feat(nix): container-aware CLI — auto-route into managed container (#7543)

* feat(nix): container-aware CLI — auto-route all subcommands into managed container When container.enable = true, the host `hermes` CLI transparently execs every subcommand into the managed Docker/Podman container. A symlink bridge (~/.hermes -> /var/lib/hermes/.hermes) unifies state between host and container so sessions, config, and memories are shared. CLI changes: - Global routing before subcommand dispatch (all commands forwarded) - docker exec with -u exec_user, env passthrough (TERM, COLORTERM, LANG, LC_ALL), TTY-aware flags - Retry with spinner on failure (TTY: 5s, non-TTY: 10s silent) - Hard fail instead of silent fallback - HERMES_DEV=1 env var bypasses routing for development - No routing messages (invisible to user) NixOS module changes: - container.hostUsers option: lists users who get ~/.hermes symlink and automatic hermes group membership - Activation script creates symlink bridge (with backup of existing ~/.hermes dirs), writes exec_user to .container-mode - Cleanup on disable: removes symlinks + .container-mode + stops service - Warning when hostUsers set without addToSystemPackages * fix: address review — reuse sudo var, add chown -h on symlink update - hermes_cli/main.py: reuse the existing `sudo` variable instead of redundant `shutil.which("sudo")` call that could return None - nix/nixosModules.nix: add missing `chown -h` when updating an existing symlink target so ownership stays consistent with the fresh-create and backup-replace branches * fix: address remaining review items from cursor bugbot - hermes_cli/main.py: move container routing BEFORE parse_args() so --help, unrecognised flags, and all subcommands are forwarded transparently into the container instead of being intercepted by argparse on the host (high severity) - nix/nixosModules.nix: resolve home dirs via config.users.users.${user}.home instead of hardcoding /home/${user}, supporting users with custom home directories (medium severity) - nix/nixosModules.nix: gate hostUsers group membership on container.enable so setting hostUsers without container mode doesn't silently add users to the hermes group (low severity) * fix: simplify container routing — execvp, no retries, let it crash - Replace subprocess.run retry loop with os.execvp (no idle parent process) - Extract _probe_container helper for sudo detection with 15s timeout - Narrow exception handling: FileNotFoundError only in get_container_exec_info, catch TimeoutExpired specifically, remove silent except Exception: pass - Collapse needs_sudo + sudo into single sudo_path variable - Simplify NixOS symlink creation from 4 branches to 2 - Gate NixOS sudoers hint with "On NixOS:" prefix - Full test rewrite: 18 tests covering execvp, sudo probe, timeout, permissions --------- Co-authored-by: Hermes Agent <hermes@nousresearch.com>
2026-04-25 00:51:20 +00:00 · 2026-04-11 16:47:46 -07:00 · 2026-04-11 16:47:46 -07:00 · cab814af15
commit cab814af15
parent 5c2ecdec49
6 changed files with 983 additions and 1 deletions
--- a/nix/nixosModules.nix
+++ b/nix/nixosModules.nix
@ -499,6 +499,16 @@
          default = "ubuntu:24.04";
          description = "OCI container image. The container pulls this at runtime via Docker/Podman.";
        };
+
+        hostUsers = mkOption {
+          type = types.listOf types.str;
+          default = [ ];
+          description = ''
+            Interactive users who get a ~/.hermes symlink to the service
+            stateDir. These users are automatically added to the hermes group.
+          '';
+          example = [ "sidbin" ];
+        };
      };
    };

@ -557,6 +567,25 @@
        environment.variables.HERMES_HOME = "${cfg.stateDir}/.hermes";
      })

+      # ── Host user group membership ─────────────────────────────────────
+      (lib.mkIf (cfg.container.enable && cfg.container.hostUsers != []) {
+        users.users = lib.genAttrs cfg.container.hostUsers (user: {
+          extraGroups = [ cfg.group ];
+        });
+      })
+
+      # ── Warnings ──────────────────────────────────────────────────────
+      (lib.mkIf (cfg.container.enable && !cfg.addToSystemPackages && cfg.container.hostUsers != []) {
+        warnings = [
+          ''
+            services.hermes-agent: container.enable is true and container.hostUsers
+            is set, but addToSystemPackages is false. Without a host-installed hermes
+            binary, container routing will not work for interactive users.
+            Set addToSystemPackages = true or ensure hermes is on PATH.
+          ''
+        ];
+      })
+
      # ── Directories ───────────────────────────────────────────────────
      {
        systemd.tmpfiles.rules = [
@ -611,6 +640,59 @@
          chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/.hermes/.managed
          chmod 0644 ${cfg.stateDir}/.hermes/.managed

+          # Container mode metadata — tells the host CLI to exec into the
+          # container instead of running locally. Removed when container mode
+          # is disabled so the host CLI falls back to native execution.
+          ${if cfg.container.enable then ''
+            cat > ${cfg.stateDir}/.hermes/.container-mode <<'HERMES_CONTAINER_MODE_EOF'
+# Written by NixOS activation script. Do not edit manually.
+backend=${cfg.container.backend}
+container_name=${containerName}
+exec_user=${cfg.user}
+hermes_bin=${containerDataDir}/current-package/bin/hermes
+HERMES_CONTAINER_MODE_EOF
+            chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/.hermes/.container-mode
+            chmod 0644 ${cfg.stateDir}/.hermes/.container-mode
+          '' else ''
+            rm -f ${cfg.stateDir}/.hermes/.container-mode
+
+            # Remove symlink bridge for hostUsers
+            ${lib.concatStringsSep "\n" (map (user:
+              let
+                userHome = config.users.users.${user}.home;
+                symlinkPath = "${userHome}/.hermes";
+              in ''
+                if [ -L "${symlinkPath}" ] && [ "$(readlink "${symlinkPath}")" = "${cfg.stateDir}/.hermes" ]; then
+                  rm -f "${symlinkPath}"
+                  echo "hermes-agent: removed symlink ${symlinkPath}"
+                fi
+              '') cfg.container.hostUsers)}
+          ''}
+
+          # ── Symlink bridge for interactive users ───────────────────────
+          # Create ~/.hermes -> stateDir/.hermes for each hostUser so the
+          # host CLI shares state with the container service.
+          # Only runs when container mode is enabled.
+          ${lib.optionalString cfg.container.enable
+            (lib.concatStringsSep "\n" (map (user:
+              let
+                userHome = config.users.users.${user}.home;
+                symlinkPath = "${userHome}/.hermes";
+                target = "${cfg.stateDir}/.hermes";
+              in ''
+                if [ -d "${symlinkPath}" ] && [ ! -L "${symlinkPath}" ]; then
+                  # Real directory — back it up, then create symlink.
+                  # (ln -sfn cannot atomically replace a directory.)
+                  _backup="${symlinkPath}.bak.$(date +%s)"
+                  echo "hermes-agent: backing up existing ${symlinkPath} to $_backup"
+                  mv "${symlinkPath}" "$_backup"
+                fi
+                # For everything else (existing symlink, doesn't exist, etc.)
+                # ln -sfn handles it: replaces symlinks, creates new ones.
+                ln -sfn "${target}" "${symlinkPath}"
+                chown -h ${user}:${cfg.group} "${symlinkPath}"
+              '') cfg.container.hostUsers))}
+
          # Seed auth file if provided
          ${lib.optionalString (cfg.authFile != null) ''
            ${if cfg.authFileForceOverwrite then ''