hermes.tf

@@ -1,9 +1,14 @@
 # Download Debian 12 LXC template to gihyeon (node1).
+# overwrite_unmanaged: the template already exists in node1's `local` datastore
+# from an earlier run but is not yet tracked in Terraform state. Without this,
+# bpg refuses to touch the pre-existing file ("refusing to override existing
+# file"). Setting it true lets Terraform adopt/re-download it under management.
 resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
   content_type        = "vztmpl"
   datastore_id        = "local"
   node_name           = var.hermes_node
   url                 = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
+  overwrite_unmanaged = true
 }
 
 # Hermes Agent LXC.
@@ -22,9 +27,20 @@ resource "proxmox_virtual_environment_container" "hermes" {
   unprivileged  = true
   tags          = ["ai", "agent", "terraform"]
 
+  # Only `nesting` can be set with an API token. Proxmox rejects other feature
+  # flags from tokens: "changing feature flags (except nesting) is only allowed
+  # for root@pam". keyctl (if Docker needs it), fuse, and bind mounts are
+  # applied out-of-band on the node console as root@pam.
   features {
     nesting = true
-    keyctl  = true
+  }
+
+  # keyctl and bind mounts (mp0/mp1) are applied out-of-band on the node console
+  # as root@pam (the API token cannot set them — see the features note above).
+  # Ignore drift on these so a routine `terraform apply` does not try to strip
+  # the console-applied settings (which would fail without root@pam anyway).
+  lifecycle {
+    ignore_changes = [features, mount_point]
   }
 
   operating_system {