Compare commits
3 Commits
feat/7zz-c
...
ebad994d60
| Author | SHA1 | Date | |
|---|---|---|---|
| ebad994d60 | |||
| 5f25c87775 | |||
| 4e566b2408 |
@@ -39,6 +39,7 @@ services:
|
||||
command: gateway run
|
||||
environment:
|
||||
- OLLAMA_HOST=http://ollama:11434
|
||||
- HERMES_DASHBOARD=1
|
||||
- API_SERVER_ENABLED=true
|
||||
- API_SERVER_PORT=8642
|
||||
- API_SERVER_HOST=0.0.0.0
|
||||
@@ -66,6 +67,30 @@ services:
|
||||
- "26"
|
||||
networks:
|
||||
- ai_backend
|
||||
- ai_net
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.docker.network=ai_net"
|
||||
|
||||
# Router for HTTP + redirection to HTTPS
|
||||
- "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
|
||||
- "traefik.http.routers.hermes-web-http.entrypoints=web"
|
||||
- "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
|
||||
|
||||
# Router for HTTPS with TLS — protected by Authelia
|
||||
- "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
|
||||
- "traefik.http.routers.hermes-web-https.entrypoints=websecure"
|
||||
- "traefik.http.routers.hermes-web-https.tls=true"
|
||||
- "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
|
||||
- "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
|
||||
|
||||
# Authelia forwardAuth
|
||||
- "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
|
||||
- "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
|
||||
- "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
|
||||
|
||||
# Service Loadbalancer (dashboard port 9119)
|
||||
- "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
|
||||
|
||||
syncthing:
|
||||
image: syncthing/syncthing:latest
|
||||
|
||||
@@ -20,16 +20,10 @@ RUN --mount=type=ssh \
|
||||
GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
|
||||
git clone --depth 1 --branch main \
|
||||
git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
|
||||
rsync -a --delete fork/ /opt/hermes/ \
|
||||
--exclude node_modules \
|
||||
--exclude .venv \
|
||||
--exclude .git && \
|
||||
rm -rf fork/node_modules fork/.venv fork/.git && \
|
||||
cp -a fork/. /opt/hermes/ && \
|
||||
rm -rf /tmp/fork /root/.ssh/
|
||||
|
||||
# ---------- Rebuild web UI ----------
|
||||
# Source files changed; node_modules (from base image) reused.
|
||||
RUN cd /opt/hermes && npm run build
|
||||
|
||||
# ---------- Reinstall Python package (editable) ----------
|
||||
# Picks up source changes from our fork.
|
||||
RUN . /opt/hermes/.venv/bin/activate && \
|
||||
@@ -75,43 +69,6 @@ os.remove(tgz)
|
||||
print('himalaya v1.2.0 installed')
|
||||
PYEOF
|
||||
|
||||
# ---------- Install himalaya-ro wrapper ----------
|
||||
COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
|
||||
|
||||
|
||||
# ---------- Install 7-Zip (7zz) for CHM extraction ----------
|
||||
RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
|
||||
import urllib.request, tarfile, os, shutil, re, subprocess
|
||||
|
||||
# Scrape 7-zip.org for latest Linux x64 binary link
|
||||
url = 'https://7-zip.org/download.html'
|
||||
req = urllib.request.Request(url, headers={'User-Agent': 'Mozilla/5.0'})
|
||||
r = urllib.request.urlopen(req, timeout=15)
|
||||
html = r.read().decode()
|
||||
match = re.search(r'href="(a/7z[\d]+-linux-x64\.tar\.xz)"', html)
|
||||
if not match:
|
||||
raise RuntimeError('Could not find 7z Linux x64 download link on 7-zip.org')
|
||||
dl_url = f'https://7-zip.org/{match.group(1)}'
|
||||
|
||||
# Follow Himalaya pattern: download, extract, install, verify
|
||||
xz = '/tmp/7z.tar.xz'
|
||||
urllib.request.urlretrieve(dl_url, xz)
|
||||
os.makedirs('/tmp/7z', exist_ok=True)
|
||||
with tarfile.open(xz, 'r:xz') as t:
|
||||
t.extractall('/tmp/7z')
|
||||
shutil.move('/tmp/7z/7zz', '/usr/local/bin/7zz')
|
||||
os.chmod('/usr/local/bin/7zz', 0o755)
|
||||
shutil.rmtree('/tmp/7z', ignore_errors=True)
|
||||
os.remove(xz)
|
||||
|
||||
# Verify
|
||||
result = subprocess.run(['/usr/local/bin/7zz'], capture_output=True, text=True)
|
||||
assert result.returncode == 0, f'7zz verify failed: {result.stderr}'
|
||||
version = result.stdout.split()[2] if result.stdout else 'unknown'
|
||||
print(f'7-Zip {version} installed successfully')
