hermes-workspace: deploy as the default MiOS chat frontend

Operator directive 2026-05-11:
  'forget open webui for now -- Ollama >> hermes agent >>
  hermes-workspace app is the front-end'

Chain:
  mios-ollama       (LLM models, GPU on the dev VM)
    -> mios-hermes  (OpenAI-compatible gateway, port 8642)
    -> mios-hermes-workspace  (web frontend, port 3030 -- the URL
                               the operator opens in their browser)

Files added:

* etc/containers/systemd/mios-hermes-workspace.container -- Quadlet
  pulling ghcr.io/outsourc-e/hermes-workspace:latest. Wires
  HERMES_API_URL to the local mios-hermes; HERMES_API_TOKEN pulls the
  shared API_SERVER_KEY from /etc/mios/hermes/api.env so the same
  secret authenticates the gateway and the workspace. PORT=3030
  overrides the image's PORT=3000 default to match mios.toml
  [ports].hermes_workspace (which collides with mios-forge otherwise).
  COOKIE_SECURE=0 keeps plain-HTTP login working without a reverse-
  proxy / TLS layer.

* usr/lib/systemd/system/mios-hermes-workspace-firstboot.service +
  usr/libexec/mios/mios-hermes-workspace-firstboot.sh -- generates
  the workspace's session password (HERMES_PASSWORD) into
  /etc/mios/hermes-workspace/workspace.env on first boot. The
  upstream image makes HERMES_PASSWORD REQUIRED whenever the bind
  isn't pure loopback (we bind 0.0.0.0:3030), so without this the
  container exits immediately on first start. Rotate by deleting the
  file + restarting the firstboot service.

mios.toml changes:

* [ports] -- hermes_workspace = 3030 (canonical), webui moves to
  3031 (legacy; Quadlet disabled in [quadlets.enable]).

* [image.sidecars] -- hermes_workspace = ghcr.io/outsourc-e/
  hermes-workspace:latest.

* [quadlets.enable] -- mios-hermes-workspace = true, mios-hermes =
  true (explicit), mios-webui = false. Open WebUI stays in-tree but
  doesn't autostart by default; operators wanting it can flip the
  flag in their layered toml.

Author: Kabuki94

etc/containers/systemd/mios-hermes-workspace.container

@@ -0,0 +1,72 @@
+# /etc/containers/systemd/mios-hermes-workspace.container
+# 'MiOS' Hermes Workspace -- web frontend for the Hermes Agent stack.
+#
+# Operator directive 2026-05-11: "forget open webui for now -- Ollama
+# >> hermes agent >> hermes-workspace app is the front-end".
+#
+# Chain: mios-ollama (LLM models) -> mios-hermes (OpenAI-compatible
+# gateway) -> mios-hermes-workspace (web frontend the operator opens
+# in their browser at http://localhost:3030/).
+#
+# Upstream: https://github.com/outsourc-e/hermes-workspace
+# Image:    ghcr.io/outsourc-e/hermes-workspace:latest
+#
+# Auth: HERMES_API_TOKEN MUST equal API_SERVER_KEY in /etc/mios/hermes/
+# api.env (the same shared secret mios-hermes itself uses + that
+# mios-hermes-firstboot.service generates). HERMES_PASSWORD is the
+# workspace's session login -- generated by mios-hermes-workspace-
+# firstboot.service into /etc/mios/hermes-workspace/workspace.env on
+# first boot.
+
+[Unit]
+Description='MiOS' Hermes Workspace (web frontend for Hermes Agent)
+After=network-online.target mios-hermes.service
+Wants=network-online.target mios-hermes.service
+ConditionPathExists=/etc/mios/hermes/api.env
+
+[Container]
+# Image / Port placeholders -- resolved at image build time by
+# automation/15-render-quadlets.sh from mios.toml [image.sidecars].
+# hermes_workspace + [ports].hermes_workspace.
+Image=${MIOS_HERMES_WORKSPACE_IMAGE:-ghcr.io/outsourc-e/hermes-workspace:latest}
+ContainerName=mios-hermes-workspace
+Network=${MIOS_QUADLET_NETWORK:-mios.network}
+Network=ai-net.network
+PublishPort=${MIOS_PORT_HERMES_WORKSPACE:-3030}:${MIOS_PORT_HERMES_WORKSPACE:-3030}
+AutoUpdate=registry
+
+# Wire the workspace to the locally-running Hermes Agent. HERMES_API_
+# TOKEN MUST match API_SERVER_KEY in /etc/mios/hermes/api.env -- which
+# mios-hermes-firstboot.service generates on first boot. EnvironmentFile=
+# auto-pulls the matching value via env-var substitution below.
+EnvironmentFile=/etc/mios/hermes/api.env
+EnvironmentFile=/etc/mios/hermes-workspace/workspace.env
+Environment=HERMES_API_URL=http://mios-hermes:${MIOS_PORT_HERMES:-8642}
+Environment=HERMES_API_TOKEN=${API_SERVER_KEY}
+# Bind the workspace on the operator-facing port directly. The upstream
+# image defaults PORT=3000; we override to 3030 (mios.toml [ports].
+# hermes_workspace) to keep the canonical 3030 surface previously
+# occupied by Open WebUI. Containers running with the Network=host
+# drop-in on the dev VM read this same env.
+Environment=PORT=${MIOS_PORT_HERMES_WORKSPACE:-3030}
+# Browsers drop Secure cookies over plain HTTP -- the workspace
+# defaults NODE_ENV=production which sets Secure on session cookies.
+# Disable explicitly so the operator's first-time login works without
+# a reverse proxy / TLS layer in front. Operators fronting the
+# workspace with HTTPS can flip this back to 1 via /etc/mios/hermes-
+# workspace/workspace.env.
+Environment=COOKIE_SECURE=0
+
+Label=org.opencontainers.image.title=mios-hermes-workspace
+Label=org.opencontainers.image.url=http://localhost:${MIOS_PORT_HERMES_WORKSPACE:-3030}/
+Label=org.opencontainers.image.documentation=https://github.com/outsourc-e/hermes-workspace
+Label=io.podman_desktop.openInBrowser=http://localhost:${MIOS_PORT_HERMES_WORKSPACE:-3030}/
+
+[Service]
+Restart=on-failure
+RestartSec=10s
+TimeoutStartSec=600s
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target default.target

