hermes: finalize dashboard exposure + local-inference config
All checks were successful
images / hermes (push) Successful in 15m40s
Confirmed against upstream: dashboard binds 0.0.0.0:9119 by default (HERMES_DASHBOARD_HOST/PORT), so bridge + PublishPort=5100:9119 needs no override. LLM backend uses Hermes' `custom` OpenAI-compatible provider pointed at the local sovereign inference (hanzalova.internal:31313/v1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH
@@ -40,20 +40,31 @@ existing `agent-zero` / `open-webui` services on bob. Summary:
|
||||
1. `git.lair.cafe/lair/hermes:latest` must be published first (run the `images`
|
||||
workflow).
|
||||
2. `sudo install -d -o 10000 -g 10000 /var/lib/hermes`
|
||||
3. Drop `config.yaml` + `.env` into `/var/lib/hermes`:
|
||||
- **LLM backend → local sovereign inference.** Point hermes at
|
||||
`http://hanzalova.internal:31313/v1` (the endpoint open-webui already uses).
|
||||
Hermes is OpenRouter-first with per-provider base URLs and no plain
|
||||
OpenAI-base slot, so define the OpenAI-compatible provider/model in
|
||||
`config.yaml` (confirm the exact schema against hermes docs).
|
||||
- Secrets (any provider keys, tool keys) go in `.env`, not the quadlet.
|
||||
3. Drop `config.yaml` into `/var/lib/hermes` (owned `10000:10000`) — **LLM backend
|
||||
→ local sovereign inference.** Hermes exposes a `custom` provider for any
|
||||
OpenAI-compatible endpoint, so point it at the same endpoint open-webui uses:
|
||||
|
||||
```yaml
|
||||
# /var/lib/hermes/config.yaml
|
||||
model:
|
||||
provider: "custom" # OpenAI-compatible endpoint
|
||||
base_url: "http://hanzalova.internal:31313/v1"
|
||||
api_key: "beast" # matches open-webui's OPENAI_API_KEY
|
||||
default: "<model-id-your-endpoint-serves>" # see: curl http://hanzalova.internal:31313/v1/models
|
||||
# context_length: 32768 # optional
|
||||
# max_tokens: 4096 # optional, output ceiling
|
||||
```
|
||||
|
||||
Any other secrets (web-search/tool keys, messaging tokens) go in
|
||||
`/var/lib/hermes/.env`, never in the quadlet.
|
||||
4. Install `hermes.container` to `/etc/containers/systemd/`, `daemon-reload`,
|
||||
`start hermes.service`.
|
||||
|
||||
### Open item: dashboard LAN exposure
|
||||
### Dashboard LAN exposure (resolved)
|
||||
|
||||
The dashboard defaults to `127.0.0.1:9119` and **stores API keys with no auth**.
|
||||
The draft quadlet publishes it on the LAN at `:5100` (the 5080/5090 convention),
|
||||
which requires telling the dashboard to bind `0.0.0.0` inside the container (a
|
||||
`config.yaml`/env setting to confirm). Only expose on a trusted LAN; front it
|
||||
with an authenticating reverse proxy for anything wider.
|
||||
The image binds the dashboard on **`0.0.0.0:9119` by default**
|
||||
(`HERMES_DASHBOARD_HOST` / `HERMES_DASHBOARD_PORT`), so bridge networking +
|
||||
`PublishPort=5100:9119` in the quadlet exposes it on the LAN at `:5100` with no
|
||||
override. ⚠ The dashboard **stores provider API keys and has no auth** — keep it
|
||||
on a trusted LAN only, and front it with an authenticating reverse proxy for any
|
||||
wider exposure.
|
||||
|
||||
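Review bot: In the rewritten "Dashboard LAN exposure" section, the heading changes from "Open item" to "(resolved)" while the new text still says the dashboard stores provider API keys and has no auth, and `PublishPort=5100:9119` publishes it on every host interface. I would keep this listed as open until the authenticating reverse proxy is actually in place, or narrow the publish with the ip:hostPort:containerPort form of `PublishPort` (the LAN interface address, or 127.0.0.1 with the proxy in front) so the bind scope is explicit in the quadlet rather than implied by "trusted LAN". Separately, in the `config.yaml` example, `api_key: "beast"` commits what its own comment describes as open-webui's OPENAI_API_KEY into the README, a few lines above the sentence saying other secrets go in `.env`; a placeholder such as `<api-key>` would match that rule, and since the value is now in history it is worth deciding whether that key should be rotated. The `base_url` is also plain `http://`, so the key crosses the network unencrypted; worth a sentence stating that this relies on the internal network being trusted.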