feat(hermes): replace Dockerfile with python:3.11-slim based image with Chromium

ai/compose.yml

@@ -112,7 +112,22 @@ services:
       - /mnt/HoardingCow_docker_data/Ollama/ollama:/root/.ollama
     environment:
       - OLLAMA_VULKAN=0
+      - HSA_OVERRIDE_GFX_VERSION=9.0.6
+      - HCC_AMDGPU_TARGET=gfx906
+      - HIP_VISIBLE_DEVICES=0,1
+      - ROCR_VISIBLE_DEVICES=0,1
+      - HSA_ENABLE_SDMA=0 
       - OLLAMA_HOST=0.0.0.0
+      - OLLAMA_DEBUG=1
+      - OLLAMA_FLASH_ATTENTION=1
+      - OLLAMA_NUM_PARALLEL=2
+    devices:
+      # Map the render nodes and KFD for ROCm to work inside the container
+      - /dev/kfd:/dev/kfd
+      - /dev/dri:/dev/dri
+    group_add:
+      - "303"
+      - "26"
 
 networks:
   ai_net:
@@ -122,40 +137,47 @@ networks:
     driver: bridge
     name: ai_backend
     
-  llama-cpp-hermes:
-    image: llama-cpp:rocm-gfx906
-    container_name: llama-cpp-hermes
-    restart: unless-stopped
-    networks:
-      - ai_backend
-    ports:
-      - "127.0.0.1:8300:8080"
-    ipc: host
-    devices:
-      - /dev/kfd:/dev/kfd
-      - /dev/dri:/dev/dri
-    group_add:
-      - "303"
-      - "26"
-    environment:
-      - HSA_OVERRIDE_GFX_VERSION=9.0.6
-      - HSA_ENABLE_SDMA=0
-      - HIP_VISIBLE_DEVICES=0,1
-      - LLAMA_CACHE=/models
-    volumes:
-      - /mnt/HoardingCow_docker_data/Llama_cpp/models:/models
-      - /mnt/HoardingCow_docker_data/Ollama/ollama/models/blobs/sha256-17823599694fa3503ef54bf748d5078c6ce881f4d01616cafa255dc05d215a08:/model.gguf:ro
-    command: >
-      -m /model.gguf
-      --host 0.0.0.0
-      --port 8080
-      --gpu-layers 99
-      --ctx-size 163840
-      -ctk f16 -ctv f16
-      --flash-attn on
-      --split-mode layer
-      --no-mmap
-      --n-predict -1
+  # llama_cpp_devstral:
+  #   image: ghcr.io/ggml-org/llama.cpp:server-rocm
+  #   container_name: llama_cpp_devstral
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_backend
+  #   ports:
+  #     - "8300:8080"
+  #   ipc: host
+  #   devices:
+  #     - "/dev/kfd:/dev/kfd"
+  #     - "/dev/dri:/dev/dri"
+  #   group_add:
+  #     - "303" # video
+  #     - "26"  # render
+  #   environment:
+  #     HSA_OVERRIDE_GFX_VERSION: 9.0.6
+  #     HIP_VISIBLE_DEVICES: 0,1
+  #     LLAMA_CACHE: /models
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Llama_cpp/models:/models
+  #     - /mnt/HoardingCow_docker_data/Llama_cpp/devstral-agent.jinja:/template.jinja
+  #   command: >
+  #     -hf unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF:Devstral-Small-2-24B-Instruct-2512-Q8_0.gguf
+  #     -a devstral-2-small-llama_cpp
+  #     --chat-template-file /template.jinja
+  #     --host 0.0.0.0
+  #     --port 8080
+  #     --n-gpu-layers 99
+  #     --ctx-size 163840
+  #     --batch-size 4096
+  #     --ubatch-size 4096
+  #     --cache-type-k f16
+  #     --cache-type-v f16
+  #     --cache-reuse 256
+  #     --flash-attn on
+  #     --context-shift
+  #     --split-mode layer
+  #     --no-mmap
+  #     --n-predict -1
+  #     --parallel 2
 
