fix: add TZ=America/Montreal for correct cron scheduling

Merge pull request 'feat(hermes): Piper TTS (local US male, no cloud)' (#17 ) from feat/voice-support-v2 into master
Reviewed-on: #17
2026-05-09 19:49:54 +00:00 · 2026-05-09 19:39:11 +00:00 · 2026-05-09 19:18:16 +00:00 · 2026-05-09 19:03:10 +00:00 · 2026-05-09 17:47:30 +00:00 · 2026-05-09 17:44:55 +00:00
16 changed files with 1314 additions and 40 deletions
--- a/ai/Dockerfile
+++ b/ai/Dockerfile
@@ -0,0 +1,73 @@
+# 1. On récupère la version la plus récente d'UV
+FROM ghcr.io/astral-sh/uv:latest AS uv_source
+
+# 2. Image officielle Hermes Agent de NousResearch
+# Contient déjà: Python, Node.js, npm, Playwright/Chromium, venv, tts_tool.py, etc.
+FROM nousresearch/hermes-agent:latest
+
+# ---------- System dependencies ----------
+# The official hermes-agent image already has: git, curl, ffmpeg, python3,
+# gcc, build-essential, openssh-client, procps, tini, ripgrep, docker-cli,
+# libportaudio2, ca-certificates, etc.
+#
+# These extras we need to add back:
+#   - poppler-utils, imagemagick  (PDF/image processing)
+#   - texlive-*                   (LaTeX typesetting for reports)
+#   - qemu-user-static, binfmt-support (QEMU cross-compilation)
+#   - emacs-nox                   (text editing in container)
+USER root
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        libportaudio2 \
+        ca-certificates \
+        poppler-utils \
+        imagemagick \
+        texlive-latex-base \
+        texlive-latex-extra \
+        texlive-fonts-recommended \
+        texlive-xetex \
+        texlive-science \
+        qemu-user-static \
+        binfmt-support \
+        emacs-nox && \
+    rm -rf /var/lib/apt/lists/*
+
+# ---------- UV (hyperfast pip alternative) ----------
+COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
+
+WORKDIR /opt/hermes
+
+# ---------- Piper TTS dans le venv existant ----------
+# Le venv de l'image de base est root-owned, on doit installer en root aussi
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir piper-tts sounddevice numpy
+
+# ---------- Télécharger la voix Piper Ryan (high quality) ----------
+RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
+    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request
+base = '/opt/hermes/.venv/share/piper/voices'
+url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
+urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
+urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
+PYEOF
+
+# ---------- Patch tts_tool.py: remplacer Edge TTS par Piper ----------
+# Edge TTS appelle les serveurs Microsoft — on ne veut jamais ça.
+# Piper roule localement sur CPU, aucun cloud, aucune donnée qui sort.
+COPY patch_tts_tool.py /tmp/patch_tts_tool.py
+RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py
+
+# ---------- Runtime ----------
+# Retour à l'utilisateur non-root pour la sécurité
+USER hermes
+
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+
+VOLUME [ "/opt/data" ]
+
+# Script de réparation des permissions + patch TTS au démarrage
+COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
+
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -0,0 +1,300 @@
+version: "3.8"
+services:
+
+  # webui:
+  #   image: ghcr.io/open-webui/open-webui:main
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+  #   restart: always
+  #   environment:
+  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
+  #   networks:
+  #     - ai_net
+  #     - ai_backend
+  #   labels:
+  #     - "traefik.enable=true"
+
+  #     # Router for HTTP + redirection to HTTPS
+  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-http.entrypoints=web"
+  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+
+  #     # Router for HTTPS with TLS
+  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
+  #     - "traefik.http.routers.webui-https.tls=true"
+  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+
+  hermes:
+    build: ./
+    container_name: hermes
+    restart: always
+    # Gateway run enables the internal API server on port 8642
+    command: gateway run
+    environment:
+      - OLLAMA_HOST=http://ollama:11434
+      - API_SERVER_ENABLED=true
+      - API_SERVER_PORT=8642
+      - API_SERVER_HOST=0.0.0.0
+      - API_SERVER_KEY=hermes_local_key
+      - GATEWAY_ALLOW_ALL_USERS=true
+      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+      # ROCm for GPU-accelerated faster-whisper STT
+      - HSA_OVERRIDE_GFX_VERSION=9.0.6
+      - HCC_AMDGPU_TARGET=gfx906
+      - HIP_VISIBLE_DEVICES=0,1
+      - ROCR_VISIBLE_DEVICES=0,1
+      - HSA_ENABLE_SDMA=0
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+    devices:
+      - /dev/kfd:/dev/kfd
+      - /dev/dri:/dev/dri
+    group_add:
+      - "303"
+      - "26"
+    networks:
+      - ai_backend
+
+  ollama:
+    image: ollama/ollama:latest
+    container_name: ollama
+    privileged: true
+    tty: true
+    restart: always 
+    ports:
+      - "127.0.0.1:11434:11434"
+    networks:
+      - ai_backend
+    volumes:
+      - /mnt/HoardingCow_docker_data/Ollama/ollama:/root/.ollama
+    environment:
+      - OLLAMA_VULKAN=0
+      - HSA_OVERRIDE_GFX_VERSION=9.0.6
+      - HCC_AMDGPU_TARGET=gfx906
+      - HIP_VISIBLE_DEVICES=0,1
+      - ROCR_VISIBLE_DEVICES=0,1
+      - HSA_ENABLE_SDMA=0 
+      - OLLAMA_HOST=0.0.0.0
+      - OLLAMA_DEBUG=1
+      - OLLAMA_FLASH_ATTENTION=0
+      - OLLAMA_NUM_PARALLEL=2
+    devices:
+      # Map the render nodes and KFD for ROCm to work inside the container
+      - /dev/kfd:/dev/kfd
+      - /dev/dri:/dev/dri
+    group_add:
+      - "303"
+      - "26"
+
+networks:
+  ai_net:
+    external: true
+    name: ai_net
+  ai_backend:
+    driver: bridge
+    name: ai_backend
+    
+  # llama_cpp_devstral:
+  #   image: ghcr.io/ggml-org/llama.cpp:server-rocm
+  #   container_name: llama_cpp_devstral
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_backend
+  #   ports:
+  #     - "8300:8080"
+  #   ipc: host
+  #   devices:
+  #     - "/dev/kfd:/dev/kfd"
+  #     - "/dev/dri:/dev/dri"
+  #   group_add:
+  #     - "303" # video
+  #     - "26"  # render
+  #   environment:
+  #     HSA_OVERRIDE_GFX_VERSION: 9.0.6
+  #     HIP_VISIBLE_DEVICES: 0,1
+  #     LLAMA_CACHE: /models
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Llama_cpp/models:/models
+  #     - /mnt/HoardingCow_docker_data/Llama_cpp/devstral-agent.jinja:/template.jinja
+  #   command: >
+  #     -hf unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF:Devstral-Small-2-24B-Instruct-2512-Q8_0.gguf
+  #     -a devstral-2-small-llama_cpp
+  #     --chat-template-file /template.jinja
+  #     --host 0.0.0.0
+  #     --port 8080
+  #     --n-gpu-layers 99
+  #     --ctx-size 163840
+  #     --batch-size 4096
+  #     --ubatch-size 4096
+  #     --cache-type-k f16
