Optimize Hermes Nix service configuration

hosts/m3-hermes/services/hermes-agent.nix

@@ -7,31 +7,6 @@
   # Edge TTS: Seraphina — friendly, multilingual German female voice (free, no API key)
   edgeVoice = "de-DE-SeraphinaMultilingualNeural";
 
-  # Hermes v0.14 moved Matrix from matrix-nio to lazy-installed mautrix.
-  # Lazy pip installs cannot work in the read-only Nix Python environment, so
-  # provide the Matrix runtime deps declaratively and put their site-packages on
-  # the gateway process PYTHONPATH at interpreter startup.
-  matrixPython = pkgs.python312.withPackages (ps: let
-    # Hermes lazy_deps pins this exact version. nixpkgs currently ships an
-    # older aiosqlite, and lazy_deps treats version mismatches as missing.
-    aiosqlite_0_22_1 = ps.aiosqlite.overridePythonAttrs (_old: rec {
-      version = "0.22.1";
-      src = pkgs.fetchFromGitHub {
-        owner = "omnilib";
-        repo = "aiosqlite";
-        tag = "v${version}";
-        hash = "sha256-voOOFo1OwaRQ3JsDHlBrngP+8ajf0kTNKXJyOaJiTs4=";
-      };
-    });
-  in [
-    (ps.mautrix.override {withOlm = true;})
-    ps.markdown
-    aiosqlite_0_22_1
-    ps.asyncpg
-    ps.aiohttp-socks
-  ]);
-  matrixPythonPath = "${matrixPython}/lib/python3.12/site-packages";
-
   # Build skills using agents flake lib for hermes user
   hermesSkills = inputs.agents.lib.mkSkills {
     inherit pkgs;
@@ -54,17 +29,10 @@
 in {
   virtualisation.docker.enable = true;
 
-  # Matrix E2EE uses libolm via python-olm. libolm is archived upstream and
-  # marked insecure in nixpkgs, but Hermes Matrix encrypted rooms currently
-  # still require it through mautrix[encryption].
-  nixpkgs.config.permittedInsecurePackages = [
-    "olm-3.2.16"
-  ];
-
   systemd.tmpfiles.rules = [
-    "d /home/hermes/.config 0755 hermes hermes -"
-    "d /home/hermes/.config/tea 0755 hermes hermes -"
-    "L+ /home/hermes/.config/tea/yml - - - - ${pkgs.writeText "tea-yml" ''
+    "d /var/lib/hermes/.config 0755 hermes hermes -"
+    "d /var/lib/hermes/.config/tea 0755 hermes hermes -"
+    "L+ /var/lib/hermes/.config/tea/yml - - - - ${pkgs.writeText "tea-yml" ''
       logins:
         - name: m3ta
           url: https://code.m3ta.dev
@@ -88,24 +56,29 @@ in {
     '';
   };
 
-  # Ensure 'uv' is in the hermes-agent service PATH so CronJobs and terminal
-  # sessions can use 'uv run' for PEP 723 scripts (e.g. garmin-daily.py).
-  systemd.services.hermes-agent = {
-    path = [pkgs.uv];
-    environment = {
-      PYTHONPATH = matrixPythonPath;
-    };
-  };
-
   services.hermes-agent = {
     enable = true;
     addToSystemPackages = true;
+    # v0.14 lazy-installs heavy optional backends by default. In the sealed
+    # Nix package, include the backends this host config actively uses so the
+    # gateway, Matrix bridge, memory, web search, and TTS work
+    # without runtime pip/uv mutation.
+    extraDependencyGroups = [
+      "matrix"
+      "honcho"
+      "exa"
+      "edge-tts"
+    ];
 
     extraPackages = with pkgs; [
       docker
       git
+      curl
+      jq
       tea
       nix
+      python3Minimal
+      uv
       zellij
     ];
 
@@ -134,7 +107,7 @@ in {
       # Bind to 0.0.0.0 so the Netbird interface can reach it.
       API_SERVER_ENABLED = "true";
       API_SERVER_HOST = "0.0.0.0";
-      API_SERVER_PORT = "8642";
+      API_SERVER_PORT = toString (config.m3ta.ports.get "hermes-api");
     };
 
     # ── Container mode (podman) ──────────────────────────────────────────