feat: add telos static site service with Traefik routing

Reviewed-on: #50

.gitea/workflows/build-hermes.yml

@@ -0,0 +1,31 @@
+name: Build Hermes agent
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'ai/hermes/**'
+      - 'ai/compose.yml'
+  push:
+    branches: [ master ]
+    paths:
+      - 'ai/hermes/**'
+      - 'ai/compose.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        run: |
+          git clone -b "${{ github.head_ref || github.ref_name }}" \
+            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/compose.git .
+          git log --oneline -3
+
+      - name: Build hermes image
+        run: |
+          cd ai
+          docker compose build hermes 2>&1
+
+      - name: Verify image
+        run: |
+          docker run --rm ai-hermes /opt/hermes/.venv/bin/python --version 2>&1

.gitea/workflows/build-ollama.yml

@@ -0,0 +1,31 @@
+name: Build ollama (gfx906)
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'ai/ollama/**'
+      - 'ai/compose.yml'
+  push:
+    branches: [ master ]
+    paths:
+      - 'ai/ollama/**'
+      - 'ai/compose.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        run: |
+          git clone -b "${{ github.head_ref || github.ref_name }}" \
+            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/compose.git .
+          git log --oneline -3
+
+      - name: Build ollama image
+        run: |
+          cd ai
+          docker compose build ollama --no-cache 2>&1
+
+      - name: Verify version
+        run: |
+          docker run --rm ollama/ollama:rocm-gfx906 ollama --version 2>&1

