# Reference quadlet for deploying Hermes on bob (bob.hanzalova.internal).
# Deploy to /etc/containers/systemd/hermes.container (rootful, matching the
# existing agent-zero.container and open-webui.container), then:
#   sudo install -d -m 0700 -o 10000 -g 10000 /var/lib/hermes   # /opt/data owner = HERMES_UID
#   sudo install -m 0600 -o 10000 -g 10000 /path/to/config.yaml /var/lib/hermes/config.yaml
#   sudo install -m 0600 -o 10000 -g 10000 /path/to/.env /var/lib/hermes/.env   # if needed
#   sudo systemctl daemon-reload && sudo systemctl start hermes.service
#
# The explicit -m matters: without it, install(1) creates its targets with
# mode 0755, which would leave .env and config.yaml readable by every local
# user on the host. This directory also backs /opt/data, the container's data
# volume, so keep it private to uid 10000.
#
# Gated on git.lair.cafe/lair/hermes:latest being published by the `images`
# workflow first. After that it's a normal pull + AutoUpdate=registry quadlet —
# same lifecycle as the other two services, and now enrolled in the (enabled)
# podman-auto-update.timer.
#
# Dashboard: the image binds the dashboard on 0.0.0.0:9119 by default
# (HERMES_DASHBOARD_HOST / HERMES_DASHBOARD_PORT), so bridge networking +
# PublishPort below exposes it on the LAN at :5100 with no override needed.
# ⚠ The dashboard stores provider API keys and has NO auth — keep it on a trusted
# LAN only; front it with an authenticating reverse proxy for anything wider.

# Start ordering: wait for the network to be reported online before launching.
[Unit]
Description=Hermes Agent
After=network-online.target
Wants=network-online.target

# Container definition consumed by the podman quadlet generator.
[Container]
Image=git.lair.cafe/lair/hermes:latest
ContainerName=hermes
# With the auto-update timer enabled, whatever is pushed to the :latest tag is
# pulled and the service restarted without review. The registry and the
# `images` workflow are therefore part of this host's trust boundary; pin a
# digest or a versioned tag here if that is not acceptable.
AutoUpdate=registry
# Keeps the 50X0 LAN convention (agent-zero=5080, open-webui=5090, hermes=5100).
# No host address is given, so the port is published on every host interface,
# not only the LAN-facing one. To narrow it, use the three-field form
# <LAN_IP_PLACEHOLDER>:5100:9119, and check that the host firewall really
# limits :5100 to the trusted LAN, since the dashboard has no auth of its own.
PublishPort=5100:9119
# :Z gives the host directory a private SELinux label for this container only.
Volume=/var/lib/hermes:/opt/data:Z
# Upstream drops to the non-root hermes user (uid/gid 10000); /var/lib/hermes
# must be owned 10000:10000 on the host (see install -d above).
Environment=HERMES_UID=10000
Environment=HERMES_GID=10000
# LLM backend (local sovereign inference) is configured in
# /var/lib/hermes/config.yaml via provider: "custom" -> see readme.md.

# Restart on any exit. The 300-second start timeout presumably covers the
# initial image pull; confirm.
[Service]
Restart=always
TimeoutStartSec=300

# Start at boot via default.target.
[Install]
WantedBy=default.target