hosts/m3-hermes/services/hermes-agent.nix

{
  config,
  pkgs,
  ...
}: let
  # Default ElevenLabs voice: Bella (German-capable female)
  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";

  # Extra Python packages from the container's writable venv layer.
  # matrix-nio is installed via pip in /home/hermes/.venv but the hermes
  # process uses the read-only Nix store Python, so we inject the venv's
  # site-packages via PYTHONPATH and provide libstdc++ for libolm (e2e).
  venvSitePackages = "/home/hermes/.venv/lib/python3.11/site-packages";
  gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
in {
  virtualisation.docker.enable = true;

  systemd.tmpfiles.rules = [
    "d /home/hermes/.config 0755 hermes hermes -"
    "d /home/hermes/.config/tea 0755 hermes hermes -"
    "L+ /home/hermes/.config/tea/yml - - - - ${pkgs.writeText "tea-yml" ''
      logins:
        - name: m3ta
          url: https://code.m3ta.dev
          token:
          ssh_host: code.m3ta.dev
          user: m3ta-chiron
          default: true
    ''}"
    "f /home/hermes/.gitconfig 0644 hermes hermes - ${pkgs.writeText "gitconfig" ''
      [user]
        name = m3ta-chiron
        email = m3ta-chiron@agentmail.to
      [init]
        defaultBranch = main
    ''}"
  ];

  services.hermes-agent = {
    enable = true;
    addToSystemPackages = true;

    extraPackages = with pkgs; [docker git tea];

    # Secrets via agenix
    environmentFiles = [
      config.age.secrets."hermes-env".path
      config.age.secrets."hermes-cloud-env".path
    ];

    # Non-secret environment variables
    environment = {
      GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
      GIT_AUTHOR_NAME = "m3ta-chiron";
      GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to";
      GIT_COMMITTER_NAME = "m3ta-chiron";
      GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to";
    };

    # ── Container mode (podman) ──────────────────────────────────────────
    container = {
      enable = false;
      backend = "podman";
      extraVolumes = ["/home/m3tam3re/p:/projects:rw"];
      extraOptions = [
        "--env"
        "PYTHONPATH=${venvSitePackages}"
        "--env"
        "LD_LIBRARY_PATH=${gccLibPath}"
      ];
    };

    settings = {
      # ── Model ──────────────────────────────────────────────────────────
      model = {
        default = "glm-5.1";
        provider = "zai";
      };

      credential_pool_strategies = {
        zai = "fill_first";
      };

      toolsets = ["all"];

      # ── Agent ──────────────────────────────────────────────────────────
      agent = {
        max_turns = 90;
        gateway_timeout = 1800;
        tool_use_enforcement = "auto";
      };

      # ── Terminal ───────────────────────────────────────────────────────
      terminal = {
        backend = "local";
        modal_mode = "auto";
        cwd = ".";
        timeout = 180;
        persistent_shell = true;
      };

      # ── Browser ────────────────────────────────────────────────────────
      browser = {
        inactivity_timeout = 120;
        command_timeout = 30;
        cloud_provider = "local";
      };

      # ── Checkpoints / Compression ──────────────────────────────────────
      checkpoints = {
        enabled = true;
        max_snapshots = 50;
      };

      file_read_max_chars = 100000;

      compression = {
        enabled = true;
        threshold = 0.5;
        target_ratio = 0.2;
        protect_last_n = 20;
      };

      # ── Display ────────────────────────────────────────────────────────
      display = {
        compact = false;
        personality = "kawaii";
        resume_display = "full";
        busy_input_mode = "interrupt";
        inline_diffs = true;
        skin = "default";
        tool_progress = "all";
      };

      # ── TTS / STT / Voice ──────────────────────────────────────────────
      tts = {
        provider = "elevenlabs";
        elevenlabs = {
          voice_id = elevenlabsVoiceId;
          model_id = "eleven_multilingual_v2";
        };
      };

      stt = {
        enabled = true;
        provider = "local";
        local = {model = "base";};
      };

      voice = {
        record_key = "ctrl+b";
        max_recording_seconds = 120;
        silence_threshold = 200;
        silence_duration = 3.0;
      };

