fix: add Matrix bridge deps to compose entrypoint with persistent venv

Adds uv pip install openai mautrix[encryption] to the hermes container
entrypoint, with volume mount at /opt/hermes/.venv for persistence.

Key changes:
- Entrypoint now activates venv and installs Matrix bridge deps before
  running the official entrypoint.sh
- Handles empty-volume first-boot by recreating the venv from scratch
  (matching Dockerfile install steps)
- Persists venv at /mnt/HoardingCow_docker_data/Hermes/venv so pip
  packages survive container recreation

ai/compose.yml

@@ -31,14 +31,27 @@ services:
       ssh:
         - default
     container_name: hermes
+    # Install Matrix bridge deps (mautrix[encryption]) + openai into the venv at startup.
+    # Ensures the venv is usable even on first boot with empty persistent volume.
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && \
+       if [ ! -f /opt/hermes/.venv/bin/python3 ]; then \
+         uv venv /opt/hermes/.venv --seed && \
+         . /opt/hermes/.venv/bin/activate && \
+         uv pip install --no-cache-dir --no-deps -e /opt/hermes && \
+         uv pip install --no-cache-dir piper-tts sounddevice numpy; \
+       else \
+         . /opt/hermes/.venv/bin/activate; \
+       fi && \
+       uv pip install openai 'mautrix[encryption]' -q && \
+       exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -58,6 +71,8 @@ services:
       - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
       # Syncthing-shared inbox — write tasks here, they sync to user's laptop
       - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
+      # Persist Python venv across container recreation (Matrix bridge deps, etc.)
+      - /mnt/HoardingCow_docker_data/Hermes/venv:/opt/hermes/.venv
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -76,11 +91,17 @@ services:
       - "traefik.http.routers.hermes-web-http.entrypoints=web"
       - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
 
-      # Router for HTTPS with TLS
+      # Router for HTTPS with TLS — protected by Authelia
       - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
       - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
       - "traefik.http.routers.hermes-web-https.tls=true"
       - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 
       # Service Loadbalancer (dashboard port 9119)
       - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"

ai/hermes/startup.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# This file was replaced by inline entrypoint logic in compose.yml
+# See ai/compose.yml hermes.entrypoint for the current implementation.
+echo "startup.sh is obsolete — logic is inline in compose.yml entrypoint"