# Project Workspace + Agent — Docker Compose Setup
#
# Requirements:
# - Docker & Docker Compose
# - At least one LLM provider key in .env (ANTHROPIC_API_KEY,
# OPENAI_API_KEY, OPENROUTER_API_KEY, GOOGLE_API_KEY, …) OR a
# reachable local server (Ollama, LM Studio, etc.)
#
# Quick Start:
# 1. cp .env.example .env
# 2. Add at least one provider key (whichever you use)
# 3. docker compose up
# 4. Open http://localhost:3000
#
# Images:
# This file pulls pre-built images by default — no local build required.
# - nousresearch/hermes-agent:latest (Project Agent, Dockerfile upstream)
# - ghcr.io/outsourc-e/hermes-workspace:latest (this workspace)
#
# To build from source instead (e.g. for development), use:
# docker compose -f docker-compose.yml -f docker-compose.dev.yml up
#
# Persistent data:
# The `hermes-data` named volume mounts at /opt/data inside the agent
# container. Config, sessions, skills, memory, and credentials live there
# and survive container recreation. For host-path mounts see the commented
# `volumes:` block on the hermes-agent service.
#
# Troubleshooting:
# - See README.md "Docker" troubleshooting section
# - Check logs: docker compose logs hermes-agent
# - Agent must expose port 8642
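services:
  # The Hermes AI Agent Gateway
  # Provides the backend API that the workspace connects to
  hermes-agent:
    # NOTE(review): `:latest` is a mutable tag, so every pull can bring in
    # different code that runs with the provider keys below. For a
    # reproducible deployment pin a release tag or an image digest
    # (nousresearch/hermes-agent@sha256:<digest>).
    image: nousresearch/hermes-agent:latest
    env_file:
      - .env
    environment:
      # Pass through whichever provider keys are set in .env. hermes-agent
      # uses the one that matches the provider configured in
      # ~/.hermes/config.yaml (or whatever `hermes setup` picked).
      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
      OPENROUTER_API_KEY: ${OPENROUTER_API_KEY:-}
      GOOGLE_API_KEY: ${GOOGLE_API_KEY:-}
      GROQ_API_KEY: ${GROQ_API_KEY:-}
      MISTRAL_API_KEY: ${MISTRAL_API_KEY:-}
      # Authentication for the gateway when exposing off-loopback.
      # In the default compose setup the gateway is reachable from the
      # workspace container over the docker network on hermes-agent:8642,
      # so an empty key works for localhost-only Docker installs. For any
      # deployment that publishes 8642 on the host or a LAN IP, set a
      # strong API_SERVER_KEY in .env — the workspace passes it through
      # as HERMES_API_TOKEN below. See #122.
      API_SERVER_KEY: ${API_SERVER_KEY:-}
      # Bind only on the docker-internal interface by default. Set
      # API_SERVER_HOST=0.0.0.0 in .env *and* set API_SERVER_KEY if you
      # want to expose the gateway to the LAN / Tailscale. See #122.
      # NOTE(review): inside a container 127.0.0.1 is the container's own
      # loopback. If the image hands this value straight to its listener,
      # neither the workspace container nor the published port can reach
      # the gateway; confirm how hermes-agent interprets it.
      API_SERVER_HOST: ${API_SERVER_HOST:-127.0.0.1}
      API_SERVER_ENABLED: 'true'
    volumes:
      # Persist agent state across container recreation. Swap for a
      # host-path mount (e.g. `./data:/opt/data`) if you want to edit
      # config/skills directly from the host.
      - hermes-data:/opt/data
    healthcheck:
      # Runs inside the agent container, so it is independent of the host
      # port mapping below.
      test: ['CMD-SHELL', 'curl -fsS http://localhost:8642/health || exit 1']
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 15s
    ports:
      # Publish on the host loopback only, like the workspace service. A
      # bare '8642:8642' binds every host interface, which would put the
      # gateway on the LAN while API_SERVER_KEY still defaults to empty.
      # The workspace reaches the agent over the compose network and does
      # not depend on this mapping. To expose the gateway on purpose,
      # change the bind address here and set API_SERVER_KEY in .env.
      - '127.0.0.1:8642:8642'

  # The Project Workspace Web UI
  # Connects to hermes-agent at http://hermes-agent:8642
  hermes-workspace:
    # NOTE(review): mutable `:latest` tag; pin a release tag or digest for
    # reproducible deployments.
    image: ghcr.io/outsourc-e/hermes-workspace:latest
    depends_on:
      hermes-agent:
        condition: service_healthy
    # NOTE(review): env_file injects every variable in .env into this
    # container, provider API keys included. Confirm the workspace needs
    # them; otherwise pass only the variables listed under `environment:`.
    env_file:
      - .env
    environment:
      # Internal Docker network URL (not localhost!)
      HERMES_API_URL: http://hermes-agent:8642
      # Must match API_SERVER_KEY on the hermes-agent side when that is set
      HERMES_API_TOKEN: ${API_SERVER_KEY:-}
      # Workspace session password. REQUIRED when HOST is non-loopback (the
      # default for Docker images, so the container binds 0.0.0.0:3000).
      # Pick a strong secret. See #122.
      # The `:-` default lets compose start with an empty password; use
      # the `${HERMES_PASSWORD:?message}` form if you want compose itself
      # to refuse to start without one.
      HERMES_PASSWORD: ${HERMES_PASSWORD:-}
      # Enable the Secure flag on session cookies when terminated behind
      # HTTPS (reverse proxy / Tailscale Funnel / Cloudflare Tunnel). See #123.
      COOKIE_SECURE: ${COOKIE_SECURE:-}
      # Trust proxy-forwarded headers (x-forwarded-for / x-real-ip) for IP
      # classification. Leave unset unless you deploy behind a trusted proxy
      # that sanitizes these headers — otherwise a client can spoof its IP
      # and bypass local-classification / rate limiting. See #125.
      TRUST_PROXY: ${TRUST_PROXY:-}
    ports:
      # Host loopback only; front with an HTTPS reverse proxy to expose it.
      - '127.0.0.1:3000:3000'

volumes:
  # Holds the agent's config, sessions, skills, memory and credentials;
  # treat backups or host-path copies of it as secret material.
  hermes-data: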