mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(docker): safer docker-compose defaults for UID and dashboard bind

Browse source 
Follow-up to salvaged PR #13483:
- Default HERMES_UID/HERMES_GID to 10000 (matches Dockerfile's useradd
  and the entrypoint's default) instead of 1001. Users should set these
  to their own id -u / id -g; document that in the header.
- Dashboard service: bind to 127.0.0.1 without --insecure by default.
  The dashboard stores API keys; the original compose file exposed it on
  0.0.0.0 with auth explicitly disabled, which the dashboard's own
  --insecure help text flags as DANGEROUS.
- Add header comments explaining HERMES_UID usage, the dashboard
  security posture, and how to expose the API server safely.
This commit is contained in:
Teknium 2026-04-24 04:46:57 -07:00 committed by Teknium
parent 14c9f7272c
commit 06b60b76cd
1 changed files with 28 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

34
docker-compose.yml
View file

@ -1,3 +1,23 @@
#
# docker-compose.yml for Hermes Agent
#
# Usage:
# HERMES_UID=$(id -u) HERMES_GID=$(id -g) docker compose up -d
#
# Set HERMES_UID / HERMES_GID to the host user that owns ~/.hermes so
# files created inside the container stay readable/writable on the host.
# The entrypoint remaps the internal `hermes` user to these values via
# usermod/groupmod + gosu.
#
# Security notes:
# - The dashboard service binds to 127.0.0.1 by default. It stores API
# keys; exposing it on LAN without auth is unsafe. If you want remote
# access, use an SSH tunnel or put it behind a reverse proxy that
# adds authentication — do NOT pass --insecure --host 0.0.0.0.
# - The gateway's API server is off unless you uncomment API_SERVER_KEY
# and API_SERVER_HOST. See docs/user-guide/api-server.md before doing
# this on an internet-facing host.
#
services: services:
gateway: gateway:
build: . build: .
@ -8,9 +28,10 @@ services:
volumes: volumes:
- ~/.hermes:/opt/data - ~/.hermes:/opt/data
environment: environment:
- HERMES_UID=${HERMES_UID:-1001} - HERMES_UID=${HERMES_UID:-10000}
- HERMES_GID=${HERMES_GID:-1001} - HERMES_GID=${HERMES_GID:-10000}
# Uncomment to expose API server beyond localhost (requires API_SERVER_KEY): # To expose the OpenAI-compatible API server beyond localhost,
# uncomment BOTH lines (API_SERVER_KEY is mandatory for auth):
# - API_SERVER_HOST=0.0.0.0 # - API_SERVER_HOST=0.0.0.0
# - API_SERVER_KEY=${API_SERVER_KEY} # - API_SERVER_KEY=${API_SERVER_KEY}
command: ["gateway", "run"] command: ["gateway", "run"]
@ -25,6 +46,7 @@ services:
volumes: volumes:
- ~/.hermes:/opt/data - ~/.hermes:/opt/data
environment: environment:
- HERMES_UID=${HERMES_UID:-1001} - HERMES_UID=${HERMES_UID:-10000}
- HERMES_GID=${HERMES_GID:-1001} - HERMES_GID=${HERMES_GID:-10000}
command: ["dashboard", "--host", "0.0.0.0", "--insecure"] # Localhost-only. For remote access, tunnel via `ssh -L 9119:localhost:9119`.
command: ["dashboard", "--host", "127.0.0.1", "--no-open"]