Tuesday, May 19, 2026

Hermes

 compose.yaml

services:
  hermes:
#    image: nousresearch/hermes-agent:latest
    build: .
    container_name: hermes
    restart: unless-stopped
    command: gateway run
    ports:
      - "8642:8642"   # OpenAI-compatible API server + health endpoint
      - "9119:9119"   # Web dashboard 
    volumes:
      # [Synology Host Path] : [Hermes Container Path]
      - /volume1/docker/hermes/data:/opt/data
      - /volume1/docker/openclaw/workspace:/mnt/clawbert/workspace:ro
      - /volume1/docker/openclaw/config:/mnt/clawbert/config:ro
    environment:
      # --- Directing Hermes to the Mac Studio ---
      - TZ=America/Chicago
      - OPENAI_API_KEY=XXXXX
      - OPENAI_BASE_URL=XXXXX
      - HOME=/opt/data

      # --- API server ---
      - API_SERVER_ENABLED=true
      - API_SERVER_HOST=0.0.0.0
      - API_SERVER_KEY=your-secret-key-here # Make sure you set this!
      - API_SERVER_CORS_ORIGINS='*'
      
      # --- Dashboard ---
      - HERMES_DASHBOARD=1
    deploy:
      resources:
        limits:
          memory: 8G
    security_opt:
      - no-new-privileges:true # Prevents the AI from escalating to root via setuid binaries
    cap_drop:
      - ALL # Strips all Linux kernel capabilities (prevents it from messing with network routing or mounting drives)
    user: "1000:1000" # Forces the container to run as a non-root user (assuming 1000 is your Synology user ID)

Dockerfile

FROM nousresearch/hermes-agent:latest

# 1. Escalate to root
USER root

# 2. Install System Tools & Browser Libs
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    jq \
    git \
    unzip \
    poppler-utils \
    ffmpeg \
    libnss3 \
    libatk1.0-0 \
    libcups2 \
    libdrm2 \
    libxkbcommon0 \
    libxcomposite1 \
    libxdamage1 \
    libxfixes3 \
    libxrandr2 \
    libgbm1 \
    libasound2 \
    && rm -rf /var/lib/apt/lists/*

# 3. Install GitHub CLI (gh)
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update && apt-get install -y gh

# 4. Install uv (Fast Python Package Manager)
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
ENV PATH="/root/.cargo/bin:${PATH}"

# 5. Use uv to install the "Heavy Hitters"
# These are the libs that make me actually useful for research and media
RUN uv pip install -p /opt/hermes/.venv/bin/python \
    google-api-python-client \
    google-auth-httplib2 \
    google-auth-oauthlib \
    chromadb \
    duckdb \
    polars \
    playwright \
    faster-whisper \
    yt-dlp \
    beautifulsoup4 \
    requests \
    python-telegram-bot

# Install Chromium browser and its system dependencies via the venv python
RUN /opt/hermes/.venv/bin/python -m playwright install --with-deps chromium
#RUN playwright install chromium
#RUN playwright install-deps chromium

# 6. Drop to restricted user
USER 1000


Posted by at No comments:

Monday, April 06, 2026

Clawbert

This is my scratch pad for setting up and managing openclaw on my synology NAS using docker.


compose.yaml

services:
  openclaw-gateway:
#   image: ghcr.io/openclaw/openclaw:latest
    build: .
    container_name: openclaw-gateway
    hostname: clawbert-brain
    mac_address: 02:42:ac:12:34:56
    user: "1000:1000"
    environment:
      - TZ=America/Chicago
      - HOME=/home/node
      - OPENCLAW__GATEWAY__MODE=local
      - OPENCLAW_BROWSER_WS_ENDPOINT=ws://browserless:3000/?token=XXXX
      - HA_URL=http://10.0.0.114:8123
      - HA_TOKEN=XXXX
      - OPENCLAW_MAX_ITERATIONS=30
      - OPENCLAW_TOKEN=XXXX
    volumes:
      - /volume1/docker/openclaw/config:/home/node/.openclaw
      - /volume1/docker/openclaw/workspace:/home/node/.openclaw/workspace
      - /volume1/docker/openclaw/gog:/usr/local/bin/gog:ro
      - ./clawbert_config/machine-id:/etc/machine-id:ro
      - ./clawbert_config:/home/node/.config
      - ./gogcli_config:/home/node/.config/gogcli
    ports:
      - "18789:18789"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    networks:
      - openclaw-net
    command: ["node", "dist/index.js", "gateway", "--bind", "lan", "--allow-unconfigured"]
    restart: unless-stopped
    depends_on:
      - browserless

  openclaw-cli:
    image: ghcr.io/openclaw/openclaw:latest
    container_name: openclaw-cli
    user: "1000:1000"
    restart: "no"
    entrypoint: ["node", "dist/index.js"]
    volumes:
      - /volume1/docker/openclaw/config:/home/node/.openclaw
      - /volume1/docker/openclaw/workspace:/home/node/.openclaw/workspace

