refactor: use $DOMAIN env var instead of hardcoded lazyworkhorse.net

Replace all hardcoded lazyworkhorse.net references in compose files
with ${DOMAIN} variable substitution. Create .env.production and
.env.staging environment files. Update Makefile with ENV selection
(--env-file support) and staging/production targets.

Changes:
- All 13 compose YAML files: lazyworkhorse.net -> ${DOMAIN}
- New .env.production (DOMAIN=lazyworkhorse.net)
- New .env.staging (DOMAIN=staging.lazyworkhorse.net)
- Makefile: ENV var, --env-file flag, staging/production targets
- Gitea redirect regex updated for variable substitution
- CI workflow checkout URLs left hardcoded (infrastructure refs)
- Dockerfile SSH host refs left hardcoded (infrastructure refs)

Deploy: make ENV=staging all_up  or  make staging
        make ENV=production all_up  or  make production

.env.production

@@ -0,0 +1,4 @@
+# Production environment
+# docker compose --env-file .env.production up -d
+DOMAIN=lazyworkhorse.net
+SITE_URL=https://lazyworkhorse.net

.env.staging

@@ -0,0 +1,4 @@
+# Staging environment
+# docker compose --env-file .env.staging up -d
+DOMAIN=staging.lazyworkhorse.net
+SITE_URL=https://staging.lazyworkhorse.net

.gitea/workflows/build-hermes.yml

@@ -0,0 +1,31 @@
+name: Build Hermes agent
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'ai/hermes/**'
+      - 'ai/compose.yml'
+  push:
+    branches: [ master ]
+    paths:
+      - 'ai/hermes/**'
+      - 'ai/compose.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        run: |
+          git clone -b "${{ github.head_ref || github.ref_name }}" \
+            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/compose.git .
+          git log --oneline -3
+
+      - name: Build hermes image
+        run: |
+          cd ai
+          docker compose build hermes 2>&1
+
+      - name: Verify image
+        run: |
+          docker run --rm ai-hermes /opt/hermes/.venv/bin/python --version 2>&1

.gitea/workflows/build-ollama.yml

@@ -0,0 +1,31 @@
+name: Build ollama (gfx906)
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'ai/ollama/**'
+      - 'ai/compose.yml'
+  push:
+    branches: [ master ]
+    paths:
+      - 'ai/ollama/**'
+      - 'ai/compose.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        run: |
+          git clone -b "${{ github.head_ref || github.ref_name }}" \
+            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/compose.git .
+          git log --oneline -3
+
+      - name: Build ollama image
+        run: |
+          cd ai
+          docker compose build ollama --no-cache 2>&1
+
+      - name: Verify version
+        run: |
+          docker run --rm ollama/ollama:rocm-gfx906 ollama --version 2>&1

Makefile

@@ -1,13 +1,18 @@
 # Base path for docker-compose files
-COMPOSE_PATH=~/Projects/AltNet/docker-compose
+COMPOSE_PATH?=~/Projects/AltNet/docker-compose
+
+# Environment selection: staging or production (default)
+ENV?=production
+ENV_FILE=.env.$(ENV)
 
 # List of services (folder names)
 SERVICES=monitoring ai cloudstorage crm_tp crm_cf mediacenter homeautomation network backup homepage passwordmanager
 
 # Bring up all services
 all_up:
+	@echo "Deploying with $(ENV) environment ($(ENV_FILE))..."
 	@for service in $(SERVICES); do \
-		docker compose -f $(COMPOSE_PATH)/$$service/compose.yml up -d; \
+		docker compose --env-file $(ENV_FILE) -f $(COMPOSE_PATH)/$$service/compose.yml up -d; \
 	done
 
 # Bring down all services
@@ -18,15 +23,27 @@ all_down:
 
 # Generic target to deploy a specific service
 %_up:
-	@docker compose -f $(COMPOSE_PATH)/$*/compose.yml up -d
+	@echo "Deploying $* with $(ENV) environment ($(ENV_FILE))..."
+	@docker compose --env-file $(ENV_FILE) -f $(COMPOSE_PATH)/$*/compose.yml up -d
 
