The hermes service account has no password or SSH keys and cannot
be used to log in. Access is via root (standard PVE Helper Scripts
pattern). Also add -fN flags to the dashboard tunnel command so it
runs in the background without opening a shell session.
Adds container scripts for Hermes Agent (Nous Research), a self-improving
AI agent with LLM provider integration, terminal execution, web browsing,
and multi-platform messaging support.
Files:
- ct/hermes-agent.sh
- install/hermes-agent-install.sh
- json/hermes-agent.json
- ct/headers/hermes-agent
Deviations from standard patterns (justified):
1. Uses upstream installer (curl-pipe) instead of fetch_and_deploy_gh_release:
Hermes is a uv-managed Python application with complex dependency
resolution, virtualenv management, and binary placement—not a single
binary or tarball from GitHub Releases.
2. Dedicated 'hermes' service user (not running as root):
The agent executes arbitrary terminal commands on behalf of the user.
Running as root would give the AI unrestricted system access. This
follows the protonmail-bridge service-user pattern for isolation.
3. Dashboard (port 9119) bound to localhost only, requiring SSH tunnel:
The web UI provides admin access to an AI that can execute commands.
SSH tunnel provides an authentication/authorization boundary.
4. /usr/bin/hermes shim script:
The hermes CLI validates cwd permissions; running 'hermes' as root
from /root fails. The shim cd's to /home/hermes and exec's as the
hermes user via runuser.
5. setsid --wait wrapping of upstream installer:
The upstream installer probes /dev/tty for interactive prompts even
with --skip-setup; setsid detaches the controlling terminal.
- drop redundant curl of default.yml (file is part of release tarball)
- stop creating /opt/authentik-data dirs in install (mounted later as separate volume)
- enable services without --now in install (started after data volume is attached)
Introduce GitLab release helpers and use them to conditionally update Storyteller.
- misc/tools.func: add get_latest_gitlab_release and check_for_gl_release functions (GitLab API calls, token support, pinning, error handling, requires jq).
- ct/storyteller.sh: wrap update sequence with check_for_gl_release so rebuild/deploy only runs when a new GitLab release is detected; update author metadata.
- install/storyteller-install.sh: remove python3 from apt dependencies and drop NODE_OPTIONS export; minor whitespace cleanup.
These changes prevent unnecessary rebuilds by detecting upstream GitLab releases and improve robustness of release detection and error reporting.
Download authentik's lib/default.yml for the specified AUTHENTIK_VERSION before running go mod/download and build (added curl to ct/authentik.sh and install/authentik-install.sh to write to /opt/authentik/authentik/lib/default.yml). Also normalize Bitfocus Companion app name to "Bitfocus-Companion" in ct/bitfocus-companion.sh.
Add Arch Linux container support and integrate pacman into install utilities. New files: ct/archlinux.sh (container build/update script), install/archlinux-install.sh (install entrypoint), and json/archlinux.json (metadata). misc/install.func: detect_arch in detect_os, add pacman bootstrap, and implement pacman handlers for pkg_upgrade, pkg_install, pkg_remove, pkg_clean and package refresh; include openssh install path for pacman and provide a cleanup_lxc override to run pkg_clean. Enables creating/updating Arch Linux LXC containers and proper package manager handling.
Bump Fedora template to 43 and enhance container installation tooling. Persist DIAGNOSTICS setting and introduce post_progress_to_api() to send lightweight telemetry pings from inside containers (fire-and-forget, enabled when DIAGNOSTICS=yes and RANDOM_UUID set). Harden package management flows: re-detect PKG_MANAGER when commands are missing, add apt mirror fallback logic (apt_update_safe) and more robust apt-cacher proxy parsing. Fix Debian 13 LXC root ownership bug (chown /) and add additional DNS/Git host checks (including api.github.com). Improve downloading and validation of tools.func, add multiple post_progress_to_api hooks to signal progress, and add two new install entrypoints (misc/main/install.func and misc/main/alpine-install.func) that consolidate network checks, OS updates, MOTD/SSH setup and container customization.
