feat: add plugin URLs pointing to gortium account

Reviewed-on: #50

.env.production

@@ -1,4 +0,0 @@
-# Production environment
-# docker compose --env-file .env.production up -d
-DOMAIN=lazyworkhorse.net
-SITE_URL=https://lazyworkhorse.net

.env.staging

@@ -1,4 +0,0 @@
-# Staging environment
-# docker compose --env-file .env.staging up -d
-DOMAIN=staging.lazyworkhorse.net
-SITE_URL=https://staging.lazyworkhorse.net

Makefile

@@ -1,18 +1,13 @@
 # Base path for docker-compose files
-COMPOSE_PATH?=~/Projects/AltNet/docker-compose
-
-# Environment selection: staging or production (default)
-ENV?=production
-ENV_FILE=.env.$(ENV)
+COMPOSE_PATH=~/Projects/AltNet/docker-compose
 
 # List of services (folder names)
 SERVICES=monitoring ai cloudstorage crm_tp crm_cf mediacenter homeautomation network backup homepage passwordmanager
 
 # Bring up all services
 all_up:
-	@echo "Deploying with $(ENV) environment ($(ENV_FILE))..."
 	@for service in $(SERVICES); do \
-		docker compose --env-file $(ENV_FILE) -f $(COMPOSE_PATH)/$$service/compose.yml up -d; \
+		docker compose -f $(COMPOSE_PATH)/$$service/compose.yml up -d; \
 	done
 
 # Bring down all services
@@ -23,27 +18,15 @@ all_down:
 
 # Generic target to deploy a specific service
 %_up:
-	@echo "Deploying $* with $(ENV) environment ($(ENV_FILE))..."
-	@docker compose --env-file $(ENV_FILE) -f $(COMPOSE_PATH)/$*/compose.yml up -d
+	@docker compose -f $(COMPOSE_PATH)/$*/compose.yml up -d
 
 # Generic target to bring down a specific service
 %_down:
 	@docker compose -f $(COMPOSE_PATH)/$*/compose.yml down
 
-# Deploy staging (all services)
-staging:
-	@$(MAKE) all_up ENV=staging
-
-# Deploy production (all services)
-production:
-	@$(MAKE) all_up ENV=production
-
-# Staging per-service: make openwebui_up ENV=staging
-# Production per-service: make openwebui_up ENV=production
-
 all_stack_up:
 	@for service in $(SERVICES); do \
-		docker stack deploy --env-file $(ENV_FILE) -c $(COMPOSE_PATH)/$$service/compose.yml $$service; \
+		docker stack deploy -c $(COMPOSE_PATH)/$$service/compose.yml $$service; \
 	done
 
 all_stack_down:
@@ -52,7 +35,7 @@ all_stack_down:
 	done
 
 %_stack_up:
-	@docker stack deploy --env-file $(ENV_FILE) -c $(COMPOSE_PATH)/$*/compose.yml $*
+	@docker stack deploy -c $(COMPOSE_PATH)/$*/compose.yml $*
 
 %_stack_down:
 	@docker stack rm $*
@@ -60,9 +43,3 @@ all_stack_down:
 stack_ls:
 	@docker node ps workGoat;
 	docker node ps workHorse
-
-# Show current environment settings
-env:
-	@echo "Active environment: $(ENV)"
-	@echo "Env file: $(ENV_FILE)"
-	@test -f $(ENV_FILE) && cat $(ENV_FILE) || echo "WARNING: $(ENV_FILE) not found!"

ai/compose.yml

@@ -15,12 +15,12 @@ services:
   #     - "traefik.enable=true"
 
   #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.${DOMAIN}`)"
+  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
   #     - "traefik.http.routers.webui-http.entrypoints=web"
   #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
 
