- download_file.debian12_template_gihyeon: overwrite_unmanaged=true to adopt the
Debian template already present on gihyeon's local datastore (avoids 'refusing
to override existing file')
- container.hermes: drop keyctl from features — API token gets HTTP 403
('changing feature flags (except nesting) is only allowed for root@pam'); keep
nesting only so token-based create succeeds
- container.hermes: lifecycle ignore_changes=[features, mount_point] so the
console-applied keyctl + bind mounts (mp0=/data, mp1=/fast; root@pam-only) do
not show as drift on routine plans
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The Debian-12 (systemd 252) unprivileged create emits a "you may need to
enable nesting" warning, which Proxmox returns as TASK WARNINGS:1 and bpg
treats as a failed apply. nesting/keyctl on an unprivileged CT need only
VM.Allocate (which the API token has) — not root@pam — so set them in TF.
Only bind mounts genuinely require root@pam/console.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Defines Hermes Agent LXC (VMID 118) on node gihyeon with 2 cores,
4 GB RAM, 24 GB disk, DHCP on intra01. Token-safe: nesting/keyctl
features and bind mounts are intentionally omitted and must be
applied via pct set after initial deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
