@@ -23,6 +23,31 @@
|
||||
ip = "192.168.83.90";
|
||||
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0SNSy/MdW38NqKzLr1SG8WKrs8XkrqibacaJtJPzgW";
|
||||
};
|
||||
workspaces.hermes = {
|
||||
type = "incus";
|
||||
autoStart = true;
|
||||
config = ./workspaces/hermes.nix;
|
||||
ip = "192.168.83.91";
|
||||
extraMounts = {
|
||||
hermes-state = {
|
||||
hostPath = "/home/googlebot/sandboxed/hermes/hermes-state";
|
||||
containerPath = "/var/lib/hermes";
|
||||
};
|
||||
hermes-env = {
|
||||
hostPath = "/run/agenix/hermes-env";
|
||||
containerPath = "/etc/hermes-env";
|
||||
createHostPath = false; # managed by agenix
|
||||
shift = false; # /run is tmpfs; idmapping not supported
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# Bind-mounted into the hermes workspace with shift=false (tmpfs can't be
|
||||
# idmapped). Mode 0444 lets systemd inside the container read it via the
|
||||
# "other" bits — the file shows up as nobody:nogroup over an un-shifted mount.
|
||||
age.secrets.hermes-env = {
|
||||
file = ../../secrets/hermes-env.age;
|
||||
mode = "0444";
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
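Review bot: `mode = "0444"` on `age.secrets.hermes-env` makes the decrypted secret readable by every local account on the host, not only by the hermes workspace, and the comment above it documents the un-shifted-mount reason but not that wider exposure. Two narrower options keep the mode at 0400: set `owner` to the host-side UID that the container's `googlebot` maps to under the workspace's idmap (deployment-specific, e.g. `owner = "<MAPPED_UID>";` as a placeholder), or use agenix's `path` to decrypt onto a non-tmpfs directory so the mount can use `shift = true` and the tmpfs caveat in the comment no longer applies. If 0444 is kept deliberately, extend the comment so the trade-off is explicit, e.g. `# NOTE: 0444 also makes this readable by every local user on the host, not just the workspace.` The `workspaces` attribute set this hunk edits opens before line 23, outside the hunk.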
@@ -0,0 +1,41 @@
|
||||
{ pkgs, hostConfig, ... }:
|
||||
|
||||
{
|
||||
imports = [ hostConfig.inputs.hermes-agent.nixosModules.default ];
|
||||
|
||||
services.hermes-agent = {
|
||||
enable = true;
|
||||
addToSystemPackages = true;
|
||||
container.enable = false;
|
||||
|
||||
# Run the daemon as the same user that owns workspace files so the agent
|
||||
# can read/write the project tree without permission gymnastics.
|
||||
user = "googlebot";
|
||||
group = "users";
|
||||
createUser = false;
|
||||
|
||||
extraPackages = with pkgs; [ nix git ripgrep fd jq ];
|
||||
|
||||
# Bind-mounted from /run/agenix/hermes-env on fry (host decrypts via agenix).
|
||||
# Lives at /etc/... rather than /run/... because the workspace's systemd
|
||||
# mounts a fresh tmpfs over /run at boot, which would shadow the incus mount.
|
||||
# Codex OAuth is NOT here — it lives per-instance in /var/lib/hermes.
|
||||
environmentFiles = [ "/etc/hermes-env" ];
|
||||
|
||||
settings = {
|
||||
model = {
|
||||
provider = "openai-codex";
|
||||
default = "gpt-5.5";
|
||||
};
|
||||
toolsets = [ "all" ];
|
||||
terminal.backend = "local";
|
||||
};
|
||||
};
|
||||
|
||||
# Daemon sets HERMES_HOME to stateDir/.hermes via the systemd unit. Setting
|
||||
# it system-wide here makes interactive `hermes` (now running as googlebot)
|
||||
# pick up the same auth.json that the daemon wrote.
|
||||
environment.variables.HERMES_HOME = "/var/lib/hermes/.hermes";
|
||||
|
||||
environment.systemPackages = [ pkgs.codex ];
|
||||
}
|
||||
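Review bot: The comment above `user = "googlebot";` explains the file-permission motivation but not the trust boundary that `toolsets = [ "all" ]`, `terminal.backend = "local"` and `container.enable = false` together create: the incus workspace is the only isolation, and every command the agent executes runs as `googlebot` with read access to `/etc/hermes-env` (mounted from a 0444 host secret) and to the OAuth `auth.json` under `/var/lib/hermes/.hermes` that the later comment mentions. Suggested addition to that comment: `# Trust boundary: the incus workspace. With toolsets "all" and a local terminal,` / `# anything the agent runs can read /etc/hermes-env and /var/lib/hermes/.hermes/auth.json.` Setting `environment.variables.HERMES_HOME` system-wide also points every account in the workspace at that state directory; the directory's own permissions are then what gate access, which is worth stating next to the `HERMES_HOME` comment.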