From 721fb55e05881effd2beba115e62090183114bb6 Mon Sep 17 00:00:00 2001
From: 21in7
Date: Fri, 19 Jun 2026 00:12:16 +0900
Subject: [PATCH] fix: set nesting/keyctl features in hermes.tf to avoid TASK WARNINGS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Debian-12 (systemd 252) unprivileged create emits a "you may need to enable nesting" warning, which Proxmox returns as TASK WARNINGS:1 and bpg treats as a failed apply. nesting/keyctl on an unprivileged CT need only VM.Allocate (which the API token has) — not root@pam — so set them in TF. Only bind mounts genuinely require root@pam/console.

Co-Authored-By: Claude Opus 4.8
---
 hermes.tf | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/hermes.tf b/hermes.tf
index 437e432..69bc171 100644
--- a/hermes.tf
+++ b/hermes.tf
@@ -6,11 +6,14 @@ resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon"
   url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
 }
 
-# Hermes Agent LXC — token-safe skeleton.
-# IMPORTANT: container `features` (nesting/keyctl) and bind mounts are NOT set
-# here. The Proxmox API token cannot set host-security settings; they are applied
-# once via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh
-# and docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
+# Hermes Agent LXC.
+# `features` (nesting/keyctl) ARE set here: on an unprivileged container these need
+# only VM.Allocate, which the API token has, so Terraform can set them. nesting is
+# also required so the systemd-252 (Debian 12) create does not emit the "enable
+# nesting" warning that Proxmox returns as TASK WARNINGS (which fails the apply).
+# Bind mounts (mp0/mp1, host paths) genuinely DO require root@pam, so those are still
+# added via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh and
+# docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
 resource "proxmox_virtual_environment_container" "hermes" {
   description = "Hermes Agent (Nous Research) - Managed by Terraform"
   node_name = var.hermes_node
@@ -19,6 +22,11 @@ resource "proxmox_virtual_environment_container" "hermes" {
   unprivileged = true
   tags = ["ai", "agent", "terraform"]
 
+  features {
+    nesting = true
+    keyctl = true
+  }
+
   operating_system {
     template_file_id = proxmox_virtual_environment_download_file.debian12_template_gihyeon.id
     type = "debian"
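Review bot: The new `features` block turns on `keyctl = true` without any stated reason — the comment in the preceding hunk justifies only `nesting` (the systemd-252 create warning). On an unprivileged container keyctl is, per the pct(1) feature docs, mainly a workaround for systemd-networkd and the prerequisite for running Docker inside the CT; if the Debian 12 template is configured with ifupdown and no nested container runtime is planned for the agent, it looks like unneeded surface and could be dropped, otherwise the reason belongs in a comment next to it. `nesting = true` deserves the same treatment, since the same docs note that nesting exposes the host's procfs and sysfs contents to the guest even for unprivileged containers, so a line such as `# nesting: needed by systemd in an unprivileged CT; exposes host procfs/sysfs to the guest (pct(1)) — accepted for an unprivileged, id-mapped CT` records that the trade-off was a decision rather than a warning-silencing reflex. The `proxmox_virtual_environment_container` resource body continues past the hunk.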