      # ── Memory ─────────────────────────────────────────────────────────
      memory = {
        provider = "honcho";
        memory_enabled = true;
        user_profile_enabled = true;
        memory_char_limit = 2200;
        user_char_limit = 1375;
      };

      # ── Delegation ─────────────────────────────────────────────────────
      delegation = {
        max_iterations = 50;
      };

      # ── Matrix ────────────────────────────────────────────────────────
      matrix = {
        homeserver = "https://matrix.m3ta.dev";
        user_id = "@chiron:m3ta.dev";
        allowed_users = ["@m3tam3re:m3ta.dev"];
        encryption = true;
      };

      # ── Approvals / Security ───────────────────────────────────────────
      approvals = {
        mode = "manual";
        timeout = 60;
      };

      security = {
        redact_secrets = true;
        tirith_enabled = true;
        tirith_fail_open = true;
      };

      # ── Cron / Session ─────────────────────────────────────────────────
      cron = {wrap_response = true;};

      session_reset = {
        mode = "both";
        idle_minutes = 1440;
        at_hour = 4;
      };

      # ── Web ────────────────────────────────────────────────────────────
      web = {backend = "exa";};
    };
  };

  users.users.hermes = {
    isNormalUser = false;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAVF7jGP1S6vc5CxeBFD/UxiImHOgbPlKg8WYyNtOA3"
    ];
  };
}
flake update + hermes workaround for upstream bug 2026-04-08 17:48:27 +02:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}: let`
+m3-hermes 2026-04-07 06:19:05 +02:00			`# Default ElevenLabs voice: Bella (German-capable female)`
			`elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";`
fix(hermes): inject matrix-nio via PYTHONPATH in container matrix-nio is installed in the container's writable venv layer (~/.venv) but the hermes process uses the read-only Nix store Python. This adds PYTHONPATH and LD_LIBRARY_PATH as container-level env vars so matrix-nio + libolm (e2e encryption) are importable. 2026-04-11 05:16:10 +00:00
			`# Extra Python packages from the container's writable venv layer.`
			`# matrix-nio is installed via pip in /home/hermes/.venv but the hermes`
			`# process uses the read-only Nix store Python, so we inject the venv's`
			`# site-packages via PYTHONPATH and provide libstdc++ for libolm (e2e).`
			`venvSitePackages = "/home/hermes/.venv/lib/python3.11/site-packages";`
			`gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";`
+m3-hermes 2026-04-07 06:19:05 +02:00			`in {`
fix: code review fixes - Fix hardcoded user path in webapps.nix (use homeDirectory) - Normalize wallpapers option to use .enable suffix - Remove duplicate FZF keybind declaration - Update comments to match actual implementation 2026-04-26 10:48:52 +02:00			`virtualisation.docker.enable = true;`

			`systemd.tmpfiles.rules = [`
			`"d /home/hermes/.config 0755 hermes hermes -"`
			`"d /home/hermes/.config/tea 0755 hermes hermes -"`
			`"L+ /home/hermes/.config/tea/yml - - - - ${pkgs.writeText "tea-yml" ''`
			`logins:`
			`- name: m3ta`
			`url: https://code.m3ta.dev`
			`token:`
			`ssh_host: code.m3ta.dev`
			`user: m3ta-chiron`
			`default: true`
			`''}"`
			`"f /home/hermes/.gitconfig 0644 hermes hermes - ${pkgs.writeText "gitconfig" ''`
			`[user]`
			`name = m3ta-chiron`
			`email = m3ta-chiron@agentmail.to`
			`[init]`
			`defaultBranch = main`
			`''}"`
			`];`