usr/lib/systemd/system/mios-hermes-workspace-firstboot.service

@@ -0,0 +1,15 @@
+# /usr/lib/systemd/system/mios-hermes-workspace-firstboot.service
+# Generate the workspace login password on first boot.
+[Unit]
+Description='MiOS' Hermes Workspace first-boot password generation
+ConditionPathExists=!/etc/mios/hermes-workspace/workspace.env
+Before=mios-hermes-workspace.service
+After=mios-hermes-firstboot.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/mios/mios-hermes-workspace-firstboot.sh
+
+[Install]
+WantedBy=multi-user.target

usr/libexec/mios/mios-hermes-workspace-firstboot.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# /usr/libexec/mios/mios-hermes-workspace-firstboot.sh
+#
+# Generate the Hermes Workspace session password on first boot. The
+# upstream image binds 0.0.0.0:3030 (non-loopback), which makes
+# HERMES_PASSWORD REQUIRED -- without it the container exits with a
+# clear "session password missing" error.
+#
+# Sentinel: /etc/mios/hermes-workspace/workspace.env -- delete the
+# file + restart this unit to rotate the password.
+set -euo pipefail
+
+DEST=/etc/mios/hermes-workspace/workspace.env
+install -d -m 0755 /etc/mios/hermes-workspace
+
+if [[ -s "$DEST" ]] && grep -q '^HERMES_PASSWORD=' "$DEST" 2>/dev/null; then
+    echo "[hermes-workspace-firstboot] $DEST already populated; nothing to do"
+    exit 0
+fi
+
+# 24 random bytes -> 48 hex chars. Strong enough for a session
+# password; rotate by deleting the file.
+PW=$(openssl rand -hex 24 2>/dev/null || \
+     head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
+
+cat > "$DEST" <<EOF
+# /etc/mios/hermes-workspace/workspace.env
+# Generated by mios-hermes-workspace-firstboot.service on first boot.
+# Read by both mios-hermes-workspace (login authentication) and any
+# operator tooling that needs the workspace login password.
+# Rotate by deleting this file + restarting mios-hermes-workspace-
+# firstboot.service.
+
+HERMES_PASSWORD=$PW
+EOF
+chmod 0640 "$DEST"
+chown root:root "$DEST"
+
+echo "[hermes-workspace-firstboot] wrote $DEST (rotate: rm + systemctl restart mios-hermes-workspace-firstboot.service)"

usr/share/mios/mios.toml

@@ -1556,7 +1556,8 @@ cockpit_link       = 19090    # mios-cockpit-link Podman Desktop discovery shim
 ollama             = 11434    # alternate local LLM backend
 searxng            = 8888     # local privacy-respecting metasearch
 hermes             = 8642     # Hermes-Agent OpenAI-compatible gateway
-webui              = 3030     # Open WebUI (port 3030 because mios-ai owns 8080)
+hermes_workspace   = 3030     # Hermes Workspace web frontend (default chat UI)
+webui              = 3031     # Open WebUI (legacy; mios-webui Quadlet disabled by default 2026-05-11)
 k3s_api            = 6443     # K3s Kubernetes API
 guacamole_web      = 8090     # mios-guacamole browser desktop
 ceph_dashboard     = 8443     # Ceph dashboard
@@ -1582,6 +1583,8 @@ hermes_version     = "latest"
 hermes             = "docker.io/nousresearch/hermes-agent:latest"
 webui_version      = "latest"
 webui              = "docker.io/openwebui/open-webui:latest"
+hermes_workspace_version = "latest"
+hermes_workspace   = "ghcr.io/outsourc-e/hermes-workspace:latest"
 ollama_version     = "latest"
 ollama             = "docker.io/ollama/ollama:latest"
 guacamole_version  = "latest"
@@ -2167,17 +2170,20 @@ features = ["ai", "virtualization", "k3s"]
 # force-disable a service even when it would otherwise run.
 # ----------------------------------------------------------------------------
 [quadlets.enable]
-mios-ai            = true
-mios-ceph          = true
-mios-k3s           = true
-mios-forge         = true
-mios-cockpit-link  = true   # surfaces host Cockpit (9090) in Podman Desktop UI
-crowdsec-dashboard = true
-ollama             = true
-cloudws-guacamole  = true
-cloudws-pxe-hub    = true
-guacamole-postgres = true
-guacd              = true
+mios-ai               = true
+mios-ceph             = true
+mios-k3s              = true
+mios-forge            = true
+mios-cockpit-link     = true   # surfaces host Cockpit (9090) in Podman Desktop UI
+mios-hermes           = true
+mios-hermes-workspace = true   # default chat frontend (Ollama -> Hermes -> Workspace)
+mios-webui            = false  # disabled 2026-05-11: hermes-workspace is the default chat UI
+crowdsec-dashboard    = true
+ollama                = true
+cloudws-guacamole     = true
+cloudws-pxe-hub       = true
+guacamole-postgres    = true
+guacd                 = true
 
 # ----------------------------------------------------------------------------
 # [env] -- free-form environment-variable additions. Keys must match POSIX