Tuesday, May 19, 2026

Hermes

 compose.yaml

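services:
  hermes:
    # Use `image:` (and drop `build:`) to run the upstream image unmodified; the
    # local Dockerfile adds gh, uv, Playwright/Chromium and media tooling on top.
    # image: nousresearch/hermes-agent:latest
    build: .
    container_name: hermes
    restart: unless-stopped
    command: gateway run
    ports:
      # A bare "8642:8642" publishes on every host interface, and Docker inserts
      # its own iptables rules ahead of the host's, which on Synology commonly
      # means the DSM firewall does not filter these ports at all. Bind to
      # loopback by default; set HERMES_BIND_ADDR in .env (e.g. the NAS LAN
      # address) when other machines need the API, and keep it off the WAN.
      - "${HERMES_BIND_ADDR:-127.0.0.1}:8642:8642"   # OpenAI-compatible API server + health endpoint
      - "${HERMES_BIND_ADDR:-127.0.0.1}:9119:9119"   # Web dashboard
    volumes:
      # [Synology Host Path] : [Hermes Container Path]
      - /volume1/docker/hermes/data:/opt/data
      # Read-only views of the OpenClaw agent's files. `:ro` only prevents
      # writes: anything in these directories (including any tokens or keys
      # kept in the config dir) is readable by the model's tools, and so by any
      # prompt-injected content the agent processes. Mount only what Hermes
      # actually needs, or keep secrets out of the mounted paths.
      - /volume1/docker/openclaw/workspace:/mnt/clawbert/workspace:ro
      - /volume1/docker/openclaw/config:/mnt/clawbert/config:ro
    environment:
      - TZ=America/Chicago

      # --- Directing Hermes to the Mac Studio ---
      # Values come from a .env file next to this compose file (or the shell),
      # so real credentials never sit in the committed config. `:?` makes
      # `docker compose up` refuse to start, with a clear message, if unset.
      - "OPENAI_API_KEY=${OPENAI_API_KEY:?set OPENAI_API_KEY in .env}"
      - "OPENAI_BASE_URL=${OPENAI_BASE_URL:?set OPENAI_BASE_URL in .env}"
      # HOME on the data volume keeps the agent's state across rebuilds.
      - HOME=/opt/data

      # --- API server ---
      - API_SERVER_ENABLED=true
      # 0.0.0.0 is the container's own interface, which it has to be for the
      # published port to reach it; outside exposure is governed by `ports:`.
      - API_SERVER_HOST=0.0.0.0
      # Bearer key every API client must present. Never commit a real value;
      # generate one (e.g. `openssl rand -hex 32`) and put it in .env.
      - "API_SERVER_KEY=${API_SERVER_KEY:?set API_SERVER_KEY in .env}"
      # List-form `environment:` does NOT strip shell quoting, so the previous
      # `'*'` reached Hermes with the literal quote characters. A wildcard lets
      # any origin call this API from a browser; how much that matters depends
      # on how the dashboard authenticates (not visible here) — restrict this to
      # the dashboard's origin (the URL you open port 9119 at) once known.
      - API_SERVER_CORS_ORIGINS=*

      # --- Dashboard ---
      # Whether the dashboard is itself gated by API_SERVER_KEY is not shown
      # here; confirm before binding it to anything other than loopback.
      - HERMES_DASHBOARD=1
    deploy:
      resources:
        limits:
          memory: 8G   # Hard cap; the container is OOM-killed beyond this
    security_opt:
      - no-new-privileges:true # No setuid/setgid or file-capability escalation from inside the container
    cap_drop:
      - ALL # Drop every kernel capability (no raw sockets, mounts, routing changes, ptrace, ...)
    # Run as an unprivileged host UID that owns /volume1/docker/hermes/data
    # (check with `id -u`/`id -g` on the NAS); /opt/data must be writable by it.
    # NOTE(review): with cap_drop ALL, no-new-privileges and a non-root UID,
    # Chromium's sandbox likely cannot set itself up under Docker's default
    # seccomp profile (no unprivileged user namespaces, no setuid helper), so
    # Playwright launches may need the browser sandbox disabled. Prefer that
    # trade-off over loosening the options above.
    user: "1000:1000"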

Dockerfile

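# Extends the upstream Hermes image with research/media tooling. Everything
# below runs as root at build time only; the runtime user is set at the end
# (and overridden again by `user:` in compose.yaml).
#
# NOTE(review): `latest` is a moving target. Pin a digest
# (`nousresearch/hermes-agent@sha256:...`, taken from `docker pull` output) so
# rebuilds are reproducible and a changed or compromised upstream tag cannot
# silently land in this image.
FROM nousresearch/hermes-agent:latest

# 1. Escalate to root for package installation
USER root

# Keep Playwright's browser download out of /root (unreadable by UID 1000 at
# runtime) and independent of $HOME, which compose.yaml points at the data
# volume. Must be set before `playwright install` and remain set at runtime,
# otherwise Chromium is installed where the runtime user can never find it.
ENV PLAYWRIGHT_BROWSERS_PATH=/opt/ms-playwright

# 2. Install System Tools & Browser Libs
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    jq \
    git \
    unzip \
    poppler-utils \
    ffmpeg \
    libnss3 \
    libatk1.0-0 \
    libcups2 \
    libdrm2 \
    libxkbcommon0 \
    libxcomposite1 \
    libxdamage1 \
    libxfixes3 \
    libxrandr2 \
    libgbm1 \
    libasound2 \
    && rm -rf /var/lib/apt/lists/*

# 3. Install GitHub CLI (gh) from GitHub's apt repo. `signed-by` restricts apt
#    to packages signed with this keyring; the keyring itself is only trusted
#    via TLS to cli.github.com, so compare its fingerprint with the one GitHub
#    publishes if you need more than that. `curl -o` replaces the earlier
#    `curl | dd`, whose exit status was dd's, so a failed download produced an
#    empty keyring instead of a build error. Apt lists are cleaned as in step 2.
#    NOTE(review): gh in an AI agent's container means any GitHub token that
#    ever reaches it is usable by prompt-injected instructions; scope such a
#    token to the minimum repos/permissions.
RUN curl -fsSL -o /usr/share/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \
    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update && apt-get install -y --no-install-recommends gh \
    && rm -rf /var/lib/apt/lists/*

# 4. Install uv (Fast Python Package Manager)
#    This still executes an installer fetched from the network as root. Pin it
#    to a release (https://astral.sh/uv/<version>/install.sh) and/or check the
#    download against Astral's published checksums before running it.
#    UV_INSTALL_DIR places the binary on the default PATH instead of relying on
#    /root/.cargo/bin (old installers) or /root/.local/bin (newer ones), which
#    is why the previous `ENV PATH` line could silently miss `uv`. TODO confirm
#    the installer honours UV_INSTALL_DIR as a flat directory for your version.
RUN curl -LsSf -o /tmp/uv-install.sh https://astral.sh/uv/install.sh \
    && UV_INSTALL_DIR=/usr/local/bin UV_NO_MODIFY_PATH=1 sh /tmp/uv-install.sh \
    && rm -f /tmp/uv-install.sh

# 5. Use uv to install the "Heavy Hitters" into the image's own venv
#    These are the libs that make the agent useful for research and media.
#    NOTE(review): nothing here is version-pinned, so every rebuild resolves
#    whatever is newest on PyPI. Move the list to a requirements file, lock it
#    (`uv pip compile --generate-hashes`) and install with `--require-hashes`
#    so a hijacked or replaced release cannot change what ends up in the image.
RUN uv pip install -p /opt/hermes/.venv/bin/python \
    google-api-python-client \
    google-auth-httplib2 \
    google-auth-oauthlib \
    chromadb \
    duckdb \
    polars \
    playwright \
    faster-whisper \
    yt-dlp \
    beautifulsoup4 \
    requests \
    python-telegram-bot

# Install Chromium and its remaining system dependencies via the venv python.
# --with-deps runs apt-get itself, so clean the lists again afterwards. The
# browser lands in $PLAYWRIGHT_BROWSERS_PATH; make it readable and executable
# by the non-root runtime user rather than only by root.
RUN /opt/hermes/.venv/bin/python -m playwright install --with-deps chromium \
    && rm -rf /var/lib/apt/lists/* \
    && chmod -R a+rX "$PLAYWRIGHT_BROWSERS_PATH"

# 6. Drop to the restricted user (compose.yaml's `user:` takes precedence)
USER 1000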