 # Generic target to bring down a specific service
 %_down:
 	@docker compose -f $(COMPOSE_PATH)/$*/compose.yml down
 
+# Deploy staging (all services)
+staging:
+	@$(MAKE) all_up ENV=staging
+
+# Deploy production (all services)
+production:
+	@$(MAKE) all_up ENV=production
+
+# Staging per-service: make openwebui_up ENV=staging
+# Production per-service: make openwebui_up ENV=production
+
 all_stack_up:
 	@for service in $(SERVICES); do \
-		docker stack deploy -c $(COMPOSE_PATH)/$$service/compose.yml $$service; \
+		docker stack deploy --env-file $(ENV_FILE) -c $(COMPOSE_PATH)/$$service/compose.yml $$service; \
 	done
 
 all_stack_down:
@@ -35,7 +52,7 @@ all_stack_down:
 	done
 
 %_stack_up:
-	@docker stack deploy -c $(COMPOSE_PATH)/$*/compose.yml $*
+	@docker stack deploy --env-file $(ENV_FILE) -c $(COMPOSE_PATH)/$*/compose.yml $*
 
 %_stack_down:
 	@docker stack rm $*
@@ -43,3 +60,9 @@ all_stack_down:
 stack_ls:
 	@docker node ps workGoat;
 	docker node ps workHorse
+
+# Show current environment settings
+env:
+	@echo "Active environment: $(ENV)"
+	@echo "Env file: $(ENV_FILE)"
+	@test -f $(ENV_FILE) && cat $(ENV_FILE) || echo "WARNING: $(ENV_FILE) not found!"

ai/compose.yml

@@ -15,19 +15,25 @@ services:
   #     - "traefik.enable=true"
 
   #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-http.rule=Host(`ai.${DOMAIN}`)"
   #     - "traefik.http.routers.webui-http.entrypoints=web"
   #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
 
   #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-https.rule=Host(`ai.${DOMAIN}`)"
   #     - "traefik.http.routers.webui-https.entrypoints=websecure"
   #     - "traefik.http.routers.webui-https.tls=true"
   #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./hermes
+    build:
+      context: ./hermes
+      ssh:
+        - default
     container_name: hermes
+    entrypoint: ["/bin/bash", "-c",
+      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
@@ -48,6 +54,10 @@ services:
       - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+      # Syncthing-shared org files — read-only view of user's agenda
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
+      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -57,6 +67,35 @@ services:
     networks:
       - ai_backend
 
+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: syncthing
+    restart: always
+    ports:
+      - "8384:8384"
+      - "22000:22000"
+      - "21027:21027/udp"
+    environment:
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.${DOMAIN}`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.${DOMAIN}`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.tls=true"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
+      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+
   ollama:
     build:
       context: ./ollama
@@ -193,12 +232,12 @@ networks:
   #   networks:
   #     - ai_net
   #   environment:
-  #     - N8N_HOST=n8n.lazyworkhorse.net
+  #     - N8N_HOST=n8n.${DOMAIN}
   #     - N8N_PORT=5678
   #     - N8N_PROTOCOL=https
   #     - NODE_ENV=production
   #     - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
-  #     - WEBHOOK_URL=https://n8n.lazyworkhorse.net/
+  #     - WEBHOOK_URL=https://n8n.${DOMAIN}/
   #     - GENERIC_TIMEZONE=America/New_York # Adjust to your timezone
   #     - N8N_BLOCK_EXTERNAL_STORAGE_ACCESS=false
   #     - N8N_NODES_PYTHON_CAN_IMPORT_MODULES=true 
@@ -212,12 +251,12 @@ networks:
   #     - "traefik.enable=true"
 
   #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.n8n-http.rule=Host(`n8n.${DOMAIN}`)"
   #     - "traefik.http.routers.n8n-http.entrypoints=web"
   #     - "traefik.http.routers.n8n-http.middlewares=redirect-to-https"
 
