fix(paperclip): force Traefik to use ai_net network for routing

The Hermes adapter can be installed once via Paperclip's adapter
management API and persists on the Docker volume across restarts.
No custom Dockerfile or build step required.

.gitignore

@@ -1,13 +0,0 @@
-# Temp/scratch files — never commit these
-*.bak
-*.swp
-*.tmp
-*~
-scratch/
-.env
-.env.local
-tmp/
-temp/
-replace_compose.py
-entrypoint-*.sh
-copy_*.txt

ai/compose.yml

@@ -32,18 +32,13 @@ services:
         - default
     container_name: hermes
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
-      - HERMES_DASHBOARD=1
-      # Multi-profile: comma-separated list of profiles to run as gateways.
-      # The entrypoint reads this and starts one gateway per profile.
-      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
-      - HERMES_PROFILES=ashley,claire,finn,matt,paul
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -59,10 +54,6 @@ services:
       - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
-      # Syncthing-shared org files — read-only view of user's agenda
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
-      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -71,59 +62,6 @@ services:
       - "26"
     networks:
       - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=ai_net"
-
-      # Router for HTTP + redirection to HTTPS
-      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
-      - "traefik.http.routers.hermes-web-http.entrypoints=web"
-      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
-
-      # Router for HTTPS with TLS — protected by Authelia
-      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
-      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
-      - "traefik.http.routers.hermes-web-https.tls=true"
-      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
-      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
-
-      # Authelia forwardAuth
-      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
-      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
-      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
-
-      # Service Loadbalancer (dashboard port 9119)
-      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
-
-  syncthing:
-    image: syncthing/syncthing:latest
-    container_name: syncthing
-    hostname: syncthing
-    restart: always
-    ports:
-      - "8384:8384"
-      - "22000:22000"
-      - "21027:21027/udp"
-    environment:
-      - TZ=America/Montreal
-    volumes:
-      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
-    networks:
-      - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-http.entrypoints=web"
-      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
-      - "traefik.http.routers.syncthing-https.tls=true"
-      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
-      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
 
   ollama:
     build:
@@ -158,6 +96,62 @@ services:
       - "303"
       - "26"
 
+  paperclip-db:
+    image: postgres:17-alpine
+    container_name: paperclip-db
+    restart: always
+    environment:
+      POSTGRES_USER: paperclip
+      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
+      POSTGRES_DB: paperclip
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
+    networks:
+      - ai_backend
+
+  paperclip:
+    image: ghcr.io/paperclipai/paperclip:v2026.517.0
+    container_name: paperclip
+    restart: always
+    ports:
+      - "127.0.0.1:3100:3100"
+    environment:
+      - HOST=0.0.0.0
+      - PORT=3100
+      - SERVE_UI=true
+      - DATABASE_URL=postgres://paperclip:${PAPERCLIP_DB_PASSWORD}@paperclip-db:5432/paperclip
+      - BETTER_AUTH_SECRET=${PAPERCLIP_AUTH_SECRET:?PAPERCLIP_AUTH_SECRET must be set}
+      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
+      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
+      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
+    volumes:
+      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
+    depends_on:
+      paperclip-db:
+        condition: service_healthy
+    networks:
+      - ai_net
+      - ai_backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-http.entrypoints=web"
+      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
+      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
+      - "traefik.http.routers.paperclip-https.tls=true"
+      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
+
 networks:
   ai_net:
     external: true

ai/hermes/Dockerfile

@@ -20,10 +20,16 @@ RUN --mount=type=ssh \
     GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
     git clone --depth 1 --branch main \
     git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rm -rf fork/node_modules fork/.venv fork/.git && \
-    cp -a fork/. /opt/hermes/ && \
+    rsync -a --delete fork/ /opt/hermes/ \
+      --exclude node_modules \
+      --exclude .venv \
+      --exclude .git && \
     rm -rf /tmp/fork /root/.ssh/
 
+# ---------- Rebuild web UI ----------
+# Source files changed; node_modules (from base image) reused.
+RUN cd /opt/hermes && npm run build
+
 # ---------- Reinstall Python package (editable) ----------
 # Picks up source changes from our fork.
 RUN . /opt/hermes/.venv/bin/activate && \
@@ -34,7 +40,6 @@ USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         libportaudio2 ca-certificates poppler-utils imagemagick \
-        libolm-dev \
         texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
         texlive-xetex texlive-science \
         qemu-user-static binfmt-support emacs-nox && \
@@ -43,12 +48,6 @@ RUN apt-get update && \
 # ---------- UV ----------
 COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
 
-# ---------- Matrix bridge + extra pip deps ----------
-# Previously installed inline at container startup and persisted via volume mount.
-# Now baked into the image so the fragile venv volume mount can be removed.
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir 'mautrix[encryption]' openai
-
 # ---------- Piper TTS ----------
 RUN . /opt/hermes/.venv/bin/activate && \
     uv pip install --no-cache-dir piper-tts sounddevice numpy && \
@@ -76,9 +75,9 @@ os.remove(tgz)
 print('himalaya v1.2.0 installed')
 PYEOF
 
-# ---------- Install multi-gateway launcher ----------
-# Launches one gateway process per profile (HERMES_PROFILES env var)
-COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
+# ---------- Install himalaya-ro wrapper ----------
+COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+
 
 # ---------- Runtime ----------
 USER hermes
@@ -89,7 +88,6 @@ ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
 
 # Ensure tools directory and toolsets.py are writable by the hermes runtime user
 # so custom tools can be injected from the persistent volume at startup.
-USER root
 RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
 
 VOLUME [ "/opt/data" ]

ai/hermes/himalaya-ro.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────
+# himalaya-ro — Read-only wrapper for himalaya
+#
+# Blocks destructive commands and logs audit trail.
+# Pass-through for read-only commands (list, read, search).
+#
+# Usage:  himalaya-ro [options] <command> [args...]
+#
+# Install: place in PATH before the real himalaya, or use
+#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
+# ─────────────────────────────────────────────────────────────
+set -o pipefail
+
+# ── Configuration ───────────────────────────────────────────
+HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
+AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
+
+# ── Destructive commands we block ──────────────────────────
+BLOCKED_CMDS=(
+  "message move"
+  "message delete"
+  "message copy"
+  "flag add"
+  "flag remove"
+  "folder create"
+  "folder delete"
+  "folder rename"
+  "template send"
+  "account configure"
+  "account delete"
+)
+
+# ── Determine the subcommand being invoked ─────────────────
+# Strip leading options (--account, --output, etc.) to find the verb
+ARGS=()
+SKIP_NEXT=false
+for arg in "$@"; do
+  if $SKIP_NEXT; then
+    SKIP_NEXT=false
+    continue
+  fi
+  if [[ "$arg" == --* ]]; then
+    case "$arg" in
+      --account|--output|--page|--page-size|--folder|--color|--format)
+        SKIP_NEXT=true ;;
+    esac
+    continue
+  fi
+  ARGS+=("$arg")
+done
+
+# Build subcommand string and check against blocklist
+CMD_STR=""
+for ((i=0; i<${#ARGS[@]}; i++)); do
+  if [ -z "$CMD_STR" ]; then
+    CMD_STR="${ARGS[$i]}"
+  else
+    CMD_STR="$CMD_STR ${ARGS[$i]}"
+  fi
+  for blocked in "${BLOCKED_CMDS[@]}"; do
+    if [[ "$CMD_STR" == "$blocked" ]]; then
+      TS=$(date '+%Y-%m-%d %H:%M:%S')
+      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
+      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
+      echo "       Audit log: $AUDIT_LOG" >&2
+      exit 100
+    fi
+  done
+done
+
+# ── Allow pass-through ─────────────────────────────────────
+exec "$HIMALAYA_BIN" "$@"

ai/hermes/run-multi-gateways.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-# Multi-gateway launcher for HERMES_PROFILES env var.
-# Reads comma-separated profile names, spawns one gateway per profile.
-# Designed to run before the main entrypoint — gateways run in background.
-set -e
-
-if [ -z "${HERMES_PROFILES}" ]; then
-  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
-  exit 0
-fi
-
-# Source venv to make 'hermes' available (entrypoint.sh sources it later,
-# but we need it NOW for the background gateways)
-HERMES_BIN="/opt/hermes/.venv/bin/hermes"
-if [ ! -x "$HERMES_BIN" ]; then
-  echo "ERROR: hermes binary not found at $HERMES_BIN"
-  exit 1
-fi
-
-mkdir -p /opt/data/logs
-
-IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
-for profile in "${PROFILES[@]}"; do
-  profile="$(echo "${profile}" | xargs)"  # trim whitespace
-  [ -z "${profile}" ] && continue
-
-  echo "Starting gateway for profile: ${profile}"
-  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
-      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
-done
-
-echo "All gateways launched: ${HERMES_PROFILES}"

int/.env.example

@@ -1,53 +0,0 @@
-# =============================================================================
-# WorldMonitor — Environment Variables
-# =============================================================================
-# Copy this file to .env (gitignored) and fill in your keys.
-# All keys are optional — the dashboard works without them,
-# but the corresponding features will be disabled.
-#
-# Usage:
-#   cp .env.example .env.local   (docker-compose auto-loads .env from CWD)
-#
-# For production secrets, add these to the shared containers.env
-# agenix secret at: secrets/containers.env.age
-# =============================================================================
-
-# ── REQUIRED: These containers refuse to start without them ──
-# Generate with: openssl rand -hex 32
-REDIS_PASSWORD=
-REDIS_TOKEN=
-RELAY_SHARED_SECRET=
-
-# ── LLM / AI (for intelligence assessments) ──
-# Pick one or both
-GROQ_API_KEY=               # https://console.groq.com (free: 14,400 req/day)
-OPENROUTER_API_KEY=         # https://openrouter.ai (free: 50 req/day)
-
-# ── Markets & Economics (optional) ──
-FINNHUB_API_KEY=            # https://finnhub.io (free tier)
-FRED_API_KEY=               # https://fred.stlouisfed.org (free)
-EIA_API_KEY=                # https://www.eia.gov/opendata/ (free)
-
-# ── Aviation (optional) ──
-AVIATIONSTACK_API=          # https://aviationstack.com (free tier)
-WINGBITS_API_KEY=           # https://wingbits.com (contact them)
-
-# ── Maritime (optional) ──
-AISSTREAM_API_KEY=          # https://aisstream.io (free tier)
-
-# ── Conflict & Unrest (optional) ──
-ACLED_ACCESS_TOKEN=         # https://acleddata.com (free for researchers)
-
-# ── Earth Observation (optional) ──
-NASA_FIRMS_API_KEY=         # https://firms.modaps.eosdis.nasa.gov (free)
-
-# ── Infrastructure / Internet (optional) ──
-CLOUDFLARE_API_TOKEN=       # https://developers.cloudflare.com/fundamentals/api/
-
-# ── Port (optional, defaults to 3000) ──
-WM_PORT=3000
-
-# ── Convex (for cloud sync / auth — optional for self-host) ──
-CONVEX_URL=
-CLERK_SECRET_KEY=
-VITE_CLERK_PUBLISHABLE_KEY=

