/vulcand /usr/bin/vulcand
+COPY --from=build /srv/app/bin/vctl /usr/bin/vctl
+COPY --from=build /srv/app/bin/vbundle /usr/bin/vbundle
+COPY ./overlay /
diff --git a/latest/overlay/etc/container.d/00-user.sh b/latest/overlay/etc/container.d/00-user.sh
new file mode 100755
index 0000000..bb0e2e9
--- /dev/null
+++ b/latest/overlay/etc/container.d/00-user.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+if [[ ! "$(id -g vulcand)" =~ "${PGID}" ]]; then
+    echo "> enforcing group id"
+    groupmod -o -g ${PGID} vulcand
+fi
+
+if [[ ! "$(id -u vulcand)" =~ "${PGID}" ]]; then
+    echo "> enforcing user id"
+    usermod -o -u ${PUID} vulcand
+fi
+
+true
diff --git a/latest/overlay/etc/container.d/05-etcd.sh b/latest/overlay/etc/container.d/05-etcd.sh
new file mode 100755
index 0000000..10323d4
--- /dev/null
+++ b/latest/overlay/etc/container.d/05-etcd.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# if [[ "${VULCAND_ENGINE}" == "etcd" ]]; then
+#     if ! ${ETCDCTL_COMMAND} get "/${VULCAND_ETCD_KEY}" --prefix --keys-only >/dev/null 2>&1; then
+#         ${ETCDCTL_COMMAND} mkdir "/${VULCAND_ETCD_KEY}"
+#     fi
+# fi
+
+true
diff --git a/latest/overlay/etc/entrypoint.d/00-user.sh b/latest/overlay/etc/entrypoint.d/00-user.sh
new file mode 100755
index 0000000..c095f43
--- /dev/null
+++ b/latest/overlay/etc/entrypoint.d/00-user.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+declare -x PUID
+[[ -z "${PUID}" ]] && PUID="1000"
+
+declare -x PGID
+[[ -z "${PGID}" ]] && PGID="1000"
+
+true
diff --git a/latest/overlay/etc/entrypoint.d/05-base.sh b/latest/overlay/etc/entrypoint.d/05-base.sh
new file mode 100755
index 0000000..7c92c0b
--- /dev/null
+++ b/latest/overlay/etc/entrypoint.d/05-base.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+declare -x VULCAND_LOG_SEVERITY
+[[ -z "${VULCAND_LOG_SEVERITY}" ]] && VULCAND_LOG_SEVERITY="warning"
+
+declare -x VULCAND_ALIASES
+[[ -z "${VULCAND_ALIASES}" ]] && VULCAND_ALIASES=""
+
+declare -x VULCAND_CERTPATH
+[[ -z "${VULCAND_CERTPATH}" ]] && VULCAND_CERTPATH=""
+
+declare -x VULCAND_DEBUG_JAEGER_TRACING
+[[ -z "${VULCAND_DEBUG_JAEGER_TRACING}" ]] && VULCAND_DEBUG_JAEGER_TRACING="false"
+
+declare -x VULCAND_DEFAULT_LISTENER
+[[ -z "${VULCAND_DEFAULT_LISTENER}" ]] && VULCAND_DEFAULT_LISTENER="true"
+
+declare -x VULCAND_ENABLE_JAEGER_TRACING
+[[ -z "${VULCAND_ENABLE_JAEGER_TRACING}" ]] && VULCAND_ENABLE_JAEGER_TRACING="false"
+
+declare -x VULCAND_ENDPOINT_DIAL_TIMEOUT
+[[ -z "${VULCAND_ENDPOINT_DIAL_TIMEOUT}" ]] && VULCAND_ENDPOINT_DIAL_TIMEOUT=""
+
+declare -x VULCAND_ENDPOINT_READ_TIMEOUT
+[[ -z "${VULCAND_ENDPOINT_READ_TIMEOUT}" ]] && VULCAND_ENDPOINT_READ_TIMEOUT=""
+
+declare -x VULCAND_ENGINE
+[[ -z "${VULCAND_ENGINE}" ]] && VULCAND_ENGINE="etcd"
+
+declare -x VULCAND_MEM_PROFILE_RATE
+[[ -z "${VULCAND_MEM_PROFILE_RATE}" ]] && VULCAND_MEM_PROFILE_RATE=""
+
+declare -x VULCAND_SEAL_KEY
+[[ -z "${VULCAND_SEAL_KEY}" ]] && VULCAND_SEAL_KEY=""
+
+declare -x VULCAND_SERVER_MAX_HEADER_BYTES
+[[ -z "${VULCAND_SERVER_MAX_HEADER_BYTES}" ]] && VULCAND_SERVER_MAX_HEADER_BYTES=""
+
+declare -x VULCAND_SERVER_READ_TIMEOUT
+[[ -z "${VULCAND_SERVER_READ_TIMEOUT}" ]] && VULCAND_SERVER_READ_TIMEOUT=""
+
+declare -x VULCAND_SERVER_WRITE_TIMEOUT
+[[ -z "${VULCAND_SERVER_WRITE_TIMEOUT}" ]] && VULCAND_SERVER_WRITE_TIMEOUT=""
+
+declare -x VULCAND_STATSD_ADDR
+[[ -z "${VULCAND_STATSD_ADDR}" ]] && VULCAND_STATSD_ADDR=""
+
+declare -x VULCAND_STATSD_PREFIX
+[[ -z "${VULCAND_STATSD_PREFIX}" ]] && VULCAND_STATSD_PREFIX=""
+
+declare -x VULCAND_TRUST_FORWARD_HEADER
+[[ -z "${VULCAND_TRUST_FORWARD_HEADER}" ]] && VULCAND_TRUST_FORWARD_HEADER="false"
+
+declare -x VULCAND_ETCD
+[[ -z "${VULCAND_ETCD}" ]] && VULCAND_ETCD="http://etcd:2379"
+
+declare -x VULCAND_ETCD_API_VERSION
+[[ -z "${VULCAND_ETCD_API_VERSION}" ]] && VULCAND_ETCD_API_VERSION="3"
+
