feat: add Honcho memory provider with PostgreSQL + pgvector stack

Add Honcho (https://github.com/plastic-labs/honcho) as a self-hosted memory infrastructure for stateful AI agents. Changes: - ai/honcho/Dockerfile: multi-stage build from Honcho GitHub source - ai/honcho/init.sql: CREATE EXTENSION vector for pgvector - ai/compose.yml: add honcho-db (pgvector/pgvector:pg17-trixie) and honcho services with ai_backend/ai_net networking and Traefik labels - build/honcho/config.toml: pre-configured for Ollama embeddings (nomic-embed-text via http://ollama:11434/v1), deriver/summary/dream disabled by default - env/.env.example.honcho: sample env vars (HONCHO_DB_PASSWORD, LLM_OPENAI_API_KEY) Usage: cp env/.env.example.honcho .env # edit secrets mkdir -p /mnt/HoardingCow_docker_data/Honcho cp build/honcho/config.toml /mnt/HoardingCow_docker_data/Honcho/config.toml docker compose -f ai/compose.yml up honcho
fix: add WORKDIR and httpx dependency to Hermes Dockerfile
2026-05-20 14:19:58 -04:00 · 2026-05-20 14:18:24 -04:00 · 2026-05-20 14:05:45 -04:00
20 changed files with 418 additions and 91 deletions
--- a/.env.production
+++ b/.env.production
@@ -1,4 +0,0 @@
 # Production environment
 # docker compose --env-file .env.production up -d
 DOMAIN=lazyworkhorse.net
 SITE_URL=https://lazyworkhorse.net
--- a/.env.staging
+++ b/.env.staging
@@ -1,4 +0,0 @@
 # Staging environment
 # docker compose --env-file .env.staging up -d
 DOMAIN=staging.lazyworkhorse.net
 SITE_URL=https://staging.lazyworkhorse.net
--- a/33
+++ b/33
@@ -1,18 +1,13 @@
 # Base path for docker-compose files
-COMPOSE_PATH?=~/Projects/AltNet/docker-compose
+COMPOSE_PATH=~/Projects/AltNet/docker-compose
 # Environment selection: staging or production (default)
 ENV?=production
 ENV_FILE=.env.$(ENV)
 # List of services (folder names)
 SERVICES=monitoring ai cloudstorage crm_tp crm_cf mediacenter homeautomation network backup homepage passwordmanager
 # Bring up all services
 all_up:
 	@echo "Deploying with $(ENV) environment ($(ENV_FILE))..."
 	@for service in $(SERVICES); do \
-		docker compose --env-file $(ENV_FILE) -f $(COMPOSE_PATH)/$$service/compose.yml up -d; \
+		docker compose -f $(COMPOSE_PATH)/$$service/compose.yml up -d; \
 	done
 # Bring down all services
@@ -23,27 +18,15 @@ all_down:
 # Generic target to deploy a specific service
 %_up:
-	@echo "Deploying $* with $(ENV) environment ($(ENV_FILE))..."
+	@docker compose -f $(COMPOSE_PATH)/$*/compose.yml up -d
 	@docker compose --env-file $(ENV_FILE) -f $(COMPOSE_PATH)/$*/compose.yml up -d
 # Generic target to bring down a specific service
 %_down:
 	@docker compose -f $(COMPOSE_PATH)/$*/compose.yml down
 # Deploy staging (all services)
 staging:
 	@$(MAKE) all_up ENV=staging
 # Deploy production (all services)
 production:
 	@$(MAKE) all_up ENV=production
 # Staging per-service: make openwebui_up ENV=staging
 # Production per-service: make openwebui_up ENV=production
 all_stack_up:
 	@for service in $(SERVICES); do \
-		docker stack deploy --env-file $(ENV_FILE) -c $(COMPOSE_PATH)/$$service/compose.yml $$service; \
+		docker stack deploy -c $(COMPOSE_PATH)/$$service/compose.yml $$service; \
 	done
 all_stack_down:
@@ -52,7 +35,7 @@ all_stack_down:
 	done
 %_stack_up:
-	@docker stack deploy --env-file $(ENV_FILE) -c $(COMPOSE_PATH)/$*/compose.yml $*
+	@docker stack deploy -c $(COMPOSE_PATH)/$*/compose.yml $*
 %_stack_down:
 	@docker stack rm $*
@@ -60,9 +43,3 @@ all_stack_down:
 stack_ls:
 	@docker node ps workGoat;
 	docker node ps workHorse
 # Show current environment settings
 env:
 	@echo "Active environment: $(ENV)"
 	@echo "Env file: $(ENV_FILE)"
 	@test -f $(ENV_FILE) && cat $(ENV_FILE) || echo "WARNING: $(ENV_FILE) not found!"
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -15,12 +15,12 @@ services:
  #     - "traefik.enable=true"
  #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.${DOMAIN}`)"
+  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
  #     - "traefik.http.routers.webui-http.entrypoints=web"
  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
  #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.${DOMAIN}`)"
+  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
  #     - "traefik.http.routers.webui-https.tls=true"
  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
@@ -44,7 +44,7 @@ services:
      - API_SERVER_HOST=0.0.0.0
      - API_SERVER_KEY=hermes_local_key
      - GATEWAY_ALLOW_ALL_USERS=true
-      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+      - OPENROUTER_API_KEY=${OPEN...KEY}
      # ROCm for GPU-accelerated faster-whisper STT
      - HSA_OVERRIDE_GFX_VERSION=9.0.6
      - HCC_AMDGPU_TARGET=gfx906
@@ -87,10 +87,10 @@ services:
      - ai_net
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.${DOMAIN}`)"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
      - "traefik.http.routers.syncthing-http.entrypoints=web"
      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.${DOMAIN}`)"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
      - "traefik.http.routers.syncthing-https.tls=true"
      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
@@ -129,6 +129,150 @@ services:
      - "303"
      - "26"
  paperclip-db:
    image: postgres:17-alpine
    container_name: paperclip-db
    restart: always
    environment:
      POSTGRES_USER: paperclip
      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
      POSTGRES_DB: paperclip
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
      interval: 5s
      timeout: 5s
      retries: 10
    volumes:
      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
    networks:
      - ai_backend
  paperclip:
    image: ghcr.io/paperclipai/paperclip:v2026.517.0
    container_name: paperclip
    restart: always
    ports:
      - "127.0.0.1:3100:3100"
    environment:
      - HOST=0.0.0.0
      - PORT=3100
      - SERVE_UI=true
      - DATABASE_URL=postgres://paperclip:***@paperclip-db:5432/paperclip
      - BETTER_AUTH_SECRET=${PAPE...CRET must be set}
      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
    volumes:
      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
    depends_on:
      paperclip-db:
        condition: service_healthy
    networks:
      - ai_net
      - ai_backend
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=ai_net"
      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
      - "traefik.http.routers.paperclip-http.entrypoints=web"
      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
      - "traefik.http.routers.paperclip-https.tls=true"
