feat: add Himalaya email CLI to Hermes Docker image

2026-05-12 18:05:18 -04:00
8 changed files with 76 additions and 182 deletions
--- a/ai/Dockerfile
+++ b/ai/Dockerfile
@@ -1,68 +0,0 @@
-FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
-FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
-FROM debian:13.4
-
-# Disable Python stdout buffering to ensure logs are printed immediately
-ENV PYTHONUNBUFFERED=1
-
-# Store Playwright browsers outside the volume mount so the build-time
-# install survives the /opt/data volume overlay at runtime.
-ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
-
-# Install system dependencies in one layer, clear APT cache
-# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.)
-# that would otherwise accumulate when hermes runs as PID 1. See #15012.
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
-        curl poppler-utils imagemagick emacs-nox qemu-user-static binfmt-support qemu-user-binfmt && \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
-        chromium xvfb \
-        fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
-        libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 && \
-    rm -rf /var/lib/apt/lists/*
-
-# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
-RUN useradd -u 10000 -m -d /opt/data hermes
-
-COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
-COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/
-
-WORKDIR /opt/hermes
-
-# ---------- Layer-cached dependency install ----------
-# Copy only package manifests first so npm install + Playwright are cached
-# unless the lockfiles themselves change.
-COPY package.json package-lock.json ./
-COPY web/package.json web/package-lock.json web/
-
-RUN npm install --prefer-offline --no-audit && \
-    npx playwright install --with-deps chromium --only-shell && \
-    (cd web && npm install --prefer-offline --no-audit) && \
-    npm cache clean --force
-
-# ---------- Source code ----------
-# .dockerignore excludes node_modules, so the installs above survive.
-COPY --chown=hermes:hermes . .
-
-# Build web dashboard (Vite outputs to hermes_cli/web_dist/)
-RUN cd web && npm run build
-
-# ---------- Permissions ----------
-# Make install dir world-readable so any HERMES_UID can read it at runtime.
-# The venv needs to be traversable too.
-USER root
-RUN chmod -R a+rX /opt/hermes
-# Start as root so the entrypoint can usermod/groupmod + gosu.
-# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).
-
-# ---------- Python virtualenv ----------
-RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]"
-
-# ---------- Runtime ----------
-ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
-ENV HERMES_HOME=/opt/data
-ENV PATH="/opt/data/.local/bin:${PATH}"
-VOLUME [ "/opt/data" ]
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -31,9 +31,6 @@ services:
      ssh:
        - default
    container_name: hermes
-    entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
-      "hermes-entrypoint"]
    restart: always
    # Gateway run enables the internal API server on port 8642
    command: gateway run
@@ -54,10 +51,6 @@ services:
      - TZ=America/Montreal
    volumes:
      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
-      # Syncthing-shared org files — read-only view of user's agenda
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
-      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
    devices:
      - /dev/kfd:/dev/kfd
      - /dev/dri:/dev/dri
@@ -67,35 +60,6 @@ services:
    networks:
      - ai_backend

-  syncthing:
-    image: syncthing/syncthing:latest
-    container_name: syncthing
-    hostname: syncthing
-    restart: always
-    ports:
-      - "8384:8384"
-      - "22000:22000"
-      - "21027:21027/udp"
-    environment:
-      - TZ=America/Montreal
-    volumes:
-      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
-    networks:
-      - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-http.entrypoints=web"
-      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
-      - "traefik.http.routers.syncthing-https.tls=true"
-      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
-      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
-
  ollama:
    build:
      context: ./ollama
--- a/ai/hermes/Dockerfile
+++ b/ai/hermes/Dockerfile
@@ -1,52 +1,34 @@
-# syntax=docker/dockerfile:1
-# Hermes Agent -- custom fork build
-# Builds on top of official image + overlays our forked source from Gitea.
-# Requires Docker BuildKit. Pass SSH agent for git clone:
-#   docker compose build hermes
-# Or manually:
-#   DOCKER_BUILDKIT=1 docker build --ssh default -t hermes-agent:custom .
+# 1. On récupère la version la plus récente d'UV
+FROM ghcr.io/astral-sh/uv:latest AS uv_source

-# ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
+# 2. Image officielle Hermes Agent de NousResearch
+# Contient déjà: Python, Node.js, npm, Playwright/Chromium, venv, tts_tool.py, etc.
 FROM nousresearch/hermes-agent:latest

-# ---------- Overlay our forked source ----------
-# Uses SSH agent forwarding from the build host (no key baked into image).
-# --exclude node_modules/.venv keeps the base image's pre-built layers intact.
-# Only the Python source, web UI source, and config change.
-RUN --mount=type=ssh \
-    mkdir -p /root/.ssh && \
-    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
-    cd /tmp && \
-    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
-    git clone --depth 1 --branch main \
-    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rsync -a --delete fork/ /opt/hermes/ \
-      --exclude node_modules \
-      --exclude .venv \
-      --exclude .git && \
-    rm -rf /tmp/fork /root/.ssh/
-
-# ---------- Rebuild web UI ----------
-# Source files changed; node_modules (from base image) reused.
-RUN cd /opt/hermes && npm run build
-
-# ---------- Reinstall Python package (editable) ----------
-# Picks up source changes from our fork.
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir --no-deps -e /opt/hermes
-
-# ---------- Extra system deps ----------
+# ---------- System dependencies ----------
+# The official hermes-agent image already has: git, curl, ffmpeg, python3,
+# gcc, build-essential, openssh-client, procps, tini, ripgrep, docker-cli,
+# libportaudio2, ca-certificates, etc.
 USER root
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
-        libportaudio2 ca-certificates poppler-utils imagemagick \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
-        texlive-xetex texlive-science \
-        qemu-user-static binfmt-support emacs-nox && \
+        poppler-utils \
+        imagemagick \
+        texlive-latex-base \
+        texlive-latex-extra \
+        texlive-fonts-recommended \
+        texlive-xetex \
+        texlive-science && \
    rm -rf /var/lib/apt/lists/*

