fix(paperclip): force Traefik to use ai_net network for routing

Revert custom Dockerfile - not needed, adapter installs on persistent volume
The Hermes adapter can be installed once via Paperclip's adapter management API and persists on the Docker volume across restarts. No custom Dockerfile or build step required.
2026-05-18 22:13:59 -04:00 · 2026-05-18 18:38:17 -04:00 · 2026-05-18 18:37:31 -04:00 · 2026-05-18 18:17:15 -04:00 · 2026-05-13 13:11:11 -04:00 · 2026-05-13 16:59:50 +00:00
6 changed files with 160 additions and 4 deletions
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -96,6 +96,62 @@ services:
      - "303"
      - "26"

+  paperclip-db:
+    image: postgres:17-alpine
+    container_name: paperclip-db
+    restart: always
+    environment:
+      POSTGRES_USER: paperclip
+      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
+      POSTGRES_DB: paperclip
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
+    networks:
+      - ai_backend
+
+  paperclip:
+    image: ghcr.io/paperclipai/paperclip:v2026.517.0
+    container_name: paperclip
+    restart: always
+    ports:
+      - "127.0.0.1:3100:3100"
+    environment:
+      - HOST=0.0.0.0
+      - PORT=3100
+      - SERVE_UI=true
+      - DATABASE_URL=postgres://paperclip:${PAPERCLIP_DB_PASSWORD}@paperclip-db:5432/paperclip
+      - BETTER_AUTH_SECRET=${PAPERCLIP_AUTH_SECRET:?PAPERCLIP_AUTH_SECRET must be set}
+      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
+      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
+      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
+    depends_on:
+      paperclip-db:
+        condition: service_healthy
+    networks:
+      - ai_net
+      - ai_backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-http.entrypoints=web"
+      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
+      - "traefik.http.routers.paperclip-https.tls=true"
+      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
+
 networks:
  ai_net:
    external: true
--- a/ai/hermes/Dockerfile
+++ b/ai/hermes/Dockerfile
@@ -61,6 +61,24 @@ urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
 urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
 PYEOF

+# ---------- Install Himalaya email CLI ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil
+url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
+tgz = '/tmp/himalaya.tgz'
+urllib.request.urlretrieve(url, tgz)
+with tarfile.open(tgz) as t:
+    t.extractall('/tmp')
+shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
+os.chmod('/usr/local/bin/himalaya', 0o755)
+os.remove(tgz)
+print('himalaya v1.2.0 installed')
+PYEOF
+
+# ---------- Install himalaya-ro wrapper ----------
+COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+
+
 # ---------- Runtime ----------
 USER hermes
 ENV HERMES_HOME=/opt/data
--- a/ai/hermes/himalaya-ro.sh
+++ b/ai/hermes/himalaya-ro.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────
+# himalaya-ro — Read-only wrapper for himalaya
+#
+# Blocks destructive commands and logs audit trail.
+# Pass-through for read-only commands (list, read, search).
+#
+# Usage:  himalaya-ro [options] <command> [args...]
+#
+# Install: place in PATH before the real himalaya, or use
+#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
+# ─────────────────────────────────────────────────────────────
+set -o pipefail
+
+# ── Configuration ───────────────────────────────────────────
+HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
+AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
+
+# ── Destructive commands we block ──────────────────────────
+BLOCKED_CMDS=(
+  "message move"
+  "message delete"
+  "message copy"
+  "flag add"
+  "flag remove"
+  "folder create"
+  "folder delete"
+  "folder rename"
+  "template send"
+  "account configure"
+  "account delete"
+)
+
+# ── Determine the subcommand being invoked ─────────────────
+# Strip leading options (--account, --output, etc.) to find the verb
+ARGS=()
+SKIP_NEXT=false
+for arg in "$@"; do
+  if $SKIP_NEXT; then
+    SKIP_NEXT=false
+    continue
+  fi
+  if [[ "$arg" == --* ]]; then
+    case "$arg" in
+      --account|--output|--page|--page-size|--folder|--color|--format)
+        SKIP_NEXT=true ;;
+    esac
+    continue
+  fi
+  ARGS+=("$arg")
+done
+
+# Build subcommand string and check against blocklist
+CMD_STR=""
+for ((i=0; i<${#ARGS[@]}; i++)); do
+  if [ -z "$CMD_STR" ]; then
+    CMD_STR="${ARGS[$i]}"
+  else
+    CMD_STR="$CMD_STR ${ARGS[$i]}"
+  fi
+  for blocked in "${BLOCKED_CMDS[@]}"; do
+    if [[ "$CMD_STR" == "$blocked" ]]; then
+      TS=$(date '+%Y-%m-%d %H:%M:%S')
+      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
+      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
+      echo "       Audit log: $AUDIT_LOG" >&2
+      exit 100
+    fi
+  done
+done
+
+# ── Allow pass-through ─────────────────────────────────────
+exec "$HIMALAYA_BIN" "$@"
--- a/versioncontrol/compose.yml
+++ b/versioncontrol/compose.yml
@@ -8,13 +8,10 @@ services:
      - USER_GID=1000
      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
      - GITEA__actions__ENABLED=true
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
      - SSH_PORT=2222
      - SSH_LISTEN_PORT=2222
      # Enable Gitea Actions (act_runner required on host)
      - GITEA__actions__ENABLED=true
-      # Don't fetch actions from GitHub (offline mode + local only)
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
    volumes:
      - /mnt/HoardingCow_docker_data/Gitea:/data
    networks:
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -0,0 +1,9 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM ghcr.io/wg-easy/wg-easy:latest
+
+# The upstream image registers only iptables-legacy with update-alternatives.
+# iptables-nft binary exists but isn't registered as an alternative key.
+# Override the alternatives-managed symlinks directly.
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -2,7 +2,10 @@ version: "3.8"

