feat: add Paperclip env example file with placeholder secrets

Add env/.env.example.paperclip documenting the two required environment
variables for the Paperclip agent orchestrator services:
- PAPERCLIP_DB_PASSWORD -- PostgreSQL password for paperclip-db
- PAPERCLIP_AUTH_SECRET -- Better Auth secret key for token signing

Users copy this to .env and fill in the secrets before deploying.

ai/Dockerfile

@@ -15,13 +15,7 @@ ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
-        curl poppler-utils imagemagick \
+        curl poppler-utils imagemagick && \
-        chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
-        libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
-        qemu-user-static binfmt-support qemu-user-binfmt \
-        emacs-nox \
-        libportaudio2 && \
     rm -rf /var/lib/apt/lists/*
 
 # Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
@@ -60,8 +54,7 @@ RUN chmod -R a+rX /opt/hermes
 
 # ---------- Python virtualenv ----------
 RUN uv venv && \
-    uv pip install --no-cache-dir -e ".[all]" && \
+    uv pip install --no-cache-dir -e ".[all]"
-    uv pip install --no-cache-dir sounddevice numpy faster-whisper
 
 # ---------- Runtime ----------
 ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist

ai/compose.yml

@@ -1,32 +1,32 @@
 version: "3.8"
 services:
 
-  # webui:
+  webui:
-  #   image: ghcr.io/open-webui/open-webui:main
+    image: ghcr.io/open-webui/open-webui:main
-  #   volumes:
+    volumes:
-  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+      - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
-  #   restart: always
+    restart: always
-  #   environment:
+    environment:
-  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
+      - OLLAMA_API_BASE_URL=http://ollama:11434/api
-  #   networks:
+    networks:
-  #     - ai_net
+      - ai_net
-  #     - ai_backend
+      - ai_backend
-  #   labels:
+    labels:
-  #     - "traefik.enable=true"
+      - "traefik.enable=true"
 
-  #     # Router for HTTP + redirection to HTTPS
+      # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-http.entrypoints=web"
+      - "traefik.http.routers.webui-http.entrypoints=web"
-  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
 
-  #     # Router for HTTPS with TLS
+      # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
+      - "traefik.http.routers.webui-https.entrypoints=websecure"
-  #     - "traefik.http.routers.webui-https.tls=true"
+      - "traefik.http.routers.webui-https.tls=true"
-  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+      - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./
+    image: nousresearch/hermes-agent:latest
     container_name: hermes
     restart: always
     # Gateway run enables the internal API server on port 8642

coms/compose.yml

@@ -1,15 +1,15 @@
 version: "3.9"
 services:
-  # nomadnet:
+  nomadnet:
-  #   image: ghcr.io/markqvist/nomadnet:master
+    image: ghcr.io/markqvist/nomadnet:master
-  #   container_name: nomadnet
+    container_name: nomadnet
-  #   restart: always
+    restart: always
-  #   volumes:
+    volumes:
-  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+      - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
-  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+      - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
-  #   # Reticulum transport must be reachable directly (NOT through Traefik)
+    # Reticulum transport must be reachable directly (NOT through Traefik)
-  #   ports:
+    ports:
-  #     - "4242:4242"
+      - "4242:4242"
 
   synapse:
     image: ghcr.io/element-hq/synapse:latest

env/.env.example.paperclip

@@ -0,0 +1,26 @@
+# Paperclip Environment Variables
+# Copy this file to your .env (at the compose root or docker-compose working directory)
+# and fill in the secrets.
+#
+#   cp env/.env.example.paperclip .env
+#
+# Then reference it from compose.yml:
+#   env_file:
+#     - path: .env
+#       required: true
+
+# ---------------------------------------------------------------------------
+# Database
+# ---------------------------------------------------------------------------
+# PostgreSQL password for the paperclip-db service.
+# Generate a strong random password:
+#   openssl rand -base64 32
+PAPERCLIP_DB_PASSWORD=change_me_to_a_strong_random_password
+
+# ---------------------------------------------------------------------------
+# Authentication
+# ---------------------------------------------------------------------------
+# Secret key used by Better Auth for signing and verifying tokens.
+# Generate a strong random secret:
+#   openssl rand -base64 32
+PAPERCLIP_AUTH_SECRET=change_me_to_a_strong_random_secret

vpn/compose.yml

@@ -1,35 +0,0 @@
-version: "3.8"
-
-services:
-  wireguard:
-    image: weejewel/wg-easy:latest
-    container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    environment:
-      - WG_HOST=vpn.lazyworkhorse.net
-      - PASSWORD=${WG_PASSWORD}
-      - WG_PORT=51820
-      - WG_DEFAULT_ADDRESS=10.8.0.x
-      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
-      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
-      - WG_PERSISTENT_KEEPALIVE=25
-      - UI_TRAFFIC_STATS=true
-      - UI_CHART_TYPE=0
-    ports:
-      - "51820:51820/udp"
-      - "51821:51821/tcp"
-    volumes:
-      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv4.ip_forward=1
-    restart: unless-stopped
-    networks:
-      - vpn_net
-
-networks:
-  vpn_net:
-    external: true
-    name: vpn_net