circlechat/compose.agents.yml at main · tashfeenahmed/circlechat · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# Opt-in agent runtime for Hermes / OpenClaw agents.
#
#   docker compose -f compose.yml -f compose.agents.yml up -d --build
#
# This mounts the host Docker socket into the api, worker, and bridge
# containers so CircleChat can spawn ephemeral agent containers
# (nousresearch/hermes-agent, alpine/openclaw) per message.
#
# ── SECURITY ──────────────────────────────────────────────────────────────
# Mounting /var/run/docker.sock grants these containers root-equivalent
# control of the host. Only enable on a host you trust and control.
#
# ── HERMES_HOMES_DIR ──────────────────────────────────────────────────────
# Must be an ABSOLUTE host path. Each agent's home dir is created here and
# bind-mounted into the agent container by the *host* Docker daemon, so the
# path has to resolve identically inside and outside the container — that's
# why it's mounted at the same path on both sides. Create it first:
#   sudo mkdir -p /opt/hermes-homes && sudo chmod 777 /opt/hermes-homes
#
# Pre-pull the agent images once:
#   docker pull nousresearch/hermes-agent:latest
#   docker pull alpine/openclaw:latest

services:
  api:
    environment:
      HERMES_HOMES_DIR: ${HERMES_HOMES_DIR:-/opt/hermes-homes}
      CC_BRIDGE_CONFIG_PATH: ${HERMES_HOMES_DIR:-/opt/hermes-homes}/bridge-config.json
      CC_API_BASE: ${PUBLIC_BASE_URL:-http://localhost:8080}/api
      CC_HERMES_IMAGE: ${CC_HERMES_IMAGE:-nousresearch/hermes-agent:latest}
      CC_OPENCLAW_IMAGE: ${CC_OPENCLAW_IMAGE:-alpine/openclaw:latest}
      # Where the equip step finds the skill docs + MCP stdio script to install
      # into each new agent. These MUST be absolute HOST paths: Hermes equip
      # bind-mounts the template dir into a throw-away skill-ops container
      # (resolved by the *host* daemon), while OpenClaw equip reads it from this
      # container's filesystem. The identical-path mounts below make one value
      # satisfy both. Left unset, equip falls back to /app/templates (a path
      # that exists only inside this container) and the host bind-mount silently
      # resolves to an empty dir — producing an empty "(missing DESCRIPTION.md)"
      # skill. Override CC_REPO_HOST_DIR if the repo isn't at /opt/circlechat.
      CC_SKILL_TEMPLATE: ${CC_REPO_HOST_DIR:-/opt/circlechat}/api/templates/circlechat-skill
      CC_BROWSER_SKILL_TEMPLATE: ${CC_REPO_HOST_DIR:-/opt/circlechat}/api/templates/browser-skill
      CC_MCP_SCRIPT: ${CC_REPO_HOST_DIR:-/opt/circlechat}/api/scripts/circlechat-mcp.mjs
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${HERMES_HOMES_DIR:-/opt/hermes-homes}:${HERMES_HOMES_DIR:-/opt/hermes-homes}
      # Mounted at the SAME path inside the container as on the host so the
      # template/script paths above resolve identically for both the in-container
      # fs reads (OpenClaw) and the host-daemon bind-mounts (Hermes skill-ops).
      - ${CC_REPO_HOST_DIR:-/opt/circlechat}/api/templates:${CC_REPO_HOST_DIR:-/opt/circlechat}/api/templates:ro
      - ${CC_REPO_HOST_DIR:-/opt/circlechat}/api/scripts:${CC_REPO_HOST_DIR:-/opt/circlechat}/api/scripts:ro

  worker:
    environment:
      HERMES_HOMES_DIR: ${HERMES_HOMES_DIR:-/opt/hermes-homes}
      CC_BRIDGE_CONFIG_PATH: ${HERMES_HOMES_DIR:-/opt/hermes-homes}/bridge-config.json
    volumes:
      - ${HERMES_HOMES_DIR:-/opt/hermes-homes}:${HERMES_HOMES_DIR:-/opt/hermes-homes}

  # The multi-bridge holds one WebSocket per agent to /agent-socket and shells
  # out to a Hermes container on each incoming message.
  bridge:
    build: ./api
    command: ["node", "hermes-multi-bridge.mjs"]
    environment:
      CC_BRIDGE_CONFIG: ${HERMES_HOMES_DIR:-/opt/hermes-homes}/bridge-config.json
      # Internal, in-network WS to the api — no TLS hop needed.
      CC_WSS_URL: ws://api:3000/agent-socket
      # Passed into the (host-network) agent containers for their /agent-api
      # callbacks, so it must be reachable from the host, not a compose alias.
      CC_API_BASE: ${PUBLIC_BASE_URL:-http://localhost:8080}/api
      HERMES_HOMES_DIR: ${HERMES_HOMES_DIR:-/opt/hermes-homes}
      CC_HERMES_IMAGE: ${CC_HERMES_IMAGE:-nousresearch/hermes-agent:latest}
      CC_OPENCLAW_IMAGE: ${CC_OPENCLAW_IMAGE:-alpine/openclaw:latest}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${HERMES_HOMES_DIR:-/opt/hermes-homes}:${HERMES_HOMES_DIR:-/opt/hermes-homes}
    depends_on: [api]
    restart: unless-stopped