From d083d462cf5dba8fc627fd2f94d9ca2eba7a404c Mon Sep 17 00:00:00 2001
From: 21in7
Date: Fri, 19 Jun 2026 10:40:39 +0900
Subject: [PATCH] fix(hermes): nesting-only features, adopt existing template, ignore console drift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- download_file.debian12_template_gihyeon: overwrite_unmanaged=true to adopt the Debian template already present on gihyeon's local datastore (avoids 'refusing to override existing file')
- container.hermes: drop keyctl from features — API token gets HTTP 403 ('changing feature flags (except nesting) is only allowed for root@pam'); keep nesting only so token-based create succeeds
- container.hermes: lifecycle ignore_changes=[features, mount_point] so the console-applied keyctl + bind mounts (mp0=/data, mp1=/fast; root@pam-only) do not show as drift on routine plans

Co-Authored-By: Claude Opus 4.8
---
hermes.tf | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/hermes.tf b/hermes.tf
index 69bc171..46a8505 100644
--- a/hermes.tf
+++ b/hermes.tf
@@ -1,9 +1,14 @@
 # Download Debian 12 LXC template to gihyeon (node1).
+# overwrite_unmanaged: the template already exists in node1's `local` datastore
+# from an earlier run but is not yet tracked in Terraform state. Without this,
+# bpg refuses to touch the pre-existing file ("refusing to override existing
+# file"). Setting it true lets Terraform adopt/re-download it under management.
 resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
- content_type = "vztmpl"
- datastore_id = "local"
- node_name = var.hermes_node
- url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
+ content_type = "vztmpl"
+ datastore_id = "local"
+ node_name = var.hermes_node
+ url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
+ overwrite_unmanaged = true
 }
 
 # Hermes Agent LXC.
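Review bot: The template is fetched over plain `http://` with no integrity pin, and the new `overwrite_unmanaged = true` means whatever that unauthenticated download returns replaces the template already on the node, so a tampered archive would silently become the root filesystem of every container built from it. The resource supports pinning: change the scheme to `url = "https://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"` and add `checksum = "<expected sha256 of the archive — placeholder>"` with `checksum_algorithm = "sha256"`. The comment's "adopt/re-download" wording is worth tightening too, since the hunk does not show whether the provider adopts the existing file in place or deletes and re-fetches it; state which actually happens so an operator knows whether a fresh download is triggered on the next apply.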
@@ -22,9 +27,20 @@ resource "proxmox_virtual_environment_container" "hermes" {
 unprivileged = true
 tags = ["ai", "agent", "terraform"]
 
+ # Only `nesting` can be set with an API token. Proxmox rejects other feature
+ # flags from tokens: "changing feature flags (except nesting) is only allowed
+ # for root@pam". keyctl (if Docker needs it), fuse, and bind mounts are
+ # applied out-of-band on the node console as root@pam.
 features {
 nesting = true
- keyctl = true
+ }
+
+ # keyctl and bind mounts (mp0/mp1) are applied out-of-band on the node console
+ # as root@pam (the API token cannot set them — see the features note above).
+ # Ignore drift on these so a routine `terraform apply` does not try to strip
+ # the console-applied settings (which would fail without root@pam anyway).
+ lifecycle {
+ ignore_changes = [features, mount_point]
 }
 
 operating_system {
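Review bot: `ignore_changes = [features, mount_point]` silences every future change to this unprivileged container's feature flags and mounts, not only the ones applied on the console, so a later out-of-band `fuse` flag or an extra bind mount will never appear in a plan; the lifecycle comment should say so and record what is expected out-of-band, e.g. `# Expected console-applied state (per commit message): keyctl=1, mp0 -> /data, mp1 -> /fast; anything beyond this is unreviewed drift.` since the host paths otherwise exist nowhere in code or state. Also worth a line in that comment: `ignore_changes` only suppresses diffs on in-place updates, so if the container is ever replaced it is recreated from this config alone and comes back without keyctl and without either mount. The `hermes` resource block starts before and ends after this hunk.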