+  #     --cache-type-v f16
+  #     --cache-reuse 256
+  #     --flash-attn on
+  #     --context-shift
+  #     --split-mode layer
+  #     --no-mmap
+  #     --n-predict -1
+  #     --parallel 2
+
+  # vllm:
+  #   image: nalanzeyu/vllm-gfx906:v0.9.0-rocm6.3
+  #   container_name: vllm
+  #   # Required for multi-GPU communication (NCCL)
+  #   ipc: host 
+  #   init: true
+  #   shm_size: '2g' 
+  #   networks:
+  #     - ai_backend
+  #   ports:
+  #     - "8300:8000"
+  #   devices:
+  #     - "/dev/kfd:/dev/kfd"
+  #     - "/dev/dri:/dev/dri"
+  #   group_add:
+  #     - "303"
+  #     - "26"
+  #   environment:
+  #     HSA_OVERRIDE_GFX_VERSION: 9.0.6
+  #     HSA_ENABLE_SDMA: 0
+  #     HIP_VISIBLE_DEVICES: 0,1
+  #     NCCL_P2P_DISABLE: 1
+  #     VLLM_WORKER_MULTIPROC_METHOD: spawn
+  #     VLLM_USE_TRITON_FLASH_ATTN: 0
+  #     VLLM_USE_ROCM_CUSTOM_PAGED_ATTN: 0
+  #     VLLM_ATTENTION_BACKEND: ROPE_NAIVE
+  #     VLLM_SKIP_WARMUP: 1
+  #     VLLM_USE_V1: 0
+  #     HF_TOKEN: ${HF_TOKEN}
+  #   command: >
+  #     vllm serve "mistralai/Devstral-Small-2-24B-Instruct-2512" 
+  #     --tensor-parallel-size 2
+  #     --max-model-len 8192
+  #     --gpu-memory-utilization 0.90
+  #     --tokenizer_mode mistral
+  #     --config_format auto
+  #     --load-format auto
+  #     --enforce-eager
+  #     --disable-custom-all-reduce
+  #     --trust-remote-code
+  #     --task generate
+  #     --block-size 16
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/vllm/models:/root/.cache/huggingface
+  #   restart: unless-stopped
+
+  # n8n:
+  #   image: n8nio/n8n:latest
+  #   container_name: n8n
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_net
+  #   environment:
+  #     - N8N_HOST=n8n.lazyworkhorse.net
+  #     - N8N_PORT=5678
+  #     - N8N_PROTOCOL=https
+  #     - NODE_ENV=production
+  #     - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
+  #     - WEBHOOK_URL=https://n8n.lazyworkhorse.net/
+  #     - GENERIC_TIMEZONE=America/New_York # Adjust to your timezone
+  #     - N8N_BLOCK_EXTERNAL_STORAGE_ACCESS=false
+  #     - N8N_NODES_PYTHON_CAN_IMPORT_MODULES=true 
+  #     - N8N_NATIVE_PYTHON_RUNNER=true
+  #     - N8N_PYTHON_ALLOW_STDLIB=uuid,re,os,json
+  #     - N8N_PYTHON_ALLOW_EXTERNAL=requests,pandas
+  #     - NODE_FUNCTION_ALLOW_EXTERNAL=uuid,requests
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/n8n:/home/node/.n8n
+  #   labels:
+  #     - "traefik.enable=true"
+
+  #     # Router for HTTP + redirection to HTTPS
+  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.n8n-http.entrypoints=web"
+  #     - "traefik.http.routers.n8n-http.middlewares=redirect-to-https"
+
+  #     # Router for HTTPS with TLS
+  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.n8n-https.entrypoints=websecure"
+  #     - "traefik.http.routers.n8n-https.tls=true"
+  #     - "traefik.http.routers.n8n-https.tls.certresolver=njalla"
+
+  #     # Service Loadbalancer (n8n default port)
+  #     - "traefik.http.services.n8n.loadbalancer.server.port=5678"
+
+  # openclaw:
+  #   image: coollabsio/openclaw:latest
+  #   container_name: openclaw
+  #   restart: unless-stopped
+  #   expose:
+  #     - "8080"  # WebUI
+  #     - "18789" # Gateway/WebSocket
+  #     - "8788"  # Nextcloud Webhook
+  #   networks:
+  #     - ai_net
+  #     - ai_backend
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/openclaw/data:/data
+  #     - /home/gortium/infra:/data/workspace/infra
+  #   environment:
+  #     - TZ=America/Toronto
+  #     - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
+  #     - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+  #     # Point to the sidecar browser
+  #     - BROWSER_CDP_URL=http://openclaw-browser:9222
+  #     - BROWSER_EVALUATE_ENABLED=true
+  #     - OPENCLAW_GATEWAY_HOST=0.0.0.0
+  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.lazyworkhorse.net
+  #   labels:
+  #     - "traefik.enable=true"
+
+  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.openclaw-http.entrypoints=web"
+  #     - "traefik.http.routers.openclaw-http.middlewares=redirect-to-https"
+
+  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.openclaw-https.priority=50"
+  #     - "traefik.http.routers.openclaw-https.entrypoints=websecure"
+  #     - "traefik.http.routers.openclaw-https.tls=true"
+  #     - "traefik.http.routers.openclaw-https.tls.certresolver=njalla"
+  #     - "traefik.http.services.openclaw.loadbalancer.server.port=8080"
+  #   depends_on:
+  #     - openclaw-browser
+
+  # openclaw-browser:
+  #   image: ghcr.io/browserless/chromium:latest
+  #   restart: always
+  #   expose:
+  #     - "3000"
+  #   environment:
+  #     - MAX_CONCURRENT_SESSIONS=10
+  #     - CONNECTION_TIMEOUT=300000
+  #     - PREBOOT_CHROME=true
+  #     - DEMO_MODE=false
+  #   networks:
+  #     ai_backend:
+  #       aliases:
+  #         - browser
+
+  # openclaw-ssh:
+  #   image: linuxserver/openssh-server:latest
+  #   container_name: openclaw-ssh
+  #   environment:
+  #     - PUID=1000
+  #     - PGID=1000
+  #     - PUBLIC_KEY_FILE=/config/ssh/authorized_keys
+  #     - SUDO_ACCESS=false
+  #     - PASSWORD_ACCESS=false
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config
+  #     - /home/gortium/infra:/data/workspace/infra:ro
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_backend
+  #   labels:
+  #     - "traefik.enable=true"
+  #     - "traefik.tcp.routers.openclaw-ssh.rule=HostSNI(*)"
+  #     - "traefik.tcp.routers.openclaw-ssh.entrypoints=sshnode"
+  #     - "traefik.tcp.routers.openclaw-ssh.tls.passthrough=false"
+  #     - "traefik.tcp.services.openclaw-ssh.loadbalancer.server.port=2222"
--- a/ai/fix-permissions.sh
+++ b/ai/fix-permissions.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Startup permission fix + TTS patch.
+# Runs as root before the entrypoint drops to the hermes user.
+set -e
+
+HERMES_HOME="${HERMES_HOME:-/opt/data}"
+
+# Fix ownership on critical writable directories
+chown -R hermes:hermes \
+  "$HERMES_HOME/sessions" \
+  "$HERMES_HOME/checkpoints" \
+  "$HERMES_HOME/skills" \
+  "$HERMES_HOME/memories" \
+  "$HERMES_HOME/workspace" \
+  "$HERMES_HOME/pastes" \
+  "$HERMES_HOME/logs" \
+  "$HERMES_HOME/cron" \
+  "$HERMES_HOME/plans" \
+  "$HERMES_HOME/hooks" \
+  "$HERMES_HOME/cache" \
+  2>/dev/null || true
+
+# Fix data volume root ownership
+if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
+  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
+fi
+
+# ---------- Patch tts_tool.py: replace Edge TTS with Piper ----------
+# Fallback runtime patch in case the volume's site-packages differ from the image.
+# Idempotent: if already patched, the script does nothing.
+PATCH_SCRIPT="/opt/hermes/patch_tts_tool.py"
+if [ -f "$PATCH_SCRIPT" ]; then
+  echo "Applying TTS patch (Piper only, no Edge fallback)..."
+  /opt/hermes/.venv/bin/python3 "$PATCH_SCRIPT" 2>&1 || true
+fi
+
+# Chain to the official Hermes entrypoint
+exec /opt/hermes/docker/entrypoint.sh "$@"
--- a/ai/patch_tts_tool.py
+++ b/ai/patch_tts_tool.py
@@ -0,0 +1,181 @@
+#!/usr/bin/env python3
+"""Patch Hermes TTS tool: add Piper TTS provider, remove Edge TTS as default.
+
+Patches ALL copies of tts_tool.py found (venv site-packages + /opt/hermes/tools/).
+
+Searches multiple paths for tts_tool.py so it works both at build time
+(in the image venv) and at runtime (on the mounted data volume).
+
+Idempotent: if already patched, does nothing.
+"""
+
+import sys
+import os
+
+# ---------------------------------------------------------------------------
+# Search for all copies of tts_tool.py
+# ---------------------------------------------------------------------------
+CANDIDATE_PATHS = [
+    "/opt/hermes/.venv/lib/python3.13/site-packages/tools/tts_tool.py",
+    "/opt/hermes/tools/tts_tool.py",
+]
+
+found_paths = []
+
+for p in CANDIDATE_PATHS:
+    if os.path.exists(p):
+        found_paths.append(p)
+        print(f"Found tts_tool.py at: {p}")
+
+# Also try to find via Python import
+import subprocess
+try:
+    result = subprocess.run(
+        [sys.executable, "-c", "import tools.tts_tool; print(tools.tts_tool.__file__)"],
+        capture_output=True, text=True, timeout=5
+    )
+    if result.returncode == 0:
+        p = result.stdout.strip()
+        if os.path.exists(p) and p not in found_paths:
+            found_paths.append(p)
+            print(f"Found tts_tool.py via import at: {p}")
+except Exception:
+    pass
+
+if not found_paths:
+    print("WARNING: tts_tool.py not found anywhere. Patching deferred to runtime.")
+    print(f"Searched: {CANDIDATE_PATHS}")
+    sys.exit(0)
+
+# ---------------------------------------------------------------------------
+# Old else block: the Edge TTS default fallback to replace
+# ---------------------------------------------------------------------------
+old_else = '''        else:
+            # Default: Edge TTS (free), with NeuTTS as local fallback
+            edge_available = True
+            try:
+                _import_edge_tts()
+            except ImportError:
+                edge_available = False
+
+            if edge_available:
+                logger.info("Generating speech with Edge TTS...")
+                try:
+                    import concurrent.futures
+                    with concurrent.futures.ThreadPoolExecutor(max_workers=1) as pool:
+                        pool.submit(
+                            lambda: asyncio.run(_generate_edge_tts(text, file_str, tts_config))
+                        ).result(timeout=60)
+                except RuntimeError:
+                    asyncio.run(_generate_edge_tts(text, file_str, tts_config))
+            elif _check_neutts_available():
+                logger.info("Edge TTS not available, falling back to NeuTTS (local)...")
+                provider = "neutts"
+                _generate_neutts(text, file_str, tts_config)
+            else:
+                return json.dumps({
+                    "success": False,
+                    "error": "No TTS provider available. Install edge-tts (pip install edge-tts) "
+                             "or set up NeuTTS for local synthesis."
+                }, ensure_ascii=False)'''
+
+# ---------------------------------------------------------------------------
+# New block: elif provider == "piper" + else: fallback with Piper only
+# ---------------------------------------------------------------------------
+new_block = '''        elif provider == "piper":
+            # Piper TTS (local, CPU, no cloud, no Microsoft)
+            piper_binary = "/opt/hermes/.venv/bin/piper"
+            piper_config = tts_config.get("piper", {})
+            voice = piper_config.get("voice", "en_US-lessac-medium")
+            model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
+            model_path = os.path.join(model_dir, f"{voice}.onnx")
+            if not os.path.exists(model_path):
+                return json.dumps({
+                    "success": False,
+                    "error": "Piper TTS voice model not found. "
+                             "Install Piper TTS and download a voice model."
+                }, ensure_ascii=False)
+            logger.info("Generating speech with Piper TTS (local, CPU)...")
+            import subprocess as _sp
+            cmd = [piper_binary, "--model", model_path, "--output-raw"]
+            try:
+                proc = _sp.Popen(cmd, stdin=_sp.PIPE, stdout=_sp.PIPE, stderr=_sp.PIPE)
+                raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
+                if proc.returncode != 0:
+                    raise RuntimeError(f"Piper TTS failed: {stderr.decode()[:200]}")
+                ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
+                _sp.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
+            except Exception as e:
+                return json.dumps({
+                    "success": False,
+                    "error": f"Piper TTS failed: {e}"
+                }, ensure_ascii=False)
+
+        else:
+            # Default: Piper TTS (local, CPU, no cloud, no Microsoft)
+            piper_binary = "/opt/hermes/.venv/bin/piper"
+            piper_config = tts_config.get("piper", {})
+            voice = piper_config.get("voice", "en_US-lessac-medium")
+            model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
+            model_path = os.path.join(model_dir, f"{voice}.onnx")
+            if os.path.exists(model_path) and os.path.exists(piper_binary):
+                logger.info("Generating speech with Piper TTS (local, CPU)...")
+                import subprocess as _sp
+                cmd = [piper_binary, "--model", model_path, "--output-raw"]
+                try:
+                    proc = _sp.Popen(cmd, stdin=_sp.PIPE, stdout=_sp.PIPE, stderr=_sp.PIPE)
+                    raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
+                    if proc.returncode != 0:
+                        raise RuntimeError(stderr.decode()[:200])
+                    ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
+                    _sp.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
+                except Exception:
+                    pass
+            else:
+                return json.dumps({
+                    "success": False,
+                    "error": "Piper TTS not available. Install piper-tts and download a voice model."
+                }, ensure_ascii=False)'''
+
+# ---------------------------------------------------------------------------
+# Apply the patch to all copies found
+# ---------------------------------------------------------------------------
+patched_any = False
+
+for tts_path in found_paths:
+    with open(tts_path) as f:
+        code = f.read()
+
+    if 'provider == "piper"' in code:
+        print(f"ALREADY PATCHED: {tts_path}")
+        continue
+
+    if old_else in code:
+        code = code.replace(old_else, new_block, 1)
+        with open(tts_path, 'w') as f:
+            f.write(code)
+        print(f"PATCHED: {tts_path}")
+        patched_any = True
+    else:
+        print(f"SKIP {tts_path}: Edge fallback pattern not found")
+        import re
+        for m in re.finditer(r'        else:\n            # Default:', code):
+            start = max(0, m.start() - 100)
+            end = min(len(code), m.end() + 300)
+            print(f"  Found 'else:/# Default:' at position {m.start()}:")
+            print(f"  {code[start:end]}")
+            print("  ---")
+        # Don't exit with error — if one copy isn't patchable, try the others
+
+if not patched_any:
+    all_patched = all(
+        'provider == "piper"' in open(p).read()
+        for p in found_paths
+    )
+    if all_patched:
+        print("All copies already patched.")
+        sys.exit(0)
+    print("WARNING: Could not patch any copy of tts_tool.py")
+    sys.exit(1)
+
+print("tts_tool.py patched successfully across all copies.")
--- a/authentification/compose.yml
+++ b/authentification/compose.yml
@@ -0,0 +1,36 @@
+version: "3.8"
+
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    volumes:
+      - /mnt/HoardingCow_docker_data/Authelia:/config
+    networks:
+      - auth_net
+    restart: always 
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP router
+      - "traefik.http.routers.authelia-http.rule=Host(`auth.lazyworkhorse.net`)"
+      - "traefik.http.routers.authelia-http.entrypoints=web"
+      - "traefik.http.routers.authelia-http.middlewares=redirect-to-https"
+
+      # HTTPS router
+      - "traefik.http.routers.authelia-https.rule=Host(`auth.lazyworkhorse.net`)"
+      - "traefik.http.routers.authelia-https.entrypoints=websecure"
+      - "traefik.http.routers.authelia-https.tls=true"
+      - "traefik.http.routers.authelia-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+
+      # forward auth middleware definition
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net"
+      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+
+networks:
+  auth_net:
+    external: true
+    name: auth_net
--- a/backup/compose.yml
+++ b/backup/compose.yml
@@ -0,0 +1,100 @@
+version: "3.8"
+
+services:
+  # kopia:
+  #   image: kopia/kopia:latest
+  #   container_name: kopia
+  #   restart: unless-stopped
+  #   # We explicitly run as root (0:0) to solve the CHDIR issue, 
+  #   # OR we make sure the host folders match UID 1000.
+  #   user: "0:0" 
+  #   command:
+  #     - server
+  #     - start
+  #     - --address=0.0.0.0:51515
+  #     - --server-username=${KOPIA_SERVER_USER}
+  #     - --server-password=${KOPIA_SERVER_PASSWORD}
+  #     - --config-file=/app/config/repository.config
+  #     - --disable-csrf-token-checks
+  #     - --insecure
+  #   environment:
+  #     - TZ=America/Montreal
+  #     - KOPIA_PASSWORD=${KOPIA_PASSWORD}
+  #     - USER=${KOPIA_USER}
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Kopia/config:/app/config
+  #     - /mnt/HoardingCow_docker_data/Kopia/cache:/app/cache
+  #     - /mnt/HoardingCow_docker_data/Kopia/repository:/repository
+  #     # Required if you want to use the 'Mount' feature later
+  #     - /tmp:/tmp:shared
+  #     # Required for mounting backups as drives
+  #   cap_add:
+  #     - SYS_ADMIN
+  #   devices:
+  #     - /dev/fuse:/dev/fuse
+  #   networks:
+  #     - traefik-net
+  #   labels:
+  #     - "traefik.enable=true"
+  #     # 1. HTTP to HTTPS Redirect
+  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.kopia-http.entrypoints=web"
+  #     - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
+  #     
+  #     # 2. HTTPS Configuration
+  #     - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.kopia.entrypoints=websecure"
+  #     - "traefik.http.routers.kopia.tls=true"
+  #     - "traefik.http.routers.kopia.tls.certresolver=njalla"
+  #     
+  #     # 3. Backend Service Config
+  #     - "traefik.http.services.kopia.loadbalancer.server.port=51515"
+
+  restic-server:
+    image: restic/restic:latest
+    container_name: restic-server
+    restart: always 
+    user: "0:0"
+    command: ["server", "--listen", ":8080", "--repo", "/data", "--tls-cert", "", "--tls-key", ""]
+    environment:
+      - TZ=America/Montreal
+      - RESTIC_PASSWORD=${RESTIC_PASSWORD}
+    volumes:
+      - /mnt/HoardingCow_docker_data/Restic/data:/data
+      # Mount paths to backup (adjust as needed)
+      - /mnt/HoardingCow_docker_data:/source:ro
+    networks:
+      - backup_net
+    labels:
+      - "traefik.enable=false" # Internal only, accessed by restic-browser
+
+  restic-browser:
+    image: embergarage/restic-browser:latest
+    container_name: restic-browser
+    restart: always 
+    environment:
+      - TZ=America/Montreal
+      - RESTIC_REPOSITORY=http://restic-server:8080
+      - RESTIC_PASSWORD=${RESTIC_PASSWORD}
+    networks:
+      - backup_net
+    labels:
+      - "traefik.enable=true"
+      # 1. HTTP to HTTPS Redirect
+      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.lazyworkhorse.net`)"
+      - "traefik.http.routers.restic-browser-http.entrypoints=web"
+      - "traefik.http.routers.restic-browser-http.middlewares=redirect-to-https@docker"
+      
+      # 2. HTTPS Configuration
+      - "traefik.http.routers.restic-browser.rule=Host(`backup.lazyworkhorse.net`)"
+      - "traefik.http.routers.restic-browser.entrypoints=websecure"
+      - "traefik.http.routers.restic-browser.tls=true"
+      - "traefik.http.routers.restic-browser.tls.certresolver=njalla"
+      
+      # 3. Backend Service Config
+      - "traefik.http.services.restic-browser.loadbalancer.server.port=8000"
+
+networks:
+  backup_net:
+    external: true
+    name: backup_net
--- a/cloudstorage/compose.yml
+++ b/cloudstorage/compose.yml
@@ -0,0 +1,82 @@
+version: "3.9"
+services:
+  nextcloud:
+    image: nextcloud:latest
+    container_name: nextcloud
+    restart: always
+    networks:
+      - cloud_net
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=America/Toronto
+      # Database connection
+      - MYSQL_HOST=nextcloud_mariadb
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
+      # Reverse Proxy Overrides (Crucial for HTTPS behind Traefik)
+      - OVERWRITEPROTOCOL=https
+      - OVERWRITECLIURL=https://cloud.lazyworkhorse.net
+      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.lazyworkhorse.net
+    volumes:
+      - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
+    depends_on:
+      - nextcloud_mariadb
+    labels:
+      - "traefik.enable=true"
+
+      # Router for HTTP -> HTTPS Redirection (Matching your Gitea style)
+      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.lazyworkhorse.net`)"
+      - "traefik.http.routers.nextcloud-http.entrypoints=web"
+      - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS
+      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.lazyworkhorse.net`)"
+      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud-https.tls=true"
+      - "traefik.http.routers.nextcloud-https.tls.certresolver=njalla"
+
+      # Middlewares: Redirection + Nextcloud DAV fixes
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.nextcloud-dav.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-dav.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=https://$$1/remote.php/dav/"
+      
+      # Apply both redirection and DAV fixes
+      - "traefik.http.routers.nextcloud-https.middlewares=nextcloud-dav"
+
+  nextcloud_cron:
+    image: nextcloud:latest
+    container_name: nextcloud_cron
+    restart: always 
+    networks:
+      - cloud_net
+    entrypoint: /cron.sh
+    volumes:
+      - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
+    depends_on:
+      - nextcloud
+
+  nextcloud_mariadb:
+    image: mariadb:latest
+    container_name: nextcloud_mariadb
+    restart: unless-stopped
+    networks:
+      - cloud_internal
+    environment:
+      - MYSQL_RANDOM_ROOT_PASSWORD=yes
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
+      - MYSQL_DATABASE=nextcloud
+    volumes:
+      - /mnt/HoardingCow_docker_data/NextCloud/database:/var/lib/mysql:rw
+    # command: ["--innodb-force-recovery=6"]
+
+networks:
+  cloud_net:
+    external: true
+    name: cloud_net
+  cloud_internal:
+    driver: bridge
+    name: cloud_internal
--- a/coms/compose.yml
+++ b/coms/compose.yml
@@ -0,0 +1,110 @@
+version: "3.9"
+services:
+  # nomadnet:
+  #   image: ghcr.io/markqvist/nomadnet:master
+  #   container_name: nomadnet
+  #   restart: always
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+  #   # Reticulum transport must be reachable directly (NOT through Traefik)
+  #   ports:
+  #     - "4242:4242"
+
+  synapse:
+    image: ghcr.io/element-hq/synapse:latest
+    container_name: synapse
+    restart: always
+    volumes:
+      - /mnt/HoardingCow_docker_data/Matrix/data:/data
+    networks:
+      - coms_net
+      - coms_backend
+    depends_on:
+      synapse-db:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.matrix-http.rule=Host(`matrix.lazyworkhorse.net`)"
+      - "traefik.http.routers.matrix-http.entrypoints=web"
+      - "traefik.http.routers.matrix-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.matrix-https.rule=Host(`matrix.lazyworkhorse.net`)"
+      - "traefik.http.routers.matrix-https.entrypoints=websecure"
+      - "traefik.http.routers.matrix-https.tls=true"
+      - "traefik.http.routers.matrix-https.tls.certresolver=njalla"
+      - "traefik.http.services.matrix-https.loadbalancer.server.port=8008"
+      - "traefik.docker.network=coms_net"
+
+  synapse-db:
+    image: postgres:17-alpine
+    container_name: synapse-db
+    restart: always
+    environment:
+      - POSTGRES_USER=synapse
+      - POSTGRES_PASSWORD=${SYNAPSE_DB_PASSWORD}
+      - POSTGRES_DB=synapse
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - /mnt/HoardingCow_docker_data/Matrix/db:/var/lib/postgresql/data
+    networks:
+      - coms_backend
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U synapse"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      
+  synapse-admin:
+    image: awesometechnologies/synapse-admin:latest
+    container_name: synapse-admin
+    restart: always
+    networks:
+      - coms_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.lazyworkhorse.net`)"
+      - "traefik.http.routers.synapse-admin-http.entrypoints=web"
+      - "traefik.http.routers.synapse-admin-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.lazyworkhorse.net`)"
+      - "traefik.http.routers.synapse-admin-https.entrypoints=websecure"
+      - "traefik.http.routers.synapse-admin-https.tls=true"
+      - "traefik.http.routers.synapse-admin-https.tls.certresolver=njalla"
+      - "traefik.http.services.synapse-admin.loadbalancer.server.port=80"
+
+  # rbrowser:
+  #   build: 
+  #     context: https://github.com/fr33n0w/rBrowser.git#main
+  #   container_name: rbrowser
+  #   restart: unless-stopped
+  #   user: "1000:1000"
+  #   depends_on:
+  #     - nomadnet
+  #   volumes:
+  #     # share Reticulum identity + network state
+  #     - /mnt/HoardingCow_docker_data/Reticulum:/home/appuser/.reticulum
+  #   networks:
+  #     - traefik-net
+  #   labels:
+  #     - "traefik.enable=true"
+  #
+  #     # HTTP → HTTPS
+  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.rns-http.entrypoints=web"
+  #     - "traefik.http.routers.rns-http.middlewares=redirect-to-https"
+  #
+  #     # HTTPS protected by Authelia
+  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.rns-https.entrypoints=websecure"
+  #     - "traefik.http.routers.rns-https.tls=true"
+  #     - "traefik.http.routers.rns-https.tls.certresolver=njalla"
+  #     - "traefik.http.routers.rns-https.middlewares=authelia-auth"
+  #
+  #     - "traefik.http.services.rns.loadbalancer.server.port=5000"
+
+networks:
+  coms_net:
+    external: true
+    name: coms_net
+  coms_backend:
+    driver: bridge
+    name: coms_backend
--- a/finance/compose.yml
+++ b/finance/compose.yml
@@ -0,0 +1,40 @@
+version: "3.9"
+
+services:
+  fava:
+    image: yegle/fava
+    container_name: fava
+    environment:
+      - BEANCOUNT_FILE=/data/beancount_finance_vault/ledger/main/tpouplier.beancount
+    volumes:
+      - /mnt/HoardingCow_docker_data/Fava:/data
+    networks:
+      - finance_net
+    restart: always
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP → HTTPS redirect
+      - "traefik.http.routers.fava-http.rule=Host(`money.lazyworkhorse.net`)"
+      - "traefik.http.routers.fava-http.entrypoints=web"
+      - "traefik.http.routers.fava-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # HTTPS router protected by Authelia
+      - "traefik.http.routers.fava-https.rule=Host(`money.lazyworkhorse.net`)"
+      - "traefik.http.routers.fava-https.entrypoints=websecure"
+      - "traefik.http.routers.fava-https.tls=true"
+      - "traefik.http.routers.fava-https.tls.certresolver=njalla"
+      - "traefik.http.routers.fava-https.middlewares=fava-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.fava-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.fava-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Internal port
+      - "traefik.http.services.fava.loadbalancer.server.port=5000"
+
+networks:
+  finance_net:
+    external: true
--- a/homeautomation/compose.yml
+++ b/homeautomation/compose.yml
@@ -0,0 +1,95 @@
+services:
+
+  homeassistant:
+    image: ghcr.io/home-assistant/home-assistant:stable
+    container_name: homeassistant
+    restart: always
+    privileged: true
+    # Was needed for someting.. but dont remember. Deactivated for now.
+    # network_mode: host  # Discovery (mDNS/Bluetooth) requires this
+    environment:
+      - TZ=America/Toronto
+    volumes:
+      - /mnt/HoardingCow_docker_data/Home_Assistant:/config:rw
+    networks:
+      - home_auto_net
+      - home_auto_backend
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.hass-http.rule=Host(`home.lazyworkhorse.net`)"
+      - "traefik.http.routers.hass-http.entrypoints=web"
+      - "traefik.http.routers.hass-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.hass-https.rule=Host(`home.lazyworkhorse.net`)"
+      - "traefik.http.routers.hass-https.entrypoints=websecure"
+      - "traefik.http.routers.hass-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.hass.loadbalancer.server.port=8123"
+      - "traefik.http.services.hass.loadbalancer.server.scheme=http"
+      # Trusted proxy defined in configuration.yml
+
+  mosquitto:
+    image: eclipse-mosquitto
+    volumes:
+      - /mnt/HoardingCow_docker_data/Mosquitto:/mosquitto
+    networks:
+      - home_auto_backend
+    # ports:
+    #   - 1883:1883
+    #   - 9001:9001
+
+  hydroqc2mqtt:
+    image: registry.gitlab.com/hydroqc/hydroqc2mqtt:1.3.0
+    restart: always
+    networks:
+      - home_auto_backend
+    environment:
+      MQTT_USERNAME: hass
+      MQTT_PASSWORD: ${MQTT_PASSWORD}
+      MQTT_HOST: 192.168.1.3
+      MQTT_PORT: 1883
+      HQ2M_CONTRACTS_0_NAME: maison
+      HQ2M_CONTRACTS_0_USERNAME: thierrypouplier@gmail.com
+      HQ2M_CONTRACTS_0_PASSWORD: ${HQ2M_CONTRACTS_0_PASSWORD}
+      HQ2M_CONTRACTS_0_CUSTOMER: ${HQ2M_CONTRACTS_0_CUSTOMER}
+      HQ2M_CONTRACTS_0_ACCOUNT: ${HQ2M_CONTRACTS_0_ACCOUNT}
+      HQ2M_CONTRACTS_0_CONTRACT: ${HQ2M_CONTRACTS_0_CONTRACT} 
+      HQ2M_CONTRACTS_0_RATE: 'D'
+      HQ2M_CONTRACTS_0_RATE_OPTION: 'NONE'
