feat: add Hermes Agent LXC terraform config

Defines Hermes Agent LXC (VMID 118) on node gihyeon with 2 cores,
4 GB RAM, 24 GB disk, DHCP on intra01. Token-safe: nesting/keyctl
features and bind mounts are intentionally omitted and must be
applied via pct set after initial deploy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

hermes.tf

@@ -0,0 +1,59 @@
+# Download Debian 12 LXC template to gihyeon (node1).
+resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
+  content_type = "vztmpl"
+  datastore_id = "local"
+  node_name    = var.hermes_node
+  url          = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
+}
+
+# Hermes Agent LXC — token-safe skeleton.
+# IMPORTANT: container `features` (nesting/keyctl) and bind mounts are NOT set
+# here. The Proxmox API token cannot set host-security settings; they are applied
+# once via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh
+# and docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
+resource "proxmox_virtual_environment_container" "hermes" {
+  description   = "Hermes Agent (Nous Research) - Managed by Terraform"
+  node_name     = var.hermes_node
+  vm_id         = var.hermes_vmid
+  start_on_boot = true
+  unprivileged  = true
+  tags          = ["ai", "agent", "terraform"]
+
+  operating_system {
+    template_file_id = proxmox_virtual_environment_download_file.debian12_template_gihyeon.id
+    type             = "debian"
+  }
+
+  cpu {
+    cores = var.hermes_cores
+  }
+
+  memory {
+    dedicated = var.hermes_memory
+    swap      = var.hermes_swap
+  }
+
+  disk {
+    datastore_id = var.hermes_datastore
+    size         = var.hermes_disk_size
+  }
+
+  network_interface {
+    name   = "eth0"
+    bridge = var.hermes_network_bridge
+  }
+
+  initialization {
+    hostname = var.hermes_hostname
+
+    ip_config {
+      ipv4 {
+        address = "dhcp"
+      }
+    }
+
+    dns {
+      servers = var.dns_servers
+    }
+  }
+}