fix: use ln -sf instead of update-alternatives --set

update-alternatives fails because iptables-nft isn't registered
as an alternative key (only iptables-legacy was registered by
the official Dockerfile). Direct symlink override works.

ai/compose.yml

@@ -96,62 +96,6 @@ services:
       - "303"
       - "26"
 
-  paperclip-db:
-    image: postgres:17-alpine
-    container_name: paperclip-db
-    restart: always
-    environment:
-      POSTGRES_USER: paperclip
-      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
-      POSTGRES_DB: paperclip
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
-      interval: 5s
-      timeout: 5s
-      retries: 10
-    volumes:
-      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
-    networks:
-      - ai_backend
-
-  paperclip:
-    build:
-      context: ./paperclip
-    container_name: paperclip
-    restart: always
-    ports:
-      - "127.0.0.1:3100:3100"
-    environment:
-      - HOST=0.0.0.0
-      - PORT=3100
-      - SERVE_UI=true
-      - DATABASE_URL=postgres://paperclip:${PAPERCLIP_DB_PASSWORD}@paperclip-db:5432/paperclip
-      - BETTER_AUTH_SECRET=${PAPERCLIP_AUTH_SECRET:?PAPERCLIP_AUTH_SECRET must be set}
-      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
-      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
-      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
-    volumes:
-      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
-    depends_on:
-      paperclip-db:
-        condition: service_healthy
-    networks:
-      - ai_net
-      - ai_backend
-    labels:
-      - "traefik.enable=true"
-
-      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
-      - "traefik.http.routers.paperclip-http.entrypoints=web"
-      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
-
-      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
-      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
-      - "traefik.http.routers.paperclip-https.tls=true"
-      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
-
-      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
-
 networks:
   ai_net:
     external: true

ai/paperclip/Dockerfile

@@ -1,47 +0,0 @@
-# syntax=docker/dockerfile:1.20
-FROM ghcr.io/paperclipai/paperclip:v2026.517.0
-
-# ── Install Hermes adapter npm package into seed directory ──────────
-# This seed data gets copied to the persistent volume on first boot
-# so the adapter is available without network access.
-USER root
-
-RUN npm install --no-save --prefix /opt/paperclip-seed/adapter-plugins \
-    hermes-paperclip-adapter@0.3.0
-
-# Create adapter-plugins.json metadata (Paperclip reads this on startup
-# to discover which external adapters to load)
-RUN mkdir -p /opt/paperclip-seed && python3 -c "
-import json
-record = {
-    'packageName': 'hermes-paperclip-adapter',
-    'version': '0.3.0',
-    'type': 'hermes',
-    'installedAt': '2026-05-18T00:00:00.000Z',
-}
-with open('/opt/paperclip-seed/adapter-plugins.json', 'w') as f:
-    json.dump([record], f, indent=2)
-"
-
-# Ensure the adapter-plugins dir has a package.json (Paperclip expects one)
-RUN python3 -c "
-import json
-pkg = {
-    'name': 'paperclip-adapter-plugins',
-    'version': '0.0.0',
-    'private': True,
-    'description': 'Managed directory for Paperclip external adapter plugins.',
-}
-with open('/opt/paperclip-seed/adapter-plugins/package.json', 'w') as f:
-    json.dump(pkg, f, indent=2)
-"
-
-# ── Custom entrypoint ──────────────────────────────────────────────
-# Seeds the Hermes adapter on fresh volumes, then runs original logic.
-COPY docker-entrypoint.sh /usr/local/bin/paperclip-entrypoint.sh
-RUN chmod +x /usr/local/bin/paperclip-entrypoint.sh
-
-USER node
-
-ENTRYPOINT ["/usr/local/bin/paperclip-entrypoint.sh"]
-CMD ["node", "--import", "./server/node_modules/tsx/dist/loader.mjs", "server/dist/index.js"]

ai/paperclip/docker-entrypoint.sh

@@ -1,35 +0,0 @@
-#!/bin/sh
-set -e
-
-# ── Seed Hermes adapter if volume is fresh ──────────────────────────
-PAPERCLIP_HOME="${PAPERCLIP_HOME:-/paperclip}"
-if [ ! -f "${PAPERCLIP_HOME}/adapter-plugins.json" ]; then
-    echo "[paperclip] Seeding Hermes adapter plugin..."
-    cp -r /opt/paperclip-seed/* "${PAPERCLIP_HOME}/"
-    chown -R "${USER_UID:-1000}:${USER_GID:-1000}" \
-        "${PAPERCLIP_HOME}/adapter-plugins" \
-        "${PAPERCLIP_HOME}/adapter-plugins.json"
-    echo "[paperclip] Hermes adapter seeded. Ready to create Hermes agents."
-fi
-
-# ── Original entrypoint logic (UID/GID adjustment) ──────────────────
-PUID="${USER_UID:-1000}"
-PGID="${USER_GID:-1000}"
-changed=0
-
-if [ "$(id -u node)" -ne "$PUID" ]; then
-    usermod -o -u "$PUID" node
-    changed=1
-fi
-
-if [ "$(id -g node)" -ne "$PGID" ]; then
-    groupmod -o -g "$PGID" node
-    usermod -g "$PGID" node
-    changed=1
-fi
-
-if [ "$changed" = "1" ]; then
-    chown -R node:node "${PAPERCLIP_HOME}"
-fi
-
-exec gosu node "$@"

versioncontrol/compose.yml

@@ -8,10 +8,13 @@ services:
       - USER_GID=1000
       - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
       - GITEA__actions__ENABLED=true
+      - GITEA__actions__DEFAULT_ACTIONS_URL=off
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
       # Enable Gitea Actions (act_runner required on host)
       - GITEA__actions__ENABLED=true
+      # Don't fetch actions from GitHub (offline mode + local only)
+      - GITEA__actions__DEFAULT_ACTIONS_URL=off
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks:

vpn/Dockerfile

@@ -3,7 +3,7 @@
 FROM ghcr.io/wg-easy/wg-easy:latest
 
 # The upstream image registers only iptables-legacy with update-alternatives.
-# iptables-nft binary exists but isn't registered as an alternative key.
+# iptables-nft binary exists but isn't registered as an alternative.
 # Override the alternatives-managed symlinks directly.
 RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
     ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables