mios-dev
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 0 deletions b/‎.gitignore‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎automation/lib/globals.ps1‎
Lines changed: 17 additions & 0 deletions b/‎automation/lib/globals.ps1‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎automation/lib/globals.sh‎
Lines changed: 24 additions & 2 deletions b/‎automation/lib/globals.sh‎
Lines changed: 24 additions & 2 deletions
diff --git a/‎etc/containers/systemd/ai-net.network‎
Lines changed: 27 additions & 0 deletions b/‎etc/containers/systemd/ai-net.network‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎etc/containers/systemd/mios-ai.container‎
Lines changed: 7 additions & 5 deletions b/‎etc/containers/systemd/mios-ai.container‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎etc/containers/systemd/mios-hermes.container‎
Lines changed: 83 additions & 0 deletions b/‎etc/containers/systemd/mios-hermes.container‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎etc/containers/systemd/mios-searxng.container‎
Lines changed: 5 additions & 0 deletions b/‎etc/containers/systemd/mios-searxng.container‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎etc/containers/systemd/mios-webui.container‎
Lines changed: 70 additions & 0 deletions b/‎etc/containers/systemd/mios-webui.container‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎usr/lib/systemd/system-preset/90-mios.preset‎
Lines changed: 3 additions & 0 deletions b/‎usr/lib/systemd/system-preset/90-mios.preset‎
Lines changed: 3 additions & 0 deletions
@@ -107,6 +107,11 @@ etc/containers/*
 !/etc/containers/systemd/
 etc/containers/systemd/*
 !/etc/containers/systemd/mios*
+# ai-net.network is the AI-stack bridge that mios-hermes / mios-webui /
+# mios-ai / mios-ollama / mios-searxng share. Doesn't match the mios*
+# glob because the deploy-aistack.sh reference flow names it ai-net,
+# and we keep the literal name for cross-deploy interop.
+!/etc/containers/systemd/ai-net.network
 # storage.conf.d/ -- additionalimagestores bridge so rootless distrobox
 # can read images built into rootful podman storage by the system-scope
 # .build Quadlets (Universal Blue / Bazzite pattern).
 
@@ -55,6 +55,14 @@ $script:MIOS_SEARXNG_USER = if ($env:MIOS_SEARXNG_USER) { $env:MIOS_SEARXNG_USER
 $script:MIOS_SEARXNG_UID  = if ($env:MIOS_SEARXNG_UID)  { [int]$env:MIOS_SEARXNG_UID } else { 818 }
 $script:MIOS_SEARXNG_GID  = if ($env:MIOS_SEARXNG_GID)  { [int]$env:MIOS_SEARXNG_GID } else { 818 }
 
+$script:MIOS_HERMES_USER  = if ($env:MIOS_HERMES_USER)  { $env:MIOS_HERMES_USER }  else { 'mios-hermes' }
+$script:MIOS_HERMES_UID   = if ($env:MIOS_HERMES_UID)   { [int]$env:MIOS_HERMES_UID } else { 820 }
+$script:MIOS_HERMES_GID   = if ($env:MIOS_HERMES_GID)   { [int]$env:MIOS_HERMES_GID } else { 820 }
+
+$script:MIOS_WEBUI_USER   = if ($env:MIOS_WEBUI_USER)   { $env:MIOS_WEBUI_USER }   else { 'mios-webui' }
+$script:MIOS_WEBUI_UID    = if ($env:MIOS_WEBUI_UID)    { [int]$env:MIOS_WEBUI_UID } else { 821 }
+$script:MIOS_WEBUI_GID    = if ($env:MIOS_WEBUI_GID)    { [int]$env:MIOS_WEBUI_GID } else { 821 }
+
 $script:MIOS_SUBUID_START = if ($env:MIOS_SUBUID_START) { [int]$env:MIOS_SUBUID_START } else { 100000 }
 $script:MIOS_SUBUID_COUNT = if ($env:MIOS_SUBUID_COUNT) { [int]$env:MIOS_SUBUID_COUNT } else { 65536 }
 