 services:
  wireguard:
-    image: weejewel/wg-easy:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
Author	SHA1	Message	Date
Hermes	1eacc3cd8e	fix(paperclip): force Traefik to use ai_net network for routing Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details	2026-05-18 22:13:59 -04:00
Hermes	bce403232a	Revert custom Dockerfile - not needed, adapter installs on persistent volume Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details The Hermes adapter can be installed once via Paperclip's adapter management API and persists on the Docker volume across restarts. No custom Dockerfile or build step required.	2026-05-18 18:38:17 -04:00
Hermes	37bf43c3ea	feat: add custom Dockerfile with Hermes adapter baked in Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details Creates ai/paperclip/ with: - Dockerfile: extends upstream paperclip image, pre-installs hermes-paperclip-adapter@0.3.0 npm package as seed data - docker-entrypoint.sh: seeds the adapter plugin on first boot if the persistent volume is empty, then runs original startup This ensures the Hermes adapter is available on first boot without requiring network access — no npm install needed at runtime. The adapter persists on the Docker volume across restarts.	2026-05-18 18:37:31 -04:00
Hermes	563ccc5632	feat: add Paperclip agent orchestrator to AI compose stack Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details Paperclip (ghcr.io/paperclipai/paperclip:v2026.517.0) is an open-source agent management dashboard. Adds paperclip-db (PostgreSQL 17) and paperclip services with Traefik reverse proxy on paperclip.lazyworkhorse.net. Requires .env: PAPERCLIP_DB_PASSWORD, PAPERCLIP_AUTH_SECRET.	2026-05-18 18:17:15 -04:00
Thierry Pouplier	8d1ae7e632	Remove the unsuported gitea action off	2026-05-13 13:11:11 -04:00
Thierry Pouplier	29ae32a1c5	Merge pull request 'fix: use ln -sf instead of update-alternatives --set for iptables-nft' (#28 ) from fix/vpn-iptables-nft-v3 into master Reviewed-on: #28	2026-05-13 16:59:50 +00:00
Hermes	8dff094768	fix: use ln -sf instead of update-alternatives --set update-alternatives --set fails because the base image only registers iptables-legacy as an alternative. The iptables-nft binary (/usr/sbin/iptables-nft) exists but isn't in the alternatives database. Direct ln -sf bypasses this.	2026-05-13 12:58:43 -04:00
Thierry Pouplier	ec08f5eb5d	Merge pull request 'fix: remove apk add iptables-nft — built-in on Alpine 3.18+' (#27 ) from fix/vpn-iptables-nft-v2 into master Reviewed-on: #27	2026-05-13 16:49:23 +00:00
Hermes	611e96b306	fix: remove apk add iptables-nft — built-in on Alpine 3.18+ In Alpine 3.18+, the 'iptables' package IS the nftables variant. iptables-nft is not a separate package. The binary is already in the base image — only need to flip update-alternatives.	2026-05-13 12:48:51 -04:00
Thierry Pouplier	f184ed957c	Merge pull request 'fix: update wg-easy to official ghcr image with iptables-nft' (#26 ) from fix/vpn-iptables-nft-upstream into master Reviewed-on: #26	2026-05-13 16:37:35 +00:00
Hermes	2bf31c7ccc	fix: update wg-easy to official ghcr image with iptables-nft - Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton) - Use update-alternatives instead of raw ln -sf to flip iptables from legacy to nftables backend - Fix compose build context: ./vpn -> . (Dockerfile was at same level) The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11. The new official image has it available, we just flip the alternatives. The old ln -sf approach was fragile across Alpine versions.	2026-05-13 12:30:15 -04:00
Thierry Pouplier	f44f93e35a	Merge pull request 'fix: add Himalaya email CLI to Hermes Docker image' (#25 ) from fix/himalaya-email-cli into master Some checks failed Build Hermes agent / build (push) Has been cancelled Details Reviewed-on: #25	2026-05-13 15:03:40 +00:00
Thierry Pouplier	4cdd157e3f	Merge pull request 'fix: add iptables-nft to wg-easy for nftables-only kernels' (#24 ) from fix/wg-easy-iptables-nft into master Reviewed-on: #24	2026-05-13 15:03:25 +00:00
Thierry Pouplier	3ba0345887	Merge pull request 'feat: install custom Hermes tools at startup, remove deprecated fix-permissions.sh' (#23 ) from feat/hermes-custom-tools-startup into master Some checks failed Build Hermes agent / build (push) Failing after 2s Details Build ollama (gfx906) / build (push) Failing after 2s Details Reviewed-on: #23	2026-05-13 13:52:36 +00:00
Hermes	27571ddb3f	feat: add Himalaya email CLI to Hermes Docker image Some checks failed Build Hermes agent / build (pull_request) Failing after 2s Details	2026-05-12 18:09:40 -04:00
Hermes	5e242eb946	fix: add iptables-nft to wg-easy for nftables-only kernels wg-easy's Alpine wg-quick uses legacy iptables which requires the iptable_nat kernel module. On NixOS kernels compiled without legacy netfilter modules, the container crashes in a restart loop: iptables v1.8.3 (legacy): can't initialize iptables table 'nat' Table does not exist (do you need to insmod?) Fix: build a custom image that installs Alpine's iptables-nft package and symlinks iptables -> iptables-nft (nftables backend).	2026-05-12 14:52:33 -04:00