int/compose.yml

@@ -1,177 +0,0 @@
-# =============================================================================
-# Integrations stack
-# =============================================================================
-# Currently running: WorldMonitor
-# Planned: TAK server (commented out — needs fixing)
-# =============================================================================
-
-# ── TAK Server (FreeTAKServer) ──
-# Disabled: needs debugging. Was having connectivity/auth issues.
-# See: https://github.com/FreeTAKTeam/FreeTAKServer
-#
-# services:
-#   freetakserver:
-#     image: ghcr.io/freetakteam/freetakserver:master
-#     container_name: freetakserver
-#     hostname: freetakserver
-#     restart: always
-#     networks:
-#       - int_backend
-#     volumes:
-#       - /mnt/HoardingCow_docker_data/TAK/fts_data:/opt/fts:z,rw
-#     ports:
-#       - 8087:8087
-#       - 8089:8089
-#       - 8443:8443
-#       - 9000:9000
-#       - 19023:19023
-#     environment:
-#       FTS_FED_PASSWORD: "${FTS_FED_PASSWORD}"
-#       FTS_CLIENT_CERT_PASSWORD: "${FTS_CLIENT_CERT_PASSWORD}"
-#       FTS_WEBSOCKET_KEY: "${FTS_WEBSOCKET_KEY}"
-#       FTS_SECRET_KEY: "${FTS_SECRET_KEY}"
-#       FTS_CONNECTION_MESSAGE: "Welcome to FreeTAKServer. The Parrot is not dead. It's just resting"
-#       FTS_COT_PORT: 8087
-#       FTS_SSLCOT_PORT: 8089
-#       FTS_API_PORT: 19023
-#       FTS_FED_PORT: 9000
-#       FTS_DP_ADDRESS: 'freetakserver'
-#       FTS_USER_ADDRESS: 'freetakserver'
-#       FTS_API_ADDRESS: 'freetakserver'
-#       FTS_ROUTING_PROXY_SUBSCRIBE_PORT: 19030
-#       FTS_ROUTING_PROXY_SUBSCRIBE_IP: 'freetakserver'
-#       FTS_ROUTING_PROXY_PUBLISHER_PORT: 19032
-#       FTS_ROUTING_PROXY_PUBLISHER_IP: 'freetakserver'
-#       FTS_ROUTING_PROXY_SERVER_PORT: 19031
-#       FTS_ROUTING_PROXY_SERVER_IP: 'freetakserver'
-#       FTS_INTEGRATION_MANAGER_PULLER_PORT: 19033
-#       FTS_INTEGRATION_MANAGER_PULLER_ADDRESS: 'freetakserver'
-#       FTS_INTEGRATION_MANAGER_PUBLISHER_PORT: 19034
-#       FTS_INTEGRATION_MANAGER_PUBLISHER_ADDRESS: 'freetakserver'
-#       FTS_OPTIMIZE_API: "True"
-#       FTS_DATA_RECEPTION_BUFFER: 1024
-#       FTS_MAX_RECEPTION_TIME: 4
-#       FTS_NUM_ROUTING_WORKERS: 3
-#       FTS_COT_TO_DB: "True"
-#       FTS_MAINLOOP_DELAY: 100
-#       FTS_EMERGENCY_RADIUS: 0
-#       FTS_LOG_LEVEL: "info"
-#
-#   freetakserver-ui:
-#     image: ghcr.io/freetakteam/ui:latest
-#     container_name: freetakserver-ui
-#     hostname: freetakserver-ui
-#     restart: always
-#     networks:
-#       - int_net
-#     ports:
-#       - 5000:5000
-#     volumes:
-#       - /mnt/HoardingCow_docker_data/TAK/fts_ui_data:/home/freetak/data:z,rw
-#     environment:
-#       FTS_IP: "freetakserver" 
-#       FTS_API_PORT: 19023
-#       FTS_API_PROTO: 'http'
-#       FTS_UI_EXPOSED_IP: 'freetakserver-ui'
-#       FTS_MAP_EXPOSED_IP: '127.0.0.1'
-#       FTS_MAP_PORT: 8000
-#       FTS_MAP_PROTO: 'http'
-#       FTS_UI_PORT: 5000
-#       FTS_UI_WSKEY: "${FTS_WEBSOCKET_KEY}"
-#       FTS_API_KEY: 'Bearer token'
-#       FTS_UI_SQLALCHEMY_DATABASE_URI: 'sqlite:////home/freetak/data/FTSServer-UI.db'
-#     labels:
-#       - "traefik.enable=true"
-#       - "traefik.docker.network=traefik-net"