|
||||
PYEOF
|
||||
|
||||
|
||||
# ---------- Runtime ----------
|
||||
USER hermes
|
||||
ENV HERMES_HOME=/opt/data
|
||||
@@ -121,6 +78,7 @@ ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
|
||||
|
||||
# Ensure tools directory and toolsets.py are writable by the hermes runtime user
|
||||
# so custom tools can be injected from the persistent volume at startup.
|
||||
USER root
|
||||
RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
|
||||
|
||||
VOLUME [ "/opt/data" ]
|
||||
@@ -1,73 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# himalaya-ro — Read-only wrapper for himalaya
|
||||
#
|
||||
# Blocks destructive commands and logs audit trail.
|
||||
# Pass-through for read-only commands (list, read, search).
|
||||
#
|
||||
# Usage: himalaya-ro [options] <command> [args...]
|
||||
#
|
||||
# Install: place in PATH before the real himalaya, or use
|
||||
# `ln -sf himalaya-ro /usr/local/bin/himalaya`
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
set -o pipefail
|
||||
|
||||
# ── Configuration ───────────────────────────────────────────
|
||||
HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
|
||||
AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
|
||||
|
||||
# ── Destructive commands we block ──────────────────────────
|
||||
BLOCKED_CMDS=(
|
||||
"message move"
|
||||
"message delete"
|
||||
"message copy"
|
||||
"flag add"
|
||||
"flag remove"
|
||||
"folder create"
|
||||
"folder delete"
|
||||
"folder rename"
|
||||
"template send"
|
||||
"account configure"
|
||||
"account delete"
|
||||
)
|
||||
|
||||
# ── Determine the subcommand being invoked ─────────────────
|
||||
# Strip leading options (--account, --output, etc.) to find the verb
|
||||
ARGS=()
|
||||
SKIP_NEXT=false
|
||||
for arg in "$@"; do
|
||||
if $SKIP_NEXT; then
|
||||
SKIP_NEXT=false
|
||||
continue
|
||||
fi
|
||||
if [[ "$arg" == --* ]]; then
|
||||
case "$arg" in
|
||||
--account|--output|--page|--page-size|--folder|--color|--format)
|
||||
SKIP_NEXT=true ;;
|
||||
esac
|
||||
continue
|
||||
fi
|
||||
ARGS+=("$arg")
|
||||
done
|
||||
|
||||
# Build subcommand string and check against blocklist
|
||||
CMD_STR=""
|
||||
for ((i=0; i<${#ARGS[@]}; i++)); do
|
||||
if [ -z "$CMD_STR" ]; then
|
||||
CMD_STR="${ARGS[$i]}"
|
||||
else
|
||||
CMD_STR="$CMD_STR ${ARGS[$i]}"
|
||||
fi
|
||||
for blocked in "${BLOCKED_CMDS[@]}"; do
|
||||
if [[ "$CMD_STR" == "$blocked" ]]; then
|
||||
TS=$(date '+%Y-%m-%d %H:%M:%S')
|
||||
echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
|
||||
echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
|
||||
echo " Audit log: $AUDIT_LOG" >&2
|
||||
exit 100
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# ── Allow pass-through ─────────────────────────────────────
|
||||
exec "$HIMALAYA_BIN" "$@"
|
||||
Reference in New Issue
Block a user