mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-25 00:51:20 +00:00
fix(docker): safer docker-compose defaults for UID and dashboard bind
Follow-up to salvaged PR #13483:
- Default HERMES_UID/HERMES_GID to 10000 (matches Dockerfile's useradd and the entrypoint's default) instead of 1001. Users should set these to their own id -u / id -g; document that in the header.
- Dashboard service: bind to 127.0.0.1 without --insecure by default. The dashboard stores API keys; the original compose file exposed it on 0.0.0.0 with auth explicitly disabled, which the dashboard's own --insecure help text flags as DANGEROUS.
- Add header comments explaining HERMES_UID usage, the dashboard security posture, and how to expose the API server safely.
parent
14c9f7272c
commit
06b60b76cd
1 changed files with 28 additions and 6 deletions
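--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,23 @@
+#
+# docker-compose.yml for Hermes Agent
+#
+# Usage:
+# HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d
+#
+# Set HERMES_UID / HERMES_GID to the host user that owns ~/.hermes so
+# files created inside the container stay readable/writable on the host.
+# The entrypoint remaps the internal `hermes` user to these values via
+# usermod/groupmod + gosu.
+#
+# Security notes:
+# - The dashboard service binds to 127.0.0.1 by default. It stores API
+# keys; exposing it on LAN without auth is unsafe. If you want remote
+# access, use an SSH tunnel or put it behind a reverse proxy that
+# adds authentication — do NOT pass --insecure --host 0.0.0.0.
+# - The gateway's API server is off unless you uncomment API_SERVER_KEY
+# and API_SERVER_HOST. See docs/user-guide/api-server.md before doing
+# this on an internet-facing host.
+#
 services:
 gateway:
 build: .
@@ -8,9 +28,10 @@ services:
 volumes:
 - ~/.hermes:/opt/data
 environment:
-- HERMES_UID=${HERMES_UID:-1001}
-- HERMES_GID=${HERMES_GID:-1001}
-# Uncomment to expose API server beyond localhost (requires API_SERVER_KEY):
+- HERMES_UID=${HERMES_UID:-10000}
+- HERMES_GID=${HERMES_GID:-10000}
+# To expose the OpenAI-compatible API server beyond localhost,
+# uncomment BOTH lines (API_SERVER_KEY is mandatory for auth):
 # - API_SERVER_HOST=0.0.0.0
 # - API_SERVER_KEY=${API_SERVER_KEY}
 command: ["gateway", "run"]
@@ -25,6 +46,7 @@ services:
 volumes:
 - ~/.hermes:/opt/data
 environment:
-- HERMES_UID=${HERMES_UID:-1001}
-- HERMES_GID=${HERMES_GID:-1001}
-command: ["dashboard", "--host", "0.0.0.0", "--insecure"]
+- HERMES_UID=${HERMES_UID:-10000}
+- HERMES_GID=${HERMES_GID:-10000}
+# Localhost-only. For remote access, tunnel via `ssh -L 9119:localhost:9119`.
+command: ["dashboard", "--host", "127.0.0.1", "--no-open"]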
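Review bot: The commented `API_SERVER_KEY=${API_SERVER_KEY}` line in the gateway `environment` block is described as mandatory for auth, but plain `${API_SERVER_KEY}` interpolates to an empty string when the variable is unset, so uncommenting both lines without exporting the variable would bind the API server to 0.0.0.0 with an empty key. Whether the gateway rejects an empty key is not visible here, so the compose file should fail closed on its own: `# - API_SERVER_KEY=${API_SERVER_KEY:?set API_SERVER_KEY before exposing the API server}`. Separately, the dashboard's `--host 127.0.0.1` is only host loopback if that service uses host networking, which is outside the visible hunks; the `# Localhost-only.` comment should say which network mode it relies on.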