feat(oberon): deploy hermes-agent with Slack integration and OpenCode Go #31
Merged
- Add hermes-agent flake input (NousResearch/hermes-agent v0.16.0)
- Enable services.hermes-agent with openai-codex provider and messaging extras
- Add SOPS-encrypted secrets for Slack tokens (hermes.env) and Codex OAuth (hermes-auth.json)
- Add separate systemd unit (hermes-agent-dashboard) for the web UI on 127.0.0.1:9119, since HERMES_DASHBOARD env var is only consumed by Docker/s6 entrypoint, not native gateway
- Use format = "json" for hermes-auth.json (per-field SOPS JSON, not binary envelope)
- Note cloudflared ingress for hermes.thinceller.dev must be added via Cloudflare dashboard

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
format = "json" extracts a named key ["hermes-auth"] from the JSON, which does not exist in auth.json. format = "binary" writes the entire decrypted file content, which is the correct behavior for an auth.json seed file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace openai-codex OAuth setup with OpenCode Go API key:
- Change model.provider to "opencode-go" (OPENCODE_GO_API_KEY in env)
- Remove authFile and hermes-auth.json (no OAuth needed)
- Simplifies secrets to a single hermes.env file

Also fixes the previous sops activation failure that prevented /run/secrets/cloudflared from being written.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…n warning
- Override TimeoutStopSec to 210s (drain_timeout 180s + 30s buffer)
- Add settings.terminal.cwd as the recommended replacement for MESSAGING_CWD
- Override systemd environment to remove MESSAGING_CWD (deprecated in v0.16.0, but still set by nixosModule upstream via Environment= directive)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- cloudflared.nix: adopt master's detailed comment structure, add hermes.thinceller.dev to Public Hostnames record
- default.nix: include both hermes-agent and nix-index-database modules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
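- opencode-go, API key authentication)
- pre-baked with extraDependencyGroups = [ "messaging" ])
- hermes-agent-dashboard) resident on 127.0.0.1:9119
- exposed at hermes.thinceller.dev

Main design decisions
- hermes gateway does not read HERMES_DASHBOARD in native mode, so the dashboard is split into a separate unit
- MESSAGING_CWD (set by the nixosModule in systemd Environment=) is deprecated in v0.16.0 → migrated to settings.terminal.cwd and removed from the systemd environment
- hermes.env (dotenv format) only. hermes-auth.json is removed because OAuth is not needed

Manual steps (outside the repository)
- Set the HTTP Host Header of the hermes.thinceller.dev Public Hostname to 127.0.0.1 (so that the dashboard's Host validation passes)
- Add the groups:read scope and reinstall to the workspace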