feat(ai): add LaTeX typesetting stack (PR 3/5)

Add TeXLive packages for PDF generation from Org-mode and LaTeX documents:
- texlive-latex-base: Core LaTeX packages
- texlive-latex-extra: Additional LaTeX packages
- texlive-fonts-recommended: Recommended fonts
- texlive-xetex: XeTeX engine for Unicode support
- texlive-science: Science/math packages

Depends on PR #7 and #8

ai/Dockerfile

@@ -18,10 +18,7 @@ RUN apt-get update && \
         curl poppler-utils imagemagick \
         chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
         libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science && \
-        qemu-user-static binfmt-support qemu-user-binfmt \
-        emacs-nox \
-        libportaudio2 && \
     rm -rf /var/lib/apt/lists/*
 
 # Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
@@ -60,8 +57,7 @@ RUN chmod -R a+rX /opt/hermes
 
 # ---------- Python virtualenv ----------
 RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]" && \
+    uv pip install --no-cache-dir -e ".[all]"
-    uv pip install --no-cache-dir sounddevice numpy faster-whisper
 
 # ---------- Runtime ----------
 ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist

ai/compose.yml

@@ -1,32 +1,32 @@
 version: "3.8"
 services:
 
-  # webui:
+  webui:
-  #   image: ghcr.io/open-webui/open-webui:main
+    image: ghcr.io/open-webui/open-webui:main
-  #   volumes:
+    volumes:
-  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+      - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
-  #   restart: always
+    restart: always
-  #   environment:
+    environment:
-  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
+      - OLLAMA_API_BASE_URL=http://ollama:11434/api
-  #   networks:
+    networks:
-  #     - ai_net
+      - ai_net
-  #     - ai_backend
+      - ai_backend
-  #   labels:
+    labels:
-  #     - "traefik.enable=true"
+      - "traefik.enable=true"
 
-  #     # Router for HTTP + redirection to HTTPS
+      # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-http.entrypoints=web"
+      - "traefik.http.routers.webui-http.entrypoints=web"
-  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
 
-  #     # Router for HTTPS with TLS
+      # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
+      - "traefik.http.routers.webui-https.entrypoints=websecure"
-  #     - "traefik.http.routers.webui-https.tls=true"
+      - "traefik.http.routers.webui-https.tls=true"
-  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+      - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./
+    image: nousresearch/hermes-agent:latest
     container_name: hermes
     restart: always
     # Gateway run enables the internal API server on port 8642
@@ -38,13 +38,7 @@ services:
       - API_SERVER_HOST=0.0.0.0
       - API_SERVER_KEY=hermes_local_key
       - GATEWAY_ALLOW_ALL_USERS=true
-      - OPENROUTER_API_KEY=${OPEN...KEY}
+      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
-      # ROCm for GPU-accelerated faster-whisper STT
-      - HSA_OVERRIDE_GFX_VERSION=9.0.6
-      - HCC_AMDGPU_TARGET=gfx906
-      - HIP_VISIBLE_DEVICES=0,1
-      - ROCR_VISIBLE_DEVICES=0,1
-      - HSA_ENABLE_SDMA=0
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
     devices:

coms/compose.yml

@@ -1,15 +1,15 @@
 version: "3.9"
 services:
-  # nomadnet:
+  nomadnet:
-  #   image: ghcr.io/markqvist/nomadnet:master
+    image: ghcr.io/markqvist/nomadnet:master
-  #   container_name: nomadnet
+    container_name: nomadnet
-  #   restart: always
+    restart: always
-  #   volumes:
+    volumes:
-  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+      - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
-  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+      - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
-  #   # Reticulum transport must be reachable directly (NOT through Traefik)
+    # Reticulum transport must be reachable directly (NOT through Traefik)
-  #   ports:
+    ports:
-  #     - "4242:4242"
+      - "4242:4242"
 
   synapse:
     image: ghcr.io/element-hq/synapse:latest

network/compose.yml

@@ -13,20 +13,17 @@ services:
       - "--certificatesresolvers.njalla.acme.storage=/letsencrypt/acme.json"
       - "--certificatesresolvers.njalla.acme.httpchallenge.entrypoint=web"
 
-      - "--log.level=INFO"
+      - "--log.level=DEBUG"
-      - "--log.filepath=/var/log/traefik/traefik.log"
-      - "--accesslog.filepath=/var/log/traefik/access.log"
       - "--providers.docker=true"
       - "--providers.docker.exposedByDefault=false"
     ports:
       - "80:80"
       - "443:443"
     environment:
-      - NJALLA_TOKEN=***
+      - NJALLA_TOKEN=${NJALLA_TOKEN}
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /mnt/HoardingCow_docker_data/Traefik:/letsencrypt
-      - /var/log/traefik:/var/log/traefik
     restart: unless-stopped
     networks:
       - traefik_backend

vpn/compose.yml

@@ -1,35 +0,0 @@
-version: "3.8"
-
-services:
-  wireguard:
-    image: weejewel/wg-easy:latest
-    container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    environment:
-      - WG_HOST=vpn.lazyworkhorse.net
-      - PASSWORD=${WG_PASSWORD}
-      - WG_PORT=51820
-      - WG_DEFAULT_ADDRESS=10.8.0.x
-      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
-      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
-      - WG_PERSISTENT_KEEPALIVE=25
-      - UI_TRAFFIC_STATS=true
-      - UI_CHART_TYPE=0
-    ports:
-      - "51820:51820/udp"
-      - "51821:51821/tcp"
-    volumes:
-      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv4.ip_forward=1
-    restart: unless-stopped
-    networks:
-      - vpn_net
-
-networks:
-  vpn_net:
-    external: true
-    name: vpn_net