docker-compose.yml

#
# docker-compose.yml for Hermes Agent
#
# Usage:
#   HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d
#
# Set HERMES_UID / HERMES_GID to the host user that owns ~/.hermes so
# files created inside the container stay readable/writable on the host.
# The entrypoint remaps the internal `hermes` user to these values via
# usermod/groupmod + gosu.
#
# Security notes:
#   - The dashboard service binds to 127.0.0.1 by default. It stores API
#     keys; exposing it on LAN without auth is unsafe. If you want remote
#     access, use an SSH tunnel or put it behind a reverse proxy that
#     adds authentication — do NOT pass --insecure --host 0.0.0.0.
#   - The gateway's API server is off unless you uncomment API_SERVER_KEY
#     and API_SERVER_HOST. See docs/user-guide/api-server.md before doing
#     this on an internet-facing host.
#
services:
  gateway:
    build: .
    image: hermes-agent
    container_name: hermes
    restart: unless-stopped
    network_mode: host
    volumes:
      - ~/.hermes:/opt/data
    environment:
      - HERMES_UID=${HERMES_UID:-10000}
      - HERMES_GID=${HERMES_GID:-10000}
      # To expose the OpenAI-compatible API server beyond localhost,
      # uncomment BOTH lines (API_SERVER_KEY is mandatory for auth):
      # - API_SERVER_HOST=0.0.0.0
      # - API_SERVER_KEY=${API_SERVER_KEY}
    command: ["gateway", "run"]

  dashboard:
    image: hermes-agent
    container_name: hermes-dashboard
    restart: unless-stopped
    network_mode: host
    depends_on:
      - gateway
    volumes:
      - ~/.hermes:/opt/data
    environment:
      - HERMES_UID=${HERMES_UID:-10000}
      - HERMES_GID=${HERMES_GID:-10000}
    # Localhost-only. For remote access, tunnel via `ssh -L 9119:localhost:9119`.
    command: ["dashboard", "--host", "127.0.0.1", "--no-open"]
fix(docker): safer docker-compose defaults for UID and dashboard bind Follow-up to salvaged PR #13483: - Default HERMES_UID/HERMES_GID to 10000 (matches Dockerfile's useradd and the entrypoint's default) instead of 1001. Users should set these to their own id -u / id -g; document that in the header. - Dashboard service: bind to 127.0.0.1 without --insecure by default. The dashboard stores API keys; the original compose file exposed it on 0.0.0.0 with auth explicitly disabled, which the dashboard's own --insecure help text flags as DANGEROUS. - Add header comments explaining HERMES_UID usage, the dashboard security posture, and how to expose the API server safely. 2026-04-24 04:46:57 -07:00			`#`
			`# docker-compose.yml for Hermes Agent`
			`#`
			`# Usage:`
			`# HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d`
			`#`
			`# Set HERMES_UID / HERMES_GID to the host user that owns ~/.hermes so`
			`# files created inside the container stay readable/writable on the host.`
			# The entrypoint remaps the internal `hermes` user to these values via
			`# usermod/groupmod + gosu.`
			`#`
			`# Security notes:`
			`# - The dashboard service binds to 127.0.0.1 by default. It stores API`
			`# keys; exposing it on LAN without auth is unsafe. If you want remote`
			`# access, use an SSH tunnel or put it behind a reverse proxy that`
			`# adds authentication — do NOT pass --insecure --host 0.0.0.0.`
			`# - The gateway's API server is off unless you uncomment API_SERVER_KEY`
			`# and API_SERVER_HOST. See docs/user-guide/api-server.md before doing`
			`# this on an internet-facing host.`
			`#`
fix(docker): fix HERMES_UID permission handling and add docker-compose.yml - Remove 'USER hermes' from Dockerfile so entrypoint runs as root and can usermod/groupmod before gosu drop. Add chmod -R a+rX /opt/hermes so any remapped UID can read the install directory. - Fix entrypoint chown logic: always chown -R when HERMES_UID is remapped from default 10000, not just when top-level dir ownership mismatches. - Add docker-compose.yml with gateway + dashboard services. - Add .hermes to .gitignore. 2026-04-21 19:12:15 +08:00			`services:`
			`gateway:`
			`build: .`
			`image: hermes-agent`
			`container_name: hermes`
			`restart: unless-stopped`
			`network_mode: host`
			`volumes:`
			`- ~/.hermes:/opt/data`
			`environment:`
fix(docker): safer docker-compose defaults for UID and dashboard bind Follow-up to salvaged PR #13483: - Default HERMES_UID/HERMES_GID to 10000 (matches Dockerfile's useradd and the entrypoint's default) instead of 1001. Users should set these to their own id -u / id -g; document that in the header. - Dashboard service: bind to 127.0.0.1 without --insecure by default. The dashboard stores API keys; the original compose file exposed it on 0.0.0.0 with auth explicitly disabled, which the dashboard's own --insecure help text flags as DANGEROUS. - Add header comments explaining HERMES_UID usage, the dashboard security posture, and how to expose the API server safely. 2026-04-24 04:46:57 -07:00			`- HERMES_UID=${HERMES_UID:-10000}`
			`- HERMES_GID=${HERMES_GID:-10000}`
			`# To expose the OpenAI-compatible API server beyond localhost,`
			`# uncomment BOTH lines (API_SERVER_KEY is mandatory for auth):`
fix(docker): fix HERMES_UID permission handling and add docker-compose.yml - Remove 'USER hermes' from Dockerfile so entrypoint runs as root and can usermod/groupmod before gosu drop. Add chmod -R a+rX /opt/hermes so any remapped UID can read the install directory. - Fix entrypoint chown logic: always chown -R when HERMES_UID is remapped from default 10000, not just when top-level dir ownership mismatches. - Add docker-compose.yml with gateway + dashboard services. - Add .hermes to .gitignore. 2026-04-21 19:12:15 +08:00			`# - API_SERVER_HOST=0.0.0.0`
			`# - API_SERVER_KEY=${API_SERVER_KEY}`
			`command: ["gateway", "run"]`

			`dashboard:`
			`image: hermes-agent`
			`container_name: hermes-dashboard`
			`restart: unless-stopped`
			`network_mode: host`
			`depends_on:`
			`- gateway`
			`volumes:`
			`- ~/.hermes:/opt/data`
			`environment:`
fix(docker): safer docker-compose defaults for UID and dashboard bind Follow-up to salvaged PR #13483: - Default HERMES_UID/HERMES_GID to 10000 (matches Dockerfile's useradd and the entrypoint's default) instead of 1001. Users should set these to their own id -u / id -g; document that in the header. - Dashboard service: bind to 127.0.0.1 without --insecure by default. The dashboard stores API keys; the original compose file exposed it on 0.0.0.0 with auth explicitly disabled, which the dashboard's own --insecure help text flags as DANGEROUS. - Add header comments explaining HERMES_UID usage, the dashboard security posture, and how to expose the API server safely. 2026-04-24 04:46:57 -07:00			`- HERMES_UID=${HERMES_UID:-10000}`
			`- HERMES_GID=${HERMES_GID:-10000}`
			# Localhost-only. For remote access, tunnel via `ssh -L 9119:localhost:9119`.
			`command: ["dashboard", "--host", "127.0.0.1", "--no-open"]`