+declare -x VULCAND_ETCD_KEY
+[[ -z "${VULCAND_ETCD_KEY}" ]] && VULCAND_ETCD_KEY="vulcand"
+
+declare -x VULCAND_ETCD_SYNC_INTERVAL_SECONDS
+[[ -z "${VULCAND_ETCD_SYNC_INTERVAL_SECONDS}" ]] && VULCAND_ETCD_SYNC_INTERVAL_SECONDS=""
+
+declare -x VULCAND_ETCD_CONSISTENCY
+[[ -z "${VULCAND_ETCD_CONSISTENCY}" ]] && VULCAND_ETCD_CONSISTENCY="STRONG"
+
+declare -x VULCAND_ETCD_ENABLE_TLS
+[[ -z "${VULCAND_ETCD_ENABLE_TLS}" ]] && VULCAND_ETCD_ENABLE_TLS="false"
+
+declare -x VULCAND_ETCD_CA_FILE
+[[ -z "${VULCAND_ETCD_CA_FILE}" ]] && VULCAND_ETCD_CA_FILE=""
+
+declare -x VULCAND_ETCD_CERT_FILE
+[[ -z "${VULCAND_ETCD_CERT_FILE}" ]] && VULCAND_ETCD_CERT_FILE=""
+
+declare -x VULCAND_ETCD_KEY_FILE
+[[ -z "${VULCAND_ETCD_KEY_FILE}" ]] && VULCAND_ETCD_KEY_FILE=""
+
+declare -x VULCAND_ETCD_INSECURE_SKIP_VERIFY
+[[ -z "${VULCAND_ETCD_INSECURE_SKIP_VERIFY}" ]] && VULCAND_ETCD_INSECURE_SKIP_VERIFY="false"
+
+declare -x VULCAND_ETCD_USERNAME
+[[ -z "${VULCAND_ETCD_USERNAME}" ]] && VULCAND_ETCD_USERNAME=""
+
+declare -x VULCAND_ETCD_PASSWORD
+[[ -z "${VULCAND_ETCD_PASSWORD}" ]] && VULCAND_ETCD_PASSWORD=""
+
+declare -x VULCAND_ETCD_DEBUG
+[[ -z "${VULCAND_ETCD_DEBUG}" ]] && VULCAND_ETCD_DEBUG="false"
+
+declare -x VULCAND_HEALTHCHECK_URL
+[[ -z "${VULCAND_HEALTHCHECK_URL}" ]] && VULCAND_HEALTHCHECK_URL="http://localhost:8182/v2/status"
+
+declare -x VULCAND_HEALTHCHECK_CODE
+[[ -z "${VULCAND_HEALTHCHECK_CODE}" ]] && VULCAND_HEALTHCHECK_CODE="200"
+
+declare -x ETCDCTL_COMMAND
+[[ -z "${ETCDCTL_COMMAND}" ]] && ETCDCTL_COMMAND="etcdctl --endpoints=${VULCAND_ETCD}"
+
+true
diff --git a/latest/overlay/etc/entrypoint.d/10-cert.sh b/latest/overlay/etc/entrypoint.d/10-cert.sh
new file mode 100755
index 0000000..ad4e779
--- /dev/null
+++ b/latest/overlay/etc/entrypoint.d/10-cert.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+if [ -n "${VULCAND_CERTPATH}" ]; then
+    if [ ! -f "${VULCAND_CERTPATH}" ];  then
+        echo -e "${VULCAND_CERTPATH}" >| /tmp/vulcand.crt
+        VULCAND_CERTPATH="/tmp/vulcand.crt"
+    fi
+fi
+
+if [ -n "${VULCAND_ETCD_CA_FILE}" ]; then
+    if [ ! -f "${VULCAND_ETCD_CA_FILE}" ]; then
+        echo -e "${VULCAND_ETCD_CA_FILE}" >| /tmp/ca.crt
+        VULCAND_ETCD_CA_FILE="/tmp/ca.crt"
+    fi
+
+    ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --cacert=${VULCAND_ETCD_CA_FILE}"
+fi
+
+if [ -n "${VULCAND_ETCD_CERT_FILE}" ]; then
+    if [ ! -f "${VULCAND_ETCD_CERT_FILE}" ]; then
+        echo -e "${VULCAND_ETCD_CERT_FILE}" >| /tmp/etcd.crt
+        VULCAND_ETCD_CERT_FILE="/tmp/etcd.crt"
+    fi
+
+    ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --cert=${VULCAND_ETCD_CERT_FILE}"
+fi
+
+if [ -n "${VULCAND_ETCD_KEY_FILE}" ]; then
+    if [ ! -f "${VULCAND_ETCD_KEY_FILE}" ]; then
+        echo -e "${VULCAND_ETCD_KEY_FILE}" >| /tmp/etcd.key
+        VULCAND_ETCD_KEY_FILE="/tmp/etcd.key"
+    fi
+
+    ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --key=${VULCAND_ETCD_KEY_FILE}"
+fi
+
+true
diff --git a/latest/overlay/usr/bin/container b/latest/overlay/usr/bin/container
new file mode 100755
index 0000000..0fe7b30
--- /dev/null
+++ b/latest/overlay/usr/bin/container
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -eo pipefail
+source /usr/bin/entrypoint
+
+for FILE in $(find /etc/container.d -type f -iname \*.sh | sort); do
+    source ${FILE}
+done
+
+pushd /var/lib/vulcand >/dev/null
+    STARTCMD="su-exec vulcand vulcand -interface=0.0.0.0 -port=8181 -apiInterface=0.0.0.0 -apiPort=8182 -log=console"
+
+    [[ -n "${VULCAND_LOG_SEVERITY}" ]] && STARTCMD="${STARTCMD} -logSeverity=${VULCAND_LOG_SEVERITY}"
+    [[ -n "${VULCAND_ALIASES}" ]] && STARTCMD="${STARTCMD} -aliases=${VULCAND_ALIASES}"
+    [[ -n "${VULCAND_CERTPATH}" ]] && STARTCMD="${STARTCMD} -certPath=${VULCAND_CERTPATH}"
+    [[ "${VULCAND_DEBUG_JAEGER_TRACING}" == "true" || "${VULCAND_DEBUG_JAEGER_TRACING}" == "1" ]] && STARTCMD="${STARTCMD} -debugJaegerTracing"
