gihyeon/proxmox-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71e056133e8bceb2532343bccc8ae8a6e1ebf7e5
proxmox-iac/hermes.tf
21in7 d083d462cf fix(hermes): nesting-only features, adopt existing template, ignore console drift 
- download_file.debian12_template_gihyeon: overwrite_unmanaged=true to adopt the
  Debian template already present on gihyeon's local datastore (avoids 'refusing
  to override existing file')
- container.hermes: drop keyctl from features — API token gets HTTP 403
  ('changing feature flags (except nesting) is only allowed for root@pam'); keep
  nesting only so token-based create succeeds
- container.hermes: lifecycle ignore_changes=[features, mount_point] so the
  console-applied keyctl + bind mounts (mp0=/data, mp1=/fast; root@pam-only) do
  not show as drift on routine plans

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 10:40:39 +09:00

84 lines
2.9 KiB
HCL
Raw Blame History

# Download Debian 12 LXC template to gihyeon (node1).
# overwrite_unmanaged: the template already exists in node1's `local` datastore
# from an earlier run but is not yet tracked in Terraform state. Without this,
# bpg refuses to touch the pre-existing file ("refusing to override existing
# file"). Setting it true lets Terraform adopt/re-download it under management.
resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
content_type = "vztmpl"
datastore_id = "local"
node_name = var.hermes_node
url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"
overwrite_unmanaged = true
}
# Hermes Agent LXC.
# `features` (nesting/keyctl) ARE set here: on an unprivileged container these need
# only VM.Allocate, which the API token has, so Terraform can set them. nesting is
# also required so the systemd-252 (Debian 12) create does not emit the "enable
# nesting" warning that Proxmox returns as TASK WARNINGS (which fails the apply).
# Bind mounts (mp0/mp1, host paths) genuinely DO require root@pam, so those are still
# added via the PVE web console with `pct set` (see scripts/hermes-bootstrap.sh and
# docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
resource "proxmox_virtual_environment_container" "hermes" {
description = "Hermes Agent (Nous Research) - Managed by Terraform"
node_name = var.hermes_node
vm_id = var.hermes_vmid
start_on_boot = true
unprivileged = true
tags = ["ai", "agent", "terraform"]
# Only `nesting` can be set with an API token. Proxmox rejects other feature
# flags from tokens: "changing feature flags (except nesting) is only allowed
# for root@pam". keyctl (if Docker needs it), fuse, and bind mounts are
# applied out-of-band on the node console as root@pam.
features {
nesting = true
}
# keyctl and bind mounts (mp0/mp1) are applied out-of-band on the node console
# as root@pam (the API token cannot set them — see the features note above).
# Ignore drift on these so a routine `terraform apply` does not try to strip
# the console-applied settings (which would fail without root@pam anyway).
lifecycle {
ignore_changes = [features, mount_point]
}
operating_system {
template_file_id = proxmox_virtual_environment_download_file.debian12_template_gihyeon.id
type = "debian"
}
cpu {
cores = var.hermes_cores
}
memory {
dedicated = var.hermes_memory
swap = var.hermes_swap
}
disk {
datastore_id = var.hermes_datastore
size = var.hermes_disk_size
}
network_interface {
name = "eth0"
bridge = var.hermes_network_bridge
}
initialization {
hostname = var.hermes_hostname
ip_config {
ipv4 {
address = "dhcp"
}
}
dns {
servers = var.dns_servers
}
}
}
Reference in New Issue View Git Blame Copy Permalink