@@ -74,6 +82,8 @@ $script:MIOS_PORT_LOCALAI       = if ($env:MIOS_PORT_LOCALAI)       { [int]$env:
 $script:MIOS_PORT_COCKPIT       = if ($env:MIOS_PORT_COCKPIT)       { [int]$env:MIOS_PORT_COCKPIT }       else { 9090 }
 $script:MIOS_PORT_OLLAMA        = if ($env:MIOS_PORT_OLLAMA)        { [int]$env:MIOS_PORT_OLLAMA }        else { 11434 }
 $script:MIOS_PORT_SEARXNG       = if ($env:MIOS_PORT_SEARXNG)       { [int]$env:MIOS_PORT_SEARXNG }       else { 8888 }
+$script:MIOS_PORT_HERMES        = if ($env:MIOS_PORT_HERMES)        { [int]$env:MIOS_PORT_HERMES }        else { 8642 }
+$script:MIOS_PORT_WEBUI         = if ($env:MIOS_PORT_WEBUI)         { [int]$env:MIOS_PORT_WEBUI }         else { 3030 }
 $script:MIOS_PORT_COCKPIT_LINK  = if ($env:MIOS_PORT_COCKPIT_LINK)  { [int]$env:MIOS_PORT_COCKPIT_LINK }  else { 19090 }
 
 # ── URLS ─────────────────────────────────────────────────────────────
@@ -82,6 +92,8 @@ $script:MIOS_FORGE_URL    = if ($env:MIOS_FORGE_URL)    { $env:MIOS_FORGE_URL }
 $script:MIOS_COCKPIT_URL  = if ($env:MIOS_COCKPIT_URL)  { $env:MIOS_COCKPIT_URL }  else { "https://localhost:$($script:MIOS_PORT_COCKPIT)" }
 $script:MIOS_OLLAMA_URL   = if ($env:MIOS_OLLAMA_URL)   { $env:MIOS_OLLAMA_URL }   else { "http://localhost:$($script:MIOS_PORT_OLLAMA)" }
 $script:MIOS_SEARXNG_URL  = if ($env:MIOS_SEARXNG_URL)  { $env:MIOS_SEARXNG_URL }  else { "http://localhost:$($script:MIOS_PORT_SEARXNG)" }
+$script:MIOS_HERMES_URL   = if ($env:MIOS_HERMES_URL)   { $env:MIOS_HERMES_URL }   else { "http://localhost:$($script:MIOS_PORT_HERMES)/v1" }
+$script:MIOS_WEBUI_URL    = if ($env:MIOS_WEBUI_URL)    { $env:MIOS_WEBUI_URL }    else { "http://localhost:$($script:MIOS_PORT_WEBUI)/" }
 
 # ── REPOS ────────────────────────────────────────────────────────────
 $script:MIOS_REPO_URL           = if ($env:MIOS_REPO_URL)           { $env:MIOS_REPO_URL }           else { 'https://github.com/mios-dev/mios.git' }
@@ -151,6 +163,9 @@ $script:MIOS_UNIT_AICHAT_BUILD      = 'mios-aichat-build.service'
 $script:MIOS_UNIT_AICHAT_IMAGE      = 'mios-aichat-image.service'
 $script:MIOS_UNIT_COCKPIT_LINK      = 'mios-cockpit-link.service'
 $script:MIOS_UNIT_SEARXNG           = 'mios-searxng.service'
+$script:MIOS_UNIT_HERMES            = 'mios-hermes.service'
+$script:MIOS_UNIT_WEBUI             = 'mios-webui.service'
+$script:MIOS_UNIT_HERMES_FIRSTBOOT  = 'mios-hermes-firstboot.service'
 $script:MIOS_UNIT_FIRSTBOOT_TARGET  = 'mios-firstboot.target'
 $script:MIOS_UNIT_OLLAMA_FIRSTBOOT  = 'mios-ollama-firstboot.service'
 $script:MIOS_UNIT_WSL_FIRSTBOOT     = 'mios-wsl-firstboot.service'
@@ -163,6 +178,8 @@ $script:MIOS_CONTAINER_FORGE_IMAGE      = 'codeberg.org/forgejo/forgejo:12'
 $script:MIOS_CONTAINER_LOCALAI_IMAGE    = 'docker.io/localai/localai:latest'
 $script:MIOS_CONTAINER_OLLAMA_IMAGE     = 'docker.io/ollama/ollama:latest'
 $script:MIOS_CONTAINER_SEARXNG_IMAGE    = 'docker.io/searxng/searxng:latest'
+$script:MIOS_CONTAINER_HERMES_IMAGE     = 'docker.io/nousresearch/hermes-agent:latest'
+$script:MIOS_CONTAINER_WEBUI_IMAGE      = 'docker.io/openwebui/open-webui:latest'
 