+    [[ "${VULCAND_DEFAULT_LISTENER}" == "true" || "${VULCAND_DEFAULT_LISTENER}" == "1" ]] && STARTCMD="${STARTCMD} -default-listener"
+    [[ "${VULCAND_ENABLE_JAEGER_TRACING}" == "true" || "${VULCAND_ENABLE_JAEGER_TRACING}" == "1" ]] && STARTCMD="${STARTCMD} -enableJaegerTracing"
+    [[ -n "${VULCAND_ENDPOINT_DIAL_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -endpointDialTimeout=${VULCAND_ENDPOINT_DIAL_TIMEOUT}"
+    [[ -n "${VULCAND_ENDPOINT_READ_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -endpointDialTimeout=${VULCAND_ENDPOINT_READ_TIMEOUT}"
+    [[ -n "${VULCAND_ENGINE}" ]] && STARTCMD="${STARTCMD} -engine=${VULCAND_ENGINE}"
+    [[ -n "${VULCAND_MEM_PROFILE_RATE}" ]] && STARTCMD="${STARTCMD} -memProfileRate=${VULCAND_MEM_PROFILE_RATE}"
+    [[ -n "${VULCAND_SEAL_KEY}" ]] && STARTCMD="${STARTCMD} -sealKey=${VULCAND_SEAL_KEY}"
+    [[ -n "${VULCAND_SERVER_MAX_HEADER_BYTES}" ]] && STARTCMD="${STARTCMD} -serverMaxHeaderBytes=${VULCAND_SERVER_MAX_HEADER_BYTES}"
+    [[ -n "${VULCAND_SERVER_READ_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -serverReadTimeout=${VULCAND_SERVER_READ_TIMEOUT}"
+    [[ -n "${VULCAND_SERVER_WRITE_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -serverWriteTimeout=${VULCAND_SERVER_WRITE_TIMEOUT}"
+    [[ -n "${VULCAND_STATSD_ADDR}" ]] && STARTCMD="${STARTCMD} -statsdAddr=${VULCAND_STATSD_ADDR}"
+    [[ -n "${VULCAND_STATSD_PREFIX}" ]] && STARTCMD="${STARTCMD} -statsdPrefix=${VULCAND_STATSD_PREFIX}"
+    [[ "${VULCAND_TRUST_FORWARD_HEADER}" == "true" || "${VULCAND_TRUST_FORWARD_HEADER}" == "1" ]] && STARTCMD="${STARTCMD} -trustForwardHeader"
+
+    if [[ "${VULCAND_ENGINE}" == "etcd" ]]; then
+        [[ -n "${VULCAND_ETCD}" ]] && STARTCMD="${STARTCMD} -etcd=${VULCAND_ETCD}"
+        [[ -n "${VULCAND_ETCD_API_VERSION}" ]] && STARTCMD="${STARTCMD} -etcdApiVer=${VULCAND_ETCD_API_VERSION}"
+        [[ -n "${VULCAND_ETCD_KEY}" ]] && STARTCMD="${STARTCMD} -etcdKey=${VULCAND_ETCD_KEY}"
+        [[ -n "${VULCAND_ETCD_SYNC_INTERVAL_SECONDS}" ]] && STARTCMD="${STARTCMD} -etcdSyncIntervalSeconds=${VULCAND_ETCD_SYNC_INTERVAL_SECONDS}"
+        [[ -n "${VULCAND_ETCD_CONSISTENCY}" ]] && STARTCMD="${STARTCMD} -etcdConsistency=${VULCAND_ETCD_CONSISTENCY}"
+        [[ "${VULCAND_ETCD_ENABLE_TLS}" == "true" || "${VULCAND_ETCD_ENABLE_TLS}" == "1" ]] && STARTCMD="${STARTCMD} -etcdEnableTLS"
+        [[ -n "${VULCAND_ETCD_CA_FILE}" ]] && STARTCMD="${STARTCMD} -etcdCaFile=${VULCAND_ETCD_CA_FILE}"
+        [[ -n "${VULCAND_ETCD_CERT_FILE}" ]] && STARTCMD="${STARTCMD} -etcdCertFile=${VULCAND_ETCD_CERT_FILE}"
+        [[ -n "${VULCAND_ETCD_KEY_FILE}" ]] && STARTCMD="${STARTCMD} -etcdKeyFile=${VULCAND_ETCD_KEY_FILE}"
+        [[ "${VULCAND_ETCD_INSECURE_SKIP_VERIFY}" == "true" || "${VULCAND_ETCD_INSECURE_SKIP_VERIFY}" == "1" ]] && STARTCMD="${STARTCMD} -etcdInsecureSkipVerify"
+        [[ -n "${VULCAND_ETCD_USERNAME}" ]] && STARTCMD="${STARTCMD} -etcdUsername=${VULCAND_ETCD_USERNAME}"
+        [[ -n "${VULCAND_ETCD_PASSWORD}" ]] && STARTCMD="${STARTCMD} -etcdPassword=${VULCAND_ETCD_PASSWORD}"
+        [[ "${VULCAND_ETCD_DEBUG}" == "true" || "${VULCAND_ETCD_DEBUG}" == "1" ]] && STARTCMD="${STARTCMD} -etcdDebug"
+    fi
+
+    echo "> starting vulcand service"
+    exec ${STARTCMD}
+popd >/dev/null
diff --git a/latest/overlay/usr/bin/healthcheck b/latest/overlay/usr/bin/healthcheck
new file mode 100755
index 0000000..9487c2b
--- /dev/null
+++ b/latest/overlay/usr/bin/healthcheck
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eo pipefail
+source /usr/bin/entrypoint
+
+CHECK="$(curl -sL -w %{http_code} -o /dev/null ${VULCAND_HEALTHCHECK_URL})"
+
+if [[ "${CHECK}" == "${VULCAND_HEALTHCHECK_CODE}" ]]; then
+    exit 0
+fi
+
+exit 1
diff --git a/rootfs/etc/s6/vulcand/finish b/rootfs/etc/s6/vulcand/finish
