Fix Hermes Matrix deps for v2026.5.16

hosts/m3-hermes/services/hermes-agent.nix

@@ -7,13 +7,30 @@
   # Edge TTS: Seraphina — friendly, multilingual German female voice (free, no API key)
   edgeVoice = "de-DE-SeraphinaMultilingualNeural";
 
-  # Extra Python packages from the container's writable venv layer.
-  # matrix-nio is installed via pip in /home/hermes/.venv but the hermes
-  # process uses the read-only Nix store Python, so we inject the venv's
-  # site-packages via PYTHONPATH and provide libstdc++ for libolm (e2e).
-  # NOTE: v0.13.0 upgraded to Python 3.12 — path updated accordingly.
-  venvSitePackages = "/home/hermes/.venv/lib/python3.12/site-packages";
-  gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
+  # Hermes v0.14 moved Matrix from matrix-nio to lazy-installed mautrix.
+  # Lazy pip installs cannot work in the read-only Nix Python environment, so
+  # provide the Matrix runtime deps declaratively and put their site-packages on
+  # the gateway process PYTHONPATH at interpreter startup.
+  matrixPython = pkgs.python312.withPackages (ps: let
+    # Hermes lazy_deps pins this exact version. nixpkgs currently ships an
+    # older aiosqlite, and lazy_deps treats version mismatches as missing.
+    aiosqlite_0_22_1 = ps.aiosqlite.overridePythonAttrs (_old: rec {
+      version = "0.22.1";
+      src = pkgs.fetchFromGitHub {
+        owner = "omnilib";
+        repo = "aiosqlite";
+        tag = "v${version}";
+        hash = "sha256-voOOFo1OwaRQ3JsDHlBrngP+8ajf0kTNKXJyOaJiTs4=";
+      };
+    });
+  in [
+    (ps.mautrix.override {withOlm = true;})
+    ps.markdown
+    aiosqlite_0_22_1
+    ps.asyncpg
+    ps.aiohttp-socks
+  ]);
+  matrixPythonPath = "${matrixPython}/lib/python3.12/site-packages";
 
   # Build skills using agents flake lib for hermes user
   hermesSkills = inputs.agents.lib.mkSkills {
@@ -37,6 +54,13 @@
 in {
   virtualisation.docker.enable = true;
 
+  # Matrix E2EE uses libolm via python-olm. libolm is archived upstream and
+  # marked insecure in nixpkgs, but Hermes Matrix encrypted rooms currently
+  # still require it through mautrix[encryption].
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
+
   systemd.tmpfiles.rules = [
     "d /home/hermes/.config 0755 hermes hermes -"
     "d /home/hermes/.config/tea 0755 hermes hermes -"
@@ -66,7 +90,12 @@ in {
 
   # Ensure 'uv' is in the hermes-agent service PATH so CronJobs and terminal
   # sessions can use 'uv run' for PEP 723 scripts (e.g. garmin-daily.py).
-  systemd.services.hermes-agent.path = [pkgs.uv];
+  systemd.services.hermes-agent = {
+    path = [pkgs.uv];
+    environment = {
+      PYTHONPATH = matrixPythonPath;
+    };
+  };
 
   services.hermes-agent = {
     enable = true;
@@ -113,12 +142,7 @@ in {
       enable = false;
       backend = "podman";
       extraVolumes = ["/home/m3tam3re/p:/projects:rw"];
-      extraOptions = [
-        "--env"
-        "PYTHONPATH=${venvSitePackages}"
-        "--env"
-        "LD_LIBRARY_PATH=${gccLibPath}"
-      ];
+      extraOptions = [];
     };
 
     settings = {