hermes: finalize dashboard exposure + local-inference config

Confirmed against upstream: dashboard binds 0.0.0.0:9119 by default
(HERMES_DASHBOARD_HOST/PORT), so bridge + PublishPort=5100:9119 needs no
override. LLM backend uses Hermes' `custom` OpenAI-compatible provider
pointed at the local sovereign inference (hanzalova.internal:31313/v1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH

images/hermes/hermes.container

@@ -1,21 +1,21 @@
-# DRAFT reference quadlet for deploying Hermes on bob (bob.hanzalova.internal).
+# Reference quadlet for deploying Hermes on bob (bob.hanzalova.internal).
 # Deploy to /etc/containers/systemd/hermes.container (rootful, matching the
 # existing agent-zero.container and open-webui.container), then:
 #   sudo install -d -o 10000 -g 10000 /var/lib/hermes      # /opt/data owner = HERMES_UID
-#   # drop config.yaml + .env into /var/lib/hermes (LLM backend, secrets) — see readme.md
+#   sudo install -o 10000 -g 10000 /path/to/config.yaml /var/lib/hermes/config.yaml
+#   sudo install -o 10000 -g 10000 /path/to/.env          /var/lib/hermes/.env   # if needed
 #   sudo systemctl daemon-reload && sudo systemctl start hermes.service
 #
-# Once git.lair.cafe/lair/hermes:latest is published by the `images` workflow,
-# this is a normal pull + AutoUpdate=registry quadlet — same lifecycle as the
-# other two services on bob.
+# Gated on git.lair.cafe/lair/hermes:latest being published by the `images`
+# workflow first. After that it's a normal pull + AutoUpdate=registry quadlet —
+# same lifecycle as the other two services, and now enrolled in the (enabled)
+# podman-auto-update.timer.
 #
-# UNRESOLVED before first deploy (confirm against hermes dashboard docs):
-#   The dashboard binds 127.0.0.1:9119 by default. To expose it on the LAN at
-#   :5100 (the agent-zero=5080 / open-webui=5090 convention) the dashboard must
-#   be told to bind 0.0.0.0 INSIDE the container — set that in
-#   /var/lib/hermes/config.yaml (or a hermes dashboard-host env) and keep the
-#   PublishPort below. ⚠ It stores provider API keys and has no auth, so only
-#   expose on a trusted LAN — consider a reverse proxy with auth for anything wider.
+# Dashboard: the image binds the dashboard on 0.0.0.0:9119 by default
+# (HERMES_DASHBOARD_HOST / HERMES_DASHBOARD_PORT), so bridge networking +
+# PublishPort below exposes it on the LAN at :5100 with no override needed.
+# ⚠ The dashboard stores provider API keys and has NO auth — keep it on a trusted
+# LAN only; front it with an authenticating reverse proxy for anything wider.
 
 [Unit]
 Description=Hermes Agent
@@ -26,20 +26,15 @@ Wants=network-online.target
 Image=git.lair.cafe/lair/hermes:latest
 ContainerName=hermes
 AutoUpdate=registry
-# Bridge + PublishPort keeps the 50X0 LAN convention. Requires the dashboard to
-# bind 0.0.0.0:9119 inside the container (see note above). If you instead accept
-# host networking like upstream's compose, replace the next two lines with
-# `Network=host` and configure the dashboard bind/port directly.
+# Keeps the 50X0 LAN convention (agent-zero=5080, open-webui=5090, hermes=5100).
 PublishPort=5100:9119
 Volume=/var/lib/hermes:/opt/data:Z
 # Upstream drops to the non-root hermes user (uid/gid 10000); /var/lib/hermes
-# must be owned by 10000:10000 on the host (see install -d above).
+# must be owned 10000:10000 on the host (see install -d above).
 Environment=HERMES_UID=10000
 Environment=HERMES_GID=10000
-# LLM backend: point hermes at the local sovereign inference at
-# http://hanzalova.internal:31313/v1 (same endpoint open-webui uses). Hermes is
-# OpenRouter-first with per-provider base URLs and no plain OpenAI slot, so the
-# model routing is configured in /var/lib/hermes/config.yaml, not here. See readme.md.
+# LLM backend (local sovereign inference) is configured in
+# /var/lib/hermes/config.yaml via provider: "custom" -> see readme.md.
 
 [Service]
 Restart=always