 # ── COLOR PALETTE ────────────────────────────────────────────────────
 # Hokusai + operator-neutrals palette. Vendor defaults; resolved from
 
@@ -74,6 +74,14 @@ export MIOS_VERSION
 : "${MIOS_SEARXNG_UID:=818}"
 : "${MIOS_SEARXNG_GID:=818}"
 
+: "${MIOS_HERMES_USER:=mios-hermes}"
+: "${MIOS_HERMES_UID:=820}"
+: "${MIOS_HERMES_GID:=820}"
+
+: "${MIOS_WEBUI_USER:=mios-webui}"
+: "${MIOS_WEBUI_UID:=821}"
+: "${MIOS_WEBUI_GID:=821}"
+
 # Rootless-container subuid/subgid range. Standard Fedora useradd -m
 # allocates 100000:65536; we keep the same so /etc/subuid + /etc/subgid
 # stay consistent with stock Fedora workflows.
@@ -86,6 +94,8 @@ export MIOS_AI_USER MIOS_AI_UID MIOS_AI_GID
 export MIOS_OLLAMA_USER MIOS_OLLAMA_UID MIOS_OLLAMA_GID
 export MIOS_CEPH_USER MIOS_CEPH_UID MIOS_CEPH_GID
 export MIOS_SEARXNG_USER MIOS_SEARXNG_UID MIOS_SEARXNG_GID
+export MIOS_HERMES_USER MIOS_HERMES_UID MIOS_HERMES_GID
+export MIOS_WEBUI_USER MIOS_WEBUI_UID MIOS_WEBUI_GID
 export MIOS_SUBUID_START MIOS_SUBUID_COUNT
 
 # ── IMAGES ───────────────────────────────────────────────────────────
@@ -106,10 +116,12 @@ export MIOS_LOCAL_IMAGE MIOS_BASE_IMAGE MIOS_BIB_IMAGE
 : "${MIOS_PORT_COCKPIT:=9090}"
 : "${MIOS_PORT_OLLAMA:=11434}"
 : "${MIOS_PORT_SEARXNG:=8888}"
+: "${MIOS_PORT_HERMES:=8642}"
+: "${MIOS_PORT_WEBUI:=3030}"
 : "${MIOS_PORT_COCKPIT_LINK:=19090}"   # podman-desktop discovery shim
 export MIOS_PORT_SSH MIOS_PORT_FORGE_HTTP MIOS_PORT_FORGE_SSH
 export MIOS_PORT_LOCALAI MIOS_PORT_COCKPIT MIOS_PORT_OLLAMA
-export MIOS_PORT_SEARXNG MIOS_PORT_COCKPIT_LINK
+export MIOS_PORT_SEARXNG MIOS_PORT_HERMES MIOS_PORT_WEBUI MIOS_PORT_COCKPIT_LINK
 