  browserless:
    image: ghcr.io/browserless/chromium:latest
    container_name: openclaw-browser
    restart: unless-stopped
    ports:
      - "3000:3000"
    environment:
      # Optional: Protect your browser so random internet scanners can't use it
      - TOKEN=XXXX
      - CONNECTION_TIMEOUT=6000000
      - MAX_CONCURRENT_SESSIONS=10
      - MAX_QUEUE_LENGTH=5
      - DEFAULT_BLOCK_ADS=true
      - HOST=browserless
    # CRITICAL: Chrome crashes without this shared memory setting
    shm_size: "2gb"
    networks:
      - openclaw-net
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined

networks:
  openclaw-net:
    driver: bridge

Dockerfile V1.0

# 1. Start with the official OpenClaw image
FROM ghcr.io/openclaw/openclaw:latest

# 2. Switch to root to install system-level tools
USER root

# 3. Install Playwright OS dependencies AND the Google Cloud SDK
RUN apt-get update && apt-get install -y \
    libnss3 libnspr4 libatk1.0-0 libatk-bridge2.0-0 \
    libcups2 libdrm2 libxkbcommon0 libxcomposite1 \
    libxdamage1 libxfixes3 libxrandr2 libgbm1 libasound2 \
    apt-transport-https ca-certificates gnupg curl \
    && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
    && apt-get update \
    && apt-get install -y google-cloud-cli \
    && rm -rf /var/lib/apt/lists/*

# 4. Permanently install the official Google Workspace CLI
RUN npm install -g @googleworkspace/cli

RUN chown -R node:node /home/node

# 5. Drop back down to the secure node user for normal operation
USER node

Dockerfile V2.0

# --- STAGE 1: Build the Go binary using the latest compiler ---
FROM golang:latest AS builder
RUN go install github.com/steipete/gifgrep/cmd/gifgrep@latest

# --- STAGE 2: Build the OpenClaw image ---
# 1. Start with the official OpenClaw image
FROM ghcr.io/openclaw/openclaw:latest

# 2. Switch to root to install system-level tools
USER root

# 3. Add PIP global override (Debian 12+ protection bypass)
ENV PIP_BREAK_SYSTEM_PACKAGES=1

# 4. Install OS dependencies, Google SDK, GitHub CLI, and Core Tools
RUN apt-get update && apt-get install -y \
    libnss3 libnspr4 libatk1.0-0 libatk-bridge2.0-0 \
    libcups2 libdrm2 libxkbcommon0 libxcomposite1 \
    libxdamage1 libxfixes3 libxrandr2 libgbm1 libasound2 \
    apt-transport-https ca-certificates gnupg curl \
    python3 python3-pip python3-venv \
    git golang jq wget unzip build-essential ripgrep \
    && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
    && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
    && apt-get update \
    && apt-get install -y google-cloud-cli gh \
    && rm -rf /var/lib/apt/lists/*

# 5. Bake in Qwen's Python Wishlist
RUN pip3 install uv

# 6. The Global Graph: Feed the entire IT-approved and Stretch AI list to uv
# uv will resolve the entire dependency graph instantly before downloading a single file.
RUN uv pip install --system --break-system-packages --no-cache \
    setuptools \
    requests \
    beautifulsoup4 \
    aiofiles \
    "pydantic>=2.0" \
    python-docx \
    playwright \
    yfinance \
    markitdown \
    polars \
    duckdb \
    chromadb \
    agentlightning \
    browser-use \
    faster-whisper

# 7. Copy the compiled gifgrep binary from STAGE 1
COPY --from=builder /go/bin/gifgrep /usr/local/bin/gifgrep

# Install Rust globally for all users
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path && \
    chmod -R a+w $RUSTUP_HOME $CARGO_HOME

# 8. Permanently install the official Google Workspace CLI
RUN npm install -g @googleworkspace/cli typescript ts-node

# 9. BAKE IN THE MEMORY ENGINE: Download Nomic to a safe directory
RUN mkdir -p /models && \
    wget https://huggingface.co/nomic-ai/nomic-embed-text-v1.5-GGUF/resolve/main/nomic-embed-text-v1.5.Q8_0.gguf -O /models/nomic-embed.gguf && \
    chown -R node:node /models

# 10. Fix permissions so the node user owns everything in their home directory
RUN chown -R node:node /home/node

# 11. Drop back down to the secure node user for normal operation
USER node

Updates

docker compose -p clawbert down
docker compose -p clawbert up -d --build --pull always
docker-compose run --rm openclaw-cli doctor --fix
Posted by at No comments:
Subscribe to: Posts (Atom)