docs: add remote access guide and Docker troubleshooting table (#519)
Addresses #514 by documenting the env vars needed for LAN/Tailscale
deployments (HERMES_PASSWORD, COOKIE_SECURE, API_SERVER_KEY,
GATEWAY_ALLOW_ALL_USERS) and providing a docker-compose.override.yml
example for publishing ports without loopback binding.
Added troubleshooting table for common Docker startup errors.
Co-authored-by: Aurora <myaurora.agi@gmail.com>
README.md: 51 additions & 0 deletions
@@ -451,6 +451,57 @@ Open `http://localhost:3000` and complete the onboarding.
451
451
452
452
> **Verify:** Check the Docker logs for `[gateway] Connected to Hermes Agent` — this confirms the workspace successfully connected to the agent.
453
453
454
+
### Remote Access (LAN / Tailscale / VPN)
455
+
456
+
The default compose file binds ports to `127.0.0.1` (localhost only). To access the workspace from other devices on your network, you need to:
457
+
458
+
**1. Publish ports without the loopback restriction.** Create a `docker-compose.override.yml`:
459
+
460
+
```yaml
461
+
services:
462
+
hermes-agent:
463
+
ports:
464
+
- '8642:8642'
465
+
hermes-workspace:
466
+
ports:
467
+
- '3000:3000'
468
+
```
469
+
470
+
**2. Add these env vars to `.env`:**
471
+
472
+
```env
473
+
# Required: workspace session password (the workspace refuses to start on 0.0.0.0 without it)
474
+
HERMES_PASSWORD=your-strong-secret-here
475
+
476
+
# Required for plain-HTTP LAN access (browsers drop Secure cookies over http://)
477
+
COOKIE_SECURE=0
478
+
479
+
# Recommended: gateway auth token (prevents unauthenticated API access on your LAN)
480
+
API_SERVER_KEY=***
481
+
482
+
# If the gateway refuses to start with "No user allowlists configured":
483
+
GATEWAY_ALLOW_ALL_USERS=true
484
+
```
485
+
486
+
**3. Restart the stack:**
487
+
488
+
```bash
489
+
docker compose down && docker compose up -d
490
+
```
491
+
492
+
> **HTTPS behind a reverse proxy?** If you terminate TLS at a reverse proxy (Traefik, Nginx, Caddy, Tailscale Funnel), set `COOKIE_SECURE=1` instead and add `TRUST_PROXY=1` so IP classification works correctly.
493
+
494
+
### Troubleshooting Docker
495
+
496
+
| Symptom | Fix |
497
+
|---|---|
498
+
| `[workspace] refusing to start — HERMES_PASSWORD is unset` | Add `HERMES_PASSWORD=<secret>` to `.env` |
499
+
| Login silently fails (no error, page reloads) | Add `COOKIE_SECURE=0` for HTTP, or `COOKIE_SECURE=1` + HTTPS |
500
+
| `[Api_Server] Refusing to start: binding to 0.0.0.0 requires API_SERVER_KEY` | Add `API_SERVER_KEY=*** to `.env` |
501
+
| `No user allowlists configured. All unauthorized users will be denied.` | Add `GATEWAY_ALLOW_ALL_USERS=true` to `.env` |
502
+
| `CLAUDE_DASHBOARD_TOKEN is not set` warning | Set `CLAUDE_DASHBOARD_TOKEN` to the same value as `API_SERVER_KEY` |
503
+
| 500 Internal Server Error on login after setting all the above | Clear browser cookies for the workspace domain, then retry |
504
+
454
505
### Building from source
455
506
456
507
Want to hack on the workspace and have local changes hot-built into the
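Review bot: In the step 2 `.env` block, `GATEWAY_ALLOW_ALL_USERS=true` is offered as the fix for "No user allowlists configured" (and again in the troubleshooting table) without saying that, going by its name, it admits every user on ports this same section has just published beyond loopback. Say so explicitly and present configuring an allowlist as the preferred fix, with the allow-all setting as a fallback for trusted networks only. In the same block `API_SERVER_KEY` is commented as "Recommended", yet the troubleshooting row "binding to 0.0.0.0 requires API_SERVER_KEY" shows the API server refuses to start without it, so the comment should read "Required" for this setup. `API_SERVER_KEY=***` reads like a masked value rather than a placeholder; use `API_SERVER_KEY=<secret>` to match the `HERMES_PASSWORD=<secret>` row, and close the missing backtick after `***` in that table cell so the row renders. It would also help to note beside `COOKIE_SECURE=0` that the password and session cookie then travel over plain HTTP, which is why the reverse-proxy note's `COOKIE_SECURE=1` path is the better choice outside a VPN.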