Add lair/containers image-build repo; hermes as first image

Builds container images for lair infra and publishes to git.lair.cafe.
Hermes Agent (NousResearch) is built directly from its upstream Dockerfile
at the latest release tag, published as git.lair.cafe/lair/hermes; the build
is release-triggered (daily API poll) and self-healing (gated on registry
presence, not a committable pin). Includes a draft rootful quadlet for bob
matching the agent-zero/open-webui convention. Convention follows gongfoo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH

images/hermes/build.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# Build the Hermes Agent image locally, mirroring what the `images` workflow does.
+#
+# Hermes ships its own Dockerfile, so there is no vendored Containerfile here — we
+# build straight from the upstream git context at a release tag. Override the ref
+# with HERMES_REF (e.g. v0.2.0); empty resolves the latest upstream release.
+set -euo pipefail
+
+REGISTRY="${REGISTRY:-git.lair.cafe}"
+IMAGE_NAME="${REGISTRY}/lair/hermes"
+HERMES_REF="${HERMES_REF:-}"
+
+if [ -z "${HERMES_REF}" ]; then
+  HERMES_REF=$(curl -fsS 'https://api.github.com/repos/NousResearch/hermes-agent/releases/latest' | jq -r '.tag_name // empty')
+  [ -n "${HERMES_REF}" ] || HERMES_REF=$(curl -fsS 'https://api.github.com/repos/NousResearch/hermes-agent/tags' | jq -r '.[0].name // empty')
+fi
+[ -n "${HERMES_REF}" ] || { echo "could not resolve an upstream hermes ref"; exit 1; }
+VERSION="${HERMES_REF#v}"
+
+echo "building ${IMAGE_NAME}:${VERSION} from NousResearch/hermes-agent#${HERMES_REF}"
+podman build --pull=newer \
+  -t "${IMAGE_NAME}:${VERSION}" \
+  -t "${IMAGE_NAME}:latest" \
+  "https://github.com/NousResearch/hermes-agent.git#${HERMES_REF}"
+
+echo "built ${IMAGE_NAME}:${VERSION} and :latest"
+echo "push with: podman push ${IMAGE_NAME}:${VERSION} && podman push ${IMAGE_NAME}:latest"