deleted file mode 100755
index 06bd986..0000000
--- a/rootfs/etc/s6/vulcand/finish
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-exit 0
diff --git a/rootfs/etc/s6/vulcand/run b/rootfs/etc/s6/vulcand/run
deleted file mode 100755
index 7d2a8e8..0000000
--- a/rootfs/etc/s6/vulcand/run
+++ /dev/null
@@ -1,110 +0,0 @@
-#!/bin/bash
-
-if [ -f ./setup ]
-then
-  source ./setup
-fi
-
-STARTCMD="/usr/bin/vulcand -port=8181 -apiPort=8182"
-
-if [ -n "${VULCAND_API_INTERFACE}" ]
-then
-  STARTCMD="${STARTCMD} -apiInterface=${VULCAND_API_INTERFACE}"
-fi
-
-if [ -n "${VULCAND_ENDPOINT_DIALTIMEOUT}" ]
-then
-  STARTCMD="${STARTCMD} -endpointDialTimeout=${VULCAND_ENDPOINT_DIALTIMEOUT}"
-fi
-
-if [ -n "${VULCAND_ENDPOINT_READTIMEOUT}" ]
-then
-  STARTCMD="${STARTCMD} -endpointReadTimeout=${VULCAND_ENDPOINT_READTIMEOUT}"
-fi
-
-if [ -n "${VULCAND_ETCD}" ]
-then
-  STARTCMD="${STARTCMD} -etcd=${VULCAND_ETCD}"
-fi
-
-if [ -n "${VULCAND_ETCD_CONSISTENCY}" ]
-then
-  STARTCMD="${STARTCMD} -etcdConsistency=${VULCAND_ETCD_CONSISTENCY}"
-fi
-
-if [ -n "${VULCAND_ETCD_KEY}" ]
-then
-  STARTCMD="${STARTCMD} -etcdKey=${VULCAND_ETCD_KEY}"
-fi
-
-if [ -n "${VULCAND_INTERFACE}" ]
-then
-  STARTCMD="${STARTCMD} -interface=${VULCAND_INTERFACE}"
-fi
-
-if [ -n "${VULCAND_LOG}" ]
-then
-  STARTCMD="${STARTCMD} -log=${VULCAND_LOG}"
-fi
-
-if [ -n "${VULCAND_LOG_SEVERITY}" ]
-then
-  STARTCMD="${STARTCMD} -logSeverity=${VULCAND_LOG_SEVERITY}"
-fi
-
-if [ -n "${VULCAND_READTIMEOUT}" ]
-then
-  STARTCMD="${STARTCMD} -readTimeout=${VULCAND_READTIMEOUT}"
-fi
-
-if [ -n "${VULCAND_SEALKEY}" ]
-then
-  STARTCMD="${STARTCMD} -sealKey=${VULCAND_SEALKEY}"
-fi
-
-if [ -n "${VULCAND_SERVER_MAXHEADERBYTES}" ]
-then
-  STARTCMD="${STARTCMD} -serverMaxHeaderBytes=${VULCAND_SERVER_MAXHEADERBYTES}"
-fi
-
-if [ -n "${VULCAND_SERVER_READTIMEOUT}" ]
-then
-  STARTCMD="${STARTCMD} -serverReadTimeout=${VULCAND_SERVER_READTIMEOUT}"
-fi
-
-if [ -n "${VULCAND_SERVER_WRITETIMEOUT}" ]
-then
-  STARTCMD="${STARTCMD} -serverWriteTimeout=${VULCAND_SERVER_WRITETIMEOUT}"
-fi
-
-if [ -n "${VULCAND_STATSD_ADDR}" ]
-then
-  STARTCMD="${STARTCMD} -statsdAddr=${VULCAND_STATSD_ADDR}"
-fi
-
-if [ -n "${VULCAND_STATSD_PREFIX}" ]
-then
-  STARTCMD="${STARTCMD} -statsdPrefix=${VULCAND_STATSD_PREFIX}"
-fi
-
-if [ -n "${VULCAND_CERTPATH}" ]
-then
-  STARTCMD="${STARTCMD} -certPath=${VULCAND_CERTPATH}"
-fi
-
-if [ -n "${VULCAND_ETCD_CAFILE}" ]
-then
-  STARTCMD="${STARTCMD} -etcdCaFile=${VULCAND_ETCD_CAFILE}"
-fi
-
-if [ -n "${VULCAND_ETCD_CERTFILE}" ]
-then
-  STARTCMD="${STARTCMD} -etcdCertFile=${VULCAND_ETCD_CERTFILE}"
-fi
-
-if [ -n "${VULCAND_ETCD_KEYFILE}" ]
-then
-  STARTCMD="${STARTCMD} -etcdKeyFile=${VULCAND_ETCD_KEYFILE}"
-fi
-
-exec ${STARTCMD}
diff --git a/rootfs/etc/s6/vulcand/setup b/rootfs/etc/s6/vulcand/setup
deleted file mode 100755
index a6a381a..0000000
--- a/rootfs/etc/s6/vulcand/setup
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash
-
-declare -x VULCAND_ETCD
-declare -x VULCAND_ETCD_KEY
-declare -x VULCAND_ETCD_CAFILE
-declare -x VULCAND_ETCD_CERTFILE
-declare -x VULCAND_ETCD_KEYFILE
-declare -x VULCAND_CERTPATH
-declare -x ETCDCTL_COMMAND
-
-if [ -z "${VULCAND_ETCD}" ]
-then
-  VULCAND_ETCD="http://etcd:2379"
-fi
-
-if [ -n "${VULCAND_ETCD_KEY}" ]
-then
-  VULCAND_ETCD_KEY="vulcand"
-fi
-
-if [ -z "${ETCDCTL_COMMAND}" ]
-then
-  ETCDCTL_COMMAND="/usr/bin/etcdctl --peers=${VULCAND_ETCD}"
-else
-  ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --peers=${VULCAND_ETCD}"
-fi
-
-if [ -n "${VULCAND_ETCD_CAFILE}" ]
-then
-  if [ ! -f "${VULCAND_ETCD_CAFILE}" ]
-  then
-    echo -e "${VULCAND_ETCD_CAFILE}" >| /tmp/ca.crt
-    VULCAND_ETCD_CAFILE="/tmp/ca.crt"
-  fi
-
-  ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --ca-file=${VULCAND_ETCD_CAFILE}"
-fi
-
-if [ -n "${VULCAND_ETCD_CERTFILE}" ]
-then
-  if [ ! -f "${VULCAND_ETCD_CERTFILE}" ]