      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
  # ---------------------------------------------------------------------------
  # Honcho — Memory infrastructure for stateful AI agents
  # Self-hosted memory server with pgvector for embedding storage.
  # Defaults to Ollama for embeddings; configure LLM provider for full deriver
  # and summarization support.
  #
  # API port: 8000
  # Web:       https://honcho.lazyworkhorse.net
  # Docs:      https://github.com/plastic-labs/honcho
  # ---------------------------------------------------------------------------
  honcho-db:
    image: pgvector/pgvector:pg17-trixie
    container_name: honcho-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: honcho
      POSTGRES_USER: honcho
      POSTGRES_PASSWORD: ${HONCHO_DB_PASSWORD:?HONCHO_DB_PASSWORD must be set}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U honcho -d honcho"]
      interval: 5s
      timeout: 5s
      retries: 10
    volumes:
      - /mnt/HoardingCow_docker_data/Honcho/pgdata:/var/lib/postgresql/data
      - ./honcho/init.sql:/docker-entrypoint-initdb.d/init.sql
    networks:
      - ai_backend
  honcho:
    build:
      context: ./honcho
      dockerfile: Dockerfile
    container_name: honcho
    restart: unless-stopped
    ports:
      - "127.0.0.1:8000:8000"
    depends_on:
      honcho-db:
        condition: service_healthy
    environment:
      DB_CONNECTION_URI: postgresql+psycopg://honcho:${HONCHO_DB_PASSWORD:?HONCHO_DB_PASSWORD must be set}@honcho-db:5432/honcho
      LOG_LEVEL: INFO
      LLM_OPENAI_API_KEY: ${LLM_OPENAI_API_KEY:-ollama}
    volumes:
      - /mnt/HoardingCow_docker_data/Honcho/config.toml:/app/config.toml
    networks:
      - ai_backend
      - ai_net
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=ai_net"
      - "traefik.http.routers.honcho-http.rule=Host(`honcho.lazyworkhorse.net`)"
      - "traefik.http.routers.honcho-http.entrypoints=web"
      - "traefik.http.routers.honcho-http.middlewares=redirect-to-https"
      - "traefik.http.routers.honcho-https.rule=Host(`honcho.lazyworkhorse.net`)"
      - "traefik.http.routers.honcho-https.entrypoints=websecure"
      - "traefik.http.routers.honcho-https.tls=true"
      - "traefik.http.routers.honcho-https.tls.certresolver=njalla"
      - "traefik.http.services.honcho.loadbalancer.server.port=8000"
  holographic-memory:
    build:
      context: ./holographic-memory
    image: holographic-memory:latest
    container_name: holographic-memory
    restart: unless-stopped
    ports:
      - "127.0.0.1:8100:8100"
    environment:
      - HOLOGRAPHIC_DB_PATH=/data/holographic/memory_store.db
      - HOLOGRAPHIC_PORT=8100
      - HOLOGRAPHIC_DEFAULT_TRUST=0.5
    volumes:
      - /mnt/HoardingCow_docker_data/HolographicMemory:/data/holographic
    networks:
      - ai_backend
    healthcheck:
      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8100/health')"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
 networks:
  ai_net:
    external: true
@@ -232,12 +376,12 @@ networks:
  #   networks:
  #     - ai_net
  #   environment:
-  #     - N8N_HOST=n8n.${DOMAIN}
+  #     - N8N_HOST=n8n.lazyworkhorse.net
  #     - N8N_PORT=5678
  #     - N8N_PROTOCOL=https
  #     - NODE_ENV=production
  #     - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
-  #     - WEBHOOK_URL=https://n8n.${DOMAIN}/
+  #     - WEBHOOK_URL=https://n8n.lazyworkhorse.net/
  #     - GENERIC_TIMEZONE=America/New_York # Adjust to your timezone
  #     - N8N_BLOCK_EXTERNAL_STORAGE_ACCESS=false
  #     - N8N_NODES_PYTHON_CAN_IMPORT_MODULES=true 
@@ -251,12 +395,12 @@ networks:
  #     - "traefik.enable=true"
  #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.${DOMAIN}`)"
+  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.lazyworkhorse.net`)"
  #     - "traefik.http.routers.n8n-http.entrypoints=web"
  #     - "traefik.http.routers.n8n-http.middlewares=redirect-to-https"
  #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.${DOMAIN}`)"