   #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.${DOMAIN}`)"
+  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
   #     - "traefik.http.routers.webui-https.entrypoints=websecure"
   #     - "traefik.http.routers.webui-https.tls=true"
   #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
@@ -28,17 +28,22 @@ services:
   hermes:
     build:
       context: ./hermes
-      ssh:
-        - default
+      args:
+        HERMES_PLUGIN_URLS: "git+https://code.lazyworkhorse.net/gortium/hermes-piper-plugin.git;git+https://code.lazyworkhorse.net/gortium/hermes-identity-plugin.git"
     container_name: hermes
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
+      # Multi-profile: comma-separated list of profiles to run as gateways.
+      # The entrypoint reads this and starts one gateway per profile.
+      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
+      - HERMES_PROFILES=ashley,claire,finn,matt,paul
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -66,6 +71,30 @@ services:
       - "26"
     networks:
       - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-http.entrypoints=web"
+      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
+      - "traefik.http.routers.hermes-web-https.tls=true"
+      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Service Loadbalancer (dashboard port 9119)
+      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
 
   syncthing:
     image: syncthing/syncthing:latest
@@ -87,10 +116,10 @@ services:
       - ai_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.${DOMAIN}`)"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
       - "traefik.http.routers.syncthing-http.entrypoints=web"
       - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.${DOMAIN}`)"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
       - "traefik.http.routers.syncthing-https.entrypoints=websecure"
       - "traefik.http.routers.syncthing-https.tls=true"
       - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
@@ -232,12 +261,12 @@ networks:
   #   networks:
   #     - ai_net
   #   environment:
-  #     - N8N_HOST=n8n.${DOMAIN}
+  #     - N8N_HOST=n8n.lazyworkhorse.net
   #     - N8N_PORT=5678
   #     - N8N_PROTOCOL=https
   #     - NODE_ENV=production
   #     - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
-  #     - WEBHOOK_URL=https://n8n.${DOMAIN}/
+  #     - WEBHOOK_URL=https://n8n.lazyworkhorse.net/
   #     - GENERIC_TIMEZONE=America/New_York # Adjust to your timezone
   #     - N8N_BLOCK_EXTERNAL_STORAGE_ACCESS=false
   #     - N8N_NODES_PYTHON_CAN_IMPORT_MODULES=true 
@@ -251,12 +280,12 @@ networks:
   #     - "traefik.enable=true"
 
   #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.${DOMAIN}`)"
+  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.lazyworkhorse.net`)"
   #     - "traefik.http.routers.n8n-http.entrypoints=web"
   #     - "traefik.http.routers.n8n-http.middlewares=redirect-to-https"
 
   #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.${DOMAIN}`)"
+  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.lazyworkhorse.net`)"
   #     - "traefik.http.routers.n8n-https.entrypoints=websecure"
   #     - "traefik.http.routers.n8n-https.tls=true"
   #     - "traefik.http.routers.n8n-https.tls.certresolver=njalla"
@@ -286,15 +315,15 @@ networks:
   #     - BROWSER_CDP_URL=http://openclaw-browser:9222
   #     - BROWSER_EVALUATE_ENABLED=true
   #     - OPENCLAW_GATEWAY_HOST=0.0.0.0
-  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.${DOMAIN}
+  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.lazyworkhorse.net
   #   labels:
   #     - "traefik.enable=true"
 
-  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.${DOMAIN}`)"
+  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.lazyworkhorse.net`)"
   #     - "traefik.http.routers.openclaw-http.entrypoints=web"
   #     - "traefik.http.routers.openclaw-http.middlewares=redirect-to-https"
 
-  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.${DOMAIN}`)"
+  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.lazyworkhorse.net`)"
   #     - "traefik.http.routers.openclaw-https.priority=50"
   #     - "traefik.http.routers.openclaw-https.entrypoints=websecure"
   #     - "traefik.http.routers.openclaw-https.tls=true"

ai/hermes/Dockerfile

@@ -1,45 +1,22 @@
 # syntax=docker/dockerfile:1
-# Hermes Agent -- custom fork build
-# Builds on top of official image + overlays our forked source from Gitea.
-# Requires Docker BuildKit. Pass SSH agent for git clone:
+# Hermes Agent -- official image + custom plugins layered on top.
+# No fork needed — customizations are pip-installable plugins from Gitea.
 #   docker compose build hermes
 # Or manually:
-#   DOCKER_BUILDKIT=1 docker build --ssh default -t hermes-agent:custom .
+#   DOCKER_BUILDKIT=1 docker build --build-arg HERMES_PLUGIN_URLS="url1 url2" -t hermes-agent:custom .
 
 # ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
 FROM nousresearch/hermes-agent:latest
 
-# ---------- Overlay our forked source ----------
-# Uses SSH agent forwarding from the build host (no key baked into image).
-# --exclude node_modules/.venv keeps the base image's pre-built layers intact.
-# Only the Python source, web UI source, and config change.
-RUN --mount=type=ssh \
-    mkdir -p /root/.ssh && \
-    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
-    cd /tmp && \
-    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
-    git clone --depth 1 --branch main \
-    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rsync -a --delete fork/ /opt/hermes/ \
-      --exclude node_modules \
-      --exclude .venv \
-      --exclude .git && \
-    rm -rf /tmp/fork /root/.ssh/
-
-# ---------- Rebuild web UI ----------
-# Source files changed; node_modules (from base image) reused.
-RUN cd /opt/hermes && npm run build
-
-# ---------- Reinstall Python package (editable) ----------
-# Picks up source changes from our fork.
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir --no-deps -e /opt/hermes
+# ---------- Plugin URLs (semicolon-separated, set via compose.yml build args) ----------
+ARG HERMES_PLUGIN_URLS=""
 
 # ---------- Extra system deps ----------
 USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         libportaudio2 ca-certificates poppler-utils imagemagick \
+        libolm-dev \
         texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
         texlive-xetex texlive-science \
         qemu-user-static binfmt-support emacs-nox && \
@@ -48,6 +25,10 @@ RUN apt-get update && \
 # ---------- UV ----------
 COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
 
+# ---------- Matrix bridge + extra pip deps ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
+
 # ---------- Piper TTS ----------
 RUN . /opt/hermes/.venv/bin/activate && \
     uv pip install --no-cache-dir piper-tts sounddevice numpy && \
@@ -75,9 +56,22 @@ os.remove(tgz)
 print('himalaya v1.2.0 installed')
 PYEOF
 
-# ---------- Install himalaya-ro wrapper ----------
-COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+# ---------- Install custom plugins from URLs ----------
+# HERMES_PLUGIN_URLS is a semicolon-separated list of pip-installable
+# package URLs (e.g. git+https:// or direct .tar.gz archives from Gitea).
+# Each plugin is installed into the Hermes venv.
+RUN if [ -n "$HERMES_PLUGIN_URLS" ]; then \
+        . /opt/hermes/.venv/bin/activate && \
+        IFS=';' read -ra URLS <<< "$HERMES_PLUGIN_URLS" && \
+        for url in "${URLS[@]}"; do \
+            echo "Installing plugin: $url" && \
+            uv pip install --no-cache-dir "$url"; \
+        done; \
+    fi
 
+# ---------- Install multi-gateway launcher ----------
+# Launches one gateway process per profile (HERMES_PROFILES env var)
+COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
 
 # ---------- Runtime ----------
 USER hermes
@@ -88,6 +82,7 @@ ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
 
 # Ensure tools directory and toolsets.py are writable by the hermes runtime user
 # so custom tools can be injected from the persistent volume at startup.
+USER root
 RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
 
-VOLUME [ "/opt/data" ]
+VOLUME [ "/opt/data" ]

