# tentaflake.dev — AI context file

## About

tentaflake is a NixOS flake template for running multiple isolated Hermes AI agents on one machine. Each agent gets its own Linux user, state directory, Docker container, and API keys. Real OS-level isolation declared in three lines of Nix.

## Key facts

- Type: NixOS flake template (not a SaaS, not a hosted service)
- License: MIT
- Author: github.com/timfewi
- Language: Nix (flake.nix), Go (hermes-auditd)
- Agents: unlimited per host (each isolated by Linux user + Docker container)
- Secrets: agenix (.age files, encrypted in-repo, decrypted at build time)
- State: /var/lib/hermes-, chmod 0700
- Networking: Tailscale mesh VPN (optional), nftables firewall
- Audio: Piper TTS server, OpenAI-compatible /v1/audio/speech on :5001
- Audit: hermes-auditd Go daemon — fsnotify watcher, SQLite (WAL)
- Install: bootable USB ISO with dialog TUI wizard
- Deploy: nixos-rebuild switch --flake .#agent-host

## Pages

- Home: https://tentaflake.dev/ — full landing page, features, architecture, comparison, modules, roadmap
- 404: https://tentaflake.dev/404 — branded error page

## Repositories

- Main repo: https://github.com/timfewi/tentaflake
- Website: https://github.com/timfewi/tentaflake-website

## Quick start (3 steps)

1. git clone https://github.com/timfewi/tentaflake
2. nix build .#installer-iso
3. sudo nixos-rebuild switch --flake .#agent-host

## Core primitives

1. AGENTS — mkHermesAgent function, define any number of isolated agents
2. AGENIX — encrypted secrets per agent, committed safely
3. DOCKER — ephemeral stateless containers, state on mounted volumes
4. NIXOS — fully declarative, atomic rollback
5. LOCKFILE — flake.lock pins every input, reproducible fleet
6. TTS — built-in Piper TTS server
7. ISO — bootable installer with TUI wizard
8. AUDITD — filesystem audit daemon
9. TAILSCALE — mesh VPN, agents reachable on tailnet, exposed to nothing else

## Architecture

NixOS Flake → shared services bus → agent tentacles (one per role) → shared services (Piper TTS, Tailscale, Docker, agenix). Each tentacle = { Linux user, state dir, Docker container, agenix key }.
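As an added illustration of the tentacle model above (this is not tentaflake's own mkHermesAgent, whose signature the page does not show), a hypothetical mkIsolatedAgent helper that declares the four parts of one tentacle with stock NixOS and agenix options; the image name, uids and the ./secrets path layout are assumptions.

```nix
# Added example: a hypothetical mkIsolatedAgent, not the project's mkHermesAgent.
# One call = one tentacle: Linux user, 0700 state dir, agenix key, Docker container.
{ config, lib, ... }:

let
  mkIsolatedAgent = name: { uid, image }:
    let
      user  = "hermes-${name}";
      state = "/var/lib/hermes-${name}";
    in {
      # 1. Dedicated user/group with a fixed uid, so the container can be
      #    pinned to exactly this identity and nothing else on the host.
      users.groups.${user}.gid = uid;
      users.users.${user} = {
        isSystemUser = true;
        group = user;
        inherit uid;
        home = state;
      };

      # 2. Private state directory (chmod 0700): other agents cannot read it.
      systemd.tmpfiles.rules = [ "d ${state} 0700 ${user} ${user} -" ];

      # 3. Per-agent API keys: the .age file is committed encrypted and is
      #    decrypted on the host readable only by this agent's user.
      age.secrets."${user}-env" = {
        file = ./secrets + "/${user}.age";   # assumed repo layout
        owner = user;
        group = user;
        mode = "0400";
      };

      # 4. Ephemeral container: runs as the agent's uid with all capabilities
      #    dropped; only the state volume and the decrypted env file reach it.
      virtualisation.oci-containers.containers.${user} = {
        inherit image;
        volumes = [ "${state}:/state" ];
        environmentFiles = [ config.age.secrets."${user}-env".path ];
        extraOptions = [ "--user=${toString uid}:${toString uid}" "--cap-drop=ALL" ];
      };
    };
in
{
  config = lib.mkMerge [
    { virtualisation.oci-containers.backend = "docker"; }
    (mkIsolatedAgent "research" { uid = 3001; image = "hermes:latest"; })  # assumed image
    (mkIsolatedAgent "ops"      { uid = 3002; image = "hermes:latest"; })
  ];
}
```

Each additional agent is one more mkIsolatedAgent call in the mkMerge list; the uid, directory mode and secret ownership are what keep two agents on the same host from reading each other's state or keys.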