flake update + hermes workaround for upstream bug

2026-04-08 17:48:27 +02:00
parent 6853bb3063
commit 6a58b3656a
46 changed files with 703 additions and 601 deletions
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -78,4 +78,11 @@
    nixPath = ["/etc/nix/path"];
  };
  users.defaultUserShell = pkgs.nushell;
+
+  # Compatibility shim: the hermes-agent nixos module references the legacy
+  # agenix activation script name "setupSecrets" (renamed to "agenixInstall"
+  # in current agenix). This empty passthrough satisfies the dependency so
+  # any host importing hermes-agent.nixosModules.default can build.
+  # Remove once upstream fixes: github:NousResearch/hermes-agent nix/nixosModules.nix:564
+  system.activationScripts.setupSecrets = lib.stringAfter [ "agenixInstall" ] "";
 }
--- a/hosts/m3-hermes/secrets.nix
+++ b/hosts/m3-hermes/secrets.nix
@@ -4,9 +4,8 @@
      hermes-env = {
        file = ../../secrets/hermes-env.age;
      };
-      m3tam3re-secrets = {
-        file = ../../secrets/m3tam3re-secrets.age;
-        owner = "m3tam3re";
+      hermes-cloud-env = {
+        file = ../../secrets/hermes-cloud-env.age;
      };
    };
  };
--- a/hosts/m3-hermes/services/hermes-agent.nix
+++ b/hosts/m3-hermes/services/hermes-agent.nix
@@ -1,4 +1,8 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
  # Default ElevenLabs voice: Bella (German-capable female)
  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
 in {
@@ -7,17 +11,21 @@ in {
    addToSystemPackages = true;

    # Secrets via agenix
-    environmentFiles = [config.age.secrets."hermes-env".path];
+    environmentFiles = [
+      config.age.secrets."hermes-env".path
+      config.age.secrets."hermes-cloud-env".path
+    ];

    # Non-secret environment variables
    environment = {
-      #
+      GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
    };

    # ── Container mode (podman) ──────────────────────────────────────────
    container = {
      enable = true;
      backend = "podman";
+      extraVolumes = ["/home/m3tam3re/p:/projects:rw"];
    };

    settings = {
@@ -25,7 +33,6 @@ in {
      model = {
        default = "glm-5.1";
        provider = "zai";
-        base_url = "https://api.z.ai/api/coding/paas/v4/";
      };

      credential_pool_strategies = {
@@ -188,4 +195,11 @@ in {
      };
    };
  };
+
+  users.users.hermes = {
+    isNormalUser = false;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAVF7jGP1S6vc5CxeBFD/UxiImHOgbPlKg8WYyNtOA3"
+    ];
+  };
 }
--- a/hosts/m3-kratos/services/default.nix
+++ b/hosts/m3-kratos/services/default.nix
@@ -1,6 +1,7 @@
 {pkgs, ...}: {
  imports = [
    ./containers
+    ./hermes-agent.nix
    ./mem0.nix
    ./n8n.nix
    ./netbird.nix
--- a/hosts/m3-kratos/services/hermes-agent.nix
+++ b/hosts/m3-kratos/services/hermes-agent.nix
@@ -0,0 +1,184 @@
+{config, ...}: let
+  # Default ElevenLabs voice: Bella (German-capable female)
+  elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
+in {
+  services.hermes-agent = {
+    enable = true;
+    addToSystemPackages = true;
+
+    # Secrets via agenix
+    environmentFiles = [config.age.secrets."hermes-env".path];
+
+    # Non-secret environment variables
+    environment = {
+      GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
+    };
+
+    settings = {
+      # ── Model ──────────────────────────────────────────────────────────
+      model = {
+        default = "glm-5.1";
+        provider = "zai";
+      };
+
+      credential_pool_strategies = {
+        zai = "fill_first";
+      };
+
+      toolsets = ["all"];
+
+      # ── Agent ──────────────────────────────────────────────────────────
+      agent = {
+        max_turns = 90;
+        gateway_timeout = 1800;
+        tool_use_enforcement = "auto";
+      };
+
+      # ── Terminal ───────────────────────────────────────────────────────
+      terminal = {
+        backend = "ssh";
+        modal_mode = "auto";
+        cwd = ".";
+        timeout = 180;
+        persistent_shell = true;
+      };
+
+      # ── Browser ────────────────────────────────────────────────────────
+      browser = {
+        inactivity_timeout = 120;
+        command_timeout = 30;
+        cloud_provider = "local";
+      };
+
+      # ── Checkpoints / Compression ──────────────────────────────────────
+      checkpoints = {
+        enabled = true;
+        max_snapshots = 50;
+      };
+
+      file_read_max_chars = 100000;
+
+      compression = {
+        enabled = true;
+        threshold = 0.5;
+        target_ratio = 0.2;
+        protect_last_n = 20;
+      };
+
+      # ── Display ────────────────────────────────────────────────────────
+      display = {
+        compact = false;
+        personality = "kawaii";
+        resume_display = "full";
+        busy_input_mode = "interrupt";
+        inline_diffs = true;
+        skin = "default";
+        tool_progress = "all";
+      };
+
+      # ── TTS / STT / Voice ──────────────────────────────────────────────
+      tts = {
+        provider = "elevenlabs";
+        elevenlabs = {
+          voice_id = elevenlabsVoiceId;
+          model_id = "eleven_multilingual_v2";
+        };
+      };
+
+      stt = {
+        enabled = true;
+        provider = "local";
+        local = {model = "base";};
+      };
+
+      voice = {
+        record_key = "ctrl+b";
+        max_recording_seconds = 120;
+        silence_threshold = 200;
+        silence_duration = 3.0;
+      };
+
+      # ── Memory ─────────────────────────────────────────────────────────
+      memory = {
+        memory_enabled = true;
+        user_profile_enabled = true;
+        memory_char_limit = 2200;
+        user_char_limit = 1375;
+      };
+
+      # ── Delegation ─────────────────────────────────────────────────────
+      delegation = {
+        max_iterations = 50;
+      };
+
+      # ── Discord ────────────────────────────────────────────────────────
+      discord = {
+        require_mention = true;
+        auto_thread = true;
+        reactions = true;
+      };
+
+      # ── Approvals / Security ───────────────────────────────────────────
+      approvals = {
+        mode = "manual";
+        timeout = 60;
+      };
+
+      security = {
+        redact_secrets = true;
+        tirith_enabled = true;
+        tirith_fail_open = true;
+      };
+
+      # ── Cron / Session ─────────────────────────────────────────────────
+      cron = {wrap_response = true;};
+
+      session_reset = {
+        mode = "both";
+        idle_minutes = 1440;
+        at_hour = 4;
+      };
+
+      # ── Web ────────────────────────────────────────────────────────────
+      web = {backend = "exa";};
+
+      # ── Platform Toolsets ──────────────────────────────────────────────
+      platform_toolsets = {
+        cli = [
+          "browser"
+          "clarify"
+          "code_execution"
+          "cronjob"
+          "delegation"
+          "file"
+          "image_gen"
+          "memory"
+          "session_search"
+          "skills"
+          "terminal"
+          "todo"
+          "tts"
+          "vision"
+          "web"
+        ];
+        telegram = [
+          "browser"
+          "clarify"
+          "code_execution"
+          "cronjob"
+          "delegation"
+          "file"
+          "image_gen"
+          "memory"
+          "session_search"
+          "skills"
+          "terminal"
+          "todo"
+          "tts"
+          "vision"
+          "web"
+        ];
+      };
+    };
+  };
+}