 # ── URLS ─────────────────────────────────────────────────────────────
 # Derived from PORTS so a single port change propagates. MIOS_AI_ENDPOINT
@@ -119,7 +131,10 @@ export MIOS_PORT_SEARXNG MIOS_PORT_COCKPIT_LINK
 : "${MIOS_COCKPIT_URL:=https://localhost:${MIOS_PORT_COCKPIT}}"
 : "${MIOS_OLLAMA_URL:=http://localhost:${MIOS_PORT_OLLAMA}}"
 : "${MIOS_SEARXNG_URL:=http://localhost:${MIOS_PORT_SEARXNG}}"
-export MIOS_AI_ENDPOINT MIOS_FORGE_URL MIOS_COCKPIT_URL MIOS_OLLAMA_URL MIOS_SEARXNG_URL
+: "${MIOS_HERMES_URL:=http://localhost:${MIOS_PORT_HERMES}/v1}"
+: "${MIOS_WEBUI_URL:=http://localhost:${MIOS_PORT_WEBUI}/}"
+export MIOS_AI_ENDPOINT MIOS_FORGE_URL MIOS_COCKPIT_URL MIOS_OLLAMA_URL
+export MIOS_SEARXNG_URL MIOS_HERMES_URL MIOS_WEBUI_URL
 
 # ── REPOS ────────────────────────────────────────────────────────────
 : "${MIOS_REPO_URL:=https://github.com/mios-dev/mios.git}"
@@ -212,6 +227,9 @@ export MIOS_AI_SYSTEM_PROMPT MIOS_MCP_REGISTRY MIOS_BUILD_ENV_FILE
 : "${MIOS_UNIT_AICHAT_IMAGE:=mios-aichat-image.service}"
 : "${MIOS_UNIT_COCKPIT_LINK:=mios-cockpit-link.service}"
 : "${MIOS_UNIT_SEARXNG:=mios-searxng.service}"
+: "${MIOS_UNIT_HERMES:=mios-hermes.service}"
+: "${MIOS_UNIT_WEBUI:=mios-webui.service}"
+: "${MIOS_UNIT_HERMES_FIRSTBOOT:=mios-hermes-firstboot.service}"
 
 # Hand-written units
 : "${MIOS_UNIT_FIRSTBOOT_TARGET:=mios-firstboot.target}"
@@ -222,6 +240,7 @@ export MIOS_AI_SYSTEM_PROMPT MIOS_MCP_REGISTRY MIOS_BUILD_ENV_FILE
 export MIOS_UNIT_AI MIOS_UNIT_FORGE MIOS_UNIT_FORGE_RUNNER MIOS_UNIT_OLLAMA
 export MIOS_UNIT_CEPH MIOS_UNIT_K3S MIOS_UNIT_AICHAT_BUILD MIOS_UNIT_AICHAT_IMAGE
 export MIOS_UNIT_COCKPIT_LINK MIOS_UNIT_SEARXNG MIOS_UNIT_FIRSTBOOT_TARGET
+export MIOS_UNIT_HERMES MIOS_UNIT_WEBUI MIOS_UNIT_HERMES_FIRSTBOOT
 export MIOS_UNIT_OLLAMA_FIRSTBOOT MIOS_UNIT_WSL_FIRSTBOOT MIOS_UNIT_USER_SESSION
 
 # ── CONTAINERS / DISTROBOX ───────────────────────────────────────────
@@ -231,10 +250,13 @@ export MIOS_UNIT_OLLAMA_FIRSTBOOT MIOS_UNIT_WSL_FIRSTBOOT MIOS_UNIT_USER_SESSION
 : "${MIOS_CONTAINER_LOCALAI_IMAGE:=docker.io/localai/localai:latest}"
 : "${MIOS_CONTAINER_OLLAMA_IMAGE:=docker.io/ollama/ollama:latest}"
 : "${MIOS_CONTAINER_SEARXNG_IMAGE:=docker.io/searxng/searxng:latest}"
+: "${MIOS_CONTAINER_HERMES_IMAGE:=docker.io/nousresearch/hermes-agent:latest}"
+: "${MIOS_CONTAINER_WEBUI_IMAGE:=docker.io/openwebui/open-webui:latest}"
 
 export MIOS_DISTROBOX_AICHAT MIOS_CONTAINER_AICHAT_IMAGE
 export MIOS_CONTAINER_FORGE_IMAGE MIOS_CONTAINER_LOCALAI_IMAGE
 export MIOS_CONTAINER_OLLAMA_IMAGE MIOS_CONTAINER_SEARXNG_IMAGE
+export MIOS_CONTAINER_HERMES_IMAGE MIOS_CONTAINER_WEBUI_IMAGE
 