ai/compose.yml

@@ -0,0 +1,370 @@
+version: "3.8"
+services:
+
+  # webui:
+  #   image: ghcr.io/open-webui/open-webui:main
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+  #   restart: always
+  #   environment:
+  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
+  #   networks:
+  #     - ai_net
+  #     - ai_backend
+  #   labels:
+  #     - "traefik.enable=true"
+
+  #     # Router for HTTP + redirection to HTTPS
+  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-http.entrypoints=web"
+  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+
+  #     # Router for HTTPS with TLS
+  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
+  #     - "traefik.http.routers.webui-https.tls=true"
+  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+
+  hermes:
+    build:
+      context: ./hermes
+      args:
+        HERMES_PLUGIN_URLS: "git+https://code.lazyworkhorse.net/gortium/hermes-piper-plugin.git;git+https://code.lazyworkhorse.net/gortium/hermes-identity-plugin.git"
+    container_name: hermes
+    entrypoint: ["/bin/bash", "-c",
+      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "hermes-entrypoint"]
+    restart: always
+    # Gateway run enables the internal API server on port 8642
+    command: gateway run
+    environment:
+      - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
+      # Multi-profile: comma-separated list of profiles to run as gateways.
+      # The entrypoint reads this and starts one gateway per profile.
+      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
+      - HERMES_PROFILES=ashley,claire,finn,matt,paul
+      - API_SERVER_ENABLED=true
+      - API_SERVER_PORT=8642
+      - API_SERVER_HOST=0.0.0.0
+      - API_SERVER_KEY=hermes_local_key
+      - GATEWAY_ALLOW_ALL_USERS=true
+      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+      # ROCm for GPU-accelerated faster-whisper STT
+      - HSA_OVERRIDE_GFX_VERSION=9.0.6
+      - HCC_AMDGPU_TARGET=gfx906
+      - HIP_VISIBLE_DEVICES=0,1
+      - ROCR_VISIBLE_DEVICES=0,1
+      - HSA_ENABLE_SDMA=0
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+      # Syncthing-shared org files — read-only view of user's agenda
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
+      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
+    devices:
+      - /dev/kfd:/dev/kfd
+      - /dev/dri:/dev/dri
+    group_add:
+      - "303"
+      - "26"
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-http.entrypoints=web"
+      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
+      - "traefik.http.routers.hermes-web-https.tls=true"
+      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Service Loadbalancer (dashboard port 9119)
+      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
+
+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: syncthing
+    restart: always
+    ports:
+      - "8384:8384"
+      - "22000:22000"
+      - "21027:21027/udp"
+    environment:
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.tls=true"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
+      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+
+  ollama:
+    build:
+      context: ./ollama
+      dockerfile: Dockerfile
+    image: ollama/ollama:rocm-gfx906
+    container_name: ollama
+    tty: true
+    restart: always 
+    ports:
+      - "127.0.0.1:11434:11434"
+    networks:
+      - ai_backend
+    volumes:
+      - /mnt/HoardingCow_docker_data/Ollama/ollama:/root/.ollama
+    environment:
+      - OLLAMA_VULKAN=0
+      - HSA_OVERRIDE_GFX_VERSION=9.0.6
+      - HCC_AMDGPU_TARGET=gfx906
+      - HIP_VISIBLE_DEVICES=0,1
+      - ROCR_VISIBLE_DEVICES=0,1
+      - HSA_ENABLE_SDMA=0 
+      - OLLAMA_HOST=0.0.0.0
+      - OLLAMA_DEBUG=1
+      - OLLAMA_FLASH_ATTENTION=1
+      - OLLAMA_NUM_PARALLEL=2
+    devices:
+      # Map the render nodes and KFD for ROCm to work inside the container
+      - /dev/kfd:/dev/kfd
+      - /dev/dri:/dev/dri
+    group_add:
+      - "303"
+      - "26"
+
+networks:
+  ai_net:
+    external: true
+    name: ai_net
+  ai_backend:
+    driver: bridge
+    name: ai_backend
+    
+  # llama_cpp_devstral:
+  #   image: ghcr.io/ggml-org/llama.cpp:server-rocm
+  #   container_name: llama_cpp_devstral
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_backend
+  #   ports:
+  #     - "8300:8080"
+  #   ipc: host
+  #   devices:
+  #     - "/dev/kfd:/dev/kfd"
+  #     - "/dev/dri:/dev/dri"
+  #   group_add:
+  #     - "303" # video
+  #     - "26"  # render
+  #   environment:
+  #     HSA_OVERRIDE_GFX_VERSION: 9.0.6
+  #     HIP_VISIBLE_DEVICES: 0,1
+  #     LLAMA_CACHE: /models
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Llama_cpp/models:/models
+  #     - /mnt/HoardingCow_docker_data/Llama_cpp/devstral-agent.jinja:/template.jinja
+  #   command: >
+  #     -hf unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF:Devstral-Small-2-24B-Instruct-2512-Q8_0.gguf
+  #     -a devstral-2-small-llama_cpp
+  #     --chat-template-file /template.jinja
+  #     --host 0.0.0.0
+  #     --port 8080
+  #     --n-gpu-layers 99
+  #     --ctx-size 163840
+  #     --batch-size 4096
+  #     --ubatch-size 4096
+  #     --cache-type-k f16
+  #     --cache-type-v f16
+  #     --cache-reuse 256
+  #     --flash-attn on
+  #     --context-shift
+  #     --split-mode layer
+  #     --no-mmap
+  #     --n-predict -1
+  #     --parallel 2
+
+  # vllm:
+  #   image: nalanzeyu/vllm-gfx906:v0.9.0-rocm6.3
+  #   container_name: vllm
+  #   # Required for multi-GPU communication (NCCL)
+  #   ipc: host 
+  #   init: true
+  #   shm_size: '2g' 
+  #   networks:
+  #     - ai_backend
+  #   ports:
+  #     - "8300:8000"
+  #   devices:
+  #     - "/dev/kfd:/dev/kfd"
+  #     - "/dev/dri:/dev/dri"
+  #   group_add:
+  #     - "303"
+  #     - "26"
+  #   environment:
+  #     HSA_OVERRIDE_GFX_VERSION: 9.0.6
+  #     HSA_ENABLE_SDMA: 0
+  #     HIP_VISIBLE_DEVICES: 0,1
+  #     NCCL_P2P_DISABLE: 1
+  #     VLLM_WORKER_MULTIPROC_METHOD: spawn
+  #     VLLM_USE_TRITON_FLASH_ATTN: 0
+  #     VLLM_USE_ROCM_CUSTOM_PAGED_ATTN: 0
+  #     VLLM_ATTENTION_BACKEND: ROPE_NAIVE
+  #     VLLM_SKIP_WARMUP: 1
+  #     VLLM_USE_V1: 0
+  #     HF_TOKEN: ${HF_TOKEN}
+  #   command: >
+  #     vllm serve "mistralai/Devstral-Small-2-24B-Instruct-2512" 
+  #     --tensor-parallel-size 2
+  #     --max-model-len 8192
+  #     --gpu-memory-utilization 0.90
+  #     --tokenizer_mode mistral
+  #     --config_format auto
+  #     --load-format auto
+  #     --enforce-eager
+  #     --disable-custom-all-reduce
+  #     --trust-remote-code
+  #     --task generate
+  #     --block-size 16
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/vllm/models:/root/.cache/huggingface
+  #   restart: unless-stopped
+
+  # n8n:
+  #   image: n8nio/n8n:latest
+  #   container_name: n8n
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_net
+  #   environment:
+  #     - N8N_HOST=n8n.lazyworkhorse.net
+  #     - N8N_PORT=5678
+  #     - N8N_PROTOCOL=https
+  #     - NODE_ENV=production
+  #     - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
+  #     - WEBHOOK_URL=https://n8n.lazyworkhorse.net/
+  #     - GENERIC_TIMEZONE=America/New_York # Adjust to your timezone
+  #     - N8N_BLOCK_EXTERNAL_STORAGE_ACCESS=false
+  #     - N8N_NODES_PYTHON_CAN_IMPORT_MODULES=true 
+  #     - N8N_NATIVE_PYTHON_RUNNER=true
+  #     - N8N_PYTHON_ALLOW_STDLIB=uuid,re,os,json
+  #     - N8N_PYTHON_ALLOW_EXTERNAL=requests,pandas
+  #     - NODE_FUNCTION_ALLOW_EXTERNAL=uuid,requests
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/n8n:/home/node/.n8n
+  #   labels:
+  #     - "traefik.enable=true"
+
+  #     # Router for HTTP + redirection to HTTPS
+  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.n8n-http.entrypoints=web"
+  #     - "traefik.http.routers.n8n-http.middlewares=redirect-to-https"
+
+  #     # Router for HTTPS with TLS
+  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.n8n-https.entrypoints=websecure"
+  #     - "traefik.http.routers.n8n-https.tls=true"
+  #     - "traefik.http.routers.n8n-https.tls.certresolver=njalla"
+
+  #     # Service Loadbalancer (n8n default port)
+  #     - "traefik.http.services.n8n.loadbalancer.server.port=5678"
+
+  # openclaw:
+  #   image: coollabsio/openclaw:latest
+  #   container_name: openclaw
+  #   restart: unless-stopped
+  #   expose:
+  #     - "8080"  # WebUI
+  #     - "18789" # Gateway/WebSocket
+  #     - "8788"  # Nextcloud Webhook
+  #   networks:
+  #     - ai_net
+  #     - ai_backend
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/openclaw/data:/data
+  #     - /home/gortium/infra:/data/workspace/infra
+  #   environment:
+  #     - TZ=America/Toronto
+  #     - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
+  #     - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+  #     # Point to the sidecar browser
+  #     - BROWSER_CDP_URL=http://openclaw-browser:9222
+  #     - BROWSER_EVALUATE_ENABLED=true
+  #     - OPENCLAW_GATEWAY_HOST=0.0.0.0
+  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.lazyworkhorse.net
+  #   labels:
+  #     - "traefik.enable=true"
+
+  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.openclaw-http.entrypoints=web"
+  #     - "traefik.http.routers.openclaw-http.middlewares=redirect-to-https"
+
+  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.openclaw-https.priority=50"
+  #     - "traefik.http.routers.openclaw-https.entrypoints=websecure"
+  #     - "traefik.http.routers.openclaw-https.tls=true"
+  #     - "traefik.http.routers.openclaw-https.tls.certresolver=njalla"
+  #     - "traefik.http.services.openclaw.loadbalancer.server.port=8080"
+  #   depends_on:
+  #     - openclaw-browser
+
+  # openclaw-browser:
+  #   image: ghcr.io/browserless/chromium:latest
+  #   restart: always
+  #   expose:
+  #     - "3000"
+  #   environment:
+  #     - MAX_CONCURRENT_SESSIONS=10
+  #     - CONNECTION_TIMEOUT=300000
+  #     - PREBOOT_CHROME=true
+  #     - DEMO_MODE=false
+  #   networks:
+  #     ai_backend:
+  #       aliases:
+  #         - browser
+
+  # openclaw-ssh:
+  #   image: linuxserver/openssh-server:latest
+  #   container_name: openclaw-ssh
+  #   environment:
+  #     - PUID=1000
+  #     - PGID=1000
+  #     - PUBLIC_KEY_FILE=/config/ssh/authorized_keys
+  #     - SUDO_ACCESS=false
+  #     - PASSWORD_ACCESS=false
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config
+  #     - /home/gortium/infra:/data/workspace/infra:ro
+  #   restart: unless-stopped
+  #   networks:
+  #     - ai_backend
+  #   labels:
+  #     - "traefik.enable=true"
+  #     - "traefik.tcp.routers.openclaw-ssh.rule=HostSNI(*)"
+  #     - "traefik.tcp.routers.openclaw-ssh.entrypoints=sshnode"
+  #     - "traefik.tcp.routers.openclaw-ssh.tls.passthrough=false"
+  #     - "traefik.tcp.services.openclaw-ssh.loadbalancer.server.port=2222"

ai/hermes/Dockerfile

@@ -0,0 +1,88 @@
+# syntax=docker/dockerfile:1
+# Hermes Agent -- official image + custom plugins layered on top.
+# No fork needed — customizations are pip-installable plugins from Gitea.
+#   docker compose build hermes
+# Or manually:
+#   DOCKER_BUILDKIT=1 docker build --build-arg HERMES_PLUGIN_URLS="url1 url2" -t hermes-agent:custom .
+
+# ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
+FROM nousresearch/hermes-agent:latest
+
+# ---------- Plugin URLs (semicolon-separated, set via compose.yml build args) ----------
+ARG HERMES_PLUGIN_URLS=""
+
+# ---------- Extra system deps ----------
+USER root
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        libportaudio2 ca-certificates poppler-utils imagemagick \
+        libolm-dev \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
+        texlive-xetex texlive-science \
+        qemu-user-static binfmt-support emacs-nox && \
+    rm -rf /var/lib/apt/lists/*
+
+# ---------- UV ----------
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
+
+# ---------- Matrix bridge + extra pip deps ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
+
+# ---------- Piper TTS ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
+    mkdir -p /opt/hermes/.venv/share/piper/voices
+
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request
+base = '/opt/hermes/.venv/share/piper/voices'
+url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
+urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
+urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
+PYEOF
+
+# ---------- Install Himalaya email CLI ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil
+url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
+tgz = '/tmp/himalaya.tgz'
+urllib.request.urlretrieve(url, tgz)
+with tarfile.open(tgz) as t:
+    t.extractall('/tmp')
+shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
+os.chmod('/usr/local/bin/himalaya', 0o755)
+os.remove(tgz)
+print('himalaya v1.2.0 installed')
+PYEOF
+
+# ---------- Install custom plugins from URLs ----------
+# HERMES_PLUGIN_URLS is a semicolon-separated list of pip-installable
+# package URLs (e.g. git+https:// or direct .tar.gz archives from Gitea).
+# Each plugin is installed into the Hermes venv.
+RUN if [ -n "$HERMES_PLUGIN_URLS" ]; then \
+        . /opt/hermes/.venv/bin/activate && \
+        IFS=';' read -ra URLS <<< "$HERMES_PLUGIN_URLS" && \
+        for url in "${URLS[@]}"; do \
+            echo "Installing plugin: $url" && \
+            uv pip install --no-cache-dir "$url"; \
+        done; \
+    fi
+
+# ---------- Install multi-gateway launcher ----------
+# Launches one gateway process per profile (HERMES_PROFILES env var)
+COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
+
+# ---------- Runtime ----------
+USER hermes
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+# Point browser tool to Playwright's Chromium (already in base image)
+ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
+
+# Ensure tools directory and toolsets.py are writable by the hermes runtime user
+# so custom tools can be injected from the persistent volume at startup.
+USER root
+RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
+
+VOLUME [ "/opt/data" ]

ai/hermes/patch_tts_tool.py

@@ -0,0 +1,181 @@
+#!/usr/bin/env python3
+"""Patch Hermes TTS tool: add Piper TTS provider, remove Edge TTS as default.
+
+Patches ALL copies of tts_tool.py found (venv site-packages + /opt/hermes/tools/).
+
+Searches multiple paths for tts_tool.py so it works both at build time
+(in the image venv) and at runtime (on the mounted data volume).
+
+Idempotent: if already patched, does nothing.
+"""
+
+import sys
+import os
+
+# ---------------------------------------------------------------------------
+# Search for all copies of tts_tool.py
+# ---------------------------------------------------------------------------
+CANDIDATE_PATHS = [
+    "/opt/hermes/.venv/lib/python3.13/site-packages/tools/tts_tool.py",
+    "/opt/hermes/tools/tts_tool.py",
+]
+
+found_paths = []
+
+for p in CANDIDATE_PATHS:
+    if os.path.exists(p):
+        found_paths.append(p)
+        print(f"Found tts_tool.py at: {p}")
+
+# Also try to find via Python import
+import subprocess
+try:
+    result = subprocess.run(
+        [sys.executable, "-c", "import tools.tts_tool; print(tools.tts_tool.__file__)"],
+        capture_output=True, text=True, timeout=5
+    )
+    if result.returncode == 0:
+        p = result.stdout.strip()
+        if os.path.exists(p) and p not in found_paths:
+            found_paths.append(p)
+            print(f"Found tts_tool.py via import at: {p}")
+except Exception:
+    pass
+
+if not found_paths:
+    print("WARNING: tts_tool.py not found anywhere. Patching deferred to runtime.")
+    print(f"Searched: {CANDIDATE_PATHS}")
+    sys.exit(0)
+
+# ---------------------------------------------------------------------------
+# Old else block: the Edge TTS default fallback to replace
+# ---------------------------------------------------------------------------
+old_else = '''        else:
+            # Default: Edge TTS (free), with NeuTTS as local fallback
+            edge_available = True
+            try:
+                _import_edge_tts()
+            except ImportError:
+                edge_available = False
+
+            if edge_available:
+                logger.info("Generating speech with Edge TTS...")
+                try:
+                    import concurrent.futures
+                    with concurrent.futures.ThreadPoolExecutor(max_workers=1) as pool:
+                        pool.submit(
+                            lambda: asyncio.run(_generate_edge_tts(text, file_str, tts_config))
+                        ).result(timeout=60)
+                except RuntimeError:
+                    asyncio.run(_generate_edge_tts(text, file_str, tts_config))
+            elif _check_neutts_available():
+                logger.info("Edge TTS not available, falling back to NeuTTS (local)...")
+                provider = "neutts"
+                _generate_neutts(text, file_str, tts_config)
+            else:
+                return json.dumps({
+                    "success": False,
+                    "error": "No TTS provider available. Install edge-tts (pip install edge-tts) "
+                             "or set up NeuTTS for local synthesis."
+                }, ensure_ascii=False)'''
+
+# ---------------------------------------------------------------------------
+# New block: elif provider == "piper" + else: fallback with Piper only
+# ---------------------------------------------------------------------------
+new_block = '''        elif provider == "piper":
+            # Piper TTS (local, CPU, no cloud, no Microsoft)
+            piper_binary = "/opt/hermes/.venv/bin/piper"
+            piper_config = tts_config.get("piper", {})
+            voice = piper_config.get("voice", "en_US-lessac-medium")
+            model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
+            model_path = os.path.join(model_dir, f"{voice}.onnx")
+            if not os.path.exists(model_path):
+                return json.dumps({
+                    "success": False,
+                    "error": "Piper TTS voice model not found. "
+                             "Install Piper TTS and download a voice model."
+                }, ensure_ascii=False)
+            logger.info("Generating speech with Piper TTS (local, CPU)...")
+            import subprocess as _sp
+            cmd = [piper_binary, "--model", model_path, "--output-raw"]
+            try:
+                proc = _sp.Popen(cmd, stdin=_sp.PIPE, stdout=_sp.PIPE, stderr=_sp.PIPE)
+                raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
+                if proc.returncode != 0:
+                    raise RuntimeError(f"Piper TTS failed: {stderr.decode()[:200]}")
+                ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
+                _sp.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
+            except Exception as e:
+                return json.dumps({
+                    "success": False,
+                    "error": f"Piper TTS failed: {e}"
+                }, ensure_ascii=False)
+
+        else:
+            # Default: Piper TTS (local, CPU, no cloud, no Microsoft)
+            piper_binary = "/opt/hermes/.venv/bin/piper"
+            piper_config = tts_config.get("piper", {})
+            voice = piper_config.get("voice", "en_US-lessac-medium")
+            model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
+            model_path = os.path.join(model_dir, f"{voice}.onnx")
+            if os.path.exists(model_path) and os.path.exists(piper_binary):
+                logger.info("Generating speech with Piper TTS (local, CPU)...")
+                import subprocess as _sp
+                cmd = [piper_binary, "--model", model_path, "--output-raw"]
+                try:
+                    proc = _sp.Popen(cmd, stdin=_sp.PIPE, stdout=_sp.PIPE, stderr=_sp.PIPE)
+                    raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
+                    if proc.returncode != 0:
+                        raise RuntimeError(stderr.decode()[:200])
+                    ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
+                    _sp.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
+                except Exception:
+                    pass
+            else:
+                return json.dumps({
+                    "success": False,
+                    "error": "Piper TTS not available. Install piper-tts and download a voice model."
+                }, ensure_ascii=False)'''
+
+# ---------------------------------------------------------------------------
+# Apply the patch to all copies found
+# ---------------------------------------------------------------------------
+patched_any = False
+
+for tts_path in found_paths:
+    with open(tts_path) as f:
+        code = f.read()
+
+    if 'provider == "piper"' in code:
+        print(f"ALREADY PATCHED: {tts_path}")
+        continue
+
+    if old_else in code:
+        code = code.replace(old_else, new_block, 1)
+        with open(tts_path, 'w') as f:
+            f.write(code)
+        print(f"PATCHED: {tts_path}")
+        patched_any = True
+    else:
+        print(f"SKIP {tts_path}: Edge fallback pattern not found")
+        import re
+        for m in re.finditer(r'        else:\n            # Default:', code):
+            start = max(0, m.start() - 100)
+            end = min(len(code), m.end() + 300)
+            print(f"  Found 'else:/# Default:' at position {m.start()}:")
+            print(f"  {code[start:end]}")
+            print("  ---")
+        # Don't exit with error — if one copy isn't patchable, try the others
+
+if not patched_any:
+    all_patched = all(
+        'provider == "piper"' in open(p).read()
+        for p in found_paths
+    )
+    if all_patched:
+        print("All copies already patched.")
+        sys.exit(0)
+    print("WARNING: Could not patch any copy of tts_tool.py")
+    sys.exit(1)
+
+print("tts_tool.py patched successfully across all copies.")

ai/hermes/run-multi-gateways.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Multi-gateway launcher for HERMES_PROFILES env var.
+# Reads comma-separated profile names, spawns one gateway per profile.
+# Designed to run before the main entrypoint — gateways run in background.
+set -e
+
+if [ -z "${HERMES_PROFILES}" ]; then
+  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
+  exit 0
+fi
+
+# Source venv to make 'hermes' available (entrypoint.sh sources it later,
+# but we need it NOW for the background gateways)
+HERMES_BIN="/opt/hermes/.venv/bin/hermes"
+if [ ! -x "$HERMES_BIN" ]; then
+  echo "ERROR: hermes binary not found at $HERMES_BIN"
+  exit 1
+fi
+
+mkdir -p /opt/data/logs
+
+IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
+for profile in "${PROFILES[@]}"; do
+  profile="$(echo "${profile}" | xargs)"  # trim whitespace
+  [ -z "${profile}" ] && continue
+
+  echo "Starting gateway for profile: ${profile}"
+  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
+      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
+done
+
+echo "All gateways launched: ${HERMES_PROFILES}"

ai/ollama/Dockerfile

@@ -0,0 +1,106 @@
+# ollama-gfx906/Dockerfile
+#
+# Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
+# The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
+# This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
+#
+# Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
+
+FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
+
+# Build dependencies (CMake, Ninja, Go)
+ARG CMAKEVERSION=3.31.2
+ARG NINJAVERSION=1.12.1
+ARG GOLANG_VERSION=1.22.0
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    curl git ccache build-essential pkg-config unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install CMake from official binaries
+RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
+    | tar xz -C /usr/local --strip-components 1
+
+# Install Ninja
+RUN curl -fsSL -o /tmp/ninja.zip \
+    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
+    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
+
+# Install Go
+RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
+    | tar xz -C /usr/local
+ENV PATH=/usr/local/go/bin:$PATH
+
+ARG OLLAMA_VERSION=v0.23.2
+RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
+WORKDIR /build
+
+# ROCm paths
+ENV HIP_PATH=/opt/rocm
+ENV ROCM_PATH=/opt/rocm
+ENV CMAKE_GENERATOR=Ninja
+ENV LDFLAGS=-s
+
+# Step 1: Build CPU backends with GCC (no ROCm preset)
+# Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
+# finding a HIP compiler (it searches /opt/rocm even without PATH).
+# Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
+RUN mkdir -p build-cpu && \
+    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
+      -DCMAKE_HIP_COMPILER="" \
+      -DCMAKE_INSTALL_PREFIX=/build/dist && \
+    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
+    cmake --install build-cpu --component CPU --strip && \
+    echo "=== CPU install ===" && \
+    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
+
+# Step 2: Build HIP backend with ROCm preset + gfx906 target only
+# The ROCm 6 preset enables HIP language detection (enable_language(HIP))
+# which ensures GPU kernels are properly compiled for gfx906.
+# OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
+# Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
+# at /opt/rocm/lib/cmake/hip/hip-config.cmake.
+RUN mkdir -p build-hip && \
+    cmake -B build-hip \
+      --preset 'ROCm 6' \
+      -DAMDGPU_TARGETS="gfx906:xnack-" \
+      -DCMAKE_BUILD_TYPE=Release \
+      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
+    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
+    cmake --install build-hip --component HIP --strip && \
+    echo "=== HIP install ===" && \
+    find /build/dist/lib/ollama -type f -o -type l | head -20
+
+# Step 3: Build Go binary (GCC for CGo linking)
+ENV CGO_ENABLED=1
+RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
+
+# ---------- Runtime image ----------
+FROM ubuntu:24.04
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy ROCm 6.1 runtime libraries
+# These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
+COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
+COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
+
+# Copy ollama binary + all backends (CPU + HIP)
+# CPU install:  /build/dist/lib/ollama/libggml-*.so
+# HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
+COPY --from=builder /build/dist/ollama /usr/bin/ollama
+COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
+
+RUN ldconfig
+
+ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
+ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
+ENV HCC_AMDGPU_TARGET=gfx906
+ENV HSA_ENABLE_SDMA=0
+
+EXPOSE 11434
+ENTRYPOINT ["/bin/ollama"]
+CMD ["serve"]

authentification/compose.yml

@@ -0,0 +1,36 @@
+version: "3.8"
+
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    volumes:
+      - /mnt/HoardingCow_docker_data/Authelia:/config
+    networks:
+      - auth_net
+    restart: always 
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP router
+      - "traefik.http.routers.authelia-http.rule=Host(`auth.lazyworkhorse.net`)"
+      - "traefik.http.routers.authelia-http.entrypoints=web"
+      - "traefik.http.routers.authelia-http.middlewares=redirect-to-https"
+
+      # HTTPS router
+      - "traefik.http.routers.authelia-https.rule=Host(`auth.lazyworkhorse.net`)"
+      - "traefik.http.routers.authelia-https.entrypoints=websecure"
+      - "traefik.http.routers.authelia-https.tls=true"
+      - "traefik.http.routers.authelia-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+
+      # forward auth middleware definition
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net"
+      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+
+networks:
+  auth_net:
+    external: true
+    name: auth_net

backup/compose.yml

@@ -0,0 +1,100 @@
+version: "3.8"
+
+services:
+  # kopia:
+  #   image: kopia/kopia:latest
+  #   container_name: kopia
+  #   restart: unless-stopped
+  #   # We explicitly run as root (0:0) to solve the CHDIR issue, 
+  #   # OR we make sure the host folders match UID 1000.
+  #   user: "0:0" 
+  #   command:
+  #     - server
+  #     - start
+  #     - --address=0.0.0.0:51515
+  #     - --server-username=${KOPIA_SERVER_USER}
+  #     - --server-password=${KOPIA_SERVER_PASSWORD}
+  #     - --config-file=/app/config/repository.config
+  #     - --disable-csrf-token-checks
+  #     - --insecure
+  #   environment:
+  #     - TZ=America/Montreal
+  #     - KOPIA_PASSWORD=${KOPIA_PASSWORD}
+  #     - USER=${KOPIA_USER}
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Kopia/config:/app/config
+  #     - /mnt/HoardingCow_docker_data/Kopia/cache:/app/cache
+  #     - /mnt/HoardingCow_docker_data/Kopia/repository:/repository
+  #     # Required if you want to use the 'Mount' feature later
+  #     - /tmp:/tmp:shared
+  #     # Required for mounting backups as drives
+  #   cap_add:
+  #     - SYS_ADMIN
+  #   devices:
+  #     - /dev/fuse:/dev/fuse
+  #   networks:
+  #     - traefik-net
+  #   labels:
+  #     - "traefik.enable=true"
+  #     # 1. HTTP to HTTPS Redirect
+  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.kopia-http.entrypoints=web"
+  #     - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
+  #     
+  #     # 2. HTTPS Configuration
+  #     - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.kopia.entrypoints=websecure"
+  #     - "traefik.http.routers.kopia.tls=true"
+  #     - "traefik.http.routers.kopia.tls.certresolver=njalla"
+  #     
+  #     # 3. Backend Service Config
+  #     - "traefik.http.services.kopia.loadbalancer.server.port=51515"
+
+  restic-server:
+    image: restic/restic:latest
+    container_name: restic-server
+    restart: always 
+    user: "0:0"
+    command: ["server", "--listen", ":8080", "--repo", "/data", "--tls-cert", "", "--tls-key", ""]
+    environment:
+      - TZ=America/Montreal
+      - RESTIC_PASSWORD=${RESTIC_PASSWORD}
+    volumes:
+      - /mnt/HoardingCow_docker_data/Restic/data:/data
+      # Mount paths to backup (adjust as needed)
+      - /mnt/HoardingCow_docker_data:/source:ro
+    networks:
+      - backup_net
+    labels:
+      - "traefik.enable=false" # Internal only, accessed by restic-browser
+
+  restic-browser:
+    image: embergarage/restic-browser:latest
+    container_name: restic-browser
+    restart: always 
+    environment:
+      - TZ=America/Montreal
+      - RESTIC_REPOSITORY=http://restic-server:8080
+      - RESTIC_PASSWORD=${RESTIC_PASSWORD}
+    networks:
+      - backup_net
+    labels:
+      - "traefik.enable=true"
+      # 1. HTTP to HTTPS Redirect
+      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.lazyworkhorse.net`)"
+      - "traefik.http.routers.restic-browser-http.entrypoints=web"
+      - "traefik.http.routers.restic-browser-http.middlewares=redirect-to-https@docker"
+      
+      # 2. HTTPS Configuration
+      - "traefik.http.routers.restic-browser.rule=Host(`backup.lazyworkhorse.net`)"
+      - "traefik.http.routers.restic-browser.entrypoints=websecure"
+      - "traefik.http.routers.restic-browser.tls=true"
+      - "traefik.http.routers.restic-browser.tls.certresolver=njalla"
+      
+      # 3. Backend Service Config
+      - "traefik.http.services.restic-browser.loadbalancer.server.port=8000"
+
+networks:
+  backup_net:
+    external: true
+    name: backup_net

cloudstorage/compose.yml

@@ -0,0 +1,82 @@
+version: "3.9"
+services:
+  nextcloud:
+    image: nextcloud:latest
+    container_name: nextcloud
+    restart: always
+    networks:
+      - cloud_net
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=America/Toronto
+      # Database connection
+      - MYSQL_HOST=nextcloud_mariadb
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
+      # Reverse Proxy Overrides (Crucial for HTTPS behind Traefik)
+      - OVERWRITEPROTOCOL=https
+      - OVERWRITECLIURL=https://cloud.lazyworkhorse.net
+      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.lazyworkhorse.net
+    volumes:
+      - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
+    depends_on:
+      - nextcloud_mariadb
+    labels:
+      - "traefik.enable=true"
+
+      # Router for HTTP -> HTTPS Redirection (Matching your Gitea style)
+      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.lazyworkhorse.net`)"
+      - "traefik.http.routers.nextcloud-http.entrypoints=web"
+      - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS
+      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.lazyworkhorse.net`)"
+      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud-https.tls=true"
+      - "traefik.http.routers.nextcloud-https.tls.certresolver=njalla"
+
+      # Middlewares: Redirection + Nextcloud DAV fixes
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.nextcloud-dav.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-dav.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-dav.redirectregex.replacement=https://$$1/remote.php/dav/"
+      
+      # Apply both redirection and DAV fixes
+      - "traefik.http.routers.nextcloud-https.middlewares=nextcloud-dav"
+
+  nextcloud_cron:
+    image: nextcloud:latest
+    container_name: nextcloud_cron
+    restart: always 
+    networks:
+      - cloud_net
+    entrypoint: /cron.sh
+    volumes:
+      - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
+    depends_on:
+      - nextcloud
+
+  nextcloud_mariadb:
+    image: mariadb:latest
+    container_name: nextcloud_mariadb
+    restart: unless-stopped
+    networks:
+      - cloud_internal
+    environment:
+      - MYSQL_RANDOM_ROOT_PASSWORD=yes
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
+      - MYSQL_DATABASE=nextcloud
+    volumes:
+      - /mnt/HoardingCow_docker_data/NextCloud/database:/var/lib/mysql:rw
+    # command: ["--innodb-force-recovery=6"]
+
+networks:
+  cloud_net:
+    external: true
+    name: cloud_net
+  cloud_internal:
+    driver: bridge
+    name: cloud_internal

coms/compose.yml

@@ -0,0 +1,110 @@
+version: "3.9"
+services:
+  # nomadnet:
+  #   image: ghcr.io/markqvist/nomadnet:master
+  #   container_name: nomadnet
+  #   restart: always
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+  #   # Reticulum transport must be reachable directly (NOT through Traefik)
+  #   ports:
+  #     - "4242:4242"
+
+  synapse:
+    image: ghcr.io/element-hq/synapse:latest
+    container_name: synapse
+    restart: always
+    volumes:
+      - /mnt/HoardingCow_docker_data/Matrix/data:/data
+    networks:
+      - coms_net
+      - coms_backend
+    depends_on:
+      synapse-db:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.matrix-http.rule=Host(`matrix.lazyworkhorse.net`)"
+      - "traefik.http.routers.matrix-http.entrypoints=web"
+      - "traefik.http.routers.matrix-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.matrix-https.rule=Host(`matrix.lazyworkhorse.net`)"
+      - "traefik.http.routers.matrix-https.entrypoints=websecure"
+      - "traefik.http.routers.matrix-https.tls=true"
+      - "traefik.http.routers.matrix-https.tls.certresolver=njalla"
+      - "traefik.http.services.matrix-https.loadbalancer.server.port=8008"
+      - "traefik.docker.network=coms_net"
+
+  synapse-db:
+    image: postgres:17-alpine
+    container_name: synapse-db
+    restart: always
+    environment:
+      - POSTGRES_USER=synapse
+      - POSTGRES_PASSWORD=${SYNAPSE_DB_PASSWORD}
+      - POSTGRES_DB=synapse
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - /mnt/HoardingCow_docker_data/Matrix/db:/var/lib/postgresql/data
+    networks:
+      - coms_backend
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U synapse"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      
+  synapse-admin:
+    image: awesometechnologies/synapse-admin:latest
+    container_name: synapse-admin
+    restart: always
+    networks:
+      - coms_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.lazyworkhorse.net`)"
+      - "traefik.http.routers.synapse-admin-http.entrypoints=web"
+      - "traefik.http.routers.synapse-admin-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.lazyworkhorse.net`)"
+      - "traefik.http.routers.synapse-admin-https.entrypoints=websecure"
+      - "traefik.http.routers.synapse-admin-https.tls=true"
+      - "traefik.http.routers.synapse-admin-https.tls.certresolver=njalla"
+      - "traefik.http.services.synapse-admin.loadbalancer.server.port=80"
+
+  # rbrowser:
+  #   build: 
+  #     context: https://github.com/fr33n0w/rBrowser.git#main
+  #   container_name: rbrowser
+  #   restart: unless-stopped
+  #   user: "1000:1000"
+  #   depends_on:
+  #     - nomadnet
+  #   volumes:
+  #     # share Reticulum identity + network state
+  #     - /mnt/HoardingCow_docker_data/Reticulum:/home/appuser/.reticulum
+  #   networks:
+  #     - traefik-net
+  #   labels:
+  #     - "traefik.enable=true"
+  #
+  #     # HTTP → HTTPS
+  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.rns-http.entrypoints=web"
+  #     - "traefik.http.routers.rns-http.middlewares=redirect-to-https"
+  #
+  #     # HTTPS protected by Authelia
+  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.rns-https.entrypoints=websecure"
+  #     - "traefik.http.routers.rns-https.tls=true"
+  #     - "traefik.http.routers.rns-https.tls.certresolver=njalla"
+  #     - "traefik.http.routers.rns-https.middlewares=authelia-auth"
+  #
+  #     - "traefik.http.services.rns.loadbalancer.server.port=5000"
+
+networks:
+  coms_net:
+    external: true
+    name: coms_net
+  coms_backend:
+    driver: bridge
+    name: coms_backend

finance/compose.yml

@@ -0,0 +1,40 @@
+version: "3.9"
+
+services:
+  fava:
+    image: yegle/fava
+    container_name: fava
+    environment:
+      - BEANCOUNT_FILE=/data/beancount_finance_vault/ledger/main/tpouplier.beancount
+    volumes:
+      - /mnt/HoardingCow_docker_data/Fava:/data
+    networks:
+      - finance_net
+    restart: always
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP → HTTPS redirect
+      - "traefik.http.routers.fava-http.rule=Host(`money.lazyworkhorse.net`)"
+      - "traefik.http.routers.fava-http.entrypoints=web"
+      - "traefik.http.routers.fava-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # HTTPS router protected by Authelia
+      - "traefik.http.routers.fava-https.rule=Host(`money.lazyworkhorse.net`)"
+      - "traefik.http.routers.fava-https.entrypoints=websecure"
+      - "traefik.http.routers.fava-https.tls=true"
+      - "traefik.http.routers.fava-https.tls.certresolver=njalla"
+      - "traefik.http.routers.fava-https.middlewares=fava-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.fava-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.fava-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Internal port
+      - "traefik.http.services.fava.loadbalancer.server.port=5000"
+
+networks:
+  finance_net:
+    external: true

homeautomation/compose.yml

@@ -0,0 +1,95 @@
+services:
+
+  homeassistant:
+    image: ghcr.io/home-assistant/home-assistant:stable
+    container_name: homeassistant
+    restart: always
+    privileged: true
+    # Was needed for someting.. but dont remember. Deactivated for now.
+    # network_mode: host  # Discovery (mDNS/Bluetooth) requires this
+    environment:
+      - TZ=America/Toronto
+    volumes:
+      - /mnt/HoardingCow_docker_data/Home_Assistant:/config:rw
+    networks:
+      - home_auto_net
+      - home_auto_backend
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.hass-http.rule=Host(`home.lazyworkhorse.net`)"
+      - "traefik.http.routers.hass-http.entrypoints=web"
+      - "traefik.http.routers.hass-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.hass-https.rule=Host(`home.lazyworkhorse.net`)"
+      - "traefik.http.routers.hass-https.entrypoints=websecure"
+      - "traefik.http.routers.hass-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.hass.loadbalancer.server.port=8123"
+      - "traefik.http.services.hass.loadbalancer.server.scheme=http"
+      # Trusted proxy defined in configuration.yml
+
+  mosquitto:
+    image: eclipse-mosquitto
+    volumes:
+      - /mnt/HoardingCow_docker_data/Mosquitto:/mosquitto
+    networks:
+      - home_auto_backend
+    # ports:
+    #   - 1883:1883
+    #   - 9001:9001
+
+  hydroqc2mqtt:
+    image: registry.gitlab.com/hydroqc/hydroqc2mqtt:1.3.0
+    restart: always
+    networks:
+      - home_auto_backend
+    environment:
+      MQTT_USERNAME: hass
+      MQTT_PASSWORD: ${MQTT_PASSWORD}
+      MQTT_HOST: 192.168.1.3
+      MQTT_PORT: 1883
+      HQ2M_CONTRACTS_0_NAME: maison
+      HQ2M_CONTRACTS_0_USERNAME: thierrypouplier@gmail.com
+      HQ2M_CONTRACTS_0_PASSWORD: ${HQ2M_CONTRACTS_0_PASSWORD}
+      HQ2M_CONTRACTS_0_CUSTOMER: ${HQ2M_CONTRACTS_0_CUSTOMER}
+      HQ2M_CONTRACTS_0_ACCOUNT: ${HQ2M_CONTRACTS_0_ACCOUNT}
+      HQ2M_CONTRACTS_0_CONTRACT: ${HQ2M_CONTRACTS_0_CONTRACT} 
+      HQ2M_CONTRACTS_0_RATE: 'D'
+      HQ2M_CONTRACTS_0_RATE_OPTION: 'NONE'
+      HQ2M_CONTRACTS_0_SYNC_HOURLY_CONSUMPTION_ENABLED: "true"
+      HQ2M_CONTRACTS_0_HOME_ASSISTANT_WEBSOCKET_URL: http://homeassistant:8123/api/websocket
+      HQ2M_CONTRACTS_0_HOME_ASSISTANT_TOKEN: ${HQ2M_CONTRACTS_0_HOME_ASSISTANT_TOKEN}
+
+  # grocy:
+  #   entrypoint:
+  #     - /init
+  #   environment:
+  #     - PUID=1000
+  #     - PGID=1000
+  #     - TZ=America/Toronto
+  #   image: lscr.io/linuxserver/grocy
+  #   ports:
+  #     - 9283:80/tcp
+  #   restart: unless-stopped
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Grocy/config:/config:rw
+
+  # node-red:
+  #   image: nodered/node-red:latest
+  #   environment:
+  #     - NODE_RED_UID=1000
+  #     - NODE_RED_GID=1000
+  #     - TZ=UTC
+  #   ports:
+  #     - "1880:1880"
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Node-Red/data:/data
+  #   restart: unless-stopped
+
+networks:
+  home_auto_net:
+    external: true
+  home_auto_backend:
+    driver: bridge
+    name: home_auto_backend

