# DRAFT reference quadlet for deploying Hermes on bob (bob.hanzalova.internal).
# Deploy to /etc/containers/systemd/hermes.container (rootful, matching the
# existing agent-zero.container and open-webui.container), then:
#   sudo install -d -o 10000 -g 10000 /var/lib/hermes   # /opt/data owner = HERMES_UID
#   # drop config.yaml + .env into /var/lib/hermes (LLM backend, secrets) — see readme.md
#   sudo systemctl daemon-reload && sudo systemctl start hermes.service
#
# Once git.lair.cafe/lair/hermes:latest is published by the `images` workflow,
# this is a normal pull + AutoUpdate=registry quadlet — same lifecycle as the
# other two services on bob.
#
# UNRESOLVED before first deploy (confirm against hermes dashboard docs):
#   The dashboard binds 127.0.0.1:9119 by default. To expose it on the LAN at
#   :5100 (the agent-zero=5080 / open-webui=5090 convention) the dashboard must
#   be told to bind 0.0.0.0 INSIDE the container — set that in
#   /var/lib/hermes/config.yaml (or a hermes dashboard-host env) and keep the
#   PublishPort below. ⚠ It stores provider API keys and has no auth, so only
#   expose on a trusted LAN — consider a reverse proxy with auth for anything wider.

[Unit]
Description=Hermes Agent
After=network-online.target
Wants=network-online.target

[Container]
Image=git.lair.cafe/lair/hermes:latest
ContainerName=hermes
AutoUpdate=registry

# Bridge + PublishPort keeps the 50X0 LAN convention. Requires the dashboard to
# bind 0.0.0.0:9119 inside the container (see note above). If you instead accept
# host networking like upstream's compose, replace the next two lines with
# `Network=host` and configure the dashboard bind/port directly.
PublishPort=5100:9119
Volume=/var/lib/hermes:/opt/data:Z

# Upstream drops to the non-root hermes user (uid/gid 10000); /var/lib/hermes
# must be owned by 10000:10000 on the host (see install -d above).
Environment=HERMES_UID=10000
Environment=HERMES_GID=10000

# LLM backend: point hermes at the local sovereign inference at
# http://hanzalova.internal:31313/v1 (same endpoint open-webui uses). Hermes is
# OpenRouter-first with per-provider base URLs and no plain OpenAI slot, so the
# model routing is configured in /var/lib/hermes/config.yaml, not here. See readme.md.

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target