-# ---------- UV ----------
-COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
+# ---------- UV (hyperfast pip alternative) ----------
+COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
+
+WORKDIR /opt/hermes
+
+# ---------- Extra Python deps ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir httpx

 # ---------- Piper TTS ----------
 RUN . /opt/hermes/.venv/bin/activate && \
@@ -59,6 +41,7 @@ base = '/opt/hermes/.venv/share/piper/voices'
 url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
 urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
+print('Piper voice downloaded')
 PYEOF

 # ---------- Install Himalaya email CLI ----------
@@ -78,6 +61,11 @@ PYEOF
 # ---------- Install himalaya-ro wrapper ----------
 COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro

+# ---------- Patch tts_tool.py: remplacer Edge TTS par Piper ----------
+# Edge TTS appelle les serveurs Microsoft — on ne veut jamais ça.
+# Piper roule localement sur CPU, aucun cloud, aucune donnée qui sort.
+COPY patch_tts_tool.py /tmp/patch_tts_tool.py
+RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py

 # ---------- Runtime ----------
 USER hermes
@@ -86,8 +74,9 @@ ENV PATH="/opt/data/.local/bin:${PATH}"
 # Point browser tool to Playwright's Chromium (already in base image)
 ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome

-# Ensure tools directory and toolsets.py are writable by the hermes runtime user
-# so custom tools can be injected from the persistent volume at startup.
-RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
+VOLUME [ "/opt/data" ]

-VOLUME [ "/opt/data" ]
+# Startup permission fix + config generation + TTS patch
+COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
+
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]
--- a/ai/hermes/entrypoint.sh
+++ b/ai/hermes/entrypoint.sh
@@ -1,20 +0,0 @@
-#!/bin/bash
-set -e
-
-# Hermes Agent entrypoint script
-# Installs custom tools and runtime dependencies,
-# then delegates to the passed command (usually "gateway run").
-
-# Install custom tools from persistent volume if available
-if [ -f /opt/data/hermes-tools/install.sh ]; then
-    bash /opt/data/hermes-tools/install.sh
-fi
-
-# Install additional runtime deps (idempotent)
-if command -v uv &>/dev/null; then
-    uv pip install --system --no-cache-dir --quiet \
-        openai mautrix[encryption] 2>/dev/null || true
-fi
-
-# Execute the passed command with tini for proper signal handling
-exec tini -g -- "$@"
--- a/ai/hermes/fix-permissions.sh
+++ b/ai/hermes/fix-permissions.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Startup permission fix + TTS patch.
+# Runs as root before the entrypoint drops to the hermes user.
+set -e
+
+HERMES_HOME="${HERMES_HOME:-/opt/data}"
+
+# Fix ownership on critical writable directories
+chown -R hermes:hermes \
+  "$HERMES_HOME/sessions" \
+  "$HERMES_HOME/checkpoints" \
+  "$HERMES_HOME/skills" \
+  "$HERMES_HOME/memories" \
+  "$HERMES_HOME/workspace" \
+  "$HERMES_HOME/pastes" \
+  "$HERMES_HOME/logs" \
+  "$HERMES_HOME/cron" \
+  "$HERMES_HOME/plans" \
+  "$HERMES_HOME/hooks" \
+  "$HERMES_HOME/cache" \
+  2>/dev/null || true
+
+# Fix data volume root ownership
+if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
+  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
+fi
+
+# ---------- Patch tts_tool.py: replace Edge TTS with Piper ----------
+# Fallback runtime patch in case the volume's site-packages differ from the image.
+# Idempotent: if already patched, the script does nothing.
+PATCH_SCRIPT="/opt/hermes/patch_tts_tool.py"
+if [ -f "$PATCH_SCRIPT" ]; then
+  echo "Applying TTS patch (Piper only, no Edge fallback)..."
+  /opt/hermes/.venv/bin/python3 "$PATCH_SCRIPT" 2>&1 || true
+fi
+
+# Chain to the official Hermes entrypoint
+exec /opt/hermes/docker/entrypoint.sh "$@"
--- a/versioncontrol/compose.yml
+++ b/versioncontrol/compose.yml
@@ -8,10 +8,13 @@ services:
      - USER_GID=1000
      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
      - GITEA__actions__ENABLED=true
+      - GITEA__actions__DEFAULT_ACTIONS_URL=off
      - SSH_PORT=2222
      - SSH_LISTEN_PORT=2222
      # Enable Gitea Actions (act_runner required on host)
      - GITEA__actions__ENABLED=true
+      # Don't fetch actions from GitHub (offline mode + local only)
+      - GITEA__actions__DEFAULT_ACTIONS_URL=off
    volumes:
      - /mnt/HoardingCow_docker_data/Gitea:/data
    networks:
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -1,9 +0,0 @@
-# Custom wg-easy with iptables-nft (nftables-backed iptables)
-# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
-FROM ghcr.io/wg-easy/wg-easy:latest
-
-# The upstream image registers only iptables-legacy with update-alternatives.
-# iptables-nft binary exists but isn't registered as an alternative key.
-# Override the alternatives-managed symlinks directly.
-RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
-    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -2,10 +2,7 @@ version: "3.8"

 services:
  wireguard:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    image: wg-easy-iptables-nft:latest
+    image: weejewel/wg-easy:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN