fix: add iptables-nft to wg-easy for nftables-only kernels

wg-easy's Alpine wg-quick uses legacy iptables which requires the
iptable_nat kernel module. On NixOS kernels compiled without legacy
netfilter modules, the container crashes in a restart loop:

  iptables v1.8.3 (legacy): can't initialize iptables table 'nat'
  Table does not exist (do you need to insmod?)

Fix: build a custom image that installs Alpine's iptables-nft package
and symlinks iptables -> iptables-nft (nftables backend).

ai/Dockerfile

@@ -108,5 +108,9 @@ ENV PATH="/opt/data/.local/bin:${PATH}"
 
 VOLUME [ "/opt/data" ]
 
+# Copie du script de réparation des permissions (lancement au démarrage)
+COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
+
 # Le conteneur tourne de manière ultra-sécurisée sous l'utilisateur hermes dès le départ
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]
+# fix-permissions.sh chown les répertoires critiques avant de chaîner vers entrypoint.sh
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]

ai/fix-permissions.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Startup permission fix for the Hermes data volume.
+# Runs as root before the entrypoint drops to the hermes user.
+# Fixes files that were created by root (host agent, cron jobs, etc.)
+# becoming inaccessible to the hermes runtime user.
+set -e
+
+HERMES_HOME="${HERMES_HOME:-/opt/data}"
+
+# Fix ownership on critical writable directories so hermes user can access them
+chown -R hermes:hermes \
+  "$HERMES_HOME/sessions" \
+  "$HERMES_HOME/checkpoints" \
+  "$HERMES_HOME/skills" \
+  "$HERMES_HOME/memories" \
+  "$HERMES_HOME/workspace" \
+  "$HERMES_HOME/pastes" \
+  "$HERMES_HOME/logs" \
+  "$HERMES_HOME/cron" \
+  "$HERMES_HOME/plans" \
+  "$HERMES_HOME/hooks" \
+  "$HERMES_HOME/cache" \
+  2>/dev/null || true
+
+# Also fix the data volume root if it's wrong
+if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
+  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
+fi
+
+# Now chain to the real entrypoint
+exec /opt/hermes/docker/entrypoint.sh "$@"

vpn/Dockerfile

@@ -0,0 +1,16 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM weejewel/wg-easy:latest
+
+# Alpine's iptables-nft provides iptables that uses nftables kernel API
+# instead of the legacy iptable_nat module. This works on kernels
+# where only nftables netfilter modules are available.
+RUN apk add --no-cache iptables-nft
+
+# Ensure iptables-nft takes priority over legacy iptables
+RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
+    ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
+    ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
+    ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
+    ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
+    ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore

vpn/compose.yml

@@ -2,7 +2,10 @@ version: "3.8"
 
 services:
   wireguard:
-    image: weejewel/wg-easy:latest
+    build:
+      context: ./vpn
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
     container_name: wireguard
     cap_add:
       - NET_ADMIN