+      HQ2M_CONTRACTS_0_SYNC_HOURLY_CONSUMPTION_ENABLED: "true"
+      HQ2M_CONTRACTS_0_HOME_ASSISTANT_WEBSOCKET_URL: http://homeassistant:8123/api/websocket
+      HQ2M_CONTRACTS_0_HOME_ASSISTANT_TOKEN: ${HQ2M_CONTRACTS_0_HOME_ASSISTANT_TOKEN}
+
+  # grocy:
+  #   entrypoint:
+  #     - /init
+  #   environment:
+  #     - PUID=1000
+  #     - PGID=1000
+  #     - TZ=America/Toronto
+  #   image: lscr.io/linuxserver/grocy
+  #   ports:
+  #     - 9283:80/tcp
+  #   restart: unless-stopped
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Grocy/config:/config:rw
+
+  # node-red:
+  #   image: nodered/node-red:latest
+  #   environment:
+  #     - NODE_RED_UID=1000
+  #     - NODE_RED_GID=1000
+  #     - TZ=UTC
+  #   ports:
+  #     - "1880:1880"
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Node-Red/data:/data
+  #   restart: unless-stopped
+
+networks:
+  home_auto_net:
+    external: true
+  home_auto_backend:
+    driver: bridge
+    name: home_auto_backend
--- a/homepage/compose.yml
+++ b/homepage/compose.yml
@@ -0,0 +1,41 @@
+services:
+  homer:
+    image: b4bz/homer
+    container_name: homer
+    environment:
+      - UID=1000
+      - GID=1000
+      - TZ=America/Toronto
+      - PORT=8080
+    volumes:
+      - /mnt/HoardingCow_docker_data/Homer/assets:/www/assets:rw
+    restart: always
+    networks:
+      - homepage_net
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP → HTTPS redirect
+      - "traefik.http.routers.homer-http.rule=Host(`lazyworkhorse.net`)"
+      - "traefik.http.routers.homer-http.entrypoints=web"
+      - "traefik.http.routers.homer-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # HTTPS router protected by Authelia
+      - "traefik.http.routers.homer-https.rule=Host(`lazyworkhorse.net`)"
+      - "traefik.http.routers.homer-https.entrypoints=websecure"
+      - "traefik.http.routers.homer-https.tls=true"
+      - "traefik.http.routers.homer-https.tls.certresolver=njalla"
+      - "traefik.http.routers.homer-https.middlewares=homer-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.homer-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.homer-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Internal port
+      - "traefik.http.services.homer.loadbalancer.server.port=8080"
+
+networks:
+  homepage_net:
+    external: true
--- a/network/compose.yml
+++ b/network/compose.yml
@@ -7,31 +7,46 @@ services:
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.sshnode.address=:2425"

      - "--certificatesresolvers.njalla.acme.email=thierrypouplier@gmail.com"
      - "--certificatesresolvers.njalla.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.njalla.acme.httpchallenge.entrypoint=web"

-      - "--log.level=DEBUG"
+      - "--log.level=INFO"
+      - "--log.filepath=/var/log/traefik/traefik.log"
+      - "--accesslog.filepath=/var/log/traefik/access.log"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
    ports:
      - "80:80"
      - "443:443"
    environment:
-      - NJALLA_TOKEN=${NJALLA_TOKEN}
+      - NJALLA_TOKEN=***
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/HoardingCow_docker_data/Traefik:/letsencrypt
+      - /var/log/traefik:/var/log/traefik
    restart: unless-stopped
    networks:
-      - traefik-net
+      - traefik_backend
+      - ai_net
+      - auth_net
+      - backup_net
+      - cloud_net
+      - coms_net
+      - finance_net
+      - home_auto_net
+      - homepage_net
+      - passman_net
+      - tak_net
+      - vc_net

  ddns-updater:
    image: qmcgaw/ddns-updater
    container_name: ddns-updater
    networks:
-      - traefik-net
+      - traefik_backend
    ports:
      - 8000:8000/tcp
    volumes:
@@ -63,9 +78,42 @@ services:
    restart: unless-stopped

 networks:
-  traefik-net:
+  traefik_backend:
    driver: bridge
-    name: traefik-net
+    name: traefik_backend
+  ai_net:
+    external: true
+    name: ai_net
+  auth_net:
+    external: true
+    name: auth_net
+  backup_net:
+    external: true
+    name: backup_net
+  cloud_net:
+    external: true
+    name: cloud_net
+  coms_net:
+    external: true
+    name: coms_net
+  finance_net:
+    external: true
+    name: finance_net
+  home_auto_net:
+    external: true
+    name: home_auto_net
+  homepage_net:
+    external: true
+    name: homepage_net
+  passman_net:
+    external: true
+    name: passman_net
+  tak_net:
+    external: true
+    name: tak_net
+  vc_net:
+    external: true
+    name: vc_net

  # duckdns:
  #   environment:
@@ -73,7 +121,7 @@ networks:
  #     - PGID=1000
  #     - TZ=America/Toronto
  #     - SUBDOMAINS=aziworkhorse
-  #     - TOKEN=$[DUCKDNS_TOKEN]
+  #     - TOKEN=${DUCKDNS_TOKEN}
  #   image: lscr.io/linuxserver/duckdns
  #   labels:
  #     - "traefik.enable=false"
--- a/passwordmanager/compose.yml
+++ b/passwordmanager/compose.yml
@@ -13,32 +13,24 @@ services:
    volumes:
      - /mnt/HoardingCow_docker_data/BitWarden/data:/data:rw
    networks:
-      - traefik-net
-    restart: unless-stopped
+      - passman_net
+    restart: always
    labels:
      - "traefik.enable=true"

-      # Router for HTTP + redirection to HTTPS
-      - "traefik.http.routers.bitwarden-http.rule=Host(`pass.lazyworkhorse.net`)"
-      - "traefik.http.routers.bitwarden-http.entrypoints=web"
-      - "traefik.http.routers.bitwarden-http.middlewares=redirect-to-https"
+      # HTTP → HTTPS
+      - "traefik.http.routers.pass-http.rule=Host(`pass.lazyworkhorse.net`)"
+      - "traefik.http.routers.pass-http.entrypoints=web"
+      - "traefik.http.routers.pass-http.middlewares=redirect-to-https"

-      # Router for HTTPS with TLS
-      - "traefik.http.routers.bitwarden-https.rule=Host(`pass.lazyworkhorse.net`)"
-      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
-      - "traefik.http.routers.bitwarden-https.tls=true"
-      - "traefik.http.routers.bitwarden-https.tls.certresolver=njalla"
-
-      # Wildcard
-      # - "traefik.http.routers.bitwarden-https.tls.domains[0].main=lazyworkhorse.net"
-      # - "traefik.http.routers.bitwarden-https.tls.domains[0].sans=*.lazyworkhorse.net"
-
-      # Middleware for redirect HTTP -> HTTPS
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
-      # Websocket support (port 80 du container)
-      - "traefik.http.services.bitwarden.loadbalancer.server.port=80"
+      # HTTPS
+      - "traefik.http.routers.pass-https.rule=Host(`pass.lazyworkhorse.net`)"
+      - "traefik.http.routers.pass-https.entrypoints=websecure"
+      - "traefik.http.routers.pass-https.tls=true"
+      - "traefik.http.routers.pass-https.tls.certresolver=njalla"

+      # Internal service
+      - "traefik.http.services.pass.loadbalancer.server.port=80"
 networks:
-  traefik-net:
+  passman_net:
    external: true
--- a/tak/compose.yml
+++ b/tak/compose.yml
@@ -0,0 +1,98 @@
+services:
+  freetakserver:
+    image: ghcr.io/freetakteam/freetakserver:master
+    container_name: freetakserver
+    hostname: freetakserver
+    restart: always
+    networks:
+      - tak_backend
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_data:/opt/fts:z,rw
+    ports:
+      - 8087:8087
+      - 8089:8089
+      - 8443:8443
+      - 9000:9000
+      - 19023:19023
+    environment:
+      FTS_FED_PASSWORD: "${FTS_FED_PASSWORD}"