   #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.n8n-https.rule=Host(`n8n.${DOMAIN}`)"
   #     - "traefik.http.routers.n8n-https.entrypoints=websecure"
   #     - "traefik.http.routers.n8n-https.tls=true"
   #     - "traefik.http.routers.n8n-https.tls.certresolver=njalla"
@@ -247,15 +286,15 @@ networks:
   #     - BROWSER_CDP_URL=http://openclaw-browser:9222
   #     - BROWSER_EVALUATE_ENABLED=true
   #     - OPENCLAW_GATEWAY_HOST=0.0.0.0
-  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.lazyworkhorse.net
+  #     - OPENCLAW_ALLOWED_ORIGINS=https://claw.${DOMAIN}
   #   labels:
   #     - "traefik.enable=true"
 
-  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.openclaw-http.rule=Host(`claw.${DOMAIN}`)"
   #     - "traefik.http.routers.openclaw-http.entrypoints=web"
   #     - "traefik.http.routers.openclaw-http.middlewares=redirect-to-https"
 
-  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.openclaw-https.rule=Host(`claw.${DOMAIN}`)"
   #     - "traefik.http.routers.openclaw-https.priority=50"
   #     - "traefik.http.routers.openclaw-https.entrypoints=websecure"
   #     - "traefik.http.routers.openclaw-https.tls=true"

ai/hermes/Dockerfile

@@ -1,50 +1,59 @@
-# 1. On récupère la version la plus récente d'UV
+# syntax=docker/dockerfile:1
-FROM ghcr.io/astral-sh/uv:latest AS uv_source
+# Hermes Agent -- custom fork build
+# Builds on top of official image + overlays our forked source from Gitea.
+# Requires Docker BuildKit. Pass SSH agent for git clone:
+#   docker compose build hermes
+# Or manually:
+#   DOCKER_BUILDKIT=1 docker build --ssh default -t hermes-agent:custom .
 
-# 2. Image officielle Hermes Agent de NousResearch
+# ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
-# Contient déjà: Python, Node.js, npm, Playwright/Chromium, venv, tts_tool.py, etc.
 FROM nousresearch/hermes-agent:latest
 
-# ---------- System dependencies ----------
+# ---------- Overlay our forked source ----------
-# The official hermes-agent image already has: git, curl, ffmpeg, python3,
+# Uses SSH agent forwarding from the build host (no key baked into image).
-# gcc, build-essential, openssh-client, procps, tini, ripgrep, docker-cli,
+# --exclude node_modules/.venv keeps the base image's pre-built layers intact.
-# libportaudio2, ca-certificates, etc.
+# Only the Python source, web UI source, and config change.
-#
+RUN --mount=type=ssh \
-# These extras we need to add back:
+    mkdir -p /root/.ssh && \
-#   - poppler-utils, imagemagick  (PDF/image processing)
+    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
-#   - texlive-*                   (LaTeX typesetting for reports)
+    cd /tmp && \
-#   - qemu-user-static, binfmt-support (QEMU cross-compilation)
+    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
-#   - emacs-nox                   (text editing in container)
+    git clone --depth 1 --branch main \
+    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
+    rsync -a --delete fork/ /opt/hermes/ \
+      --exclude node_modules \
+      --exclude .venv \
+      --exclude .git && \
+    rm -rf /tmp/fork /root/.ssh/
+
+# ---------- Rebuild web UI ----------
+# Source files changed; node_modules (from base image) reused.
+RUN cd /opt/hermes && npm run build
+
+# ---------- Reinstall Python package (editable) ----------
+# Picks up source changes from our fork.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir --no-deps -e /opt/hermes
+
+# ---------- Extra system deps ----------
 USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-        libportaudio2 \
+        libportaudio2 ca-certificates poppler-utils imagemagick \
-        ca-certificates \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
-        poppler-utils \
+        texlive-xetex texlive-science \
-        imagemagick \
+        qemu-user-static binfmt-support emacs-nox && \
-        texlive-latex-base \
-        texlive-latex-extra \
-        texlive-fonts-recommended \
-        texlive-xetex \
-        texlive-science \
-        qemu-user-static \
-        binfmt-support \
-        emacs-nox && \
     rm -rf /var/lib/apt/lists/*
 
-# ---------- UV (hyperfast pip alternative) ----------
+# ---------- UV ----------
-COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
 
-WORKDIR /opt/hermes
+# ---------- Piper TTS ----------
-
-# ---------- Piper TTS dans le venv existant ----------
-# Le venv de l'image de base est root-owned, on doit installer en root aussi
 RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy
+    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
+    mkdir -p /opt/hermes/.venv/share/piper/voices
 
-# ---------- Télécharger la voix Piper Ryan (high quality) ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
-    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
 import urllib.request
 base = '/opt/hermes/.venv/share/piper/voices'
 url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
@@ -52,22 +61,33 @@ urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
 PYEOF
 
-# ---------- Patch tts_tool.py: remplacer Edge TTS par Piper ----------
+# ---------- Install Himalaya email CLI ----------
-# Edge TTS appelle les serveurs Microsoft — on ne veut jamais ça.
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-# Piper roule localement sur CPU, aucun cloud, aucune donnée qui sort.
+import urllib.request, tarfile, os, shutil
-COPY patch_tts_tool.py /tmp/patch_tts_tool.py
+url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
-RUN /opt/hermes/.venv/bin/python3 /tmp/patch_tts_tool.py && rm /tmp/patch_tts_tool.py
+tgz = '/tmp/himalaya.tgz'
+urllib.request.urlretrieve(url, tgz)
+with tarfile.open(tgz) as t:
+    t.extractall('/tmp')
+shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
+os.chmod('/usr/local/bin/himalaya', 0o755)
+os.remove(tgz)
+print('himalaya v1.2.0 installed')
+PYEOF
+
+# ---------- Install himalaya-ro wrapper ----------
+COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+
 
 # ---------- Runtime ----------
-# Retour à l'utilisateur non-root pour la sécurité
 USER hermes
-
 ENV HERMES_HOME=/opt/data
 ENV PATH="/opt/data/.local/bin:${PATH}"
+# Point browser tool to Playwright's Chromium (already in base image)
+ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
+
+# Ensure tools directory and toolsets.py are writable by the hermes runtime user
+# so custom tools can be injected from the persistent volume at startup.
+RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
 
 VOLUME [ "/opt/data" ]
-
-# Script de réparation des permissions + patch TTS au démarrage
-COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
-
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]

ai/hermes/fix-permissions.sh

@@ -1,38 +0,0 @@
-#!/bin/bash
-# Startup permission fix + TTS patch.
-# Runs as root before the entrypoint drops to the hermes user.
-set -e
-
-HERMES_HOME="${HERMES_HOME:-/opt/data}"
-
-# Fix ownership on critical writable directories
-chown -R hermes:hermes \
-  "$HERMES_HOME/sessions" \
-  "$HERMES_HOME/checkpoints" \
-  "$HERMES_HOME/skills" \
-  "$HERMES_HOME/memories" \
-  "$HERMES_HOME/workspace" \
-  "$HERMES_HOME/pastes" \
-  "$HERMES_HOME/logs" \
-  "$HERMES_HOME/cron" \
-  "$HERMES_HOME/plans" \
-  "$HERMES_HOME/hooks" \
-  "$HERMES_HOME/cache" \
-  2>/dev/null || true
-
-# Fix data volume root ownership
-if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
-  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
-fi
-
-# ---------- Patch tts_tool.py: replace Edge TTS with Piper ----------
-# Fallback runtime patch in case the volume's site-packages differ from the image.
-# Idempotent: if already patched, the script does nothing.
-PATCH_SCRIPT="/opt/hermes/patch_tts_tool.py"
-if [ -f "$PATCH_SCRIPT" ]; then
-  echo "Applying TTS patch (Piper only, no Edge fallback)..."
-  /opt/hermes/.venv/bin/python3 "$PATCH_SCRIPT" 2>&1 || true
-fi
-
-# Chain to the official Hermes entrypoint
-exec /opt/hermes/docker/entrypoint.sh "$@"

ai/hermes/himalaya-ro.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────
+# himalaya-ro — Read-only wrapper for himalaya
+#
+# Blocks destructive commands and logs audit trail.
+# Pass-through for read-only commands (list, read, search).
+#
+# Usage:  himalaya-ro [options] <command> [args...]
+#
+# Install: place in PATH before the real himalaya, or use
+#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
+# ─────────────────────────────────────────────────────────────
+set -o pipefail
+
+# ── Configuration ───────────────────────────────────────────
+HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
+AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
+
+# ── Destructive commands we block ──────────────────────────
+BLOCKED_CMDS=(
+  "message move"
+  "message delete"
+  "message copy"
+  "flag add"
+  "flag remove"
+  "folder create"
+  "folder delete"
+  "folder rename"
+  "template send"
+  "account configure"
+  "account delete"
+)
+
+# ── Determine the subcommand being invoked ─────────────────
+# Strip leading options (--account, --output, etc.) to find the verb
+ARGS=()
+SKIP_NEXT=false
+for arg in "$@"; do
+  if $SKIP_NEXT; then
+    SKIP_NEXT=false
+    continue
+  fi
+  if [[ "$arg" == --* ]]; then
+    case "$arg" in
+      --account|--output|--page|--page-size|--folder|--color|--format)
+        SKIP_NEXT=true ;;
+    esac
+    continue
+  fi
+  ARGS+=("$arg")
+done
+
+# Build subcommand string and check against blocklist
+CMD_STR=""
+for ((i=0; i<${#ARGS[@]}; i++)); do
+  if [ -z "$CMD_STR" ]; then
+    CMD_STR="${ARGS[$i]}"
+  else
+    CMD_STR="$CMD_STR ${ARGS[$i]}"
+  fi
+  for blocked in "${BLOCKED_CMDS[@]}"; do
+    if [[ "$CMD_STR" == "$blocked" ]]; then
+      TS=$(date '+%Y-%m-%d %H:%M:%S')
+      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
+      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
+      echo "       Audit log: $AUDIT_LOG" >&2
+      exit 100
+    fi
+  done
+done
+
+# ── Allow pass-through ─────────────────────────────────────
+exec "$HIMALAYA_BIN" "$@"

authentification/compose.yml

@@ -13,12 +13,12 @@ services:
       - "traefik.enable=true"
 
       # HTTP router
-      - "traefik.http.routers.authelia-http.rule=Host(`auth.lazyworkhorse.net`)"
+      - "traefik.http.routers.authelia-http.rule=Host(`auth.${DOMAIN}`)"
       - "traefik.http.routers.authelia-http.entrypoints=web"
       - "traefik.http.routers.authelia-http.middlewares=redirect-to-https"
 
       # HTTPS router
-      - "traefik.http.routers.authelia-https.rule=Host(`auth.lazyworkhorse.net`)"
+      - "traefik.http.routers.authelia-https.rule=Host(`auth.${DOMAIN}`)"
       - "traefik.http.routers.authelia-https.entrypoints=websecure"
       - "traefik.http.routers.authelia-https.tls=true"
       - "traefik.http.routers.authelia-https.tls.certresolver=njalla"
@@ -26,7 +26,7 @@ services:
       - "traefik.http.services.authelia.loadbalancer.server.port=9091"
 
       # forward auth middleware definition
-      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net"
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
       - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
 

backup/compose.yml

@@ -37,12 +37,12 @@ services:
   #   labels:
   #     - "traefik.enable=true"
   #     # 1. HTTP to HTTPS Redirect
-  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.kopia-http.rule=Host(`backup.${DOMAIN}`)"
   #     - "traefik.http.routers.kopia-http.entrypoints=web"
   #     - "traefik.http.routers.kopia-http.middlewares=redirect-to-https@docker"
   #     
   #     # 2. HTTPS Configuration
-  #     - "traefik.http.routers.kopia.rule=Host(`backup.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.kopia.rule=Host(`backup.${DOMAIN}`)"
   #     - "traefik.http.routers.kopia.entrypoints=websecure"
   #     - "traefik.http.routers.kopia.tls=true"
   #     - "traefik.http.routers.kopia.tls.certresolver=njalla"
@@ -81,12 +81,12 @@ services:
     labels:
       - "traefik.enable=true"
       # 1. HTTP to HTTPS Redirect
-      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.lazyworkhorse.net`)"
+      - "traefik.http.routers.restic-browser-http.rule=Host(`backup.${DOMAIN}`)"
       - "traefik.http.routers.restic-browser-http.entrypoints=web"
       - "traefik.http.routers.restic-browser-http.middlewares=redirect-to-https@docker"
       
       # 2. HTTPS Configuration
-      - "traefik.http.routers.restic-browser.rule=Host(`backup.lazyworkhorse.net`)"
+      - "traefik.http.routers.restic-browser.rule=Host(`backup.${DOMAIN}`)"
       - "traefik.http.routers.restic-browser.entrypoints=websecure"
       - "traefik.http.routers.restic-browser.tls=true"
       - "traefik.http.routers.restic-browser.tls.certresolver=njalla"

cloudstorage/compose.yml

@@ -17,8 +17,8 @@ services:
       - MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
       # Reverse Proxy Overrides (Crucial for HTTPS behind Traefik)
       - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://cloud.lazyworkhorse.net
+      - OVERWRITECLIURL=https://cloud.${DOMAIN}
-      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.lazyworkhorse.net
+      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.${DOMAIN}
     volumes:
       - /mnt/HoardingCow_docker_data/NextCloud/data:/var/www/html:rw
     depends_on:
@@ -27,12 +27,12 @@ services:
       - "traefik.enable=true"
 
       # Router for HTTP -> HTTPS Redirection (Matching your Gitea style)
-      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.lazyworkhorse.net`)"
+      - "traefik.http.routers.nextcloud-http.rule=Host(`cloud.${DOMAIN}`)"
       - "traefik.http.routers.nextcloud-http.entrypoints=web"
       - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https"
 
       # Router for HTTPS
-      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.lazyworkhorse.net`)"
+      - "traefik.http.routers.nextcloud-https.rule=Host(`cloud.${DOMAIN}`)"
       - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
       - "traefik.http.routers.nextcloud-https.tls=true"
       - "traefik.http.routers.nextcloud-https.tls.certresolver=njalla"

coms/compose.yml

@@ -25,10 +25,10 @@ services:
         condition: service_healthy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.matrix-http.rule=Host(`matrix.lazyworkhorse.net`)"
+      - "traefik.http.routers.matrix-http.rule=Host(`matrix.${DOMAIN}`)"
       - "traefik.http.routers.matrix-http.entrypoints=web"
       - "traefik.http.routers.matrix-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.matrix-https.rule=Host(`matrix.lazyworkhorse.net`)"
+      - "traefik.http.routers.matrix-https.rule=Host(`matrix.${DOMAIN}`)"
       - "traefik.http.routers.matrix-https.entrypoints=websecure"
       - "traefik.http.routers.matrix-https.tls=true"
       - "traefik.http.routers.matrix-https.tls.certresolver=njalla"
@@ -62,10 +62,10 @@ services:
       - coms_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.lazyworkhorse.net`)"
+      - "traefik.http.routers.synapse-admin-http.rule=Host(`synadm.${DOMAIN}`)"
       - "traefik.http.routers.synapse-admin-http.entrypoints=web"
       - "traefik.http.routers.synapse-admin-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.lazyworkhorse.net`)"
+      - "traefik.http.routers.synapse-admin-https.rule=Host(`synadm.${DOMAIN}`)"
       - "traefik.http.routers.synapse-admin-https.entrypoints=websecure"
       - "traefik.http.routers.synapse-admin-https.tls=true"
       - "traefik.http.routers.synapse-admin-https.tls.certresolver=njalla"
@@ -88,12 +88,12 @@ services:
   #     - "traefik.enable=true"
   #
   #     # HTTP → HTTPS
-  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.rns-http.rule=Host(`nomad.${DOMAIN}`)"
   #     - "traefik.http.routers.rns-http.entrypoints=web"
   #     - "traefik.http.routers.rns-http.middlewares=redirect-to-https"
   #
   #     # HTTPS protected by Authelia
-  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.rns-https.rule=Host(`nomad.${DOMAIN}`)"
   #     - "traefik.http.routers.rns-https.entrypoints=websecure"
   #     - "traefik.http.routers.rns-https.tls=true"
   #     - "traefik.http.routers.rns-https.tls.certresolver=njalla"

finance/compose.yml

@@ -15,20 +15,20 @@ services:
       - "traefik.enable=true"
 
       # HTTP → HTTPS redirect
-      - "traefik.http.routers.fava-http.rule=Host(`money.lazyworkhorse.net`)"
+      - "traefik.http.routers.fava-http.rule=Host(`money.${DOMAIN}`)"
       - "traefik.http.routers.fava-http.entrypoints=web"
       - "traefik.http.routers.fava-http.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
       # HTTPS router protected by Authelia
-      - "traefik.http.routers.fava-https.rule=Host(`money.lazyworkhorse.net`)"
+      - "traefik.http.routers.fava-https.rule=Host(`money.${DOMAIN}`)"
       - "traefik.http.routers.fava-https.entrypoints=websecure"
       - "traefik.http.routers.fava-https.tls=true"
       - "traefik.http.routers.fava-https.tls.certresolver=njalla"
       - "traefik.http.routers.fava-https.middlewares=fava-auth"
 
       # Authelia forwardAuth
-      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.fava-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
       - "traefik.http.middlewares.fava-auth.forwardauth.trustforwardheader=true"
       - "traefik.http.middlewares.fava-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 

homeautomation/compose.yml

@@ -17,11 +17,11 @@ services:
     labels:
       - "traefik.enable=true"
 
-      - "traefik.http.routers.hass-http.rule=Host(`home.lazyworkhorse.net`)"
+      - "traefik.http.routers.hass-http.rule=Host(`home.${DOMAIN}`)"
       - "traefik.http.routers.hass-http.entrypoints=web"
       - "traefik.http.routers.hass-http.middlewares=redirect-to-https"
 
-      - "traefik.http.routers.hass-https.rule=Host(`home.lazyworkhorse.net`)"
+      - "traefik.http.routers.hass-https.rule=Host(`home.${DOMAIN}`)"
       - "traefik.http.routers.hass-https.entrypoints=websecure"
       - "traefik.http.routers.hass-https.tls.certresolver=njalla"
 

homepage/compose.yml

@@ -16,20 +16,20 @@ services:
       - "traefik.enable=true"
 
       # HTTP → HTTPS redirect
-      - "traefik.http.routers.homer-http.rule=Host(`lazyworkhorse.net`)"
+      - "traefik.http.routers.homer-http.rule=Host(`${DOMAIN}`)"
       - "traefik.http.routers.homer-http.entrypoints=web"
       - "traefik.http.routers.homer-http.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
       # HTTPS router protected by Authelia
-      - "traefik.http.routers.homer-https.rule=Host(`lazyworkhorse.net`)"
+      - "traefik.http.routers.homer-https.rule=Host(`${DOMAIN}`)"
       - "traefik.http.routers.homer-https.entrypoints=websecure"
       - "traefik.http.routers.homer-https.tls=true"
       - "traefik.http.routers.homer-https.tls.certresolver=njalla"
       - "traefik.http.routers.homer-https.middlewares=homer-auth"
 
       # Authelia forwardAuth
-      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.homer-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
       - "traefik.http.middlewares.homer-auth.forwardauth.trustforwardheader=true"
       - "traefik.http.middlewares.homer-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 

passwordmanager/compose.yml

@@ -9,7 +9,10 @@ services:
       - TZ=America/Montreal
       - WEBSOCKET_ENABLED=true
       - SIGNUPS_ALLOWED=false
-      - DOMAIN=https://pass.lazyworkhorse.net
+      # Vaultwarden env var DOMAIN — the ${DOMAIN} on the RHS is expanded
+      # by docker compose before the env var is set, so this resolves to
+      # DOMAIN=https://pass.lazyworkhorse.net in production.
+      - DOMAIN=https://pass.${DOMAIN}
     volumes:
       - /mnt/HoardingCow_docker_data/BitWarden/data:/data:rw
     networks:
@@ -19,12 +22,12 @@ services:
       - "traefik.enable=true"
 
       # HTTP → HTTPS
-      - "traefik.http.routers.pass-http.rule=Host(`pass.lazyworkhorse.net`)"
+      - "traefik.http.routers.pass-http.rule=Host(`pass.${DOMAIN}`)"
       - "traefik.http.routers.pass-http.entrypoints=web"
       - "traefik.http.routers.pass-http.middlewares=redirect-to-https"
 
       # HTTPS
-      - "traefik.http.routers.pass-https.rule=Host(`pass.lazyworkhorse.net`)"
+      - "traefik.http.routers.pass-https.rule=Host(`pass.${DOMAIN}`)"
       - "traefik.http.routers.pass-https.entrypoints=websecure"
       - "traefik.http.routers.pass-https.tls=true"
       - "traefik.http.routers.pass-https.tls.certresolver=njalla"

tak/compose.yml

@@ -74,12 +74,12 @@ services:
       - "traefik.docker.network=traefik-net"
 
       # HTTP -> HTTPS Redirect
-      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.${DOMAIN}`)"
       - "traefik.http.routers.fts-ui-http.entrypoints=web"
       - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
 
       # HTTPS Router
-      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.${DOMAIN}`)"
       - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
       - "traefik.http.routers.fts-ui-https.tls=true"
       - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"

versioncontrol/compose.yml

@@ -6,11 +6,12 @@ services:
     environment:
       - USER_UID=1000
       - USER_GID=1000
-      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
+      - GITEA__server__ROOT_URL=https://code.${DOMAIN}
       - GITEA__actions__ENABLED=true
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
+      # Enable Gitea Actions (act_runner required on host)
+      - GITEA__actions__ENABLED=true
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks:
@@ -22,21 +23,21 @@ services:
       - "traefik.enable=true"
 
       # HTTP -> HTTPS Redirect
-      - "traefik.http.routers.gitea-http.rule=Host(`code.lazyworkhorse.net`)"
+      - "traefik.http.routers.gitea-http.rule=Host(`code.${DOMAIN}`)"
       - "traefik.http.routers.gitea-http.entrypoints=web"
       - "traefik.http.routers.gitea-http.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
       # HTTPS Router
-      - "traefik.http.routers.gitea-https.rule=Host(`code.lazyworkhorse.net`)"
+      - "traefik.http.routers.gitea-https.rule=Host(`code.${DOMAIN}`)"
       - "traefik.http.routers.gitea-https.entrypoints=websecure"
       - "traefik.http.routers.gitea-https.tls=true"
       - "traefik.http.routers.gitea-https.tls.certresolver=njalla"
       - "traefik.http.routers.gitea-https.middlewares=gitea-home-redirect"
 
       # The Redirect Logic - Using single quotes to allow backslashes
-      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.lazyworkhorse\.net/?$$'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.regex=^https://code\.${DOMAIN}/?$$'
-      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.lazyworkhorse.net/gortium'
+      - 'traefik.http.middlewares.gitea-home-redirect.redirectregex.replacement=https://code.${DOMAIN}/gortium'
       - "traefik.http.middlewares.gitea-home-redirect.redirectregex.permanent=true"
 
       # Internal Routing
@@ -46,10 +47,10 @@ services:
     image: gitea/act_runner:latest
     container_name: act_runner
     environment:
-      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
+      - GITEA_INSTANCE_URL=https://code.${DOMAIN}
       - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
       - GITEA_RUNNER_NAME=ai-host-runner
-      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04
+      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     networks:

vpn/Dockerfile

@@ -0,0 +1,9 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM ghcr.io/wg-easy/wg-easy:latest
+
+# The upstream image registers only iptables-legacy with update-alternatives.
+# iptables-nft binary exists but isn't registered as an alternative key.
+# Override the alternatives-managed symlinks directly.
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables

vpn/compose.yml

@@ -2,13 +2,16 @@ version: "3.8"
 
 services:
   wireguard:
-    image: weejewel/wg-easy:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
     container_name: wireguard
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
     environment:
-      - WG_HOST=vpn.lazyworkhorse.net
+      - WG_HOST=vpn.${DOMAIN}
       - PASSWORD=${WG_PASSWORD}
       - WG_PORT=51820
       - WG_DEFAULT_ADDRESS=10.8.0.x