ai/hermes/himalaya-ro.sh

@@ -1,73 +0,0 @@
-#!/usr/bin/env bash
-# ─────────────────────────────────────────────────────────────
-# himalaya-ro — Read-only wrapper for himalaya
-#
-# Blocks destructive commands and logs audit trail.
-# Pass-through for read-only commands (list, read, search).
-#
-# Usage:  himalaya-ro [options] <command> [args...]
-#
-# Install: place in PATH before the real himalaya, or use
-#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
-# ─────────────────────────────────────────────────────────────
-set -o pipefail
-
-# ── Configuration ───────────────────────────────────────────
-HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
-AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
-
-# ── Destructive commands we block ──────────────────────────
-BLOCKED_CMDS=(
-  "message move"
-  "message delete"
-  "message copy"
-  "flag add"
-  "flag remove"
-  "folder create"
-  "folder delete"
-  "folder rename"
-  "template send"
-  "account configure"
-  "account delete"
-)
-
-# ── Determine the subcommand being invoked ─────────────────
-# Strip leading options (--account, --output, etc.) to find the verb
-ARGS=()
-SKIP_NEXT=false
-for arg in "$@"; do
-  if $SKIP_NEXT; then
-    SKIP_NEXT=false
-    continue
-  fi
-  if [[ "$arg" == --* ]]; then
-    case "$arg" in
-      --account|--output|--page|--page-size|--folder|--color|--format)
-        SKIP_NEXT=true ;;
-    esac
-    continue
-  fi
-  ARGS+=("$arg")
-done
-
-# Build subcommand string and check against blocklist
-CMD_STR=""
-for ((i=0; i<${#ARGS[@]}; i++)); do
-  if [ -z "$CMD_STR" ]; then
-    CMD_STR="${ARGS[$i]}"
-  else
-    CMD_STR="$CMD_STR ${ARGS[$i]}"
-  fi
-  for blocked in "${BLOCKED_CMDS[@]}"; do
-    if [[ "$CMD_STR" == "$blocked" ]]; then
-      TS=$(date '+%Y-%m-%d %H:%M:%S')
-      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
-      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
-      echo "       Audit log: $AUDIT_LOG" >&2
-      exit 100
-    fi
-  done
-done
-
-# ── Allow pass-through ─────────────────────────────────────
-exec "$HIMALAYA_BIN" "$@"

ai/hermes/run-multi-gateways.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Multi-gateway launcher for HERMES_PROFILES env var.
+# Reads comma-separated profile names, spawns one gateway per profile.
+# Designed to run before the main entrypoint — gateways run in background.
+set -e
+
+if [ -z "${HERMES_PROFILES}" ]; then
+  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
+  exit 0
+fi
+
+# Source venv to make 'hermes' available (entrypoint.sh sources it later,
+# but we need it NOW for the background gateways)
+HERMES_BIN="/opt/hermes/.venv/bin/hermes"
+if [ ! -x "$HERMES_BIN" ]; then
+  echo "ERROR: hermes binary not found at $HERMES_BIN"
+  exit 1
+fi
+
+mkdir -p /opt/data/logs
+
+IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
+for profile in "${PROFILES[@]}"; do
+  profile="$(echo "${profile}" | xargs)"  # trim whitespace
+  [ -z "${profile}" ] && continue
+
+  echo "Starting gateway for profile: ${profile}"
+  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
+      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
+done
+
+echo "All gateways launched: ${HERMES_PROFILES}"

authentification/compose.yml

@@ -13,12 +13,12 @@ services:
       - "traefik.enable=true"
 
       # HTTP router
-      - "traefik.http.routers.authelia-http.rule=Host(`auth.${DOMAIN}`)"
+      - "traefik.http.routers.authelia-http.rule=Host(`auth.lazyworkhorse.net`)"
       - "traefik.http.routers.authelia-http.entrypoints=web"
       - "traefik.http.routers.authelia-http.middlewares=redirect-to-https"
 
       # HTTPS router
-      - "traefik.http.routers.authelia-https.rule=Host(`auth.${DOMAIN}`)"
+      - "traefik.http.routers.authelia-https.rule=Host(`auth.lazyworkhorse.net`)"
       - "traefik.http.routers.authelia-https.entrypoints=websecure"
       - "traefik.http.routers.authelia-https.tls=true"
       - "traefik.http.routers.authelia-https.tls.certresolver=njalla"
@@ -26,7 +26,7 @@ services:
       - "traefik.http.services.authelia.loadbalancer.server.port=9091"
 
       # forward auth middleware definition
-      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net"
       - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
 

backup/compose.yml

@@ -37,12 +37,12 @@ services:
   #   labels:
   #     - "traefik.enable=true"
   #     # 1. HTTP to HTTPS Redirect
-  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.${DOMAIN}`)"
+  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
   #     - "traefik.http.routers.kopia-http.entrypoints=web"
   #     - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
   #     
   #     # 2. HTTPS Configuration
-  #     - "traefik.http.routers.kopia.rule=Host(`backup.${DOMAIN}`)"
+  #     - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
   #     - "traefik.http.routers.kopia.entrypoints=websecure"
   #     - "traefik.http.routers.kopia.tls=true"
   #     - "traefik.http.routers.kopia.tls.certresolver=njalla"
@@ -81,12 +81,12 @@ services:
     labels:
       - "traefik.enable=true"
       # 1. HTTP to HTTPS Redirect
-      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.${DOMAIN}`)"
+      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.lazyworkhorse.net`)"
       - "traefik.http.routers.restic-browser-http.entrypoints=web"
       - "traefik.http.routers.restic-browser-http.middlewares=redirect-to-https@docker"
       
       # 2. HTTPS Configuration
-      - "traefik.http.routers.restic-browser.rule=Host(`backup.${DOMAIN}`)"
+      - "traefik.http.routers.restic-browser.rule=Host(`backup.lazyworkhorse.net`)"
       - "traefik.http.routers.restic-browser.entrypoints=websecure"
       - "traefik.http.routers.restic-browser.tls=true"
       - "traefik.http.routers.restic-browser.tls.certresolver=njalla"

cloudstorage/compose.yml

@@ -17,8 +17,8 @@ services:
       - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
       # Reverse Proxy Overrides (Crucial for HTTPS behind Traefik)
       - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://cloud.${DOMAIN}
-      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.${DOMAIN}
+      - OVERWRITECLIURL=https://cloud.lazyworkhorse.net
+      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.lazyworkhorse.net
     volumes:
       - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
     depends_on:
@@ -27,12 +27,12 @@ services:
       - "traefik.enable=true"
 
       # Router for HTTP -> HTTPS Redirection (Matching your Gitea style)
-      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.${DOMAIN}`)"
+      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.lazyworkhorse.net`)"
       - "traefik.http.routers.nextcloud-http.entrypoints=web"
       - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https"
 
       # Router for HTTPS
-      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.${DOMAIN}`)"
+      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.lazyworkhorse.net`)"
       - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
       - "traefik.http.routers.nextcloud-https.tls=true"
       - "traefik.http.routers.nextcloud-https.tls.certresolver=njalla"

coms/compose.yml

@@ -25,10 +25,10 @@ services:
         condition: service_healthy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.matrix-http.rule=Host(`matrix.${DOMAIN}`)"
+      - "traefik.http.routers.matrix-http.rule=Host(`matrix.lazyworkhorse.net`)"
       - "traefik.http.routers.matrix-http.entrypoints=web"
       - "traefik.http.routers.matrix-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.matrix-https.rule=Host(`matrix.${DOMAIN}`)"
+      - "traefik.http.routers.matrix-https.rule=Host(`matrix.lazyworkhorse.net`)"
       - "traefik.http.routers.matrix-https.entrypoints=websecure"
       - "traefik.http.routers.matrix-https.tls=true"
       - "traefik.http.routers.matrix-https.tls.certresolver=njalla"
@@ -62,10 +62,10 @@ services:
       - coms_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.${DOMAIN}`)"
+      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.lazyworkhorse.net`)"
       - "traefik.http.routers.synapse-admin-http.entrypoints=web"
       - "traefik.http.routers.synapse-admin-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.${DOMAIN}`)"
+      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.lazyworkhorse.net`)"
       - "traefik.http.routers.synapse-admin-https.entrypoints=websecure"
       - "traefik.http.routers.synapse-admin-https.tls=true"
       - "traefik.http.routers.synapse-admin-https.tls.certresolver=njalla"
@@ -88,12 +88,12 @@ services:
   #     - "traefik.enable=true"
   #
   #     # HTTP → HTTPS
-  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.${DOMAIN}`)"
+  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.lazyworkhorse.net`)"
   #     - "traefik.http.routers.rns-http.entrypoints=web"
   #     - "traefik.http.routers.rns-http.middlewares=redirect-to-https"
   #
   #     # HTTPS protected by Authelia
-  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.${DOMAIN}`)"
+  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.lazyworkhorse.net`)"
   #     - "traefik.http.routers.rns-https.entrypoints=websecure"
   #     - "traefik.http.routers.rns-https.tls=true"
   #     - "traefik.http.routers.rns-https.tls.certresolver=njalla"

