feat: add Hermes Agent LXC terraform config

Defines Hermes Agent LXC (VMID 118) on node gihyeon with 2 cores,
4 GB RAM, 24 GB disk, DHCP on intra01. Token-safe: nesting/keyctl
features and bind mounts are intentionally omitted and must be
applied via pct set after initial deploy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

hermes-variables.tf

@@ -0,0 +1,53 @@
+variable "hermes_vmid" {
+  description = "VMID for the Hermes Agent LXC"
+  type        = number
+  default     = 118
+}
+
+variable "hermes_hostname" {
+  description = "Hostname for the Hermes Agent LXC"
+  type        = string
+  default     = "hermes"
+}
+
+variable "hermes_node" {
+  description = "Proxmox node to host the Hermes Agent LXC"
+  type        = string
+  default     = "gihyeon"
+}
+
+variable "hermes_cores" {
+  description = "CPU cores for the Hermes Agent LXC"
+  type        = number
+  default     = 2
+}
+
+variable "hermes_memory" {
+  description = "Dedicated memory (MB) for the Hermes Agent LXC"
+  type        = number
+  default     = 4096
+}
+
+variable "hermes_swap" {
+  description = "Swap (MB) for the Hermes Agent LXC"
+  type        = number
+  default     = 512
+}
+
+variable "hermes_disk_size" {
+  description = "Root filesystem size (GB) for the Hermes Agent LXC"
+  type        = number
+  default     = 24
+}
+
+variable "hermes_datastore" {
+  description = "Datastore for the Hermes Agent LXC root filesystem"
+  type        = string
+  default     = "local-lvm"
+}
+
+variable "hermes_network_bridge" {
+  description = "Network bridge (SDN VNET) for the Hermes Agent LXC"
+  type        = string
+  default     = "intra01"
+}

hermes.tf

@@ -0,0 +1,59 @@
+# Download Debian 12 LXC template to gihyeon (node1).
+resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
+  content_type = "vztmpl"
+  datastore_id = "local"
+  node_name    = var.hermes_node
+  url          = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
+}
+
+# Hermes Agent LXC — token-safe skeleton.
+# IMPORTANT: container `features` (nesting/keyctl) and bind mounts are NOT set
+# here. The Proxmox API token cannot set host-security settings; they are applied
+# once via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh
+# and docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
+resource "proxmox_virtual_environment_container" "hermes" {
+  description   = "Hermes Agent (Nous Research) - Managed by Terraform"
+  node_name     = var.hermes_node
+  vm_id         = var.hermes_vmid
+  start_on_boot = true
+  unprivileged  = true
+  tags          = ["ai", "agent", "terraform"]
+
+  operating_system {
+    template_file_id = proxmox_virtual_environment_download_file.debian12_template_gihyeon.id
+    type             = "debian"
+  }
+
+  cpu {
+    cores = var.hermes_cores
+  }
+
+  memory {
+    dedicated = var.hermes_memory
+    swap      = var.hermes_swap
+  }
+
+  disk {
+    datastore_id = var.hermes_datastore
+    size         = var.hermes_disk_size
+  }
+
+  network_interface {
+    name   = "eth0"
+    bridge = var.hermes_network_bridge
+  }
+
+  initialization {
+    hostname = var.hermes_hostname
+
+    ip_config {
+      ipv4 {
+        address = "dhcp"
+      }
+    }
+
+    dns {
+      servers = var.dns_servers
+    }
+  }
+}

outputs.tf

@@ -7,3 +7,13 @@ output "pbs_ip_address" {
   description = "PBS LXC IP address"
   value       = var.pbs_ip_address
 }
+
+output "hermes_container_id" {
+  description = "Hermes Agent LXC container ID"
+  value       = proxmox_virtual_environment_container.hermes.vm_id
+}
+
+output "hermes_hostname" {
+  description = "Hermes Agent LXC hostname (IP is DHCP-assigned; discover via PVE/API)"
+  value       = var.hermes_hostname
+}

terraform.tfvars

@@ -3,7 +3,12 @@ proxmox_endpoint  = "https://192.168.50.87:8006"
 proxmox_api_token = "root@pam!terrform=1408ded5-c7c4-4384-8b19-64178837fb8c"
 
 # PBS 네트워크 설정
-pbs_network_bridge = "intra01"  # TODO: SDN VNET 브릿지 이름으로 변경
+pbs_network_bridge = "intra01" # TODO: SDN VNET 브릿지 이름으로 변경
 pbs_ip_address     = "10.1.20.11/24"
-pbs_gateway        = "10.1.20.254"  # TODO: SDN 게이트웨이 확인
+pbs_gateway        = "10.1.20.254" # TODO: SDN 게이트웨이 확인
 dns_servers        = ["1.1.1.1", "8.8.8.8"]
+
+# Hermes Agent LXC 설정 (node1 / intra01)
+hermes_vmid           = 118
+hermes_node           = "gihyeon"
+hermes_network_bridge = "intra01"

terraform.tfvars.example

@@ -7,3 +7,8 @@ pbs_network_bridge = "vmbr0"  # TODO: SDN VNET 브릿지 이름으로 변경
 pbs_ip_address     = "10.1.20.11/24"
 pbs_gateway        = "10.1.20.1"  # TODO: SDN 게이트웨이 확인
 dns_servers        = ["1.1.1.1", "8.8.8.8"]
+
+# Hermes Agent LXC 설정 (node1 / intra01)
+hermes_vmid           = 118
+hermes_node           = "gihyeon"
+hermes_network_bridge = "intra01"