homepage/compose.yml

@@ -0,0 +1,67 @@
+services:
+  homer:
+    image: b4bz/homer
+    container_name: homer
+    environment:
+      - UID=1000
+      - GID=1000
+      - TZ=America/Toronto
+      - PORT=8080
+    volumes:
+      - /mnt/HoardingCow_docker_data/Homer/assets:/www/assets:rw
+    restart: always
+    networks:
+      - homepage_net
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP → HTTPS redirect
+      - "traefik.http.routers.homer-http.rule=Host(`lazyworkhorse.net`)"
+      - "traefik.http.routers.homer-http.entrypoints=web"
+      - "traefik.http.routers.homer-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # HTTPS router protected by Authelia
+      - "traefik.http.routers.homer-https.rule=Host(`lazyworkhorse.net`)"
+      - "traefik.http.routers.homer-https.entrypoints=websecure"
+      - "traefik.http.routers.homer-https.tls=true"
+      - "traefik.http.routers.homer-https.tls.certresolver=njalla"
+      - "traefik.http.routers.homer-https.middlewares=homer-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.homer-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.homer-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Internal port
+      - "traefik.http.services.homer.loadbalancer.server.port=8080"
+
+  telos:
+    image: nginx:alpine
+    container_name: telos
+    volumes:
+      - /mnt/HoardingCow_docker_data/Telos/site:/usr/share/nginx/html:ro
+    restart: always
+    networks:
+      - homepage_net
+    labels:
+      - "traefik.enable=true"
+
+      # HTTP → HTTPS redirect
+      - "traefik.http.routers.telos-http.rule=Host(`telos.lazyworkhorse.net`)"
+      - "traefik.http.routers.telos-http.entrypoints=web"
+      - "traefik.http.routers.telos-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # HTTPS router
+      - "traefik.http.routers.telos-https.rule=Host(`telos.lazyworkhorse.net`)"
+      - "traefik.http.routers.telos-https.entrypoints=websecure"
+      - "traefik.http.routers.telos-https.tls=true"
+      - "traefik.http.routers.telos-https.tls.certresolver=njalla"
+
+      # Internal port
+      - "traefik.http.services.telos.loadbalancer.server.port=80"
+
+networks:
+  homepage_net:
+    external: true

network/compose.yml

@@ -7,31 +7,46 @@ services:
     command:
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.sshnode.address=:2425"
 
       - "--certificatesresolvers.njalla.acme.email=thierrypouplier@gmail.com"
       - "--certificatesresolvers.njalla.acme.storage=/letsencrypt/acme.json"
       - "--certificatesresolvers.njalla.acme.httpchallenge.entrypoint=web"
 
-      - "--log.level=DEBUG"
+      - "--log.level=INFO"
+      - "--log.filepath=/var/log/traefik/traefik.log"
+      - "--accesslog.filepath=/var/log/traefik/access.log"
       - "--providers.docker=true"
       - "--providers.docker.exposedByDefault=false"
     ports:
       - "80:80"
       - "443:443"
     environment:
-      - NJALLA_TOKEN=${NJALLA_TOKEN}
+      - NJALLA_TOKEN=***
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /mnt/HoardingCow_docker_data/Traefik:/letsencrypt
+      - /var/log/traefik:/var/log/traefik
     restart: unless-stopped
     networks:
-      - traefik-net
+      - traefik_backend
+      - ai_net
+      - auth_net
+      - backup_net
+      - cloud_net
+      - coms_net
+      - finance_net
+      - home_auto_net
+      - homepage_net
+      - passman_net
+      - tak_net
+      - vc_net
 
   ddns-updater:
     image: qmcgaw/ddns-updater
     container_name: ddns-updater
     networks:
-      - traefik-net
+      - traefik_backend
     ports:
       - 8000:8000/tcp
     volumes:
@@ -63,9 +78,42 @@ services:
     restart: unless-stopped
 
 networks:
-  traefik-net:
+  traefik_backend:
     driver: bridge
-    name: traefik-net
+    name: traefik_backend
+  ai_net:
+    external: true
+    name: ai_net
+  auth_net:
+    external: true
+    name: auth_net
+  backup_net:
+    external: true
+    name: backup_net
+  cloud_net:
+    external: true
+    name: cloud_net
+  coms_net:
+    external: true
+    name: coms_net
+  finance_net:
+    external: true
+    name: finance_net
+  home_auto_net:
+    external: true
+    name: home_auto_net
+  homepage_net:
+    external: true
+    name: homepage_net
+  passman_net:
+    external: true
+    name: passman_net
+  tak_net:
+    external: true
+    name: tak_net
+  vc_net:
+    external: true
+    name: vc_net
 
   # duckdns:
   #   environment:
@@ -73,7 +121,7 @@ networks:
   #     - PGID=1000
   #     - TZ=America/Toronto
   #     - SUBDOMAINS=aziworkhorse
-  #     - TOKEN=$[DUCKDNS_TOKEN]
+  #     - TOKEN=${DUCKDNS_TOKEN}
   #   image: lscr.io/linuxserver/duckdns
   #   labels:
   #     - "traefik.enable=false"

passwordmanager/compose.yml

@@ -13,32 +13,24 @@ services:
     volumes:
       - /mnt/HoardingCow_docker_data/BitWarden/data:/data:rw
     networks:
-      - traefik-net
+      - passman_net
-    restart: unless-stopped
+    restart: always
     labels:
       - "traefik.enable=true"
 
-      # Router for HTTP + redirection to HTTPS
+      # HTTP → HTTPS
-      - "traefik.http.routers.bitwarden-http.rule=Host(`pass.lazyworkhorse.net`)"
+      - "traefik.http.routers.pass-http.rule=Host(`pass.lazyworkhorse.net`)"
-      - "traefik.http.routers.bitwarden-http.entrypoints=web"
+      - "traefik.http.routers.pass-http.entrypoints=web"
-      - "traefik.http.routers.bitwarden-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.pass-http.middlewares=redirect-to-https"
 
-      # Router for HTTPS with TLS
+      # HTTPS
-      - "traefik.http.routers.bitwarden-https.rule=Host(`pass.lazyworkhorse.net`)"
+      - "traefik.http.routers.pass-https.rule=Host(`pass.lazyworkhorse.net`)"
-      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
+      - "traefik.http.routers.pass-https.entrypoints=websecure"
-      - "traefik.http.routers.bitwarden-https.tls=true"
+      - "traefik.http.routers.pass-https.tls=true"
-      - "traefik.http.routers.bitwarden-https.tls.certresolver=njalla"
+      - "traefik.http.routers.pass-https.tls.certresolver=njalla"
-
-      # Wildcard
-      # - "traefik.http.routers.bitwarden-https.tls.domains[0].main=lazyworkhorse.net"
-      # - "traefik.http.routers.bitwarden-https.tls.domains[0].sans=*.lazyworkhorse.net"
-
-      # Middleware for redirect HTTP -> HTTPS
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
-      # Websocket support (port 80 du container)
-      - "traefik.http.services.bitwarden.loadbalancer.server.port=80"
 
