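# systemd unit — Hermes Agent (interactive CLI / headless agent)
#
# Install:
#   sudo cp hermes-agent.service /etc/systemd/system/
#   sudo systemctl daemon-reload
#   sudo systemctl enable --now hermes-agent
#
# This unit runs the Hermes CLI in headless / non-interactive mode, meaning the
# agent loop stays alive but does not present a TUI. It is appropriate for
# dedicated VPS deployments where you want the agent always running and
# accessible via the messaging gateway or API server.
#
# If you only want the messaging gateway, use hermes-gateway.service instead.
# Running both units simultaneously is safe — they share ~/.hermes by default.
#
# NOTE(review): ExecStart below runs `hermes gateway start`, i.e. the gateway
# subcommand rather than a distinct headless-agent command. Confirm that is
# intended. If hermes-gateway.service launches the same command against the
# same ~/.hermes, the stale-PID-file remark at ExecStart suggests the two
# units could conflict, so verify the "safe to run both" statement first.

[Unit]
Description=Hermes Agent
Documentation=https://hermes-agent.nousresearch.com/docs/
After=network-online.target
Wants=network-online.target

# Start rate limit: at most 5 start attempts within 60 s. Once exceeded, the
# unit is marked failed and stays down until an operator intervenes
# (e.g. `systemctl reset-failed hermes-agent`).
# These are [Unit] settings; StartLimitIntervalSec= is not recognised under
# [Service] and would be ignored there with a warning.
StartLimitIntervalSec=60s
StartLimitBurst=5

[Service]
# NOTE(review): Type=simple expects the command to stay in the foreground.
# Confirm `hermes gateway start` does not fork into the background.
Type=simple

# Run as the dedicated hermes account rather than root.
User=hermes
Group=hermes

# The working directory — adjust if Hermes is installed elsewhere.
WorkingDirectory=/home/hermes

# Load secrets from the data directory (never from the source repo).
# Everything in this file is exported into the service environment, so keep
# it owned by hermes with mode 0600 and out of backups that are shared.
EnvironmentFile=/home/hermes/.hermes/.env

# Run the gateway; add --replace if restarting over a stale PID file.
ExecStart=/home/hermes/.local/bin/hermes gateway start

# Graceful stop: systemd sends SIGTERM and waits up to 30 s before SIGKILL.
# No ExecStop= is needed for this; an explicit `kill -TERM $MAINPID` there
# would only deliver the same signal a second time.
KillSignal=SIGTERM
TimeoutStopSec=30

# Restart automatically on failure after a fixed 5 s delay. The delay does
# not grow between attempts; the start rate limit in [Unit] is what stops a
# crash loop.
Restart=on-failure
RestartSec=5s

# Security hardening — tighten as appropriate for your deployment.
# Review the remaining exposure with: systemd-analyze security hermes-agent
#
# NoNewPrivileges: setuid/setgid binaries cannot raise privileges.
# PrivateTmp:      private /tmp and /var/tmp, not shared with other services.
# ProtectSystem=strict + ProtectHome=read-only: the whole file system is
#   read-only for the service except the ReadWritePaths below, which also
#   keeps the service from modifying its own binary under ~/.local/bin.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
# Both paths must exist before the unit starts, otherwise namespace setup
# fails; prefix a path with "-" to tolerate its absence.
ReadWritePaths=/home/hermes/.hermes /home/hermes/.local/share/hermes

# Logging — output goes to journald; read with: journalctl -u hermes-agent -f
# Make sure the agent does not log values loaded from the EnvironmentFile.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=hermes-agent

[Install]
WantedBy=multi-user.target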