compose/ai/hermes/Dockerfile

# 1. On récupère la version la plus récente d'UV
FROM ghcr.io/astral-sh/uv:latest AS uv_source

# 2. Image officielle Hermes Agent de NousResearch
# Contient déjà: Python, Node.js, npm, Playwright/Chromium, venv, tts_tool.py, etc.
FROM nousresearch/hermes-agent:latest

# ---------- System dependencies ----------
# The official hermes-agent image already has: git, curl, ffmpeg, python3,
# gcc, build-essential, openssh-client, procps, tini, ripgrep, docker-cli,
# libportaudio2, ca-certificates, etc.
#
# These extras we need to add back:
#   - poppler-utils, imagemagick  (PDF/image processing)
#   - texlive-*                   (LaTeX typesetting for reports)
#   - qemu-user-static, binfmt-support (QEMU cross-compilation)
#   - emacs-nox                   (text editing in container)
USER root
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        libportaudio2 \
        ca-certificates \
        poppler-utils \
        imagemagick \
        texlive-latex-base \
        texlive-latex-extra \
        texlive-fonts-recommended \
        texlive-xetex \
        texlive-science \
        qemu-user-static \
        binfmt-support \
        emacs-nox && \
    rm -rf /var/lib/apt/lists/*

# ---------- UV (hyperfast pip alternative) ----------
COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/

WORKDIR /opt/hermes

# ---------- Piper TTS dans le venv existant ----------
# Le venv de l'image de base est root-owned, on doit installer en root aussi
RUN . /opt/hermes/.venv/bin/activate && \
    uv pip install --no-cache-dir piper-tts sounddevice numpy

# ---------- Télécharger la voix Piper Ryan (high quality) ----------
RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
import urllib.request
base = '/opt/hermes/.venv/share/piper/voices'
url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
PYEOF

# ---------- Patch tts_tool.py: remplacer Edge TTS par Piper ----------
# Edge TTS appelle les serveurs Microsoft — on ne veut jamais ça.
# Piper roule localement sur CPU, aucun cloud, aucune donnée qui sort.
COPY patch_tts_tool.py /tmp/patch_tts_tool.py
RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py

# ---------- Runtime ----------
# Retour à l'utilisateur non-root pour la sécurité
USER hermes

ENV HERMES_HOME=/opt/data
ENV PATH="/opt/data/.local/bin:${PATH}"

VOLUME [ "/opt/data" ]

# Script de réparation des permissions + patch TTS au démarrage
COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh

ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]