-  then
-    echo -e "${VULCAND_ETCD_CERTFILE}" >| /tmp/etcd.crt
-    VULCAND_ETCD_CERTFILE="/tmp/etcd.crt"
-  fi
-
-  ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --cert-file=${VULCAND_ETCD_CERTFILE}"
-fi
-
-if [ -n "${VULCAND_ETCD_KEYFILE}" ]
-then
-  if [ ! -f "${VULCAND_ETCD_KEYFILE}" ]
-  then
-    echo -e "${VULCAND_ETCD_KEYFILE}" >| /tmp/etcd.key
-    VULCAND_ETCD_KEYFILE="/tmp/etcd.key"
-  fi
-
-  ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --key-file=${VULCAND_ETCD_KEYFILE}"
-fi
-
-if [ -n "${VULCAND_CERTPATH}" ]
-then
-  if [ ! -f "${VULCAND_CERTPATH}" ]
-  then
-    echo -e "${VULCAND_CERTPATH}" >| /tmp/vulcand.crt
-    VULCAND_CERTPATH="/tmp/vulcand.crt"
-  fi
-fi
-
-if ! ${ETCDCTL_COMMAND} ls /${VULCAND_ETCD_KEY} > /dev/null 2>&1
-then
-  ${ETCDCTL_COMMAND} mkdir /${VULCAND_ETCD_KEY}
-fi
diff --git a/rootfs/usr/bin/etcdctl b/rootfs/usr/bin/etcdctl
deleted file mode 100755
index bad28d5..0000000
Binary files a/rootfs/usr/bin/etcdctl and /dev/null differ
diff --git a/v0.9/Dockerfile.amd64 b/v0.9/Dockerfile.amd64
new file mode 100644
index 0000000..c0b0dcc
--- /dev/null
+++ b/v0.9/Dockerfile.amd64
@@ -0,0 +1,28 @@
+FROM ghcr.io/dockhippie/golang:1.21-amd64@sha256:dc8f126b52962e46aad020d11b37d37350359fe3f8be10c151023e04361b52ae AS build
+
+# renovate: datasource=github-tags depName=vulcand/vulcand
+ENV VULCAND_VERSION=v0.9.2
+
+RUN git clone -b ${VULCAND_VERSION} https://github.com/vulcand/vulcand.git /srv/app/src && \
+  cd /srv/app/src && \
+  GO111MODULE=on go install ./...
+
+FROM ghcr.io/dockhippie/alpine:latest-amd64@sha256:63094950b363daed71defbb0ec6b31cef8b54c95afe02c8eeb0221b230b4d817
+
+EXPOSE 8181 8182
+
+WORKDIR /var/lib/vulcand
+CMD ["/usr/bin/container"]
+
+RUN apk update && \
+  apk upgrade && \
+  apk add etcd-ctl@testing && \
+  mkdir -p /var/lib/vulcand && \
+  groupadd -g 1000 vulcand && \
+  useradd -u 1000 -d /var/lib/vulcand -g vulcand -s /bin/bash -M vulcand && \
+  rm -rf /var/cache/apk/*
+
+COPY --from=build /srv/app/bin/vulcand /usr/bin/vulcand
+COPY --from=build /srv/app/bin/vctl /usr/bin/vctl
+COPY --from=build /srv/app/bin/vbundle /usr/bin/vbundle
+COPY ./overlay /
diff --git a/v0.9/Dockerfile.arm b/v0.9/Dockerfile.arm
new file mode 100644
index 0000000..df20619
--- /dev/null
+++ b/v0.9/Dockerfile.arm
@@ -0,0 +1,28 @@
+FROM ghcr.io/dockhippie/golang:1.21-arm@sha256:eb3fc0fcc12bdfdcdb2aa08d5355e82d15e88b9d8105f9c5905b719936a606a3 AS build
+
+# renovate: datasource=github-tags depName=vulcand/vulcand
+ENV VULCAND_VERSION=v0.9.2
+
+RUN git clone -b ${VULCAND_VERSION} https://github.com/vulcand/vulcand.git /srv/app/src && \
+  cd /srv/app/src && \
+  GO111MODULE=on go install ./...
+
+FROM ghcr.io/dockhippie/alpine:latest-arm@sha256:ae98e7d8c378250ff7799a4aa80dba4ebf9ef9874c51f304cb5006318bb21b48
+
+EXPOSE 8181 8182
+
+WORKDIR /var/lib/vulcand
+CMD ["/usr/bin/container"]
+
+RUN apk update && \
+  apk upgrade && \
+  apk add etcd-ctl@testing && \
+  mkdir -p /var/lib/vulcand && \
+  groupadd -g 1000 vulcand && \
+  useradd -u 1000 -d /var/lib/vulcand -g vulcand -s /bin/bash -M vulcand && \
+  rm -rf /var/cache/apk/*
+
+COPY --from=build /srv/app/bin/vulcand /usr/bin/vulcand
+COPY --from=build /srv/app/bin/vctl /usr/bin/vctl
+COPY --from=build /srv/app/bin/vbundle /usr/bin/vbundle
+COPY ./overlay /
diff --git a/v0.9/Dockerfile.arm64 b/v0.9/Dockerfile.arm64
new file mode 100644
index 0000000..ca889d8
--- /dev/null
+++ b/v0.9/Dockerfile.arm64
@@ -0,0 +1,28 @@
+FROM ghcr.io/dockhippie/golang:1.21-arm64@sha256:ec2426e4766ed8b4ea1dd9123d5af77babca67dc498a827c50eb32092a9a287d AS build
+
+# renovate: datasource=github-tags depName=vulcand/vulcand
+ENV VULCAND_VERSION=v0.9.2
+
+RUN git clone -b ${VULCAND_VERSION} https://github.com/vulcand/vulcand.git /srv/app/src && \
+  cd /srv/app/src && \
+  GO111MODULE=on go install ./...
+
+FROM ghcr.io/dockhippie/alpine:latest-arm64@sha256:9bde3d4081a6b08b20a15725aec66fff5bf92c449fefcb68a32dc6e4c3bd192e
+
+EXPOSE 8181 8182
+
+WORKDIR /var/lib/vulcand
+CMD ["/usr/bin/container"]
+
+RUN apk update && \
+  apk upgrade && \
+  apk add etcd-ctl@testing && \
+  mkdir -p /var/lib/vulcand && \
+  groupadd -g 1000 vulcand && \
+  useradd -u 1000 -d /var/lib/vulcand -g vulcand -s /bin/bash -M vulcand && \
+  rm -rf /var/cache/apk/*
+
+COPY --from=build /srv/app/bin/vulcand /usr/bin/vulcand
+COPY --from=build /srv/app/bin/vctl /usr/bin/vctl
+COPY --from=build /srv/app/bin/vbundle /usr/bin/vbundle
+COPY ./overlay /
diff --git a/v0.9/overlay/etc/container.d/00-user.sh b/v0.9/overlay/etc/container.d/00-user.sh
new file mode 100755
index 0000000..bb0e2e9
--- /dev/null
+++ b/v0.9/overlay/etc/container.d/00-user.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+if [[ ! "$(id -g vulcand)" =~ "${PGID}" ]]; then
+    echo "> enforcing group id"
+    groupmod -o -g ${PGID} vulcand
+fi
+
+if [[ ! "$(id -u vulcand)" =~ "${PGID}" ]]; then
+    echo "> enforcing user id"
+    usermod -o -u ${PUID} vulcand
+fi
+
+true
diff --git a/v0.9/overlay/etc/container.d/05-etcd.sh b/v0.9/overlay/etc/container.d/05-etcd.sh
new file mode 100755
index 0000000..10323d4
--- /dev/null
+++ b/v0.9/overlay/etc/container.d/05-etcd.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# if [[ "${VULCAND_ENGINE}" == "etcd" ]]; then
+#     if ! ${ETCDCTL_COMMAND} get "/${VULCAND_ETCD_KEY}" --prefix --keys-only >/dev/null 2>&1; then
+#         ${ETCDCTL_COMMAND} mkdir "/${VULCAND_ETCD_KEY}"
+#     fi
+# fi
+
+true
diff --git a/v0.9/overlay/etc/entrypoint.d/00-user.sh b/v0.9/overlay/etc/entrypoint.d/00-user.sh
new file mode 100755
index 0000000..c095f43
--- /dev/null
+++ b/v0.9/overlay/etc/entrypoint.d/00-user.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+declare -x PUID
+[[ -z "${PUID}" ]] && PUID="1000"
+
+declare -x PGID
+[[ -z "${PGID}" ]] && PGID="1000"
+
+true
diff --git a/v0.9/overlay/etc/entrypoint.d/05-base.sh b/v0.9/overlay/etc/entrypoint.d/05-base.sh
new file mode 100755
index 0000000..7c92c0b
--- /dev/null
+++ b/v0.9/overlay/etc/entrypoint.d/05-base.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+declare -x VULCAND_LOG_SEVERITY
+[[ -z "${VULCAND_LOG_SEVERITY}" ]] && VULCAND_LOG_SEVERITY="warning"
+
+declare -x VULCAND_ALIASES
+[[ -z "${VULCAND_ALIASES}" ]] && VULCAND_ALIASES=""
+
+declare -x VULCAND_CERTPATH
+[[ -z "${VULCAND_CERTPATH}" ]] && VULCAND_CERTPATH=""
+
+declare -x VULCAND_DEBUG_JAEGER_TRACING
+[[ -z "${VULCAND_DEBUG_JAEGER_TRACING}" ]] && VULCAND_DEBUG_JAEGER_TRACING="false"
+
+declare -x VULCAND_DEFAULT_LISTENER
+[[ -z "${VULCAND_DEFAULT_LISTENER}" ]] && VULCAND_DEFAULT_LISTENER="true"
+
+declare -x VULCAND_ENABLE_JAEGER_TRACING
+[[ -z "${VULCAND_ENABLE_JAEGER_TRACING}" ]] && VULCAND_ENABLE_JAEGER_TRACING="false"
+
+declare -x VULCAND_ENDPOINT_DIAL_TIMEOUT
+[[ -z "${VULCAND_ENDPOINT_DIAL_TIMEOUT}" ]] && VULCAND_ENDPOINT_DIAL_TIMEOUT=""
+
+declare -x VULCAND_ENDPOINT_READ_TIMEOUT
+[[ -z "${VULCAND_ENDPOINT_READ_TIMEOUT}" ]] && VULCAND_ENDPOINT_READ_TIMEOUT=""
+
+declare -x VULCAND_ENGINE
+[[ -z "${VULCAND_ENGINE}" ]] && VULCAND_ENGINE="etcd"
+
+declare -x VULCAND_MEM_PROFILE_RATE
+[[ -z "${VULCAND_MEM_PROFILE_RATE}" ]] && VULCAND_MEM_PROFILE_RATE=""
+
+declare -x VULCAND_SEAL_KEY
+[[ -z "${VULCAND_SEAL_KEY}" ]] && VULCAND_SEAL_KEY=""
+
+declare -x VULCAND_SERVER_MAX_HEADER_BYTES
+[[ -z "${VULCAND_SERVER_MAX_HEADER_BYTES}" ]] && VULCAND_SERVER_MAX_HEADER_BYTES=""
+
+declare -x VULCAND_SERVER_READ_TIMEOUT
+[[ -z "${VULCAND_SERVER_READ_TIMEOUT}" ]] && VULCAND_SERVER_READ_TIMEOUT=""
+
+declare -x VULCAND_SERVER_WRITE_TIMEOUT
+[[ -z "${VULCAND_SERVER_WRITE_TIMEOUT}" ]] && VULCAND_SERVER_WRITE_TIMEOUT=""
+
+declare -x VULCAND_STATSD_ADDR
+[[ -z "${VULCAND_STATSD_ADDR}" ]] && VULCAND_STATSD_ADDR=""
+
+declare -x VULCAND_STATSD_PREFIX
+[[ -z "${VULCAND_STATSD_PREFIX}" ]] && VULCAND_STATSD_PREFIX=""
+
+declare -x VULCAND_TRUST_FORWARD_HEADER
+[[ -z "${VULCAND_TRUST_FORWARD_HEADER}" ]] && VULCAND_TRUST_FORWARD_HEADER="false"
+
+declare -x VULCAND_ETCD
+[[ -z "${VULCAND_ETCD}" ]] && VULCAND_ETCD="http://etcd:2379"
+
+declare -x VULCAND_ETCD_API_VERSION
+[[ -z "${VULCAND_ETCD_API_VERSION}" ]] && VULCAND_ETCD_API_VERSION="3"
+
+declare -x VULCAND_ETCD_KEY
+[[ -z "${VULCAND_ETCD_KEY}" ]] && VULCAND_ETCD_KEY="vulcand"
+
+declare -x VULCAND_ETCD_SYNC_INTERVAL_SECONDS
+[[ -z "${VULCAND_ETCD_SYNC_INTERVAL_SECONDS}" ]] && VULCAND_ETCD_SYNC_INTERVAL_SECONDS=""
+
+declare -x VULCAND_ETCD_CONSISTENCY
+[[ -z "${VULCAND_ETCD_CONSISTENCY}" ]] && VULCAND_ETCD_CONSISTENCY="STRONG"
+
+declare -x VULCAND_ETCD_ENABLE_TLS
+[[ -z "${VULCAND_ETCD_ENABLE_TLS}" ]] && VULCAND_ETCD_ENABLE_TLS="false"
+
+declare -x VULCAND_ETCD_CA_FILE
+[[ -z "${VULCAND_ETCD_CA_FILE}" ]] && VULCAND_ETCD_CA_FILE=""
+
+declare -x VULCAND_ETCD_CERT_FILE
+[[ -z "${VULCAND_ETCD_CERT_FILE}" ]] && VULCAND_ETCD_CERT_FILE=""
+
+declare -x VULCAND_ETCD_KEY_FILE
+[[ -z "${VULCAND_ETCD_KEY_FILE}" ]] && VULCAND_ETCD_KEY_FILE=""
+
+declare -x VULCAND_ETCD_INSECURE_SKIP_VERIFY
+[[ -z "${VULCAND_ETCD_INSECURE_SKIP_VERIFY}" ]] && VULCAND_ETCD_INSECURE_SKIP_VERIFY="false"
+
+declare -x VULCAND_ETCD_USERNAME
+[[ -z "${VULCAND_ETCD_USERNAME}" ]] && VULCAND_ETCD_USERNAME=""
+
+declare -x VULCAND_ETCD_PASSWORD
+[[ -z "${VULCAND_ETCD_PASSWORD}" ]] && VULCAND_ETCD_PASSWORD=""
+
+declare -x VULCAND_ETCD_DEBUG
+[[ -z "${VULCAND_ETCD_DEBUG}" ]] && VULCAND_ETCD_DEBUG="false"
+
+declare -x VULCAND_HEALTHCHECK_URL
+[[ -z "${VULCAND_HEALTHCHECK_URL}" ]] && VULCAND_HEALTHCHECK_URL="http://localhost:8182/v2/status"
+
+declare -x VULCAND_HEALTHCHECK_CODE
+[[ -z "${VULCAND_HEALTHCHECK_CODE}" ]] && VULCAND_HEALTHCHECK_CODE="200"
+
+declare -x ETCDCTL_COMMAND
+[[ -z "${ETCDCTL_COMMAND}" ]] && ETCDCTL_COMMAND="etcdctl --endpoints=${VULCAND_ETCD}"
+
+true
diff --git a/v0.9/overlay/etc/entrypoint.d/10-cert.sh b/v0.9/overlay/etc/entrypoint.d/10-cert.sh
new file mode 100755
index 0000000..ad4e779
--- /dev/null
+++ b/v0.9/overlay/etc/entrypoint.d/10-cert.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+if [ -n "${VULCAND_CERTPATH}" ]; then
+    if [ ! -f "${VULCAND_CERTPATH}" ];  then
+        echo -e "${VULCAND_CERTPATH}" >| /tmp/vulcand.crt
+        VULCAND_CERTPATH="/tmp/vulcand.crt"
+    fi
+fi
+
+if [ -n "${VULCAND_ETCD_CA_FILE}" ]; then
+    if [ ! -f "${VULCAND_ETCD_CA_FILE}" ]; then
+        echo -e "${VULCAND_ETCD_CA_FILE}" >| /tmp/ca.crt
+        VULCAND_ETCD_CA_FILE="/tmp/ca.crt"
+    fi
+
+    ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --cacert=${VULCAND_ETCD_CA_FILE}"
+fi
+
+if [ -n "${VULCAND_ETCD_CERT_FILE}" ]; then
+    if [ ! -f "${VULCAND_ETCD_CERT_FILE}" ]; then
+        echo -e "${VULCAND_ETCD_CERT_FILE}" >| /tmp/etcd.crt
+        VULCAND_ETCD_CERT_FILE="/tmp/etcd.crt"
+    fi
+
+    ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --cert=${VULCAND_ETCD_CERT_FILE}"
+fi
+
+if [ -n "${VULCAND_ETCD_KEY_FILE}" ]; then
+    if [ ! -f "${VULCAND_ETCD_KEY_FILE}" ]; then
+        echo -e "${VULCAND_ETCD_KEY_FILE}" >| /tmp/etcd.key
+        VULCAND_ETCD_KEY_FILE="/tmp/etcd.key"
+    fi
+
+    ETCDCTL_COMMAND="${ETCDCTL_COMMAND} --key=${VULCAND_ETCD_KEY_FILE}"
+fi
+
+true
diff --git a/v0.9/overlay/usr/bin/container b/v0.9/overlay/usr/bin/container
new file mode 100755
index 0000000..0fe7b30
--- /dev/null
+++ b/v0.9/overlay/usr/bin/container
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -eo pipefail
+source /usr/bin/entrypoint
+
+for FILE in $(find /etc/container.d -type f -iname \*.sh | sort); do
+    source ${FILE}
+done
+
+pushd /var/lib/vulcand >/dev/null
+    STARTCMD="su-exec vulcand vulcand -interface=0.0.0.0 -port=8181 -apiInterface=0.0.0.0 -apiPort=8182 -log=console"
+
+    [[ -n "${VULCAND_LOG_SEVERITY}" ]] && STARTCMD="${STARTCMD} -logSeverity=${VULCAND_LOG_SEVERITY}"
+    [[ -n "${VULCAND_ALIASES}" ]] && STARTCMD="${STARTCMD} -aliases=${VULCAND_ALIASES}"
