feat: add Paperclip env example file with placeholder secrets

Add env/.env.example.paperclip documenting the two required environment variables for the Paperclip agent orchestrator services: - PAPERCLIP_DB_PASSWORD -- PostgreSQL password for paperclip-db - PAPERCLIP_AUTH_SECRET -- Better Auth secret key for token signing Users copy this to .env and fill in the secrets before deploying.
feat(ai): add Dockerfile with curl, poppler-utils, imagemagick
2026-05-20 14:28:31 -04:00 · 2026-04-29 21:32:20 +00:00
5 changed files with 60 additions and 76 deletions
--- a/ai/Dockerfile
+++ b/ai/Dockerfile
@@ -15,13 +15,7 @@ ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
-        curl poppler-utils imagemagick \
-        chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
-        libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
-        qemu-user-static binfmt-support qemu-user-binfmt \
-        emacs-nox \
-        libportaudio2 && \
+        curl poppler-utils imagemagick && \
    rm -rf /var/lib/apt/lists/*

 # Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
@@ -60,8 +54,7 @@ RUN chmod -R a+rX /opt/hermes

 # ---------- Python virtualenv ----------
 RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]" && \
-    uv pip install --no-cache-dir sounddevice numpy faster-whisper
+    uv pip install --no-cache-dir -e ".[all]"

 # ---------- Runtime ----------
 ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -1,32 +1,32 @@
 version: "3.8"
 services:

-  # webui:
-  #   image: ghcr.io/open-webui/open-webui:main
-  #   volumes:
-  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
-  #   restart: always
-  #   environment:
-  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
-  #   networks:
-  #     - ai_net
-  #     - ai_backend
-  #   labels:
-  #     - "traefik.enable=true"
+  webui:
+    image: ghcr.io/open-webui/open-webui:main
+    volumes:
+      - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+    restart: always
+    environment:
+      - OLLAMA_API_BASE_URL=http://ollama:11434/api
+    networks:
+      - ai_net
+      - ai_backend
+    labels:
+      - "traefik.enable=true"

-  #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-http.entrypoints=web"
-  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-http.entrypoints=web"
+      - "traefik.http.routers.webui-http.middlewares=redirect-to-https"

-  #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
-  #     - "traefik.http.routers.webui-https.tls=true"
-  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+      # Router for HTTPS with TLS
+      - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-https.entrypoints=websecure"
+      - "traefik.http.routers.webui-https.tls=true"
+      - "traefik.http.routers.webui-https.tls.certresolver=njalla"

  hermes:
-    build: ./
+    image: nousresearch/hermes-agent:latest
    container_name: hermes
    restart: always
    # Gateway run enables the internal API server on port 8642
--- a/coms/compose.yml
+++ b/coms/compose.yml
@@ -1,15 +1,15 @@
 version: "3.9"
 services:
-  # nomadnet:
-  #   image: ghcr.io/markqvist/nomadnet:master
-  #   container_name: nomadnet
-  #   restart: always
-  #   volumes:
-  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
-  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
-  #   # Reticulum transport must be reachable directly (NOT through Traefik)
-  #   ports:
-  #     - "4242:4242"
+  nomadnet:
+    image: ghcr.io/markqvist/nomadnet:master
+    container_name: nomadnet
+    restart: always
+    volumes:
+      - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+      - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+    # Reticulum transport must be reachable directly (NOT through Traefik)
+    ports:
+      - "4242:4242"

  synapse:
    image: ghcr.io/element-hq/synapse:latest
--- a/env/.env.example.paperclip
+++ b/env/.env.example.paperclip
@@ -0,0 +1,26 @@
+# Paperclip Environment Variables
+# Copy this file to your .env (at the compose root or docker-compose working directory)
+# and fill in the secrets.
+#
+#   cp env/.env.example.paperclip .env
+#
+# Then reference it from compose.yml:
+#   env_file:
+#     - path: .env
+#       required: true
+
+# ---------------------------------------------------------------------------
+# Database
+# ---------------------------------------------------------------------------
+# PostgreSQL password for the paperclip-db service.
+# Generate a strong random password:
+#   openssl rand -base64 32
+PAPERCLIP_DB_PASSWORD=change_me_to_a_strong_random_password
+
+# ---------------------------------------------------------------------------
+# Authentication
+# ---------------------------------------------------------------------------
+# Secret key used by Better Auth for signing and verifying tokens.
+# Generate a strong random secret:
+#   openssl rand -base64 32
+PAPERCLIP_AUTH_SECRET=change_me_to_a_strong_random_secret
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -1,35 +0,0 @@
-version: "3.8"
-
-services:
-  wireguard:
-    image: weejewel/wg-easy:latest
-    container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    environment:
-      - WG_HOST=vpn.lazyworkhorse.net
-      - PASSWORD=${WG_PASSWORD}
-      - WG_PORT=51820
-      - WG_DEFAULT_ADDRESS=10.8.0.x
-      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
-      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
-      - WG_PERSISTENT_KEEPALIVE=25
-      - UI_TRAFFIC_STATS=true
-      - UI_CHART_TYPE=0
-    ports:
-      - "51820:51820/udp"
-      - "51821:51821/tcp"
-    volumes:
-      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv4.ip_forward=1
-    restart: unless-stopped
-    networks:
-      - vpn_net
-
-networks:
-  vpn_net:
-    external: true
-    name: vpn_net