feat(ai): add QEMU cross-compilation support (PR 4/5)

Add QEMU user-mode emulation for building aarch64 images (uConsole CM5):
- qemu-user-static: Static QEMU binaries for user-mode emulation
- binfmt-support: Linux kernel support for recognizing binary formats
- qemu-user-binfmt: Registers QEMU handlers with binfmt_misc

Enables cross-compilation of NixOS configurations for ARM devices
from the x86_64 Hermes container.

Depends on PR #7, #8, and #9

ai/Dockerfile

@@ -19,9 +19,7 @@ RUN apt-get update && \
         chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
         libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
         texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
-        qemu-user-static binfmt-support qemu-user-binfmt \
+        qemu-user-static binfmt-support qemu-user-binfmt && \
-        emacs-nox \
-        libportaudio2 && \
     rm -rf /var/lib/apt/lists/*
 
 # Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
@@ -60,8 +58,7 @@ RUN chmod -R a+rX /opt/hermes
 
 # ---------- Python virtualenv ----------
 RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]" && \
+    uv pip install --no-cache-dir -e ".[all]"
-    uv pip install --no-cache-dir sounddevice numpy faster-whisper
 
 # ---------- Runtime ----------
 ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist

ai/compose.yml

@@ -1,32 +1,32 @@
 version: "3.8"
 services:
 
-  # webui:
+  webui:
-  #   image: ghcr.io/open-webui/open-webui:main
+    image: ghcr.io/open-webui/open-webui:main
-  #   volumes:
+    volumes:
-  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+      - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
-  #   restart: always
+    restart: always
-  #   environment:
+    environment:
-  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
+      - OLLAMA_API_BASE_URL=http://ollama:11434/api
-  #   networks:
+    networks:
-  #     - ai_net
+      - ai_net
-  #     - ai_backend
+      - ai_backend
-  #   labels:
+    labels:
-  #     - "traefik.enable=true"
+      - "traefik.enable=true"
 
-  #     # Router for HTTP + redirection to HTTPS
+      # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-http.entrypoints=web"
+      - "traefik.http.routers.webui-http.entrypoints=web"
-  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
 
-  #     # Router for HTTPS with TLS
+      # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
+      - "traefik.http.routers.webui-https.entrypoints=websecure"
-  #     - "traefik.http.routers.webui-https.tls=true"
+      - "traefik.http.routers.webui-https.tls=true"
-  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+      - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./
+    image: nousresearch/hermes-agent:latest
     container_name: hermes
     restart: always
     # Gateway run enables the internal API server on port 8642

coms/compose.yml

@@ -1,15 +1,15 @@
 version: "3.9"
 services:
-  # nomadnet:
+  nomadnet:
-  #   image: ghcr.io/markqvist/nomadnet:master
+    image: ghcr.io/markqvist/nomadnet:master
-  #   container_name: nomadnet
+    container_name: nomadnet
-  #   restart: always
+    restart: always
-  #   volumes:
+    volumes:
-  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+      - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
-  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+      - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
-  #   # Reticulum transport must be reachable directly (NOT through Traefik)
+    # Reticulum transport must be reachable directly (NOT through Traefik)
-  #   ports:
+    ports:
-  #     - "4242:4242"
+      - "4242:4242"
 
   synapse:
     image: ghcr.io/element-hq/synapse:latest

vpn/compose.yml

@@ -1,35 +0,0 @@
-version: "3.8"
-
-services:
-  wireguard:
-    image: weejewel/wg-easy:latest
-    container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    environment:
-      - WG_HOST=vpn.lazyworkhorse.net
-      - PASSWORD=${WG_PASSWORD}
-      - WG_PORT=51820
-      - WG_DEFAULT_ADDRESS=10.8.0.x
-      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
-      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
-      - WG_PERSISTENT_KEEPALIVE=25
-      - UI_TRAFFIC_STATS=true
-      - UI_CHART_TYPE=0
-    ports:
-      - "51820:51820/udp"
-      - "51821:51821/tcp"
-    volumes:
-      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv4.ip_forward=1
-    restart: unless-stopped
-    networks:
-      - vpn_net
-
-networks:
-  vpn_net:
-    external: true
-    name: vpn_net