+    [[ -n "${VULCAND_CERTPATH}" ]] && STARTCMD="${STARTCMD} -certPath=${VULCAND_CERTPATH}"
+    [[ "${VULCAND_DEBUG_JAEGER_TRACING}" == "true" || "${VULCAND_DEBUG_JAEGER_TRACING}" == "1" ]] && STARTCMD="${STARTCMD} -debugJaegerTracing"
+    [[ "${VULCAND_DEFAULT_LISTENER}" == "true" || "${VULCAND_DEFAULT_LISTENER}" == "1" ]] && STARTCMD="${STARTCMD} -default-listener"
+    [[ "${VULCAND_ENABLE_JAEGER_TRACING}" == "true" || "${VULCAND_ENABLE_JAEGER_TRACING}" == "1" ]] && STARTCMD="${STARTCMD} -enableJaegerTracing"
+    [[ -n "${VULCAND_ENDPOINT_DIAL_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -endpointDialTimeout=${VULCAND_ENDPOINT_DIAL_TIMEOUT}"
+    [[ -n "${VULCAND_ENDPOINT_READ_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -endpointDialTimeout=${VULCAND_ENDPOINT_READ_TIMEOUT}"
+    [[ -n "${VULCAND_ENGINE}" ]] && STARTCMD="${STARTCMD} -engine=${VULCAND_ENGINE}"
+    [[ -n "${VULCAND_MEM_PROFILE_RATE}" ]] && STARTCMD="${STARTCMD} -memProfileRate=${VULCAND_MEM_PROFILE_RATE}"
+    [[ -n "${VULCAND_SEAL_KEY}" ]] && STARTCMD="${STARTCMD} -sealKey=${VULCAND_SEAL_KEY}"
+    [[ -n "${VULCAND_SERVER_MAX_HEADER_BYTES}" ]] && STARTCMD="${STARTCMD} -serverMaxHeaderBytes=${VULCAND_SERVER_MAX_HEADER_BYTES}"
+    [[ -n "${VULCAND_SERVER_READ_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -serverReadTimeout=${VULCAND_SERVER_READ_TIMEOUT}"
+    [[ -n "${VULCAND_SERVER_WRITE_TIMEOUT}" ]] && STARTCMD="${STARTCMD} -serverWriteTimeout=${VULCAND_SERVER_WRITE_TIMEOUT}"
+    [[ -n "${VULCAND_STATSD_ADDR}" ]] && STARTCMD="${STARTCMD} -statsdAddr=${VULCAND_STATSD_ADDR}"
+    [[ -n "${VULCAND_STATSD_PREFIX}" ]] && STARTCMD="${STARTCMD} -statsdPrefix=${VULCAND_STATSD_PREFIX}"
+    [[ "${VULCAND_TRUST_FORWARD_HEADER}" == "true" || "${VULCAND_TRUST_FORWARD_HEADER}" == "1" ]] && STARTCMD="${STARTCMD} -trustForwardHeader"
+
+    if [[ "${VULCAND_ENGINE}" == "etcd" ]]; then
+        [[ -n "${VULCAND_ETCD}" ]] && STARTCMD="${STARTCMD} -etcd=${VULCAND_ETCD}"
+        [[ -n "${VULCAND_ETCD_API_VERSION}" ]] && STARTCMD="${STARTCMD} -etcdApiVer=${VULCAND_ETCD_API_VERSION}"
+        [[ -n "${VULCAND_ETCD_KEY}" ]] && STARTCMD="${STARTCMD} -etcdKey=${VULCAND_ETCD_KEY}"
+        [[ -n "${VULCAND_ETCD_SYNC_INTERVAL_SECONDS}" ]] && STARTCMD="${STARTCMD} -etcdSyncIntervalSeconds=${VULCAND_ETCD_SYNC_INTERVAL_SECONDS}"
+        [[ -n "${VULCAND_ETCD_CONSISTENCY}" ]] && STARTCMD="${STARTCMD} -etcdConsistency=${VULCAND_ETCD_CONSISTENCY}"
+        [[ "${VULCAND_ETCD_ENABLE_TLS}" == "true" || "${VULCAND_ETCD_ENABLE_TLS}" == "1" ]] && STARTCMD="${STARTCMD} -etcdEnableTLS"
+        [[ -n "${VULCAND_ETCD_CA_FILE}" ]] && STARTCMD="${STARTCMD} -etcdCaFile=${VULCAND_ETCD_CA_FILE}"
+        [[ -n "${VULCAND_ETCD_CERT_FILE}" ]] && STARTCMD="${STARTCMD} -etcdCertFile=${VULCAND_ETCD_CERT_FILE}"
+        [[ -n "${VULCAND_ETCD_KEY_FILE}" ]] && STARTCMD="${STARTCMD} -etcdKeyFile=${VULCAND_ETCD_KEY_FILE}"
+        [[ "${VULCAND_ETCD_INSECURE_SKIP_VERIFY}" == "true" || "${VULCAND_ETCD_INSECURE_SKIP_VERIFY}" == "1" ]] && STARTCMD="${STARTCMD} -etcdInsecureSkipVerify"
+        [[ -n "${VULCAND_ETCD_USERNAME}" ]] && STARTCMD="${STARTCMD} -etcdUsername=${VULCAND_ETCD_USERNAME}"
+        [[ -n "${VULCAND_ETCD_PASSWORD}" ]] && STARTCMD="${STARTCMD} -etcdPassword=${VULCAND_ETCD_PASSWORD}"
+        [[ "${VULCAND_ETCD_DEBUG}" == "true" || "${VULCAND_ETCD_DEBUG}" == "1" ]] && STARTCMD="${STARTCMD} -etcdDebug"
+    fi
+
+    echo "> starting vulcand service"
+    exec ${STARTCMD}
+popd >/dev/null
diff --git a/v0.9/overlay/usr/bin/healthcheck b/v0.9/overlay/usr/bin/healthcheck
new file mode 100755
index 0000000..9487c2b
--- /dev/null
+++ b/v0.9/overlay/usr/bin/healthcheck
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eo pipefail
+source /usr/bin/entrypoint
+
+CHECK="$(curl -sL -w %{http_code} -o /dev/null ${VULCAND_HEALTHCHECK_URL})"
+
+if [[ "${CHECK}" == "${VULCAND_HEALTHCHECK_CODE}" ]]; then
+    exit 0
+fi
+
+exit 1