+      FTS_CLIENT_CERT_PASSWORD: "${FTS_CLIENT_CERT_PASSWORD}"
+      FTS_WEBSOCKET_KEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_SECRET_KEY: "${FTS_SECRET_KEY}"
+      FTS_CONNECTION_MESSAGE: "Welcome to FreeTAKServer. The Parrot is not dead. It's just resting"
+      FTS_COT_PORT: 8087
+      FTS_SSLCOT_PORT: 8089
+      FTS_API_PORT: 19023
+      FTS_FED_PORT: 9000
+      FTS_DP_ADDRESS: 'freetakserver'
+      FTS_USER_ADDRESS: 'freetakserver'
+      FTS_API_ADDRESS: 'freetakserver'
+      FTS_ROUTING_PROXY_SUBSCRIBE_PORT: 19030
+      FTS_ROUTING_PROXY_SUBSCRIBE_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_PUBLISHER_PORT: 19032
+      FTS_ROUTING_PROXY_PUBLISHER_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_SERVER_PORT: 19031
+      FTS_ROUTING_PROXY_SERVER_IP: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PULLER_PORT: 19033
+      FTS_INTEGRATION_MANAGER_PULLER_ADDRESS: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PUBLISHER_PORT: 19034
+      FTS_INTEGRATION_MANAGER_PUBLISHER_ADDRESS: 'freetakserver'
+      FTS_OPTIMIZE_API: "True"
+      FTS_DATA_RECEPTION_BUFFER: 1024
+      FTS_MAX_RECEPTION_TIME: 4
+      FTS_NUM_ROUTING_WORKERS: 3
+      FTS_COT_TO_DB: "True"
+      FTS_MAINLOOP_DELAY: 100
+      FTS_EMERGENCY_RADIUS: 0
+      FTS_LOG_LEVEL: "info"
+
+  freetakserver-ui:
+    image: ghcr.io/freetakteam/ui:latest
+    container_name: freetakserver-ui
+    hostname: freetakserver-ui
+    restart: always
+    networks:
+      - tak_net
+    ports:
+      - 5000:5000
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_ui_data:/home/freetak/data:z,rw
+    environment:
+      FTS_IP: "freetakserver" 
+      FTS_API_PORT: 19023
+      FTS_API_PROTO: 'http'
+      FTS_UI_EXPOSED_IP: 'freetakserver-ui'
+      FTS_MAP_EXPOSED_IP: '127.0.0.1'
+      FTS_MAP_PORT: 8000
+      FTS_MAP_PROTO: 'http'
+      FTS_UI_PORT: 5000
+      FTS_UI_WSKEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_API_KEY: 'Bearer token'
+      FTS_UI_SQLALCHEMY_DATABASE_URI: 'sqlite:////home/freetak/data/FTSServer-UI.db'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+
+      # HTTP -> HTTPS Redirect
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-http.entrypoints=web"
+      - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
+
+      # HTTPS Router
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
+      - "traefik.http.routers.fts-ui-https.tls=true"
+      - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
+      
+      # Service & Port
+      - "traefik.http.services.fts-ui.loadbalancer.server.port=5000"
+
+      # Reuse your existing redirect middleware
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+networks:
+  tak_net:
+    external: true
+  tak_backend:
+    driver: bridge
+    name: tak_backend
--- a/versioncontrol/compose.yml
+++ b/versioncontrol/compose.yml
@@ -7,34 +7,39 @@ services:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
+      - SSH_PORT=2222
+      - SSH_LISTEN_PORT=2222
    volumes:
      - /mnt/HoardingCow_docker_data/Gitea:/data
    networks:
-      - traefik-net
-    restart: unless-stopped
+      - vc_net
+    restart: always
+    ports:
+      - "2222:2222"
    labels:
      - "traefik.enable=true"

-      # Router for HTTP + redirection to HTTPS
+      # HTTP -> HTTPS Redirect
      - "traefik.http.routers.gitea-http.rule=Host(`code.lazyworkhorse.net`)"
      - "traefik.http.routers.gitea-http.entrypoints=web"
      - "traefik.http.routers.gitea-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

-      # Router for HTTPS with TLS
+      # HTTPS Router
      - "traefik.http.routers.gitea-https.rule=Host(`code.lazyworkhorse.net`)"
      - "traefik.http.routers.gitea-https.entrypoints=websecure"
      - "traefik.http.routers.gitea-https.tls=true"
      - "traefik.http.routers.gitea-https.tls.certresolver=njalla"
+      - "traefik.http.routers.gitea-https.middlewares=gitea-home-redirect"

-      # Wildcard
-      # - "traefik.http.routers.gitea-https.tls.domains[0].main=lazyworkhorse.net"
-      # - "traefik.http.routers.gitea-https.tls.domains[0].sans=*.lazyworkhorse.net"
-
-      # Middleware for redirect HTTP -> HTTPS
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # The Redirect Logic - Using single quotes to allow backslashes
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.lazyworkhorse\.net/?$$'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.lazyworkhorse.net/gortium'
+      - "traefik.http.middlewares.gitea-home-redirect.redirectregex.permanent=true"

+      # Internal Routing
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"

 networks:
-  traefik-net:
+  vc_net:
    external: true
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -0,0 +1,35 @@
+version: "3.8"
+
+services:
+  wireguard:
+    image: weejewel/wg-easy:latest
+    container_name: wireguard
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    environment:
+      - WG_HOST=vpn.lazyworkhorse.net
+      - PASSWORD=${WG_PASSWORD}
+      - WG_PORT=51820
+      - WG_DEFAULT_ADDRESS=10.8.0.x
+      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
+      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
+      - WG_PERSISTENT_KEEPALIVE=25
+      - UI_TRAFFIC_STATS=true
+      - UI_CHART_TYPE=0
+    ports:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
+    volumes:
+      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
+    restart: unless-stopped
+    networks:
+      - vpn_net
+
+networks:
+  vpn_net:
+    external: true
+    name: vpn_net
Author	SHA1	Message	Date
Hermes	93c01fa314	fix: add TZ=America/Montreal for correct cron scheduling	2026-05-09 19:49:54 +00:00
Thierry Pouplier	6e540635bf	Merge pull request 'feat(hermes): Piper TTS (local US male, no cloud)' (#17 ) from feat/voice-support-v2 into master Reviewed-on: #17	2026-05-09 19:39:11 +00:00
Thierry Pouplier	b89be7b8f4	chore: restore system packages lost in base image migration The migration from debian:stable-slim to nousresearch/hermes-agent:latest dropped several packages that were previously installed. This restores: - poppler-utils, imagemagick (PDF/image processing) - texlive-latex-base, latex-extra, fonts-recommended, xetex, science - qemu-user-static, binfmt-support (cross-compilation) - emacs-nox (text editing) These were added in PRs 3/5, 4/5, 5/5 and earlier commits of the compose repo. The official image already has git, curl, ffmpeg, python3, gcc, openssh, ripgrep, tini, docker-cli, etc.	2026-05-09 19:18:16 +00:00
Thierry Pouplier	748b5037b9	fix: update TTS patch for latest hermes-agent tts_tool.py - Patch now matches the current tts_tool.py (newer version ships in nousresearch/hermes-agent:latest with different Edge fallback text) - Adds dedicated elif provider == 'piper' block before else: - Replaces else: fallback to use Piper instead of Edge - Patches ALL copies (venv site-packages + /opt/hermes/tools/) - Removes Edge TTS entirely as default/provider	2026-05-09 19:03:10 +00:00
Thierry Pouplier	3f80744ebd	fix: install piper-tts as root (venv is root-owned in base image) The nousresearch/hermes-agent:latest image creates its venv as root. Running 'uv pip install' as USER hermes fails with Permission denied on the site-packages directory. Fix: keep USER root while modifying the venv, then switch back to USER hermes for runtime.	2026-05-09 17:47:30 +00:00
