feat: add 7zz for CHM documentation extraction

Download static 7-Zip binary at Docker build time for extracting Microsoft Compiled HTML Help (.chm) files. Follows the same pattern as the existing Himalaya CLI installation. 7zz is scraped from 7-zip.org/download.html at build time.
Merge pull request 'fix: use ln -sf instead of update-alternatives --set for iptables-nft' (#28 ) from fix/vpn-iptables-nft-v3 into master
2026-05-13 16:27:32 -04:00 · 2026-05-13 16:59:50 +00:00 · 2026-05-13 12:58:43 -04:00 · 2026-05-13 16:49:23 +00:00 · 2026-05-13 12:48:51 -04:00 · 2026-05-13 16:37:35 +00:00
3 changed files with 48 additions and 14 deletions
--- a/ai/hermes/Dockerfile
+++ b/ai/hermes/Dockerfile
@@ -78,6 +78,47 @@ PYEOF
 # ---------- Install himalaya-ro wrapper ----------
 COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro

+# ---------- Install 7-Zip for CHM extraction ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil, re, subprocess
+
+# Scrape 7-zip.org for latest Linux x64 binary
+url = 'https://7-zip.org/download.html'
+req = urllib.request.Request(url, headers={'User-Agent': 'Mozilla/5.0'})
+r = urllib.request.urlopen(req, timeout=15)
+html = r.read().decode()
+
+links = re.findall(r'href="(a/7z[\d]+-linux-x64\.tar\.xz)"', html)
+if not links:
+    raise RuntimeError("Could not find 7z download link")
+
+dl_url = f'https://7-zip.org/{links[0]}'
+print(f'Downloading 7z from {dl_url}...')
+req = urllib.request.Request(dl_url, headers={'User-Agent': 'Mozilla/5.0'})
+r = urllib.request.urlopen(req, timeout=30)
+data = r.read()
+
+with open('/tmp/7z.tar.xz', 'wb') as f:
+    f.write(data)
+
+subprocess.run(['tar', '-xJf', '/tmp/7z.tar.xz', '-C', '/tmp/'], check=True)
+
+for root, dirs, files in os.walk('/tmp'):
+    for f in files:
+        if f == '7zz':
+            src = os.path.join(root, f)
+            shutil.move(src, '/usr/local/bin/7zz')
+            os.chmod('/usr/local/bin/7zz', 0o755)
+            print(f'7zz installed from {src}')
+            break
+
+os.remove('/tmp/7z.tar.xz')
+
+# Verify
+r = subprocess.run(['/usr/local/bin/7zz'], capture_output=True, text=True)
+print(f'7-Zip {r.stdout.strip()[:60]}')
+PYEOF
+

 # ---------- Runtime ----------
 USER hermes
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -1,16 +1,9 @@
 # Custom wg-easy with iptables-nft (nftables-backed iptables)
 # Fixes crash-loop when host kernel lacks legacy iptable_nat module.
-FROM weejewel/wg-easy:latest
+FROM ghcr.io/wg-easy/wg-easy:latest

-# Alpine's iptables-nft provides iptables that uses nftables kernel API
-# instead of the legacy iptable_nat module. This works on kernels
-# where only nftables netfilter modules are available.
-RUN apk add --no-cache iptables-nft
-
-# Ensure iptables-nft takes priority over legacy iptables
-RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
-    ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
-    ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
-    ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
-    ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
-    ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore
+# The upstream image registers only iptables-legacy with update-alternatives.
+# iptables-nft binary exists but isn't registered as an alternative key.
+# Override the alternatives-managed symlinks directly.
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -3,7 +3,7 @@ version: "3.8"
 services:
  wireguard:
    build:
-      context: ./vpn
+      context: .
      dockerfile: Dockerfile
    image: wg-easy-iptables-nft:latest
    container_name: wireguard
Author	SHA1	Message	Date
Hermes	c39174f0fe	feat: add 7zz for CHM documentation extraction Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Download static 7-Zip binary at Docker build time for extracting Microsoft Compiled HTML Help (.chm) files. Follows the same pattern as the existing Himalaya CLI installation. 7zz is scraped from 7-zip.org/download.html at build time.	2026-05-13 16:27:32 -04:00
Thierry Pouplier	29ae32a1c5	Merge pull request 'fix: use ln -sf instead of update-alternatives --set for iptables-nft' (#28 ) from fix/vpn-iptables-nft-v3 into master Reviewed-on: #28	2026-05-13 16:59:50 +00:00
Hermes	8dff094768	fix: use ln -sf instead of update-alternatives --set update-alternatives --set fails because the base image only registers iptables-legacy as an alternative. The iptables-nft binary (/usr/sbin/iptables-nft) exists but isn't in the alternatives database. Direct ln -sf bypasses this.	2026-05-13 12:58:43 -04:00
Thierry Pouplier	ec08f5eb5d	Merge pull request 'fix: remove apk add iptables-nft — built-in on Alpine 3.18+' (#27 ) from fix/vpn-iptables-nft-v2 into master Reviewed-on: #27	2026-05-13 16:49:23 +00:00
Hermes	611e96b306	fix: remove apk add iptables-nft — built-in on Alpine 3.18+ In Alpine 3.18+, the 'iptables' package IS the nftables variant. iptables-nft is not a separate package. The binary is already in the base image — only need to flip update-alternatives.	2026-05-13 12:48:51 -04:00
Thierry Pouplier	f184ed957c	Merge pull request 'fix: update wg-easy to official ghcr image with iptables-nft' (#26 ) from fix/vpn-iptables-nft-upstream into master Reviewed-on: #26	2026-05-13 16:37:35 +00:00
Hermes	2bf31c7ccc	fix: update wg-easy to official ghcr image with iptables-nft - Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton) - Use update-alternatives instead of raw ln -sf to flip iptables from legacy to nftables backend - Fix compose build context: ./vpn -> . (Dockerfile was at same level) The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11. The new official image has it available, we just flip the alternatives. The old ln -sf approach was fragile across Alpine versions.	2026-05-13 12:30:15 -04:00