   # vllm:
   #   image: nalanzeyu/vllm-gfx906:v0.9.0-rocm6.3

ai/hermes/Dockerfile

@@ -1,93 +1,106 @@
 # syntax=docker/dockerfile:1
-# Hermes Agent -- custom fork build
-# Builds on top of official image + overlays our forked source from Gitea.
-# Requires Docker BuildKit. Pass SSH agent for git clone:
-#   docker compose build hermes
-# Or manually:
-#   DOCKER_BUILDKIT=1 docker build --ssh default -t hermes-agent:custom .
+# Hermes Agent with Chromium -- local browser tool support
+# Based on python:3.11-slim for minimal footprint.
+# Chromium installed via apt-get for system-level browser automation.
+#
+# Build:
+#   docker build -t hermes-agent:chromium .
+#
+# Environment variables:
+#   CHROME_EXECUTABLE  -- path to the Chromium binary
 
-# ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
-FROM nousresearch/hermes-agent:latest
+# ---------- Base image ----------
+FROM python:3.11-slim
 
-# ---------- Overlay our forked source ----------
-# Uses SSH agent forwarding from the build host (no key baked into image).
-# --exclude node_modules/.venv keeps the base image's pre-built layers intact.
-# Only the Python source, web UI source, and config change.
-RUN --mount=type=ssh \
-    mkdir -p /root/.ssh && \
-    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
-    cd /tmp && \
-    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
-    git clone --depth 1 --branch main \
-    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rsync -a --delete fork/ /opt/hermes/ \
-      --exclude node_modules \
-      --exclude .venv \
-      --exclude .git && \
-    rm -rf /tmp/fork /root/.ssh/
+ENV DEBIAN_FRONTEND=noninteractive
+ENV PYTHONUNBUFFERED=1
 
-# ---------- Rebuild web UI ----------
-# Source files changed; node_modules (from base image) reused.
-RUN cd /opt/hermes && npm run build
-
-# ---------- Reinstall Python package (editable) ----------
-# Picks up source changes from our fork.
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir --no-deps -e /opt/hermes
-
-# ---------- Extra system deps ----------
-USER root
+# ---------- System dependencies for Chromium ----------
+# The minimum set required to run headless Chromium on Linux.
+# python:3.11-slim is Debian Bookworm (12) -- package names without t64 suffix.
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-        libportaudio2 ca-certificates poppler-utils imagemagick \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
-        texlive-xetex texlive-science \
-        qemu-user-static binfmt-support emacs-nox && \
-    rm -rf /var/lib/apt/lists/*
+        # Chromium and its launcher
+        chromium \
+        chromium-common \
+        chromium-sandbox \
+        # Font rendering for proper page rendering
+        fonts-liberation \
+        fonts-noto-color-emoji \
+        fonts-dejavu-core \
+        # System libraries required by Chromium at runtime
+        libnss3 \
+        libnspr4 \
+        libatk1.0-0 \
+        libatk-bridge2.0-0 \
+        libcups2 \
+        libdrm2 \
+        libxdamage1 \
+        libxfixes3 \
+        libxcomposite1 \
+        libxrandr2 \
+        libgbm1 \
+        libpango-1.0-0 \
+        libcairo2 \
+        libasound2 \
+        libxkbcommon0 \
+        libxshmfence1 \
+        # Virtual framebuffer for headless operation
+        xvfb \
+        # Process supervisor for orphan reaping
+        tini \
+        # Git for Hermes source operations
+        git \
+        # SSL certificates for HTTPS connections
+        ca-certificates \
+        # Curl for health checks
+        curl \
+    && rm -rf /var/lib/apt/lists/*
 
-# ---------- UV ----------
-COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
+# ---------- Hermes Agent installation ----------
+# Install uv (fast Python package manager)
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uvx /usr/local/bin/uvx
 
-# ---------- Piper TTS ----------
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
-    mkdir -p /opt/hermes/.venv/share/piper/voices
+# Create hermes user (non-root runtime)
+RUN useradd -u 10000 -m -d /opt/data hermes
 
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request
-base = '/opt/hermes/.venv/share/piper/voices'
-url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
-urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
-urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
-PYEOF
+# Install Hermes Agent from PyPI with gateway support for messaging
+RUN uv pip install --system --no-cache-dir \
+        'hermes-agent[gateway]' \
+        croniter && \
+    uv cache clean
 
-# ---------- Install Himalaya email CLI ----------
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request, tarfile, os, shutil
-url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
-tgz = '/tmp/himalaya.tgz'
-urllib.request.urlretrieve(url, tgz)
-with tarfile.open(tgz) as t:
-    t.extractall('/tmp')
-shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
-os.chmod('/usr/local/bin/himalaya', 0o755)
-os.remove(tgz)
-print('himalaya v1.2.0 installed')
-PYEOF
+# Create the /opt/hermes directory structure expected by entrypoint
+RUN mkdir -p /opt/hermes/.venv/bin && \
+    mkdir -p /opt/hermes/docker && \
+    ln -sf /usr/local/bin/uv /opt/hermes/.venv/bin/uv && \
+    ln -sf /usr/local/bin/uvx /opt/hermes/.venv/bin/uvx
 
