fix(hermes): nesting-only features, adopt existing template, ignore console drift

- download_file.debian12_template_gihyeon: overwrite_unmanaged=true to adopt the
  Debian template already present on gihyeon's local datastore (avoids 'refusing
  to override existing file')
- container.hermes: drop keyctl from features — API token gets HTTP 403
  ('changing feature flags (except nesting) is only allowed for root@pam'); keep
  nesting only so token-based create succeeds
- container.hermes: lifecycle ignore_changes=[features, mount_point] so the
  console-applied keyctl + bind mounts (mp0=/data, mp1=/fast; root@pam-only) do
  not show as drift on routine plans

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
21in7
2026-06-19 10:40:39 +09:00
parent f6dc709793
commit d083d462cf


@@ -1,9 +1,14 @@
# Download Debian 12 LXC template to gihyeon (node1). # Download Debian 12 LXC template to gihyeon (node1).
# overwrite_unmanaged: the template already exists in node1's `local` datastore
# from an earlier run but is not yet tracked in Terraform state. Without this,
# bpg refuses to touch the pre-existing file ("refusing to override existing
# file"). Setting it true lets Terraform adopt/re-download it under management.
resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" { resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
content_type = "vztmpl" content_type = "vztmpl"
datastore_id = "local" datastore_id = "local"
node_name = var.hermes_node node_name = var.hermes_node
url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst" url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
overwrite_unmanaged = true
} }
# Hermes Agent LXC. # Hermes Agent LXC.
@@ -22,9 +27,20 @@ resource "proxmox_virtual_environment_container" "hermes" {
unprivileged = true unprivileged = true
tags = ["ai", "agent", "terraform"] tags = ["ai", "agent", "terraform"]
# Only `nesting` can be set with an API token. Proxmox rejects other feature
# flags from tokens: "changing feature flags (except nesting) is only allowed
# for root@pam". keyctl (if Docker needs it), fuse, and bind mounts are
# applied out-of-band on the node console as root@pam.
features { features {
nesting = true nesting = true
keyctl = true }
# keyctl and bind mounts (mp0/mp1) are applied out-of-band on the node console
# as root@pam (the API token cannot set them — see the features note above).
# Ignore drift on these so a routine `terraform apply` does not try to strip
# the console-applied settings (which would fail without root@pam anyway).
lifecycle {
ignore_changes = [features, mount_point]
} }
operating_system { operating_system {