+m3-hermes 2026-04-07 06:19:05 +02:00			`services.hermes-agent = {`
			`enable = true;`
			`addToSystemPackages = true;`

fix: code review fixes - Fix hardcoded user path in webapps.nix (use homeDirectory) - Normalize wallpapers option to use .enable suffix - Remove duplicate FZF keybind declaration - Update comments to match actual implementation 2026-04-26 10:48:52 +02:00			`extraPackages = with pkgs; [docker git tea];`

+m3-hermes 2026-04-07 06:19:05 +02:00			`# Secrets via agenix`
flake update + hermes workaround for upstream bug 2026-04-08 17:48:27 +02:00			`environmentFiles = [`
			`config.age.secrets."hermes-env".path`
			`config.age.secrets."hermes-cloud-env".path`
			`];`
+m3-hermes 2026-04-07 06:19:05 +02:00
			`# Non-secret environment variables`
			`environment = {`
flake update + hermes workaround for upstream bug 2026-04-08 17:48:27 +02:00			`GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";`
fix: code review fixes - Fix hardcoded user path in webapps.nix (use homeDirectory) - Normalize wallpapers option to use .enable suffix - Remove duplicate FZF keybind declaration - Update comments to match actual implementation 2026-04-26 10:48:52 +02:00			`GIT_AUTHOR_NAME = "m3ta-chiron";`
			`GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to";`
			`GIT_COMMITTER_NAME = "m3ta-chiron";`
			`GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to";`
+m3-hermes 2026-04-07 06:19:05 +02:00			`};`

			`# ── Container mode (podman) ──────────────────────────────────────────`
			`container = {`
fix: code review fixes - Fix hardcoded user path in webapps.nix (use homeDirectory) - Normalize wallpapers option to use .enable suffix - Remove duplicate FZF keybind declaration - Update comments to match actual implementation 2026-04-26 10:48:52 +02:00			`enable = false;`
+m3-hermes 2026-04-07 06:19:05 +02:00			`backend = "podman";`
flake update + hermes workaround for upstream bug 2026-04-08 17:48:27 +02:00			`extraVolumes = ["/home/m3tam3re/p:/projects:rw"];`
fix(hermes): inject matrix-nio via PYTHONPATH in container matrix-nio is installed in the container's writable venv layer (~/.venv) but the hermes process uses the read-only Nix store Python. This adds PYTHONPATH and LD_LIBRARY_PATH as container-level env vars so matrix-nio + libolm (e2e encryption) are importable. 2026-04-11 05:16:10 +00:00			`extraOptions = [`
chore: hermes update 2026-04-21 19:00:49 +02:00			`"--env"`
			`"PYTHONPATH=${venvSitePackages}"`
			`"--env"`
			`"LD_LIBRARY_PATH=${gccLibPath}"`
fix(hermes): inject matrix-nio via PYTHONPATH in container matrix-nio is installed in the container's writable venv layer (~/.venv) but the hermes process uses the read-only Nix store Python. This adds PYTHONPATH and LD_LIBRARY_PATH as container-level env vars so matrix-nio + libolm (e2e encryption) are importable. 2026-04-11 05:16:10 +00:00			`];`
+m3-hermes 2026-04-07 06:19:05 +02:00			`};`

			`settings = {`
			`# ── Model ──────────────────────────────────────────────────────────`
			`model = {`
			`default = "glm-5.1";`
			`provider = "zai";`
			`};`

			`credential_pool_strategies = {`
			`zai = "fill_first";`
			`};`

			`toolsets = ["all"];`

			`# ── Agent ──────────────────────────────────────────────────────────`
			`agent = {`
			`max_turns = 90;`
			`gateway_timeout = 1800;`
			`tool_use_enforcement = "auto";`
			`};`

			`# ── Terminal ───────────────────────────────────────────────────────`
			`terminal = {`
fix: code review fixes - Fix hardcoded user path in webapps.nix (use homeDirectory) - Normalize wallpapers option to use .enable suffix - Remove duplicate FZF keybind declaration - Update comments to match actual implementation 2026-04-26 10:48:52 +02:00			`backend = "local";`
+m3-hermes 2026-04-07 06:19:05 +02:00			`modal_mode = "auto";`
			`cwd = ".";`
			`timeout = 180;`
			`persistent_shell = true;`
			`};`