 # ── COLOR PALETTE ────────────────────────────────────────────────────
 # Hokusai + operator-neutrals palette. Resolved from mios.toml [colors]
 
@@ -0,0 +1,27 @@
+# /etc/containers/systemd/ai-net.network
+# 'MiOS' AI stack network (Hermes-Agent <-> Open WebUI <-> Ollama).
+#
+# Topology mirrors the upstream deploy-aistack.sh reference flow:
+#
+#   browser -> mios-webui (3030) -> mios-hermes (8642) -> mios-ollama (11434) -> GPU
+#
+# but extended so the existing MiOS AI containers (mios-ai / LocalAI on 8080,
+# mios-searxng on 8888, mios-ollama on 11434) ALSO live on this bridge in
+# addition to mios.network. That way:
+#
+#   * The agent (mios-hermes) reaches mios-ollama by container name without
+#     leaving the bridge.
+#   * Open WebUI can target either mios-hermes (default) or mios-ai
+#     (LocalAI) as alternate /v1 backends, both via container DNS.
+#   * SearXNG is reachable from the agent's `web_search` tool surface as
+#     mios-searxng:8080 without going through host loopback.
+#
+# Subnet 10.90.0.0/24 is one octet beyond mios.network's 10.89.0.0/24 to
+# stay clear of any podman default ranges, the WSL2 eth0 prefixes
+# (10.88.x typical), and the rootful podman default (10.88.0.0/16).
+# Quadlet generates the actual podman network as 'systemd-ai-net'.
+
+[Network]
+Subnet=10.90.0.0/24
+Gateway=10.90.0.1
+Label=io.mios.network=ai-stack
@@ -14,12 +14,14 @@ ConditionPathIsDirectory=/etc/mios/ai
 [Container]
 Image=docker.io/localai/localai:latest@sha256:a6af99e17a73a92caa134e70ae84492cc47b67645c1676268a7522ad14f4c09d
 ContainerName=mios-ai
-# Single MiOS internal network so sibling Quadlets (mios-forge,
-# mios-aichat, mios-mcp, ollama, etc.) reach LocalAI by container name
-# at http://mios-ai:8080/v1 without going through host loopback. Keeps
-# the network surface KISS: one bridge, all services on it. PublishPort
-# below still maps to the host so external clients can reach :8080.
+# MiOS internal networks: mios.network is the historical core bridge
+# (mios-forge / mios-cockpit-link / mios-mcp etc.); ai-net.network is
+# the dedicated AI-stack bridge that mios-hermes / mios-webui /
+# mios-ollama / mios-searxng all share so the gateway can address
+# them by container name without leaving the bridge. Multi-network
+# membership keeps mios-ai reachable from BOTH worlds.
 Network=mios.network
+Network=ai-net.network
 PublishPort=8080:8080
 # LocalAI v4 layout: /build/models is canonical (matches MODELS_PATH /
 # upstream Containerfile WORKDIR), but /data/{outputs,collections} is
 