Thierry Pouplier	6f17743667	fix: install into existing venv instead of recreating it The nousresearch/hermes-agent:latest base image already has a venv with hermes-agent installed at /opt/hermes/.venv/. Running 'uv venv' on top of it either fails or wipes the existing install. Fix: activate the existing venv first, then pip install into it.	2026-05-09 17:44:55 +00:00
Thierry Pouplier	98216d2872	refactor: use official Hermes Agent image as base, not debian:stable-slim Starting from debian:stable-slim required re-installing everything (Hermes source, Node.js, Playwright, etc.) which was redundant and fragile. The official nousresearch/hermes-agent image already has all that. Now the Dockerfile: - FROM nousresearch/hermes-agent:latest (has tts_tool.py, Playwright, etc.) - Install Piper + voice model on top - Patch tts_tool.py at build time (Edge fallback -> Piper) - Runtime fallback in fix-permissions.sh for volume resilience Cleaner, smaller Dockerfile, and the build-time patch can find tts_tool.py because it's in the base image's venv.	2026-05-09 17:39:23 +00:00
Thierry Pouplier	a40e347dfa	fix: install hermes-agent from pip so build-time TTS patch works The Dockerfile starts from debian:stable-slim, not from the official Hermes image. Without installing hermes-agent from pip, there is no tools/tts_tool.py in the image at build time, so the patch script crashes with FileNotFoundError. Adding hermes-agent to uv pip install gives us tts_tool.py in the venv site-packages, so the COPY+RUN patch step works cleanly. Also keep the runtime fallback in fix-permissions.sh for cases where the volume's site-packages differ from the image.	2026-05-09 17:37:32 +00:00
Thierry Pouplier	cfa2a898c3	fix: move TTS patch from build-time to runtime The build-time COPY+RUN of patch_tts_tool.py failed because the Dockerfile starts from debian:stable-slim and only copies the ai/ build context — there's no tools/tts_tool.py in the image at build time (Hermes is on the mounted data volume). Move patching to fix-permissions.sh which runs at container startup when the data volume is mounted, so tts_tool.py is available via the venv site-packages. Also make patch_tts_tool.py robust: searches multiple paths for tts_tool.py, accepts path as argument, exits 0 instead of 1 when file/pattern not found (build must not fail).	2026-05-09 17:36:26 +00:00
Thierry Pouplier	0609720b33	fix: reinstate tts_tool.py patch step in Dockerfile Commit `8e9a75f` removed the COPY+RUN of patch_tts_tool.py because the build context was thought to be insufficient. The build context is ai/ which contains both the Dockerfile and patch_tts_tool.py, so COPY works fine. Without this step the tts_tool.py silently falls through to Edge TTS as its default provider even when config.yaml says provider: piper, because 'piper' is not a recognized provider in the unpatched code. This caused the female Edge TTS voice (AriaNeural) instead of the configured Ryan High male voice.	2026-05-09 17:13:01 +00:00
Thierry Pouplier	d97f1cb1e5	fix: add startup permission fix for data volume (chown critical dirs on boot)	2026-05-09 16:04:32 +00:00
Thierry Pouplier	1a1cfec80a	fix: add atomic write permission fix (preserves file mode on os.replace)	2026-05-09 15:50:29 +00:00
Thierry Pouplier	90e227bc4e	feat: switch back to Ryan high quality voice	2026-05-09 15:21:49 +00:00
Thierry Pouplier	8e9a75fe5c	fix: remove patch step from Dockerfile (build context is just ai/)	2026-05-09 14:28:35 +00:00
Thierry Pouplier	3016d0da2c	fix: patch source tts_tool.py path, not site-packages	2026-05-09 14:27:07 +00:00
Thierry Pouplier	b750d26d80	feat: switch to Norman voice (US male, medium)	2026-05-09 14:20:46 +00:00
Thierry Pouplier	0a9507de65	fix: add ca-certificates for HuggingFace download	2026-05-09 14:14:52 +00:00
Thierry Pouplier	b3fa424661	fix: correct COPY path for patch_tts_tool.py (build context is ai/)	2026-05-09 14:12:06 +00:00
Thierry Pouplier	77fe8133ae	fix: Dockerfile heredoc for voice download instead of multi-line -c	2026-05-09 14:09:50 +00:00
Thierry Pouplier	3f080da35e	fix: clean patch script - only target Edge, no Coqui references	2026-05-09 13:59:09 +00:00
Thierry Pouplier	78f499bde8	fix: use full OPENROUTER_API_KEY variable name	2026-05-09 13:55:38 +00:00
Thierry Pouplier	e779818e73	chore: remove pycache	2026-05-09 13:41:54 +00:00
Thierry Pouplier	25d7611043	fix: clean Dockerfile with Piper TTS, external patch script	2026-05-09 13:41:37 +00:00
Thierry Pouplier	28213eec5c	fix: replace Coqui/ROCm with Piper TTS (simpler, local, CPU)	2026-05-09 13:24:08 +00:00
Thierry Pouplier	c2471818b2	feat: add ROCm + Coqui TTS with GPU support to Dockerfile	2026-05-09 04:09:57 +00:00
Thierry Pouplier	f5171a7d6e	fix: replace Dockerfile with simplified stable-slim version	2026-05-09 02:38:30 +00:00
Thierry Pouplier	5c504501d3	feat: add ROCm GPU env vars to hermes service for faster-whisper STT	2026-05-09 00:20:57 +00:00
Thierry Pouplier	2fa481909f	Merge pull request 'feat: add WireGuard VPN stack (wg-easy)' (#16 ) from feat/wireguard-vpn into master Reviewed-on: #16	2026-05-09 00:11:56 +00:00
Thierry Pouplier	434b2835ff	Merge remote-tracking branch 'origin/feat/wireguard-vpn' into HEAD	2026-05-04 23:05:09 -04:00
Thierry Pouplier	51cf83c420	Commeneted nomadnet for now. not usingit.	2026-05-04 23:01:58 -04:00
Thierry Pouplier	d9f62652cb	Commented webui for now. now using it	2026-05-04 22:56:07 -04:00
Thierry Pouplier	bc49391b4f	chore: clean up WireGuard from Hermes Dockerfile, keep custom build	2026-05-05 02:11:37 +00:00
Thierry Pouplier	acf45acdd9	feat: enable NET_ADMIN for Hermes container to support WireGuard	2026-05-05 01:48:21 +00:00
Thierry Pouplier	b021d0dba7	feat: add custom Hermes Dockerfile with WireGuard tools	2026-05-05 01:42:55 +00:00
Thierry Pouplier	eea6db3ceb	feat: add WireGuard VPN stack (wg-easy, named wireguard)	2026-05-05 01:21:31 +00:00
Thierry Pouplier	4a57ca69b2	fix: switch to linuxserver/wireguard instead of wg-easy	2026-05-05 01:17:57 +00:00
Thierry Pouplier	293429a124	feat: add WireGuard VPN stack with wg-easy	2026-05-04 22:46:50 +00:00
Thierry Pouplier	1b0dbed52e	Merge pull request 'feat: enable traefik access logs for fail2ban http jails' (#15 ) from feat/traefik-access-logs-for-fail2ban into master - Reviewed-on: #15 - Tested on the host	2026-05-01 12:18:22 +00:00
Thierry Pouplier	a79fe9dffa	feat: enable traefik access logs for fail2ban http jails	2026-05-01 03:06:14 +00:00
Thierry Pouplier	fb0f2cbe84	Network reorganization, multiple updates	2026-04-27 05:47:46 -04:00
Thierry Pouplier	c76d0fda6b	Progress dump before ai agent	2026-04-04 04:48:49 -04:00
Thierry Pouplier	1e64f8e321	Big progress dump	2026-02-22 18:35:22 -05:00
Thierry Pouplier	5def86e278	Forgot to open the port of the container	2025-08-08 19:52:59 -04:00
Thierry Pouplier	b358818c1a	Fix the port throught webui.. You can really get stuck if the flake need the service that is down because the flake is badly configured because you cannot change it because the flake wont build because................	2025-08-08 23:32:47 +00:00