lair/containers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d53e06d784a4593191ced9f2315a72440afbefe2
containers/readme.md
grenade 214850dae4
Some checks failed
images / hermes (push) Has been cancelled
Details
Add lair/containers image-build repo; hermes as first image 
Builds container images for lair infra and publishes to git.lair.cafe.
Hermes Agent (NousResearch) is built directly from its upstream Dockerfile
at the latest release tag, published as git.lair.cafe/lair/hermes; the build
is release-triggered (daily API poll) and self-healing (gated on registry
presence, not a committable pin). Includes a draft rootful quadlet for bob
matching the agent-zero/open-webui convention. Convention follows gongfoo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011D3YeWKpjg5bT488fVanCH
2026-06-23 12:17:10 +03:00

51 lines
2.1 KiB
Markdown
Raw Blame History

# lair/containers
Container images required by lair infrastructure, built and published to the
Gitea registry at **`git.lair.cafe`**. Convention follows
[`gongfoo`](https://git.lair.cafe/gongfoo/gongfoo)'s `images/` setup.
## Layout
```
images/<name>/ one directory per image
Containerfile (when we author the image ourselves)
build.sh local build helper
readme.md what it is and how it's built
.gitea/workflows/
images.yml builds + publishes every image, on push / daily / dispatch
```
## Images
| Image | Published as | Source |
|-------|--------------|--------|
| [hermes](images/hermes/readme.md) | `git.lair.cafe/lair/hermes:{version,latest}` | built from NousResearch/hermes-agent's Dockerfile at the latest release tag |
## How builds work
- **Trigger:** push under `images/**`, a daily cron poll, or manual dispatch.
- **Release-tracking:** each image job resolves the upstream's latest release via
its API and builds that exact ref. For upstreams that ship their own Dockerfile
(hermes) we build directly from the upstream git context; for images we author,
the version is passed as a `--build-arg` with the Containerfile pin as fallback.
- **Self-healing:** a build runs only when the resolved version isn't already in
the registry — and because the registry (not a committed pin) is the source of
truth, a failed build simply retries on the next poll instead of stranding a
stale image. (Lesson borrowed from gongfoo.)
## Adding an image
1. `mkdir images/<name>`, add a `Containerfile` (or build from an upstream
context) + `build.sh` + `readme.md`.
2. Add a job to `.gitea/workflows/images.yml` that logs in, builds
`git.lair.cafe/lair/<name>:latest`, and pushes.
3. Consumers pull `git.lair.cafe/lair/<name>:latest` with `AutoUpdate=registry`.
## Required secret
| Secret | Purpose |
|--------|---------|
| `REGISTRY_TOKEN` | Gitea token with `write:package` for `git.lair.cafe`; used as `podman login -u $GITEA_ACTOR -p $REGISTRY_TOKEN`. Set in this repo's (or the `lair` org's) Actions secrets. |
Build jobs run on self-hosted runners labelled `metal` + `podman`.
Reference in New Issue View Git Blame Copy Permalink