fix: route Syncthing web UI through Traefik with HTTPS

feat: add Syncthing service for Hermes org-file sync
Merge pull request 'fix: use ln -sf instead of update-alternatives --set for iptables-nft' (#28 ) from fix/vpn-iptables-nft-v3 into master
2026-05-14 21:40:00 -04:00 · 2026-05-14 21:35:31 -04:00 · 2026-05-13 16:59:50 +00:00 · 2026-05-13 12:58:43 -04:00 · 2026-05-13 16:49:23 +00:00 · 2026-05-13 12:48:51 -04:00
5 changed files with 137 additions and 1 deletions
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -54,6 +54,10 @@ services:
      - TZ=America/Montreal
    volumes:
      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
      # Syncthing-shared org files — read-only view of user's agenda
      - /mnt/HoardingCow_docker_data/Syncthing/org-ro:/opt/data/org-ro:ro
      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
      - /mnt/HoardingCow_docker_data/Syncthing/org-rw:/opt/data/org-rw:rw
    devices:
      - /dev/kfd:/dev/kfd
      - /dev/dri:/dev/dri
@@ -63,6 +67,35 @@ services:
    networks:
      - ai_backend
  syncthing:
    image: syncthing/syncthing:latest
    container_name: syncthing
    hostname: syncthing
    restart: always
    ports:
      - "8384:8384"
      - "22000:22000"
      - "21027:21027/udp"
    environment:
      - TZ=America/Montreal
    volumes:
      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
      - /mnt/HoardingCow_docker_data/Syncthing/org-ro:/org-ro
      - /mnt/HoardingCow_docker_data/Syncthing/org-rw:/org-rw
    networks:
      - ai_backend
      - ai_net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
      - "traefik.http.routers.syncthing-http.entrypoints=web"
      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
      - "traefik.http.routers.syncthing-https.tls=true"
      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
  ollama:
    build:
      context: ./ollama
--- a/ai/hermes/Dockerfile
+++ b/ai/hermes/Dockerfile
@@ -61,6 +61,24 @@ urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
 PYEOF
 # ---------- Install Himalaya email CLI ----------
 RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
 import urllib.request, tarfile, os, shutil
 url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
 tgz = '/tmp/himalaya.tgz'
 urllib.request.urlretrieve(url, tgz)
 with tarfile.open(tgz) as t:
    t.extractall('/tmp')
 shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
 os.chmod('/usr/local/bin/himalaya', 0o755)
 os.remove(tgz)
 print('himalaya v1.2.0 installed')
 PYEOF
 # ---------- Install himalaya-ro wrapper ----------
 COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
 # ---------- Runtime ----------
 USER hermes
 ENV HERMES_HOME=/opt/data
--- a/ai/hermes/himalaya-ro.sh
+++ b/ai/hermes/himalaya-ro.sh
@@ -0,0 +1,73 @@
 #!/usr/bin/env bash
 # ─────────────────────────────────────────────────────────────
 # himalaya-ro — Read-only wrapper for himalaya
 #
 # Blocks destructive commands and logs audit trail.
 # Pass-through for read-only commands (list, read, search).
 #
 # Usage:  himalaya-ro [options] <command> [args...]
 #
 # Install: place in PATH before the real himalaya, or use
 #          `ln -sf himalaya-ro /usr/local/bin/himalaya`
 # ─────────────────────────────────────────────────────────────
 set -o pipefail
 # ── Configuration ───────────────────────────────────────────
 HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
 AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
 # ── Destructive commands we block ──────────────────────────
 BLOCKED_CMDS=(
  "message move"
  "message delete"
  "message copy"
  "flag add"
  "flag remove"
  "folder create"
  "folder delete"
  "folder rename"
  "template send"
  "account configure"
  "account delete"
 )
 # ── Determine the subcommand being invoked ─────────────────
 # Strip leading options (--account, --output, etc.) to find the verb
 ARGS=()
 SKIP_NEXT=false
 for arg in "$@"; do
  if $SKIP_NEXT; then
    SKIP_NEXT=false
    continue
  fi
  if [[ "$arg" == --* ]]; then
    case "$arg" in
      --account|--output|--page|--page-size|--folder|--color|--format)
        SKIP_NEXT=true ;;
    esac
    continue
  fi
  ARGS+=("$arg")
 done
 # Build subcommand string and check against blocklist
 CMD_STR=""
 for ((i=0; i<${#ARGS[@]}; i++)); do
  if [ -z "$CMD_STR" ]; then
    CMD_STR="${ARGS[$i]}"
  else
    CMD_STR="$CMD_STR ${ARGS[$i]}"
  fi
  for blocked in "${BLOCKED_CMDS[@]}"; do
    if [[ "$CMD_STR" == "$blocked" ]]; then
      TS=$(date '+%Y-%m-%d %H:%M:%S')
      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
      echo "       Audit log: $AUDIT_LOG" >&2
      exit 100
    fi
  done
 done
 # ── Allow pass-through ─────────────────────────────────────
 exec "$HIMALAYA_BIN" "$@"
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -0,0 +1,9 @@
 # Custom wg-easy with iptables-nft (nftables-backed iptables)
 # Fixes crash-loop when host kernel lacks legacy iptable_nat module.
 FROM ghcr.io/wg-easy/wg-easy:latest
 # The upstream image registers only iptables-legacy with update-alternatives.
 # iptables-nft binary exists but isn't registered as an alternative key.
 # Override the alternatives-managed symlinks directly.
 RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -2,7 +2,10 @@ version: "3.8"
 services:
  wireguard:
-    image: weejewel/wg-easy:latest
+    build:
      context: .
      dockerfile: Dockerfile
    image: wg-easy-iptables-nft:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
Author	SHA1	Message	Date
Hermes	f9fb28d560	fix: route Syncthing web UI through Traefik with HTTPS Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details	2026-05-14 21:40:00 -04:00
Hermes	bcc4b6d157	feat: add Syncthing service for Hermes org-file sync Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details	2026-05-14 21:35:31 -04:00
Thierry Pouplier	29ae32a1c5	Merge pull request 'fix: use ln -sf instead of update-alternatives --set for iptables-nft' (#28 ) from fix/vpn-iptables-nft-v3 into master Reviewed-on: #28	2026-05-13 16:59:50 +00:00
Hermes	8dff094768	fix: use ln -sf instead of update-alternatives --set update-alternatives --set fails because the base image only registers iptables-legacy as an alternative. The iptables-nft binary (/usr/sbin/iptables-nft) exists but isn't in the alternatives database. Direct ln -sf bypasses this.	2026-05-13 12:58:43 -04:00
Thierry Pouplier	ec08f5eb5d	Merge pull request 'fix: remove apk add iptables-nft — built-in on Alpine 3.18+' (#27 ) from fix/vpn-iptables-nft-v2 into master Reviewed-on: #27	2026-05-13 16:49:23 +00:00
Hermes	611e96b306	fix: remove apk add iptables-nft — built-in on Alpine 3.18+ In Alpine 3.18+, the 'iptables' package IS the nftables variant. iptables-nft is not a separate package. The binary is already in the base image — only need to flip update-alternatives.	2026-05-13 12:48:51 -04:00
Thierry Pouplier	f184ed957c	Merge pull request 'fix: update wg-easy to official ghcr image with iptables-nft' (#26 ) from fix/vpn-iptables-nft-upstream into master Reviewed-on: #26	2026-05-13 16:37:35 +00:00
Hermes	2bf31c7ccc	fix: update wg-easy to official ghcr image with iptables-nft - Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton) - Use update-alternatives instead of raw ln -sf to flip iptables from legacy to nftables backend - Fix compose build context: ./vpn -> . (Dockerfile was at same level) The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11. The new official image has it available, we just flip the alternatives. The old ln -sf approach was fragile across Alpine versions.	2026-05-13 12:30:15 -04:00
Thierry Pouplier	f44f93e35a	Merge pull request 'fix: add Himalaya email CLI to Hermes Docker image' (#25 ) from fix/himalaya-email-cli into master Some checks failed Build Hermes agent / build (push) Has been cancelled Details Reviewed-on: #25	2026-05-13 15:03:40 +00:00
Thierry Pouplier	4cdd157e3f	Merge pull request 'fix: add iptables-nft to wg-easy for nftables-only kernels' (#24 ) from fix/wg-easy-iptables-nft into master Reviewed-on: #24	2026-05-13 15:03:25 +00:00
Thierry Pouplier	3ba0345887	Merge pull request 'feat: install custom Hermes tools at startup, remove deprecated fix-permissions.sh' (#23 ) from feat/hermes-custom-tools-startup into master Some checks failed Build Hermes agent / build (push) Failing after 2s Details Build ollama (gfx906) / build (push) Failing after 2s Details Reviewed-on: #23	2026-05-13 13:52:36 +00:00
Hermes	27571ddb3f	feat: add Himalaya email CLI to Hermes Docker image Some checks failed Build Hermes agent / build (pull_request) Failing after 2s Details	2026-05-12 18:09:40 -04:00
Hermes	5e242eb946	fix: add iptables-nft to wg-easy for nftables-only kernels wg-easy's Alpine wg-quick uses legacy iptables which requires the iptable_nat kernel module. On NixOS kernels compiled without legacy netfilter modules, the container crashes in a restart loop: iptables v1.8.3 (legacy): can't initialize iptables table 'nat' Table does not exist (do you need to insmod?) Fix: build a custom image that installs Alpine's iptables-nft package and symlinks iptables -> iptables-nft (nftables backend).	2026-05-12 14:52:33 -04:00