Commit Graph

10 Commits

Author SHA1 Message Date
21in7
f6dc709793 docs: features set in Terraform (token can); only bind mounts via console
Correct README/plan/spec after the apply-failure root cause: nesting/keyctl
are settable by the API token on an unprivileged CT and are required at create
to avoid the systemd-252 TASK WARNINGS that fails apply. Console step reduced
to bind mounts only. README apply uses -target (PBS disk drift).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 00:18:23 +09:00
21in7
721fb55e05 fix: set nesting/keyctl features in hermes.tf to avoid TASK WARNINGS
The Debian-12 (systemd 252) unprivileged create emits a "you may need to
enable nesting" warning, which Proxmox returns as TASK WARNINGS:1 and bpg
treats as a failed apply. nesting/keyctl on an unprivileged CT need only
VM.Allocate (which the API token has) — not root@pam — so set them in TF.
Only bind mounts genuinely require root@pam/console.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 00:12:16 +09:00
21in7
29fd340208 docs: plan Task 5 uses targeted apply; flag pre-existing PBS disk drift
terraform plan revealed proxmox_virtual_environment_container.pbs has disk
drift (live 48G vs code 16G). A blanket apply would shrink it, so the hermes
apply must be -targeted. Recorded in the plan.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 00:01:26 +09:00
21in7
e26ae64a88 fix: address Hermes bootstrap review (compose note, README transfer step, cleanups)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-18 23:58:15 +09:00
21in7
eced4543d2 docs: document Hermes Agent deploy flow
Adds hermes.tf / hermes-variables.tf / scripts/hermes-bootstrap.sh
rows to the structure table, and appends a Hermes Agent section with
the 4-step deploy sequence (host prep → terraform apply → pct set
bind mounts → in-container bootstrap). Notes that mp0/mp1 are outside
TF state and need a future terraform import.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-18 23:52:39 +09:00
21in7
cde838e435 feat: add Hermes Agent in-container bootstrap script
Adds scripts/hermes-bootstrap.sh which installs rootful Docker,
writes docker-compose.yml (nousresearch/hermes-agent) with bind mounts
for /data and /fast, and writes a .env template pointing at the
litellm gateway (#117, 10.1.10.22:4000). Run once inside LXC #118
console after pct set has applied bind mounts and features.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-18 23:52:33 +09:00
21in7
cdf58844a8 feat: add Hermes Agent LXC terraform config
Defines Hermes Agent LXC (VMID 118) on node gihyeon with 2 cores,
4 GB RAM, 24 GB disk, DHCP on intra01. Token-safe: nesting/keyctl
features and bind mounts are intentionally omitted and must be
applied via pct set after initial deploy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-18 23:47:04 +09:00
21in7
92851a384f docs: add Hermes Agent LXC implementation plan + spec amendments
Plan: 10 tasks splitting workstation Terraform (token-safe container skeleton)
from PVE-console host ops (features nesting/keyctl + bind mounts via pct set,
which the API token cannot do) and in-container Docker/hermes bootstrap.

Spec amended for the discovered API-token limitation: bind mounts AND container
features require root@pam/SSH, so both are applied via console pct set rather
than Terraform; terraform import tracked as follow-up.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 23:42:27 +09:00
21in7
8938c486dc docs: add Hermes Agent LXC design spec
Design for deploying Nous Research Hermes Agent as an unprivileged Docker
LXC (#118) on node1, using litellm (10.1.10.22:4000) as the OpenAI-compatible
LLM gateway. Messaging-connector use (outbound-only, no inbound ports).
Large workspace via direct host bind mounts (hdd /data + 2tb /fast),
aligned with the Plan A same-host bind-mount decision.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 23:34:53 +09:00
21in7
02a6f1f28c feat: initial PBS LXC deployment on gihyeon2
2026-03-19 20:49:00 +09:00