+  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.lazyworkhorse.net`)"
  #     - "traefik.http.routers.n8n-https.entrypoints=websecure"
  #     - "traefik.http.routers.n8n-https.tls=true"
  #     - "traefik.http.routers.n8n-https.tls.certresolver=njalla"
@@ -280,21 +424,21 @@ networks:
  #     - /home/gortium/infra:/data/workspace/infra
  #   environment:
  #     - TZ=America/Toronto
-  #     - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
+  #     - OPENCLAW_GATEWAY_TOKEN=${OPEN...KEN}
-  #     - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
+  #     - OPENROUTER_API_KEY=${OPEN...KEY}
  #     # Point to the sidecar browser
  #     - BROWSER_CDP_URL=http://openclaw-browser:9222
  #     - BROWSER_EVALUATE_ENABLED=true
  #     - OPENCLAW_GATEWAY_HOST=0.0.0.0
-  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.${DOMAIN}
+  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.lazyworkhorse.net
  #   labels:
  #     - "traefik.enable=true"
-  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.${DOMAIN}`)"
+  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.lazyworkhorse.net`)"
  #     - "traefik.http.routers.openclaw-http.entrypoints=web"
  #     - "traefik.http.routers.openclaw-http.middlewares=redirect-to-https"
-  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.${DOMAIN}`)"
+  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.lazyworkhorse.net`)"
  #     - "traefik.http.routers.openclaw-https.priority=50"
  #     - "traefik.http.routers.openclaw-https.entrypoints=websecure"
  #     - "traefik.http.routers.openclaw-https.tls=true"
@@ -326,7 +470,7 @@ networks:
  #     - PGID=1000
  #     - PUBLIC_KEY_FILE=/config/ssh/authorized_keys
  #     - SUDO_ACCESS=false
-  #     - PASSWORD_ACCESS=false
+  #     - PASSWORD_ACCESS=***
  #   volumes:
  #     - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config
  #     - /home/gortium/infra:/data/workspace/infra:ro
--- a/ai/hermes/Dockerfile
+++ b/ai/hermes/Dockerfile
@@ -79,6 +79,26 @@ PYEOF
 COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
 # ---------- Install 7-Zip (7zz) for CHM extraction ----------
 RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
 import urllib.request, tarfile, os, shutil, subprocess
 url = 'https://github.com/ip7z/7zip/releases/download/26.01/7z2601-linux-x64.tar.xz'
 xz = '/tmp/7z2601-linux-x64.tar.xz'
 urllib.request.urlretrieve(url, xz)
 os.makedirs('/tmp/7z', exist_ok=True)
 with tarfile.open(xz, 'r:xz') as t:
    t.extractall('/tmp/7z')
 shutil.move('/tmp/7z/7zz', '/usr/local/bin/7zz')
 os.chmod('/usr/local/bin/7zz', 0o755)
 shutil.rmtree('/tmp/7z', ignore_errors=True)
 os.remove(xz)
 # Verify
 result = subprocess.run(['/usr/local/bin/7zz'], capture_output=True, text=True)
 assert result.returncode == 0, f'7zz verify failed: {result.stderr}'
 print('7-Zip 26.01 installed successfully')
 PYEOF
 # ---------- Runtime ----------
 USER hermes
 ENV HERMES_HOME=/opt/data
--- a/ai/honcho/Dockerfile
+++ b/ai/honcho/Dockerfile
@@ -0,0 +1,72 @@
 # Honcho — Memory infrastructure for stateful AI agents
 # Builds the Honcho FastAPI server from the official GitHub repository.
 #
 # Usage:
 #   docker compose build honcho
 #   docker compose up honcho
 #
 # Reference: https://github.com/plastic-labs/honcho
 # ---------------------------------------------------------------------------
 # Stage 1 — clone source & install dependencies
 # ---------------------------------------------------------------------------
 FROM python:3.13-slim-bookworm AS builder
 RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
 COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /bin/uv
 WORKDIR /src
 RUN git clone --depth 1 --branch main https://github.com/plastic-labs/honcho.git .
 ENV UV_COMPILE_BYTECODE=1
 ENV UV_LINK_MODE=copy
 # Install project dependencies (frozen from lockfile, no dev)
 RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-group dev
 # ---------------------------------------------------------------------------
 # Stage 2 — runtime image
 # ---------------------------------------------------------------------------
 FROM python:3.13-slim-bookworm AS runtime
 COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /bin/uv
 RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates && \
    rm -rf /var/lib/apt/lists/*
 WORKDIR /app
 ENV UV_COMPILE_BYTECODE=1
 ENV UV_LINK_MODE=copy
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/app/.venv/bin:$PATH"
 ENV HOME=/app
 ENV UV_CACHE_DIR=/tmp/uv-cache
 # Copy the dependency layer from the builder
 COPY --from=builder /src/uv.lock /src/pyproject.toml /app/
 RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-group dev
 # Copy application source and config
 COPY --from=builder /src/src/ /app/src/
 COPY --from=builder /src/migrations/ /app/migrations/
 COPY --from=builder /src/scripts/ /app/scripts/
 COPY --from=builder /src/docker/ /app/docker/
 COPY --from=builder /src/alembic.ini /app/alembic.ini
 # Create non-root user
 RUN addgroup --system app && \
    adduser --system --ingroup app app && \
    mkdir -p /tmp/uv-cache && \
    chown -R app:app /app /tmp/uv-cache
 USER app
 EXPOSE 8000
 # The entrypoint.sh script runs database migrations then starts the FastAPI server
 ENTRYPOINT ["sh", "docker/entrypoint.sh"]
--- a/ai/honcho/init.sql
+++ b/ai/honcho/init.sql
@@ -0,0 +1 @@
 CREATE EXTENSION IF NOT EXISTS vector;
--- a/authentification/compose.yml
+++ b/authentification/compose.yml
@@ -13,12 +13,12 @@ services:
      - "traefik.enable=true"
      # HTTP router
-      - "traefik.http.routers.authelia-http.rule=Host(`auth.${DOMAIN}`)"
+      - "traefik.http.routers.authelia-http.rule=Host(`auth.lazyworkhorse.net`)"
      - "traefik.http.routers.authelia-http.entrypoints=web"
      - "traefik.http.routers.authelia-http.middlewares=redirect-to-https"
      # HTTPS router
-      - "traefik.http.routers.authelia-https.rule=Host(`auth.${DOMAIN}`)"
+      - "traefik.http.routers.authelia-https.rule=Host(`auth.lazyworkhorse.net`)"
      - "traefik.http.routers.authelia-https.entrypoints=websecure"
      - "traefik.http.routers.authelia-https.tls=true"
      - "traefik.http.routers.authelia-https.tls.certresolver=njalla"
@@ -26,7 +26,7 @@ services:
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # forward auth middleware definition
-      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
--- a/backup/compose.yml
+++ b/backup/compose.yml
@@ -37,12 +37,12 @@ services:
  #   labels:
  #     - "traefik.enable=true"
  #     # 1. HTTP to HTTPS Redirect
-  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.${DOMAIN}`)"
+  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
  #     - "traefik.http.routers.kopia-http.entrypoints=web"
  #     - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
  #     
  #     # 2. HTTPS Configuration
-  #     - "traefik.http.routers.kopia.rule=Host(`backup.${DOMAIN}`)"
+  #     - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
  #     - "traefik.http.routers.kopia.entrypoints=websecure"
  #     - "traefik.http.routers.kopia.tls=true"
  #     - "traefik.http.routers.kopia.tls.certresolver=njalla"
@@ -81,12 +81,12 @@ services:
    labels:
      - "traefik.enable=true"
      # 1. HTTP to HTTPS Redirect
-      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.${DOMAIN}`)"
+      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.lazyworkhorse.net`)"
      - "traefik.http.routers.restic-browser-http.entrypoints=web"
      - "traefik.http.routers.restic-browser-http.middlewares=redirect-to-https@docker"
      # 2. HTTPS Configuration
-      - "traefik.http.routers.restic-browser.rule=Host(`backup.${DOMAIN}`)"
+      - "traefik.http.routers.restic-browser.rule=Host(`backup.lazyworkhorse.net`)"
      - "traefik.http.routers.restic-browser.entrypoints=websecure"
      - "traefik.http.routers.restic-browser.tls=true"
      - "traefik.http.routers.restic-browser.tls.certresolver=njalla"
--- a/build/honcho/config.toml
+++ b/build/honcho/config.toml
@@ -0,0 +1,93 @@
 # Honcho Configuration
 # Pre-configured for self-hosted deployment with Ollama embeddings.
 # Mount this file at /app/config.toml in the Honcho container.
 #
 # Environment variables override these values at runtime
 # (e.g. DB_CONNECTION_URI, DERIVER_*).
 [app]
 LOG_LEVEL = "INFO"
 NAMESPACE = "honcho"
 SESSION_OBSERVERS_LIMIT = 10
 GET_CONTEXT_MAX_TOKENS = 16384
 EMBED_MESSAGES = true
 [db]
 # Connection URI is set via environment variable DB_CONNECTION_URI
 SCHEMA = "public"
 POOL_SIZE = 10
 MAX_OVERFLOW = 20
 POOL_TIMEOUT = 30
 POOL_RECYCLE = 300
 POOL_PRE_PING = true
 POOL_USE_LIFO = true
 SQL_DEBUG = false
 [auth]
 USE_AUTH = false
 [llm]
 DEFAULT_MAX_TOKENS = 4096
 [embedding]
 VECTOR_DIMENSIONS = 768
 MAX_INPUT_TOKENS = 8192
 MAX_TOKENS_PER_REQUEST = 2048
 [embedding.model_config]
 transport = "openai"
 model = "nomic-embed-text:latest"
 [embedding.model_config.overrides]
 base_url = "http://ollama:11434/v1"
 # Ollama does not require an API key; env var must be set to non-empty string
 api_key_env = "LLM_OPENAI_API_KEY"
 [deriver]
 ENABLED = false
 WORKERS = 1
 POLLING_SLEEP_INTERVAL_SECONDS = 1.0
 STALE_SESSION_TIMEOUT_MINUTES = 5
 DEDUPLICATE = true
 LOG_OBSERVATIONS = false
 [deriver.model_config]
 transport = "openai"
 model = "qwen3.6:27b-q4_K_M"
 [deriver.model_config.overrides]
 base_url = "http://ollama:11434/v1"
 api_key_env = "LLM_OPENAI_API_KEY"
 [summary]
 ENABLED = false
 [summary.model_config]
 transport = "openai"
 model = "qwen3.6:27b-q4_K_M"
 [summary.model_config.overrides]
 base_url = "http://ollama:11434/v1"
 api_key_env = "LLM_OPENAI_API_KEY"
 [dream]
 ENABLED = false
 [dialectic]
 MAX_OUTPUT_TOKENS = 4096
 MAX_INPUT_TOKENS = 16384
 [cache]
 ENABLED = false
 [vector_store]
 TYPE = "pgvector"
 [metrics]
 ENABLED = false
 [telemetry]
 ENABLED = false
 [sentry]
 ENABLED = false
--- a/cloudstorage/compose.yml
+++ b/cloudstorage/compose.yml
@@ -17,8 +17,8 @@ services:
      - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
      # Reverse Proxy Overrides (Crucial for HTTPS behind Traefik)
      - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://cloud.${DOMAIN}
+      - OVERWRITECLIURL=https://cloud.lazyworkhorse.net
-      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.${DOMAIN}
+      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.lazyworkhorse.net
    volumes:
      - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
    depends_on:
@@ -27,12 +27,12 @@ services:
      - "traefik.enable=true"
      # Router for HTTP -> HTTPS Redirection (Matching your Gitea style)
-      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.${DOMAIN}`)"
+      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.lazyworkhorse.net`)"
      - "traefik.http.routers.nextcloud-http.entrypoints=web"
      - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https"
      # Router for HTTPS
-      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.${DOMAIN}`)"
+      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.lazyworkhorse.net`)"
      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-https.tls=true"
      - "traefik.http.routers.nextcloud-https.tls.certresolver=njalla"
--- a/coms/compose.yml
+++ b/coms/compose.yml
@@ -25,10 +25,10 @@ services:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.matrix-http.rule=Host(`matrix.${DOMAIN}`)"
+      - "traefik.http.routers.matrix-http.rule=Host(`matrix.lazyworkhorse.net`)"
      - "traefik.http.routers.matrix-http.entrypoints=web"
      - "traefik.http.routers.matrix-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.matrix-https.rule=Host(`matrix.${DOMAIN}`)"
+      - "traefik.http.routers.matrix-https.rule=Host(`matrix.lazyworkhorse.net`)"
      - "traefik.http.routers.matrix-https.entrypoints=websecure"
      - "traefik.http.routers.matrix-https.tls=true"
      - "traefik.http.routers.matrix-https.tls.certresolver=njalla"
@@ -62,10 +62,10 @@ services:
      - coms_net
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.${DOMAIN}`)"
+      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.lazyworkhorse.net`)"
      - "traefik.http.routers.synapse-admin-http.entrypoints=web"
      - "traefik.http.routers.synapse-admin-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.${DOMAIN}`)"
+      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.lazyworkhorse.net`)"
      - "traefik.http.routers.synapse-admin-https.entrypoints=websecure"
      - "traefik.http.routers.synapse-admin-https.tls=true"
      - "traefik.http.routers.synapse-admin-https.tls.certresolver=njalla"
@@ -88,12 +88,12 @@ services:
  #     - "traefik.enable=true"
  #
  #     # HTTP → HTTPS
-  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.${DOMAIN}`)"
+  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.lazyworkhorse.net`)"
  #     - "traefik.http.routers.rns-http.entrypoints=web"
  #     - "traefik.http.routers.rns-http.middlewares=redirect-to-https"
  #
  #     # HTTPS protected by Authelia
-  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.${DOMAIN}`)"
+  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.lazyworkhorse.net`)"
  #     - "traefik.http.routers.rns-https.entrypoints=websecure"
  #     - "traefik.http.routers.rns-https.tls=true"
  #     - "traefik.http.routers.rns-https.tls.certresolver=njalla"
--- a/env/.env.example.honcho
+++ b/env/.env.example.honcho
@@ -0,0 +1,31 @@
 # Honcho Environment Variables
 # Copy this file to your .env (at the compose root or docker-compose working directory)
 # and fill in the secrets.
 #
 #   cp env/.env.example.honcho .env
 #
 # Then reference it from compose.yml:
 #   env_file:
 #     - path: .env
 #       required: true
 # ---------------------------------------------------------------------------
 # Database
 # ---------------------------------------------------------------------------
 # PostgreSQL connection string for Honcho.
 # The password must match HONCHO_DB_PASSWORD below.
 HONCHO_DB_PASSWORD=change_me_to_a_strong_random_password
 # ---------------------------------------------------------------------------
 # LLM Provider
 # ---------------------------------------------------------------------------
 # Ollama does not require a real API key, but the env var must be set to a
 # non-empty string for the OpenAI-compatible client to connect.
 LLM_OPENAI_API_KEY=ollama
 # ---------------------------------------------------------------------------
 # Honcho Server
 # ---------------------------------------------------------------------------
 # Honcho will pick up DB_CONNECTION_URI from the compose environment.
 # You can override additional settings here if needed.
 # LOG_LEVEL=INFO
--- a/finance/compose.yml
+++ b/finance/compose.yml
@@ -15,20 +15,20 @@ services:
      - "traefik.enable=true"
      # HTTP → HTTPS redirect
-      - "traefik.http.routers.fava-http.rule=Host(`money.${DOMAIN}`)"
+      - "traefik.http.routers.fava-http.rule=Host(`money.lazyworkhorse.net`)"
      - "traefik.http.routers.fava-http.entrypoints=web"
      - "traefik.http.routers.fava-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTPS router protected by Authelia
-      - "traefik.http.routers.fava-https.rule=Host(`money.${DOMAIN}`)"
+      - "traefik.http.routers.fava-https.rule=Host(`money.lazyworkhorse.net`)"
      - "traefik.http.routers.fava-https.entrypoints=websecure"
      - "traefik.http.routers.fava-https.tls=true"
      - "traefik.http.routers.fava-https.tls.certresolver=njalla"
      - "traefik.http.routers.fava-https.middlewares=fava-auth"
      # Authelia forwardAuth
-      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
+      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
      - "traefik.http.middlewares.fava-auth.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.fava-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
--- a/homeautomation/compose.yml
+++ b/homeautomation/compose.yml
@@ -17,11 +17,11 @@ services:
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.hass-http.rule=Host(`home.${DOMAIN}`)"
+      - "traefik.http.routers.hass-http.rule=Host(`home.lazyworkhorse.net`)"
      - "traefik.http.routers.hass-http.entrypoints=web"
      - "traefik.http.routers.hass-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.hass-https.rule=Host(`home.${DOMAIN}`)"
+      - "traefik.http.routers.hass-https.rule=Host(`home.lazyworkhorse.net`)"
      - "traefik.http.routers.hass-https.entrypoints=websecure"
      - "traefik.http.routers.hass-https.tls.certresolver=njalla"
--- a/homepage/compose.yml
+++ b/homepage/compose.yml
@@ -16,20 +16,20 @@ services:
      - "traefik.enable=true"
      # HTTP → HTTPS redirect
-      - "traefik.http.routers.homer-http.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.homer-http.rule=Host(`lazyworkhorse.net`)"
      - "traefik.http.routers.homer-http.entrypoints=web"
      - "traefik.http.routers.homer-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTPS router protected by Authelia
-      - "traefik.http.routers.homer-https.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.homer-https.rule=Host(`lazyworkhorse.net`)"
      - "traefik.http.routers.homer-https.entrypoints=websecure"
      - "traefik.http.routers.homer-https.tls=true"
      - "traefik.http.routers.homer-https.tls.certresolver=njalla"
      - "traefik.http.routers.homer-https.middlewares=homer-auth"
      # Authelia forwardAuth
-      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
+      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
      - "traefik.http.middlewares.homer-auth.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.homer-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
--- a/passwordmanager/compose.yml
+++ b/passwordmanager/compose.yml
@@ -9,10 +9,7 @@ services:
      - TZ=America/Montreal
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
-      # Vaultwarden env var DOMAIN — the ${DOMAIN} on the RHS is expanded
+      - DOMAIN=https://pass.lazyworkhorse.net
      # by docker compose before the env var is set, so this resolves to
      # DOMAIN=https://pass.lazyworkhorse.net in production.
      - DOMAIN=https://pass.${DOMAIN}
    volumes:
      - /mnt/HoardingCow_docker_data/BitWarden/data:/data:rw
    networks:
@@ -22,12 +19,12 @@ services:
      - "traefik.enable=true"
      # HTTP → HTTPS
-      - "traefik.http.routers.pass-http.rule=Host(`pass.${DOMAIN}`)"
+      - "traefik.http.routers.pass-http.rule=Host(`pass.lazyworkhorse.net`)"
      - "traefik.http.routers.pass-http.entrypoints=web"
      - "traefik.http.routers.pass-http.middlewares=redirect-to-https"
      # HTTPS
-      - "traefik.http.routers.pass-https.rule=Host(`pass.${DOMAIN}`)"
+      - "traefik.http.routers.pass-https.rule=Host(`pass.lazyworkhorse.net`)"
      - "traefik.http.routers.pass-https.entrypoints=websecure"
      - "traefik.http.routers.pass-https.tls=true"
      - "traefik.http.routers.pass-https.tls.certresolver=njalla"
--- a/tak/compose.yml
+++ b/tak/compose.yml
@@ -74,12 +74,12 @@ services:
      - "traefik.docker.network=traefik-net"
      # HTTP -> HTTPS Redirect
-      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.${DOMAIN}`)"
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
      - "traefik.http.routers.fts-ui-http.entrypoints=web"
      - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
      # HTTPS Router
-      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.${DOMAIN}`)"
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
      - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
      - "traefik.http.routers.fts-ui-https.tls=true"
      - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
--- a/versioncontrol/compose.yml
+++ b/versioncontrol/compose.yml
@@ -6,7 +6,7 @@ services:
    environment:
      - USER_UID=1000
      - USER_GID=1000
-      - GITEA__server__ROOT_URL=https://code.${DOMAIN}
+      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
      - GITEA__actions__ENABLED=true
      - SSH_PORT=2222
      - SSH_LISTEN_PORT=2222
@@ -23,21 +23,21 @@ services:
      - "traefik.enable=true"
      # HTTP -> HTTPS Redirect
-      - "traefik.http.routers.gitea-http.rule=Host(`code.${DOMAIN}`)"
+      - "traefik.http.routers.gitea-http.rule=Host(`code.lazyworkhorse.net`)"
      - "traefik.http.routers.gitea-http.entrypoints=web"
      - "traefik.http.routers.gitea-http.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTPS Router
-      - "traefik.http.routers.gitea-https.rule=Host(`code.${DOMAIN}`)"
+      - "traefik.http.routers.gitea-https.rule=Host(`code.lazyworkhorse.net`)"
      - "traefik.http.routers.gitea-https.entrypoints=websecure"
      - "traefik.http.routers.gitea-https.tls=true"
      - "traefik.http.routers.gitea-https.tls.certresolver=njalla"
      - "traefik.http.routers.gitea-https.middlewares=gitea-home-redirect"
      # The Redirect Logic - Using single quotes to allow backslashes
-      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.${DOMAIN}/?$$'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.lazyworkhorse\.net/?$$'
-      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.${DOMAIN}/gortium'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.lazyworkhorse.net/gortium'
      - "traefik.http.middlewares.gitea-home-redirect.redirectregex.permanent=true"
      # Internal Routing
@@ -47,7 +47,7 @@ services:
    image: gitea/act_runner:latest
    container_name: act_runner
    environment:
-      - GITEA_INSTANCE_URL=https://code.${DOMAIN}
+      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
      - GITEA_RUNNER_NAME=ai-host-runner
      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -11,7 +11,7 @@ services:
      - NET_ADMIN
      - SYS_MODULE
    environment:
-      - WG_HOST=vpn.${DOMAIN}
+      - WG_HOST=vpn.lazyworkhorse.net
      - PASSWORD=${WG_PASSWORD}
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.8.0.x