AgentSkillsCN

hermes

Work with Hermes, the GCE VM that hosts the web services. Use when modifying the Hermes configuration.

SKILL.md
---
name: hermes
description: Work with hermes, the GCE VM hosting web services. Use when modifying hermes configuration.
---

Hermes (GCE VM)

Hermes is a GCE VM (e2-micro, europe-west2) running multiple web services.

Services

| Service | Port | Purpose |
|---|---|---|
| Nginx | 80, 443 | Reverse proxy, TLS termination (Cloudflare Origin SSL) |
| Authelia | 9091 | Authentication/authorization |
| ntfy.sh | 8080 | Push notifications (GCS-backed) |
| MongoDB | 27017 | Database (localhost only) |
| Redis | 6379 | Session storage for Authelia |
| fail2ban | - | Intrusion prevention |
| CVE Scanner | - | Security scanning (6-hourly watchlist, weekly packages) |

Deployment

Do NOT use `bin/activate deploy hermes`: hermes does not set `manageRemotely = true`, so that deployment path does not apply to it. Deploy by building an image instead:

```bash
# Build and upload image to GCS
build-image hermes

# Build, upload, and deploy via Terraform (recreates instance)
build-image hermes deploy

# Redeploy existing image without rebuilding
build-image hermes deploy --no-build
```

GCP Secrets Pattern

Secrets live in Secret Manager (project `modiase-infra`) and are JSON-wrapped: the stored payload is an object with a `value` key, not the bare secret. They are fetched with gcloud and unwrapped with jq:

```nix
# Secret Manager payloads on hermes look like {"value": "..."}; the raw
# payload is piped through jq to extract the secret itself.
gcloud = "${pkgs.google-cloud-sdk}/bin/gcloud";
jq = "${pkgs.jq}/bin/jq";   # reference jq by store path; systemd units have no useful PATH
getSecret = name:
  "${gcloud} secrets versions access latest --secret=${name} --project=modiase-infra | ${jq} -er '.value'";
```

`jq -e` exits non-zero when `.value` is missing or null, so a payload that was stored unwrapped (or with the wrong key) fails the calling unit instead of silently producing the literal string `null` as the secret.
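The same unwrap logic in stand-alone form, as an added example that is not part of the page or the hermes configuration. It mirrors the gcloud-plus-jq pipeline above but treats a missing, null or empty `value` as an error, and takes the fetcher as a parameter so the failure cases can be exercised offline with constructed payloads (the `FAKE_STORE` entries, `SecretError`, and the function names are this example's own; the real fetcher runs the same gcloud command the Nix snippet does).

```python
"""JSON-wrapped Secret Manager payloads: unwrap with strict validation.

Added example; not the hermes project's code. The gcloud invocation is the
one from the page's Nix snippet; everything else is illustrative.
"""
import json
import subprocess
from typing import Callable

PROJECT = "modiase-infra"  # project named in the page


class SecretError(RuntimeError):
    """Raised when a payload is not a usable JSON-wrapped secret."""


def unwrap_secret(raw: str) -> str:
    """Return the secret inside a {"value": "..."} payload.

    Behaves like `jq -er '.value'`: a payload without a string value is an
    error rather than the literal text "null".
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise SecretError(f"secret payload is not JSON: {exc}") from None
    if not isinstance(doc, dict) or "value" not in doc:
        raise SecretError("secret payload has no 'value' key")
    value = doc["value"]
    if not isinstance(value, str) or value == "":
        raise SecretError("secret 'value' is empty or not a string")
    return value


def gcloud_fetch(name: str, project: str = PROJECT) -> str:
    """Real fetcher: the same gcloud command the Nix getSecret helper runs."""
    return subprocess.run(
        ["gcloud", "secrets", "versions", "access", "latest",
         f"--secret={name}", f"--project={project}"],
        check=True, capture_output=True, text=True,
    ).stdout


def get_secret(name: str, fetch: Callable[[str], str] = gcloud_fetch) -> str:
    """Fetch and unwrap one secret; `fetch` is injectable for testing."""
    return unwrap_secret(fetch(name))


# Constructed sample payloads (not real secrets) covering the shapes that
# the jq -r pipeline would mishandle.
FAKE_STORE = {
    "cloudflare-origin-key": '{"value": "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED\\n-----END PRIVATE KEY-----"}',
    "wrong-key": '{"val": "stored under the wrong key"}',
    "unwrapped": "plaintext-secret-that-was-never-wrapped",
    "null-value": '{"value": null}',
}


def fake_fetch(name: str) -> str:
    """Offline stand-in for gcloud_fetch."""
    try:
        return FAKE_STORE[name]
    except KeyError:
        raise SecretError(f"no such secret: {name}") from None


if __name__ == "__main__":
    key = get_secret("cloudflare-origin-key", fetch=fake_fetch)
    print("ok:", key.splitlines()[0])
    for bad in ("wrong-key", "unwrapped", "null-value", "missing"):
        try:
            get_secret(bad, fetch=fake_fetch)
        except SecretError as exc:
            print(f"{bad}: rejected ({exc})")
```

Run it as is to see the four rejected payloads; swap `fake_fetch` for the default `gcloud_fetch` on a host with gcloud credentials to read real values.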

Key Gotchas

  • Behind Cloudflare - the client address is in the CF-Connecting-IP header, not the TCP peer address; only trust that header on connections that actually come from Cloudflare's edge ranges, since anyone who reaches the origin directly can set it to anything
  • Hardened SSH - ChaCha20-Poly1305, MaxAuthTries=3, PermitRootLogin=prohibit-password
  • No root sudo - security.sudo.enable = false
  • SSL key from Secret Manager - Fetched at startup by fetch-ssl-key service
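How the Cloudflare gotcha plays out in code, as an added example rather than anything from the hermes configuration: the function decides which address fail2ban or Authelia should act on. The edge ranges below are constructed documentation prefixes (203.0.113.0/24 and 2001:db8:cf::/48) standing in for Cloudflare's published list at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the function names are this example's own.

```python
"""Derive the real client IP behind Cloudflare without trusting spoofable headers.

Added example; not the hermes project's code. On hermes itself this logic
lives in nginx (set_real_ip_from + real_ip_header CF-Connecting-IP), and
fail2ban reads the resulting address from the access log.
"""
import ipaddress
from typing import Mapping

# Constructed placeholder ranges. A real deployment loads the current
# Cloudflare edge ranges from https://www.cloudflare.com/ips-v4 and /ips-v6
# and refreshes them periodically; hard-coding stale ranges silently drops
# trust for new edges (clients then appear as the edge's address).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # TEST-NET-3 standing in for an IPv4 edge range
    "2001:db8:cf::/48",  # documentation prefix standing in for an IPv6 edge range
)]


def from_cloudflare(peer: str) -> bool:
    """True when the TCP peer address belongs to one of the edge ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip(peer: str, headers: Mapping[str, str]) -> str:
    """Return the address to attribute the request to.

    CF-Connecting-IP is honoured only when the connection arrived from a
    Cloudflare edge; otherwise the header is attacker-controlled and the
    TCP peer is the client. A malformed header value falls back to the peer.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cf_ip = hdrs.get("cf-connecting-ip")
    if cf_ip and from_cloudflare(peer):
        try:
            return str(ipaddress.ip_address(cf_ip.strip()))
        except ValueError:
            pass  # unparseable header from an edge node: attribute to the edge itself
    return str(ipaddress.ip_address(peer))


if __name__ == "__main__":
    # Constructed requests: one via the edge, one direct-to-origin with a forged header.
    print(client_ip("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}))  # client behind CF
    print(client_ip("192.0.2.5", {"CF-Connecting-IP": "198.51.100.7"}))     # forged; peer wins
```

Direct-to-origin traffic should normally be blocked at the GCE firewall anyway, but the check above is what keeps a forged header from poisoning fail2ban's ban list or Authelia's rate limiting if that firewall rule is ever loosened.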

Task

$ARGUMENTS