-# ---------- Install himalaya-ro wrapper ----------
-COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+# ---------- Entrypoint script ----------
+COPY entrypoint.sh /opt/hermes/docker/entrypoint.sh
+RUN chmod +x /opt/hermes/docker/entrypoint.sh
 
+# ---------- Environment variables ----------
+# Point browser tool to system Chromium (installed via apt-get)
+ENV CHROME_EXECUTABLE=/usr/bin/chromium
+
+# Hermes paths
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+
+# Playwright browsers path (for agent-browser install at runtime)
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
+
+# Virtual framebuffer display for headless Chromium
+ENV DISPLAY=:99
+
+# ---------- Data volume ----------
+VOLUME [ "/opt/data" ]
 
 # ---------- Runtime ----------
 USER hermes
-ENV HERMES_HOME=/opt/data
-ENV PATH="/opt/data/.local/bin:${PATH}"
-# Point browser tool to Playwright's Chromium (already in base image)
-ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
+WORKDIR /opt/data
 
-# Ensure tools directory and toolsets.py are writable by the hermes runtime user
-# so custom tools can be injected from the persistent volume at startup.
-RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
-
-VOLUME [ "/opt/data" ]
+ENTRYPOINT [ "/opt/hermes/docker/entrypoint.sh" ]
+CMD [ "gateway", "run" ]

ai/hermes/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+# Hermes Agent entrypoint script
+# Installs custom tools and runtime dependencies,
+# then delegates to the passed command (usually "gateway run").
+
+# Install custom tools from persistent volume if available
+if [ -f /opt/data/hermes-tools/install.sh ]; then
+    bash /opt/data/hermes-tools/install.sh
+fi
+
+# Install additional runtime deps (idempotent)
+if command -v uv &>/dev/null; then
+    uv pip install --system --no-cache-dir --quiet \
+        openai mautrix[encryption] 2>/dev/null || true
+fi
+
+# Execute the passed command with tini for proper signal handling
+exec tini -g -- "$@"

ai/llama-cpp/Dockerfile

@@ -1,30 +0,0 @@
-# llama-cpp-rocm6/Dockerfile
-# Custom llama.cpp server with ROCm 6.1 + gfx906 (MI50) support.
-# Build: docker build -t llama-cpp:rocm-gfx906 .
-
-FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl git build-essential pkg-config cmake make && rm -rf /var/lib/apt/lists/*
-ARG LLAMACPP_VERSION=b9596
-RUN git clone --depth 1 --branch ${LLAMACPP_VERSION} https://github.com/ggml-org/llama.cpp.git /build
-WORKDIR /build
-ENV HIP_PATH=/opt/rocm ROCM_PATH=/opt/rocm PATH=/opt/rocm/bin:/opt/rocm/llvm/bin:${PATH} CMAKE_PREFIX_PATH=/opt/rocm
-RUN mkdir build && cd build && \
-    cmake .. -DGGML_HIP=ON -DCMAKE_BUILD_TYPE=Release \
-      -DAMDGPU_TARGETS="gfx906:xnack-" \
-      -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
-      -DGGML_CUDA=OFF -DGGML_VULKAN=OFF -DGGML_METAL=OFF \
-      -DBUILD_SHARED_LIBS=OFF && \
-    cmake --build . --target llama-server -- -j $(nproc)
-
-FROM ubuntu:24.04
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    ca-certificates curl libstdc++6 libgomp1 libopenblas0 \
-    libnuma1 libelf1 libdrm2 libdrm-amdgpu1 \
-    && rm -rf /var/lib/apt/lists/*
-COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
-COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
-COPY --from=builder /build/build/bin/llama-server /usr/local/bin/llama-server
-RUN echo /opt/rocm/lib > /etc/ld.so.conf.d/rocm.conf && ldconfig
-ENV HSA_OVERRIDE_GFX_VERSION=9.0.6 HCC_AMDGPU_TARGET=gfx906 HSA_ENABLE_SDMA=0
-EXPOSE 8080
-ENTRYPOINT ["/usr/local/bin/llama-server"]