-#       - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
-#       - "traefik.http.routers.fts-ui-http.entrypoints=web"
-#       - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
-#       - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
-#       - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
-#       - "traefik.http.routers.fts-ui-https.tls=true"
-#       - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
-#       - "traefik.http.services.fts-ui.loadbalancer.server.port=5000"
-#       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
-# ── WorldMonitor ──
-# Real-time global intelligence dashboard
-# Repo: https://github.com/koala73/worldmonitor
-# Self-hosted, map-first OSINT with MCP support (39 tools)
-services:
-
-  worldmonitor:
-    build:
-      context: https://github.com/koala73/worldmonitor.git
-      dockerfile: Dockerfile
-    image: worldmonitor:latest
-    container_name: worldmonitor
-    ports:
-      - "${WM_PORT:-3000}:8080"
-    environment:
-      UPSTASH_REDIS_REST_URL: "http://redis-rest:80"
-      UPSTASH_REDIS_REST_TOKEN: "${REDIS_TOKEN:?REDIS_TOKEN required}"
-      LOCAL_API_PORT: "46123"
-      LOCAL_API_MODE: "docker"
-      LOCAL_API_CLOUD_FALLBACK: "false"
-      WS_RELAY_URL: "http://ais-relay:3004"
-      # LLM providers (optional — features degrade gracefully)
-      LLM_API_URL: "${LLM_API_URL:-}"
-      LLM_API_KEY: "${LLM_API_KEY:-}"
-      LLM_MODEL: "${LLM_MODEL:-}"
-      GROQ_API_KEY: "${GROQ_API_KEY:-}"
-      # Data source API keys (optional — features degrade gracefully)
-      AISSTREAM_API_KEY: "${AISSTREAM_API_KEY:-}"
-      FINNHUB_API_KEY: "${FINNHUB_API_KEY:-}"
-      EIA_API_KEY: "${EIA_API_KEY:-}"
-      FRED_API_KEY: "${FRED_API_KEY:-}"
-      ACLED_ACCESS_TOKEN: "${ACLED_ACCESS_TOKEN:-}"
-      NASA_FIRMS_API_KEY: "${NASA_FIRMS_API_KEY:-}"
-      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN:-}"
-      AVIATIONSTACK_API: "${AVIATIONSTACK_API:-}"
-    depends_on:
-      redis-rest:
-        condition: service_started
-      ais-relay:
-        condition: service_started
-    restart: unless-stopped
-
-  ais-relay:
-    build:
-      context: https://github.com/koala73/worldmonitor.git
-      dockerfile: Dockerfile.relay
-    image: worldmonitor-ais-relay:latest
-    container_name: worldmonitor-ais-relay
-    environment:
-      AISSTREAM_API_KEY: "${AISSTREAM_API_KEY:-}"
-      PORT: "3004"
-    restart: unless-stopped
-
-  redis:
-    image: docker.io/redis:7-alpine
-    container_name: worldmonitor-redis
-    command: >
-      redis-server
-      --requirepass "${REDIS_PASSWORD:?REDIS_PASSWORD required}"
-      --maxmemory 256mb
-      --maxmemory-policy allkeys-lru
-    volumes:
-      - wm-redis-data:/data
-    restart: unless-stopped
-
-  redis-rest:
-    build:
-      context: https://github.com/koala73/worldmonitor.git
-      dockerfile: docker/Dockerfile.redis-rest
-    image: worldmonitor-redis-rest:latest
-    container_name: worldmonitor-redis-rest
-    ports:
-      - "127.0.0.1:8079:80"
-    environment:
-      SRH_TOKEN: "${REDIS_TOKEN:?REDIS_TOKEN required}"
-      SRH_CONNECTION_STRING: "redis://:${REDIS_PASSWORD:?REDIS_PASSWORD required}@redis:6379"
-    depends_on:
-      - redis
-    restart: unless-stopped
-
-volumes:
-  wm-redis-data:

