From 3868f6995863a00465c1173d27fd6268bf67e3ab Mon Sep 17 00:00:00 2001
From: Chiron Agent <chiron@m3ta.dev>
Date: Sat, 11 Apr 2026 05:16:10 +0000
Subject: [PATCH] fix(hermes): inject matrix-nio via PYTHONPATH in container

matrix-nio is installed in the container's writable venv layer
(~/.venv) but the hermes process uses the read-only Nix store Python.
This adds PYTHONPATH and LD_LIBRARY_PATH as container-level env vars
so matrix-nio + libolm (e2e encryption) are importable.
---
 hosts/m3-hermes/services/hermes-agent.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hosts/m3-hermes/services/hermes-agent.nix b/hosts/m3-hermes/services/hermes-agent.nix
index d415e2e..28b9fd5 100644
--- a/hosts/m3-hermes/services/hermes-agent.nix
+++ b/hosts/m3-hermes/services/hermes-agent.nix
@@ -5,6 +5,13 @@
 }: let
   # Default ElevenLabs voice: Bella (German-capable female)
   elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
+
+  # Extra Python packages from the container's writable venv layer.
+  # matrix-nio is installed via pip in /home/hermes/.venv but the hermes
+  # process uses the read-only Nix store Python, so we inject the venv's
+  # site-packages via PYTHONPATH and provide libstdc++ for libolm (e2e).
+  venvSitePackages = "/home/hermes/.venv/lib/python3.11/site-packages";
+  gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
 in {
   services.hermes-agent = {
     enable = true;
@@ -26,6 +33,10 @@ in {
       enable = true;
       backend = "podman";
       extraVolumes = ["/home/m3tam3re/p:/projects:rw"];
+      extraOptions = [
+        "--env" "PYTHONPATH=${venvSitePackages}"
+        "--env" "LD_LIBRARY_PATH=${gccLibPath}"
+      ];
     };
 
     settings = {