+      # Internal service
+      - "traefik.http.services.pass.loadbalancer.server.port=80"
 networks:
-  traefik-net:
+  passman_net:
     external: true

tak/compose.yml

@@ -0,0 +1,98 @@
+services:
+  freetakserver:
+    image: ghcr.io/freetakteam/freetakserver:master
+    container_name: freetakserver
+    hostname: freetakserver
+    restart: always
+    networks:
+      - tak_backend
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_data:/opt/fts:z,rw
+    ports:
+      - 8087:8087
+      - 8089:8089
+      - 8443:8443
+      - 9000:9000
+      - 19023:19023
+    environment:
+      FTS_FED_PASSWORD: "${FTS_FED_PASSWORD}"
+      FTS_CLIENT_CERT_PASSWORD: "${FTS_CLIENT_CERT_PASSWORD}"
+      FTS_WEBSOCKET_KEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_SECRET_KEY: "${FTS_SECRET_KEY}"
+      FTS_CONNECTION_MESSAGE: "Welcome to FreeTAKServer. The Parrot is not dead. It's just resting"
+      FTS_COT_PORT: 8087
+      FTS_SSLCOT_PORT: 8089
+      FTS_API_PORT: 19023
+      FTS_FED_PORT: 9000
+      FTS_DP_ADDRESS: 'freetakserver'
+      FTS_USER_ADDRESS: 'freetakserver'
+      FTS_API_ADDRESS: 'freetakserver'
+      FTS_ROUTING_PROXY_SUBSCRIBE_PORT: 19030
+      FTS_ROUTING_PROXY_SUBSCRIBE_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_PUBLISHER_PORT: 19032
+      FTS_ROUTING_PROXY_PUBLISHER_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_SERVER_PORT: 19031
+      FTS_ROUTING_PROXY_SERVER_IP: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PULLER_PORT: 19033
+      FTS_INTEGRATION_MANAGER_PULLER_ADDRESS: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PUBLISHER_PORT: 19034
+      FTS_INTEGRATION_MANAGER_PUBLISHER_ADDRESS: 'freetakserver'
+      FTS_OPTIMIZE_API: "True"
+      FTS_DATA_RECEPTION_BUFFER: 1024
+      FTS_MAX_RECEPTION_TIME: 4
+      FTS_NUM_ROUTING_WORKERS: 3
+      FTS_COT_TO_DB: "True"
+      FTS_MAINLOOP_DELAY: 100
+      FTS_EMERGENCY_RADIUS: 0
+      FTS_LOG_LEVEL: "info"
+
+  freetakserver-ui:
+    image: ghcr.io/freetakteam/ui:latest
+    container_name: freetakserver-ui
+    hostname: freetakserver-ui
+    restart: always
+    networks:
+      - tak_net
+    ports:
+      - 5000:5000
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_ui_data:/home/freetak/data:z,rw
+    environment:
+      FTS_IP: "freetakserver" 
+      FTS_API_PORT: 19023
+      FTS_API_PROTO: 'http'
+      FTS_UI_EXPOSED_IP: 'freetakserver-ui'
+      FTS_MAP_EXPOSED_IP: '127.0.0.1'
+      FTS_MAP_PORT: 8000
+      FTS_MAP_PROTO: 'http'
+      FTS_UI_PORT: 5000
+      FTS_UI_WSKEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_API_KEY: 'Bearer token'
+      FTS_UI_SQLALCHEMY_DATABASE_URI: 'sqlite:////home/freetak/data/FTSServer-UI.db'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+
+      # HTTP -> HTTPS Redirect
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-http.entrypoints=web"
+      - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
+
+      # HTTPS Router
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
+      - "traefik.http.routers.fts-ui-https.tls=true"
+      - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
+      
+      # Service & Port
+      - "traefik.http.services.fts-ui.loadbalancer.server.port=5000"
+
+      # Reuse your existing redirect middleware
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+networks:
+  tak_net:
+    external: true
+  tak_backend:
+    driver: bridge
+    name: tak_backend

versioncontrol/compose.yml

@@ -7,34 +7,58 @@ services:
       - USER_UID=1000
       - USER_GID=1000
       - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
+      - GITEA__actions__ENABLED=true
+      - SSH_PORT=2222
+      - SSH_LISTEN_PORT=2222
+      # Enable Gitea Actions (act_runner required on host)
+      - GITEA__actions__ENABLED=true
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks:
-      - traefik-net
+      - vc_net
-    restart: unless-stopped
+    restart: always
+    ports:
+      - "2222:2222"
     labels:
       - "traefik.enable=true"
 
-      # Router for HTTP + redirection to HTTPS
+      # HTTP -> HTTPS Redirect
       - "traefik.http.routers.gitea-http.rule=Host(`code.lazyworkhorse.net`)"
       - "traefik.http.routers.gitea-http.entrypoints=web"
       - "traefik.http.routers.gitea-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
-      # Router for HTTPS with TLS
+      # HTTPS Router
       - "traefik.http.routers.gitea-https.rule=Host(`code.lazyworkhorse.net`)"
       - "traefik.http.routers.gitea-https.entrypoints=websecure"
       - "traefik.http.routers.gitea-https.tls=true"
       - "traefik.http.routers.gitea-https.tls.certresolver=njalla"
+      - "traefik.http.routers.gitea-https.middlewares=gitea-home-redirect"
 
-      # Wildcard
+      # The Redirect Logic - Using single quotes to allow backslashes
-      # - "traefik.http.routers.gitea-https.tls.domains[0].main=lazyworkhorse.net"
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.lazyworkhorse\.net/?$$'
-      # - "traefik.http.routers.gitea-https.tls.domains[0].sans=*.lazyworkhorse.net"
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.lazyworkhorse.net/gortium'
-
+      - "traefik.http.middlewares.gitea-home-redirect.redirectregex.permanent=true"
-      # Middleware for redirect HTTP -> HTTPS
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
+      # Internal Routing
       - "traefik.http.services.gitea.loadbalancer.server.port=3000"
 
+  act_runner:
+    image: gitea/act_runner:latest
+    container_name: act_runner
+    environment:
+      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
+      - GITEA_RUNNER_NAME=ai-host-runner
+      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - vc_net
+    restart: always
+    depends_on:
+      - gitea
+
 networks:
-  traefik-net:
+  vc_net:
     external: true

vpn/Dockerfile

@@ -0,0 +1,9 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM ghcr.io/wg-easy/wg-easy:latest
+
+# The upstream image registers only iptables-legacy with update-alternatives.
+# iptables-nft binary exists but isn't registered as an alternative key.
+# Override the alternatives-managed symlinks directly.
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables

vpn/compose.yml

@@ -0,0 +1,38 @@
+version: "3.8"
+
+services:
+  wireguard:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
+    container_name: wireguard
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    environment:
+      - WG_HOST=vpn.lazyworkhorse.net
+      - PASSWORD=${WG_PASSWORD}
+      - WG_PORT=51820
+      - WG_DEFAULT_ADDRESS=10.8.0.x
+      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
+      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
+      - WG_PERSISTENT_KEEPALIVE=25
+      - UI_TRAFFIC_STATS=true
+      - UI_CHART_TYPE=0
+    ports:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
+    volumes:
+      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
+    restart: unless-stopped
+    networks:
+      - vpn_net
+
+networks:
+  vpn_net:
+    external: true
+    name: vpn_net