			`# ── Browser ────────────────────────────────────────────────────────`
			`browser = {`
			`inactivity_timeout = 120;`
			`command_timeout = 30;`
			`cloud_provider = "local";`
			`};`

			`# ── Checkpoints / Compression ──────────────────────────────────────`
			`checkpoints = {`
			`enabled = true;`
			`max_snapshots = 50;`
			`};`

			`file_read_max_chars = 100000;`

			`compression = {`
			`enabled = true;`
			`threshold = 0.5;`
			`target_ratio = 0.2;`
			`protect_last_n = 20;`
			`};`

			`# ── Display ────────────────────────────────────────────────────────`
			`display = {`
			`compact = false;`
			`personality = "kawaii";`
			`resume_display = "full";`
			`busy_input_mode = "interrupt";`
			`inline_diffs = true;`
			`skin = "default";`
			`tool_progress = "all";`
			`};`

			`# ── TTS / STT / Voice ──────────────────────────────────────────────`
			`tts = {`
			`provider = "elevenlabs";`
			`elevenlabs = {`
			`voice_id = elevenlabsVoiceId;`
			`model_id = "eleven_multilingual_v2";`
			`};`
			`};`

			`stt = {`
			`enabled = true;`
			`provider = "local";`
			`local = {model = "base";};`
			`};`

			`voice = {`
			`record_key = "ctrl+b";`
			`max_recording_seconds = 120;`
			`silence_threshold = 200;`
			`silence_duration = 3.0;`
			`};`

			`# ── Memory ─────────────────────────────────────────────────────────`
			`memory = {`
fix: code review fixes - Fix hardcoded user path in webapps.nix (use homeDirectory) - Normalize wallpapers option to use .enable suffix - Remove duplicate FZF keybind declaration - Update comments to match actual implementation 2026-04-26 10:48:52 +02:00			`provider = "honcho";`
+m3-hermes 2026-04-07 06:19:05 +02:00			`memory_enabled = true;`
			`user_profile_enabled = true;`
			`memory_char_limit = 2200;`
			`user_char_limit = 1375;`
			`};`

			`# ── Delegation ─────────────────────────────────────────────────────`
			`delegation = {`
			`max_iterations = 50;`
			`};`

feat: config with agents rework 2026-04-13 16:44:18 +02:00			`# ── Matrix ────────────────────────────────────────────────────────`
			`matrix = {`
			`homeserver = "https://matrix.m3ta.dev";`
			`user_id = "@chiron:m3ta.dev";`
			`allowed_users = ["@m3tam3re:m3ta.dev"];`
			`encryption = true;`
+m3-hermes 2026-04-07 06:19:05 +02:00			`};`

			`# ── Approvals / Security ───────────────────────────────────────────`
			`approvals = {`
			`mode = "manual";`
			`timeout = 60;`
			`};`

			`security = {`
			`redact_secrets = true;`
			`tirith_enabled = true;`
			`tirith_fail_open = true;`
			`};`

			`# ── Cron / Session ─────────────────────────────────────────────────`
			`cron = {wrap_response = true;};`

			`session_reset = {`
			`mode = "both";`
			`idle_minutes = 1440;`
			`at_hour = 4;`
			`};`

			`# ── Web ────────────────────────────────────────────────────────────`
			`web = {backend = "exa";};`
			`};`
			`};`
flake update + hermes workaround for upstream bug 2026-04-08 17:48:27 +02:00
			`users.users.hermes = {`
			`isNormalUser = false;`
			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAVF7jGP1S6vc5CxeBFD/UxiImHOgbPlKg8WYyNtOA3"`
			`];`
			`};`
+m3-hermes 2026-04-07 06:19:05 +02:00			`}`