@@ -0,0 +1,83 @@
+# /etc/containers/systemd/mios-hermes.container
+# 'MiOS' Hermes-Agent OpenAI-compatible gateway.
+#
+# Hermes-Agent (Nous Research) sits between an Open WebUI / aichat /
+# Claude Code-style frontend and the underlying LLM backend (mios-ollama
+# by default). It exposes /v1 OpenAI-shaped endpoints with first-class
+# agent / tool-use semantics on top of any backend that lacks them, so
+# operators can drive non-Hermes models (qwen2.5-coder, granite, llama)
+# through the same agent surface.
+#
+# Defaults policy: enabled by default. ConditionPathIsDirectory guards
+# the config dir; if /etc/mios/hermes/ doesn't exist (incomplete
+# bootstrap), the unit no-ops at pre-boot rather than crash-looping.
+# mios-hermes-firstboot.service generates a fresh API_SERVER_KEY into
+# /etc/mios/hermes/api.env on first boot if missing -- that key is what
+# Open WebUI uses as its OPENAI_API_KEY when calling mios-hermes.
+
+[Unit]
+Description='MiOS' Hermes-Agent OpenAI-compatible gateway
+After=network-online.target mios-hermes-firstboot.service ollama.service
+Wants=network-online.target mios-hermes-firstboot.service
+ConditionPathIsDirectory=/etc/mios/hermes
+ConditionPathExists=/etc/mios/hermes/api.env
+
+[Container]
+Image=docker.io/nousresearch/hermes-agent:latest
+ContainerName=mios-hermes
+# Dual-network: ai-net is the canonical subnet for the AI stack
+# (Open WebUI <-> Hermes <-> Ollama), mios.network keeps the unit
+# reachable from the rest of MiOS by container name.
+Network=ai-net.network
+Network=mios.network
+PublishPort=8642:8642
+AutoUpdate=registry
+
+# Persistent state. /opt/data inside the container is where Hermes
+# stores its config.yaml, prompt history, and tool registry. Bind-mount
+# the host's /var/lib/mios/hermes there so state survives image rebuilds.
+Volume=/var/lib/mios/hermes:/opt/data:Z
+# /etc/mios/hermes/config.yaml is a vendor-shipped declarative config
+# that wires Hermes at mios-ollama:11434 by default; operators can
+# override via /etc/mios/hermes/config.local.yaml (see config.yaml's
+# trailing include directive).
+Volume=/etc/mios/hermes:/etc/hermes:Z,ro
+
+# API key + server settings come from /etc/mios/hermes/api.env, which
+# mios-hermes-firstboot.service generates on first boot via
+# `openssl rand -hex 32` if not already present. Open WebUI reads the
+# same file so the key flows through declaratively.
+EnvironmentFile=/etc/mios/hermes/api.env
+
+# Force the agent to point at MiOS's mios-ollama by container name on
+# ai-net. The deploy-aistack.sh first-run wizard prompts for these
+# interactively; we bake them in so the unit is fully declarative.
+Environment=HERMES_BACKEND_PROVIDER=ollama
+Environment=HERMES_BACKEND_BASE_URL=http://mios-ollama:11434
+Environment=HERMES_BACKEND_MODEL=qwen2.5-coder:7b
+Environment=HERMES_CONFIG_PATH=/etc/hermes/config.yaml
+
+# Identity. UID 820 is pinned in usr/lib/sysusers.d/50-mios-services.conf.
+User=820
+Group=820
+
+Label=org.opencontainers.image.title=mios-hermes
+Label=org.opencontainers.image.url=http://localhost:8642/v1/models
+Label=org.opencontainers.image.documentation=https://nousresearch.com/
+Label=io.podman_desktop.openInBrowser=http://localhost:8642/v1/models
+
+# `gateway run` is the long-lived Hermes API-server mode. The
+# alternative `setup` interactive wizard (used by deploy-aistack.sh on
+# first run) is bypassed here -- /etc/mios/hermes/config.yaml is
+# pre-shipped at build time so the gateway can start without an
+# operator-driven setup pass.
+Exec=gateway run
+
+[Service]
+Restart=on-failure
+RestartSec=10s
+TimeoutStartSec=300s
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target default.target
@@ -26,7 +26,12 @@ ConditionPathIsDirectory=/etc/mios/searxng
 # every host shape MiOS targets.
 Image=docker.io/searxng/searxng:latest@sha256:885f1cd1bb86d759aa4724a1986a61c000292823ff8eeb17d34de1a8acb74477
 ContainerName=mios-searxng
+# Dual-network: mios.network keeps the unit reachable for the rest of
+# MiOS; ai-net.network puts SearXNG on the same bridge as mios-hermes
+# so the agent's `web_search` tool can call mios-searxng:8080 by
+# container name without leaving the network.
 Network=mios.network
+Network=ai-net.network
 # 8888 host -> 8080 container. 8080 is taken by mios-ai (LocalAI's
 # OpenAI-compatible endpoint), so SearXNG goes on the next conventional
 # search-proxy port. Sibling Quadlets on mios.network reach it as
 
