From 06b60b76cd76b3c2f5fa1279aa7ea3991798fbc0 Mon Sep 17 00:00:00 2001
From: Teknium
Date: Fri, 24 Apr 2026 04:46:57 -0700
Subject: [PATCH] fix(docker): safer docker-compose defaults for UID and dashboard bind

Follow-up to salvaged PR #13483:
- Default HERMES_UID/HERMES_GID to 10000 (matches Dockerfile's useradd and the entrypoint's default) instead of 1001. Users should set these to their own id -u / id -g; document that in the header.
- Dashboard service: bind to 127.0.0.1 without --insecure by default. The dashboard stores API keys; the original compose file exposed it on 0.0.0.0 with auth explicitly disabled, which the dashboard's own --insecure help text flags as DANGEROUS.
- Add header comments explaining HERMES_UID usage, the dashboard security posture, and how to expose the API server safely.
---
 docker-compose.yml | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 4acb15306..a0fe1a100 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,23 @@
+#
+# docker-compose.yml for Hermes Agent
+#
+# Usage:
+# HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d
+#
+# Set HERMES_UID / HERMES_GID to the host user that owns ~/.hermes so
+# files created inside the container stay readable/writable on the host.
+# The entrypoint remaps the internal `hermes` user to these values via
+# usermod/groupmod + gosu.
+#
+# Security notes:
+# - The dashboard service binds to 127.0.0.1 by default. It stores API
+# keys; exposing it on LAN without auth is unsafe. If you want remote
+# access, use an SSH tunnel or put it behind a reverse proxy that
+# adds authentication — do NOT pass --insecure --host 0.0.0.0.
+# - The gateway's API server is off unless you uncomment API_SERVER_KEY
+# and API_SERVER_HOST. See docs/user-guide/api-server.md before doing
+# this on an internet-facing host.
+#
 services:
 gateway:
 build: .
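Review bot: The usage line `HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d` sets the remap only for that one invocation; any later `docker compose up`, `restart` or `recreate` run without the variables silently falls back to 10000, and by the header's own description of the usermod/gosu remap the container user would then no longer match the host owner of ~/.hermes. Suggest the header also tell users to persist the values, e.g. `# Persist these in a .env file next to this compose file so every` / `# docker compose invocation uses the same UID/GID:` / `#   printf 'HERMES_UID=%s\nHERMES_GID=%s\n' "$(id -u)" "$(id -g)" > .env`. The `services:` mapping that the hunk's trailing context opens continues past the end of this hunk.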
@@ -8,9 +28,10 @@ services:
 volumes:
 - ~/.hermes:/opt/data
 environment:
- - HERMES_UID=${HERMES_UID:-1001}
- - HERMES_GID=${HERMES_GID:-1001}
- # Uncomment to expose API server beyond localhost (requires API_SERVER_KEY):
+ - HERMES_UID=${HERMES_UID:-10000}
+ - HERMES_GID=${HERMES_GID:-10000}
+ # To expose the OpenAI-compatible API server beyond localhost,
+ # uncomment BOTH lines (API_SERVER_KEY is mandatory for auth):
 # - API_SERVER_HOST=0.0.0.0
 # - API_SERVER_KEY=${API_SERVER_KEY}
 command: ["gateway", "run"]
@@ -25,6 +46,7 @@ services:
 volumes:
 - ~/.hermes:/opt/data
 environment:
- - HERMES_UID=${HERMES_UID:-1001}
- - HERMES_GID=${HERMES_GID:-1001}
- command: ["dashboard", "--host", "0.0.0.0", "--insecure"]
+ - HERMES_UID=${HERMES_UID:-10000}
+ - HERMES_GID=${HERMES_GID:-10000}
+ # Localhost-only. For remote access, tunnel via `ssh -L 9119:localhost:9119`.
+ command: ["dashboard", "--host", "127.0.0.1", "--no-open"]
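Review bot: The commented-out `API_SERVER_KEY=${API_SERVER_KEY}` has no default, so a user who uncomments both lines without exporting the variable gets an empty substitution and the gateway comes up on 0.0.0.0 with `API_SERVER_KEY=` — whether the gateway then refuses to start or runs unauthenticated is not visible in this hunk. Make Compose fail fast instead of relying on that: `# - API_SERVER_KEY=${API_SERVER_KEY:?API_SERVER_KEY must be set before exposing the API server}`. Separately, the new comment says the API server is being exposed "beyond localhost", while the header added in the first hunk says it is "off unless you uncomment" both lines; one of these misdescribes the default, so align the wording with what `gateway run` actually does by default. The `gateway` service definition begins before this hunk.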
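Review bot: `--host 127.0.0.1` binds inside the container's own network namespace, so unless the `dashboard` service runs with `network_mode: host` (not visible in this hunk) the dashboard is unreachable from the host and the suggested `ssh -L 9119:localhost:9119` tunnel has nothing to connect to. Under bridge networking the localhost-only posture should come from the published port rather than the bind address: keep `--host 0.0.0.0` in the container and publish it as `ports: - "127.0.0.1:9119:9119"` (port taken from the comment; confirm it matches the dashboard's default). If the service does use host networking, state that in the comment so the next reader does not "fix" the bind back to 0.0.0.0. Also confirm that omitting `--insecure` actually enables authentication rather than only suppressing the warning the commit message cites, since the dashboard's default auth behaviour is not shown here. The `dashboard` service definition begins before this hunk.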