Gitea runner fixes

ai/compose.yml

@@ -26,10 +26,7 @@ services:
   #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build:
-      context: ./hermes
-      ssh:
-        - default
+    build: ./hermes
     container_name: hermes
     restart: always
     # Gateway run enables the internal API server on port 8642

ai/hermes/Dockerfile

@@ -9,16 +9,27 @@ FROM nousresearch/hermes-agent:latest
 # The official hermes-agent image already has: git, curl, ffmpeg, python3,
 # gcc, build-essential, openssh-client, procps, tini, ripgrep, docker-cli,
 # libportaudio2, ca-certificates, etc.
+#
+# These extras we need to add back:
+#   - poppler-utils, imagemagick  (PDF/image processing)
+#   - texlive-*                   (LaTeX typesetting for reports)
+#   - qemu-user-static, binfmt-support (QEMU cross-compilation)
+#   - emacs-nox                   (text editing in container)
 USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
+        libportaudio2 \
+        ca-certificates \
         poppler-utils \
         imagemagick \
         texlive-latex-base \
         texlive-latex-extra \
         texlive-fonts-recommended \
         texlive-xetex \
-        texlive-science && \
+        texlive-science \
+        qemu-user-static \
+        binfmt-support \
+        emacs-nox && \
     rm -rf /var/lib/apt/lists/*
 
 # ---------- UV (hyperfast pip alternative) ----------
@@ -26,41 +37,21 @@ COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
 
 WORKDIR /opt/hermes
 
-# ---------- Extra Python deps ----------
+# ---------- Piper TTS dans le venv existant ----------
+# Le venv de l'image de base est root-owned, on doit installer en root aussi
 RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir httpx
+    uv pip install --no-cache-dir piper-tts sounddevice numpy
 
-# ---------- Piper TTS ----------
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
-    mkdir -p /opt/hermes/.venv/share/piper/voices
-
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+# ---------- Télécharger la voix Piper Ryan (high quality) ----------
+RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
+    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
 import urllib.request
 base = '/opt/hermes/.venv/share/piper/voices'
 url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
 urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
-print('Piper voice downloaded')
 PYEOF
 
-# ---------- Install Himalaya email CLI ----------
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request, tarfile, os, shutil
-url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
-tgz = '/tmp/himalaya.tgz'
-urllib.request.urlretrieve(url, tgz)
-with tarfile.open(tgz) as t:
-    t.extractall('/tmp')
-shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
-os.chmod('/usr/local/bin/himalaya', 0o755)
-os.remove(tgz)
-print('himalaya v1.2.0 installed')
-PYEOF
-
-# ---------- Install himalaya-ro wrapper ----------
-COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
-
 # ---------- Patch tts_tool.py: remplacer Edge TTS par Piper ----------
 # Edge TTS appelle les serveurs Microsoft — on ne veut jamais ça.
 # Piper roule localement sur CPU, aucun cloud, aucune donnée qui sort.
@@ -68,15 +59,15 @@ COPY patch_tts_tool.py /tmp/patch_tts_tool.py
 RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py
 
 # ---------- Runtime ----------
+# Retour à l'utilisateur non-root pour la sécurité
 USER hermes
+
 ENV HERMES_HOME=/opt/data
 ENV PATH="/opt/data/.local/bin:${PATH}"
-# Point browser tool to Playwright's Chromium (already in base image)
-ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
 
 VOLUME [ "/opt/data" ]
 
-# Startup permission fix + config generation + TTS patch
+# Script de réparation des permissions + patch TTS au démarrage
 COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
 
 ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]

ai/hermes/himalaya-ro.sh

@@ -1,73 +0,0 @@
-#!/usr/bin/env bash
-# ─────────────────────────────────────────────────────────────
-# himalaya-ro — Read-only wrapper for himalaya
-#
-# Blocks destructive commands and logs audit trail.
-# Pass-through for read-only commands (list, read, search).
-#
-# Usage:  himalaya-ro [options] <command> [args...]
-#
-# Install: place in PATH before the real himalaya, or use
-#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
-# ─────────────────────────────────────────────────────────────
-set -o pipefail
-
-# ── Configuration ───────────────────────────────────────────
-HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
-AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
-
-# ── Destructive commands we block ──────────────────────────
-BLOCKED_CMDS=(
-  "message move"
-  "message delete"
-  "message copy"
-  "flag add"
-  "flag remove"
-  "folder create"
-  "folder delete"
-  "folder rename"
-  "template send"
-  "account configure"
-  "account delete"
-)
-
-# ── Determine the subcommand being invoked ─────────────────
-# Strip leading options (--account, --output, etc.) to find the verb
-ARGS=()
-SKIP_NEXT=false
-for arg in "$@"; do
-  if $SKIP_NEXT; then
-    SKIP_NEXT=false
-    continue
-  fi
-  if [[ "$arg" == --* ]]; then
-    case "$arg" in
-      --account|--output|--page|--page-size|--folder|--color|--format)
-        SKIP_NEXT=true ;;
-    esac
-    continue
-  fi
-  ARGS+=("$arg")
-done
-
-# Build subcommand string and check against blocklist
-CMD_STR=""
-for ((i=0; i<${#ARGS[@]}; i++)); do
-  if [ -z "$CMD_STR" ]; then
-    CMD_STR="${ARGS[$i]}"
-  else
-    CMD_STR="$CMD_STR ${ARGS[$i]}"
-  fi
-  for blocked in "${BLOCKED_CMDS[@]}"; do
-    if [[ "$CMD_STR" == "$blocked" ]]; then
-      TS=$(date '+%Y-%m-%d %H:%M:%S')
-      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
-      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
-      echo "       Audit log: $AUDIT_LOG" >&2
-      exit 100
-    fi
-  done
-done
-
-# ── Allow pass-through ─────────────────────────────────────
-exec "$HIMALAYA_BIN" "$@"

versioncontrol/compose.yml

@@ -8,13 +8,8 @@ services:
       - USER_GID=1000
       - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
       - GITEA__actions__ENABLED=true
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
-      # Enable Gitea Actions (act_runner required on host)
-      - GITEA__actions__ENABLED=true
-      # Don't fetch actions from GitHub (offline mode + local only)
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks:
@@ -50,7 +45,7 @@ services:
     image: gitea/act_runner:latest
     container_name: act_runner
     environment:
-      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
+      - GITEA_INSTANCE_URL=http://gitea:3000
       - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
       - GITEA_RUNNER_NAME=ai-host-runner
       - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix