Merge remote-tracking branch 'origin/feat/wireguard-vpn' into HEAD

Commeneted nomadnet for now. not usingit.
Commented webui for now. now using it
2026-05-04 23:05:09 -04:00 · 2026-05-04 23:01:58 -04:00 · 2026-05-04 22:56:07 -04:00 · 2026-05-05 02:11:37 +00:00 · 2026-05-05 01:48:21 +00:00 · 2026-05-05 01:42:55 +00:00
5 changed files with 76 additions and 60 deletions
--- a/ai/Dockerfile
+++ b/ai/Dockerfile
@@ -15,7 +15,13 @@ ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
-        curl poppler-utils imagemagick && \
+        curl poppler-utils imagemagick \
+        chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
+        libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
+        qemu-user-static binfmt-support qemu-user-binfmt \
+        emacs-nox \
+        libportaudio2 && \
    rm -rf /var/lib/apt/lists/*

 # Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
@@ -54,7 +60,8 @@ RUN chmod -R a+rX /opt/hermes

 # ---------- Python virtualenv ----------
 RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]"
+    uv pip install --no-cache-dir -e ".[all]" && \
+    uv pip install --no-cache-dir sounddevice numpy faster-whisper

 # ---------- Runtime ----------
 ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -1,32 +1,32 @@
 version: "3.8"
 services:

-  webui:
-    image: ghcr.io/open-webui/open-webui:main
-    volumes:
-      - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
-    restart: always
-    environment:
-      - OLLAMA_API_BASE_URL=http://ollama:11434/api
-    networks:
-      - ai_net
-      - ai_backend
-    labels:
-      - "traefik.enable=true"
+  # webui:
+  #   image: ghcr.io/open-webui/open-webui:main
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+  #   restart: always
+  #   environment:
+  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
+  #   networks:
+  #     - ai_net
+  #     - ai_backend
+  #   labels:
+  #     - "traefik.enable=true"

-      # Router for HTTP + redirection to HTTPS
-      - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
-      - "traefik.http.routers.webui-http.entrypoints=web"
-      - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+  #     # Router for HTTP + redirection to HTTPS
+  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-http.entrypoints=web"
+  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"

-      # Router for HTTPS with TLS
-      - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
-      - "traefik.http.routers.webui-https.entrypoints=websecure"
-      - "traefik.http.routers.webui-https.tls=true"
-      - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+  #     # Router for HTTPS with TLS
+  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
+  #     - "traefik.http.routers.webui-https.tls=true"
+  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"

  hermes:
-    image: nousresearch/hermes-agent:latest
+    build: ./
    container_name: hermes
    restart: always
    # Gateway run enables the internal API server on port 8642
--- a/coms/compose.yml
+++ b/coms/compose.yml
@@ -1,15 +1,15 @@
 version: "3.9"
 services:
-  nomadnet:
-    image: ghcr.io/markqvist/nomadnet:master
-    container_name: nomadnet
-    restart: always
-    volumes:
-      - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
-      - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
-    # Reticulum transport must be reachable directly (NOT through Traefik)
-    ports:
-      - "4242:4242"
+  # nomadnet:
+  #   image: ghcr.io/markqvist/nomadnet:master
+  #   container_name: nomadnet
+  #   restart: always
+  #   volumes:
+  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+  #   # Reticulum transport must be reachable directly (NOT through Traefik)
+  #   ports:
+  #     - "4242:4242"

  synapse:
    image: ghcr.io/element-hq/synapse:latest
--- a/env/.env.example.paperclip
+++ b/env/.env.example.paperclip
@@ -1,26 +0,0 @@
-# Paperclip Environment Variables
-# Copy this file to your .env (at the compose root or docker-compose working directory)
-# and fill in the secrets.
-#
-#   cp env/.env.example.paperclip .env
-#
-# Then reference it from compose.yml:
-#   env_file:
-#     - path: .env
-#       required: true
-
-# ---------------------------------------------------------------------------
-# Database
-# ---------------------------------------------------------------------------
-# PostgreSQL password for the paperclip-db service.
-# Generate a strong random password:
-#   openssl rand -base64 32
-PAPERCLIP_DB_PASSWORD=change_me_to_a_strong_random_password
-
-# ---------------------------------------------------------------------------
-# Authentication
-# ---------------------------------------------------------------------------
-# Secret key used by Better Auth for signing and verifying tokens.
-# Generate a strong random secret:
-#   openssl rand -base64 32
-PAPERCLIP_AUTH_SECRET=change_me_to_a_strong_random_secret
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -0,0 +1,35 @@
+version: "3.8"
+
+services:
+  wireguard:
+    image: weejewel/wg-easy:latest
+    container_name: wireguard
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    environment:
+      - WG_HOST=vpn.lazyworkhorse.net
+      - PASSWORD=${WG_PASSWORD}
+      - WG_PORT=51820
+      - WG_DEFAULT_ADDRESS=10.8.0.x
+      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
+      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
+      - WG_PERSISTENT_KEEPALIVE=25
+      - UI_TRAFFIC_STATS=true
+      - UI_CHART_TYPE=0
+    ports:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
+    volumes:
+      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
+    restart: unless-stopped
+    networks:
+      - vpn_net
+
+networks:
+  vpn_net:
+    external: true
+    name: vpn_net
Author	SHA1	Message	Date
Thierry Pouplier	434b2835ff	Merge remote-tracking branch 'origin/feat/wireguard-vpn' into HEAD	2026-05-04 23:05:09 -04:00
Thierry Pouplier	51cf83c420	Commeneted nomadnet for now. not usingit.	2026-05-04 23:01:58 -04:00
Thierry Pouplier	d9f62652cb	Commented webui for now. now using it	2026-05-04 22:56:07 -04:00
Thierry Pouplier	bc49391b4f	chore: clean up WireGuard from Hermes Dockerfile, keep custom build	2026-05-05 02:11:37 +00:00
Thierry Pouplier	acf45acdd9	feat: enable NET_ADMIN for Hermes container to support WireGuard	2026-05-05 01:48:21 +00:00
Thierry Pouplier	b021d0dba7	feat: add custom Hermes Dockerfile with WireGuard tools	2026-05-05 01:42:55 +00:00
Thierry Pouplier	eea6db3ceb	feat: add WireGuard VPN stack (wg-easy, named wireguard)	2026-05-05 01:21:31 +00:00
Thierry Pouplier	4a57ca69b2	fix: switch to linuxserver/wireguard instead of wg-easy	2026-05-05 01:17:57 +00:00
Thierry Pouplier	293429a124	feat: add WireGuard VPN stack with wg-easy	2026-05-04 22:46:50 +00:00