@@ -0,0 +1,70 @@
+# /etc/containers/systemd/mios-webui.container
+# 'MiOS' Open WebUI browser frontend.
+#
+# Open WebUI (https://github.com/open-webui/open-webui) is the
+# browser-side companion to mios-hermes / mios-ai. By default it points
+# at mios-hermes:8642/v1 (the Hermes-Agent gateway), which then proxies
+# to mios-ollama:11434 inside the ai-net bridge. Operators can also add
+# mios-ai (LocalAI on :8080) as a second OpenAI-compatible backend
+# inside the WebUI's settings panel -- both are reachable by container
+# name on the ai-net bridge.
+#
+# Port choice (3030, NOT 8080):
+#   The upstream deploy-aistack.sh maps Open WebUI to host :8080. MiOS
+#   already publishes mios-ai (LocalAI's OpenAI-compatible /v1 endpoint)
+#   on :8080 -- that port is the canonical Architectural-Law-5 surface
+#   that aichat / system prompts / agent SDKs all reference. Moving
+#   LocalAI off 8080 would break every existing client. So WebUI gets
+#   a different host port (3030) instead. Internal port stays 8080 to
+#   match upstream defaults.
+#
+# Defaults policy: enabled by default. After= mios-hermes so the
+# OPENAI_API_BASE_URL target is reachable when the frontend starts.
+
+[Unit]
+Description='MiOS' Open WebUI browser frontend
+After=network-online.target mios-hermes.service
+Wants=network-online.target
+Requires=mios-hermes.service
+
+[Container]
+Image=docker.io/openwebui/open-webui:latest
+ContainerName=mios-webui
+Network=ai-net.network
+Network=mios.network
+PublishPort=3030:8080
+AutoUpdate=registry
+
+Volume=/var/lib/mios/webui:/app/backend/data:Z
+
+# Disable the built-in Ollama API path so Open WebUI ALWAYS goes
+# through the Hermes-Agent gateway. That keeps tool-use, prompt
+# history, and rate-limiting decisions in one place rather than
+# bypassing them when the user picks a non-Hermes-aware model.
+Environment=ENABLE_OLLAMA_API=false
+Environment=OPENAI_API_BASE_URL=http://mios-hermes:8642/v1
+
+# OPENAI_API_KEY is sourced from the same /etc/mios/hermes/api.env
+# that mios-hermes itself reads, so the WebUI <-> Hermes auth pair
+# stays in sync without operator copy-paste. The key is generated on
+# first boot by mios-hermes-firstboot.service.
+EnvironmentFile=/etc/mios/hermes/api.env
+Environment=WEBUI_AUTH=true
+Environment=WEBUI_NAME=MiOS
+
+User=821
+Group=821
+
+Label=org.opencontainers.image.title=mios-webui
+Label=org.opencontainers.image.url=http://localhost:3030/
+Label=org.opencontainers.image.documentation=https://docs.openwebui.com/
+Label=io.podman_desktop.openInBrowser=http://localhost:3030/
+
+[Service]
+Restart=on-failure
+RestartSec=10s
+TimeoutStartSec=300s
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target default.target
@@ -47,6 +47,9 @@ enable greenboot-status.service
 enable redboot-auto-reboot.service
 enable cockpit.socket
 enable mios-searxng.service
+enable mios-hermes-firstboot.service
+enable mios-hermes.service
+enable mios-webui.service
 # user@1000.service starts the per-user systemd manager + user D-Bus
 # session bus for the 'mios' user (uid 1000, pinned in
 # /usr/lib/sysusers.d/10-mios.conf). Normally systemd-logind reads