tak/compose.yml

@@ -0,0 +1,98 @@
+services:
+  freetakserver:
+    image: ghcr.io/freetakteam/freetakserver:master
+    container_name: freetakserver
+    hostname: freetakserver
+    restart: always
+    networks:
+      - tak_backend
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_data:/opt/fts:z,rw
+    ports:
+      - 8087:8087
+      - 8089:8089
+      - 8443:8443
+      - 9000:9000
+      - 19023:19023
+    environment:
+      FTS_FED_PASSWORD: "${FTS_FED_PASSWORD}"
+      FTS_CLIENT_CERT_PASSWORD: "${FTS_CLIENT_CERT_PASSWORD}"
+      FTS_WEBSOCKET_KEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_SECRET_KEY: "${FTS_SECRET_KEY}"
+      FTS_CONNECTION_MESSAGE: "Welcome to FreeTAKServer. The Parrot is not dead. It's just resting"
+      FTS_COT_PORT: 8087
+      FTS_SSLCOT_PORT: 8089
+      FTS_API_PORT: 19023
+      FTS_FED_PORT: 9000
+      FTS_DP_ADDRESS: 'freetakserver'
+      FTS_USER_ADDRESS: 'freetakserver'
+      FTS_API_ADDRESS: 'freetakserver'
+      FTS_ROUTING_PROXY_SUBSCRIBE_PORT: 19030
+      FTS_ROUTING_PROXY_SUBSCRIBE_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_PUBLISHER_PORT: 19032
+      FTS_ROUTING_PROXY_PUBLISHER_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_SERVER_PORT: 19031
+      FTS_ROUTING_PROXY_SERVER_IP: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PULLER_PORT: 19033
+      FTS_INTEGRATION_MANAGER_PULLER_ADDRESS: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PUBLISHER_PORT: 19034
+      FTS_INTEGRATION_MANAGER_PUBLISHER_ADDRESS: 'freetakserver'
+      FTS_OPTIMIZE_API: "True"
+      FTS_DATA_RECEPTION_BUFFER: 1024
+      FTS_MAX_RECEPTION_TIME: 4
+      FTS_NUM_ROUTING_WORKERS: 3
+      FTS_COT_TO_DB: "True"
+      FTS_MAINLOOP_DELAY: 100
+      FTS_EMERGENCY_RADIUS: 0
+      FTS_LOG_LEVEL: "info"
+
+  freetakserver-ui:
+    image: ghcr.io/freetakteam/ui:latest
+    container_name: freetakserver-ui
+    hostname: freetakserver-ui
+    restart: always
+    networks:
+      - tak_net
+    ports:
+      - 5000:5000
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_ui_data:/home/freetak/data:z,rw
+    environment:
+      FTS_IP: "freetakserver" 
+      FTS_API_PORT: 19023
+      FTS_API_PROTO: 'http'
+      FTS_UI_EXPOSED_IP: 'freetakserver-ui'
+      FTS_MAP_EXPOSED_IP: '127.0.0.1'
+      FTS_MAP_PORT: 8000
+      FTS_MAP_PROTO: 'http'
+      FTS_UI_PORT: 5000
+      FTS_UI_WSKEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_API_KEY: 'Bearer token'
+      FTS_UI_SQLALCHEMY_DATABASE_URI: 'sqlite:////home/freetak/data/FTSServer-UI.db'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+
+      # HTTP -> HTTPS Redirect
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-http.entrypoints=web"
+      - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
+
+      # HTTPS Router
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
+      - "traefik.http.routers.fts-ui-https.tls=true"
+      - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
+      
+      # Service & Port
+      - "traefik.http.services.fts-ui.loadbalancer.server.port=5000"
+
+      # Reuse your existing redirect middleware
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+networks:
+  tak_net:
+    external: true
+  tak_backend:
+    driver: bridge
+    name: tak_backend