finance/compose.yml

@@ -15,20 +15,20 @@ services:
       - "traefik.enable=true"
 
       # HTTP → HTTPS redirect
-      - "traefik.http.routers.fava-http.rule=Host(`money.${DOMAIN}`)"
+      - "traefik.http.routers.fava-http.rule=Host(`money.lazyworkhorse.net`)"
       - "traefik.http.routers.fava-http.entrypoints=web"
       - "traefik.http.routers.fava-http.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
       # HTTPS router protected by Authelia
-      - "traefik.http.routers.fava-https.rule=Host(`money.${DOMAIN}`)"
+      - "traefik.http.routers.fava-https.rule=Host(`money.lazyworkhorse.net`)"
       - "traefik.http.routers.fava-https.entrypoints=websecure"
       - "traefik.http.routers.fava-https.tls=true"
       - "traefik.http.routers.fava-https.tls.certresolver=njalla"
       - "traefik.http.routers.fava-https.middlewares=fava-auth"
 
       # Authelia forwardAuth
-      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
+      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
       - "traefik.http.middlewares.fava-auth.forwardauth.trustforwardheader=true"
       - "traefik.http.middlewares.fava-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 

homeautomation/compose.yml

@@ -17,11 +17,11 @@ services:
     labels:
       - "traefik.enable=true"
 
-      - "traefik.http.routers.hass-http.rule=Host(`home.${DOMAIN}`)"
+      - "traefik.http.routers.hass-http.rule=Host(`home.lazyworkhorse.net`)"
       - "traefik.http.routers.hass-http.entrypoints=web"
       - "traefik.http.routers.hass-http.middlewares=redirect-to-https"
 
-      - "traefik.http.routers.hass-https.rule=Host(`home.${DOMAIN}`)"
+      - "traefik.http.routers.hass-https.rule=Host(`home.lazyworkhorse.net`)"
       - "traefik.http.routers.hass-https.entrypoints=websecure"
       - "traefik.http.routers.hass-https.tls.certresolver=njalla"
 

homepage/compose.yml

@@ -16,20 +16,20 @@ services:
       - "traefik.enable=true"
 
       # HTTP → HTTPS redirect
-      - "traefik.http.routers.homer-http.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.homer-http.rule=Host(`lazyworkhorse.net`)"
       - "traefik.http.routers.homer-http.entrypoints=web"
       - "traefik.http.routers.homer-http.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
       # HTTPS router protected by Authelia
-      - "traefik.http.routers.homer-https.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.homer-https.rule=Host(`lazyworkhorse.net`)"
       - "traefik.http.routers.homer-https.entrypoints=websecure"
       - "traefik.http.routers.homer-https.tls=true"
       - "traefik.http.routers.homer-https.tls.certresolver=njalla"
       - "traefik.http.routers.homer-https.middlewares=homer-auth"
 
       # Authelia forwardAuth
-      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
+      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
       - "traefik.http.middlewares.homer-auth.forwardauth.trustforwardheader=true"
       - "traefik.http.middlewares.homer-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 

passwordmanager/compose.yml

@@ -9,10 +9,7 @@ services:
       - TZ=America/Montreal
       - WEBSOCKET_ENABLED=true
       - SIGNUPS_ALLOWED=false
-      # Vaultwarden env var DOMAIN — the ${DOMAIN} on the RHS is expanded
-      # by docker compose before the env var is set, so this resolves to
-      # DOMAIN=https://pass.lazyworkhorse.net in production.
-      - DOMAIN=https://pass.${DOMAIN}
+      - DOMAIN=https://pass.lazyworkhorse.net
     volumes:
       - /mnt/HoardingCow_docker_data/BitWarden/data:/data:rw
     networks:
@@ -22,12 +19,12 @@ services:
       - "traefik.enable=true"
 
       # HTTP → HTTPS
-      - "traefik.http.routers.pass-http.rule=Host(`pass.${DOMAIN}`)"
+      - "traefik.http.routers.pass-http.rule=Host(`pass.lazyworkhorse.net`)"
       - "traefik.http.routers.pass-http.entrypoints=web"
       - "traefik.http.routers.pass-http.middlewares=redirect-to-https"
 
       # HTTPS
-      - "traefik.http.routers.pass-https.rule=Host(`pass.${DOMAIN}`)"
+      - "traefik.http.routers.pass-https.rule=Host(`pass.lazyworkhorse.net`)"
       - "traefik.http.routers.pass-https.entrypoints=websecure"
       - "traefik.http.routers.pass-https.tls=true"
       - "traefik.http.routers.pass-https.tls.certresolver=njalla"

tak/compose.yml

@@ -74,12 +74,12 @@ services:
       - "traefik.docker.network=traefik-net"
 
       # HTTP -> HTTPS Redirect
-      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.${DOMAIN}`)"
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
       - "traefik.http.routers.fts-ui-http.entrypoints=web"
       - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
 
       # HTTPS Router
-      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.${DOMAIN}`)"
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
       - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
       - "traefik.http.routers.fts-ui-https.tls=true"
       - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"

versioncontrol/compose.yml

@@ -6,7 +6,7 @@ services:
     environment:
       - USER_UID=1000
       - USER_GID=1000
-      - GITEA__server__ROOT_URL=https://code.${DOMAIN}
+      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
       - GITEA__actions__ENABLED=true
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
@@ -23,21 +23,21 @@ services:
       - "traefik.enable=true"
 
       # HTTP -> HTTPS Redirect
-      - "traefik.http.routers.gitea-http.rule=Host(`code.${DOMAIN}`)"
+      - "traefik.http.routers.gitea-http.rule=Host(`code.lazyworkhorse.net`)"
       - "traefik.http.routers.gitea-http.entrypoints=web"
       - "traefik.http.routers.gitea-http.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
       # HTTPS Router
-      - "traefik.http.routers.gitea-https.rule=Host(`code.${DOMAIN}`)"
+      - "traefik.http.routers.gitea-https.rule=Host(`code.lazyworkhorse.net`)"
       - "traefik.http.routers.gitea-https.entrypoints=websecure"
       - "traefik.http.routers.gitea-https.tls=true"
       - "traefik.http.routers.gitea-https.tls.certresolver=njalla"
       - "traefik.http.routers.gitea-https.middlewares=gitea-home-redirect"
 
       # The Redirect Logic - Using single quotes to allow backslashes
-      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.${DOMAIN}/?$$'
-      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.${DOMAIN}/gortium'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.lazyworkhorse\.net/?$$'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.lazyworkhorse.net/gortium'
       - "traefik.http.middlewares.gitea-home-redirect.redirectregex.permanent=true"
 
       # Internal Routing
@@ -47,7 +47,7 @@ services:
     image: gitea/act_runner:latest
     container_name: act_runner
     environment:
-      - GITEA_INSTANCE_URL=https://code.${DOMAIN}
+      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
       - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
       - GITEA_RUNNER_NAME=ai-host-runner
       - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix

vpn/compose.yml

@@ -11,7 +11,7 @@ services:
       - NET_ADMIN
       - SYS_MODULE
     environment:
-      - WG_HOST=vpn.${DOMAIN}
+      - WG_HOST=vpn.lazyworkhorse.net
       - PASSWORD=${WG_PASSWORD}
       - WG_PORT=51820
       - WG_DEFAULT_ADDRESS=10.8.0.x