lair/containers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
11429298740a47223c469a3f3e94d3ddf8292d54
containers/images/hermes/hermes.container
grenade 1142929874
All checks were successful
images / hermes (push) Successful in 37s
Details
hermes: single-container deploy (gateway + dashboard), as deployed on bob 
The image's command selects mode; no command = interactive CLI which
crash-loops under systemd. Switched to the supported headless setup: one
container running `gateway run` with the dashboard supervised alongside
via HERMES_DASHBOARD=1 (same netns so the dashboard can reach the gateway,
which two bridge-networked containers could not). Image fails closed on a
0.0.0.0 dashboard bind, so HERMES_DASHBOARD_INSECURE=1 opts into the chosen
trusted-LAN exposure on :5100. Verified live on bob: gateway stable, dash
HTTP 200 across the LAN, inference endpoint reachable, enrolled in
podman-auto-update.timer. Dropped the redundant separate dashboard quadlet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH
2026-06-23 12:53:51 +03:00

48 lines
2.0 KiB
Plaintext
Raw Blame History

# Hermes Agent for bob — single-container "recommended s6" mode.
# The image runs `hermes gateway run` under s6 supervision, with the dashboard
# web UI supervised alongside in the SAME container when HERMES_DASHBOARD is set
# (per the image's own startup guidance). Running both in one container keeps
# them in one network namespace, so the dashboard can reach the gateway exactly
# as upstream's host-networked compose assumes — which two bridge-networked
# containers could not.
#
# Command must be explicit: the image default (no command) is the interactive
# CLI, which exits without a TTY under systemd and crash-loops.
#
# Setup: sudo install -d -o 10000 -g 10000 /var/lib/hermes ; drop config.yaml
# (provider: custom -> http://hanzalova.internal:31313/v1) ; daemon-reload ; start.
# Dashboard publishes to the LAN at :5100 (agent-zero=5080, open-webui=5090).
# ⚠ The dashboard stores provider API keys and has NO auth — trusted LAN only;
# front it with an authenticating reverse proxy for any wider exposure.
# AutoUpdate=registry keeps it current via the enabled podman-auto-update.timer.
[Unit]
Description=Hermes Agent (gateway + dashboard)
After=network-online.target
Wants=network-online.target
[Container]
Image=git.lair.cafe/lair/hermes:latest
ContainerName=hermes
AutoUpdate=registry
Exec=gateway run
PublishPort=5100:9119
Volume=/var/lib/hermes:/opt/data:Z
Environment=HERMES_UID=10000
Environment=HERMES_GID=10000
# Enable the supervised dashboard web UI inside this container (binds 0.0.0.0:9119).
Environment=HERMES_DASHBOARD=1
# The image fails closed: it refuses a non-loopback (0.0.0.0) dashboard bind
# unless OAuth is configured OR --insecure is opted in. We expose on the trusted
# LAN without auth (the chosen "LAN port like the others" tradeoff), so opt in.
# ⚠ Anyone on the LAN can reach the API-key-storing UI. To switch to real auth,
# drop this and set HERMES_DASHBOARD_OAUTH_CLIENT_ID (+ portal) instead.
Environment=HERMES_DASHBOARD_INSECURE=1
[Service]
Restart=always
TimeoutStartSec=300
[Install]
WantedBy=default.target
Reference in New Issue View Git Blame Copy Permalink