fix(hermes-workspace): add HOST=0.0.0.0 for Traefik reachability, drop redundant nodejs install

The base hermets-agent image already ships Node.js; apt-get nodejs
could conflict or downgrade it. Only install tmux and curl.

Add ENV HOST=0.0.0.0 so the workspace listens on all interfaces
(default 127.0.0.1 makes it unreachable via Traefik reverse proxy).
Add ENV NODE_ENV=production for production-mode optimizations.

.gitignore

@@ -1,13 +0,0 @@
-# Temp/scratch files — never commit these
-*.bak
-*.swp
-*.tmp
-*~
-scratch/
-.env
-.env.local
-tmp/
-temp/
-replace_compose.py
-entrypoint-*.sh
-copy_*.txt

ai/compose.yml

@@ -32,18 +32,13 @@ services:
         - default
     container_name: hermes
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
-      - HERMES_DASHBOARD=1
-      # Multi-profile: comma-separated list of profiles to run as gateways.
-      # The entrypoint reads this and starts one gateway per profile.
-      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
-      - HERMES_PROFILES=ashley,claire,finn,matt,paul
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -57,6 +52,10 @@ services:
       - ROCR_VISIBLE_DEVICES=0,1
       - HSA_ENABLE_SDMA=0
       - TZ=America/Montreal
+      # Hermes Workspace dashboard (port 9119) — enables multi-agent web UI
+      - HERMES_DASHBOARD=1
+      - HERMES_DASHBOARD_HOST=0.0.0.0
+      - HERMES_DASHBOARD_PORT=9119
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
       # Syncthing-shared org files — read-only view of user's agenda
@@ -76,7 +75,7 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=ai_net"
 
-      # Router for HTTP + redirection to HTTPS
+      # Router for HTTP + redirect to HTTPS
       - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
       - "traefik.http.routers.hermes-web-http.entrypoints=web"
       - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
@@ -95,6 +94,12 @@ services:
 
       # Service Loadbalancer (dashboard port 9119)
       - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fsS http://localhost:8642/health && curl -fsS http://localhost:9119/api/status || exit 1"]
+      interval: 15s
+      timeout: 5s
+      retries: 5
+      start_period: 60s
 
   syncthing:
     image: syncthing/syncthing:latest
@@ -158,6 +163,46 @@ services:
       - "303"
       - "26"
 
+  # ── Hermes Workspace (combined image) ────────────────────────
+  # Web UI + Swarm worker support. Uses custom combined image with
+  # our Hermes fork + workspace web UI + tmux for Swarm workers.
+  hermes-workspace:
+    build:
+      context: ./hermes-workspace
+      ssh:
+        - default
+    container_name: hermes-workspace
+    restart: unless-stopped
+    depends_on:
+      hermes:
+        condition: service_healthy
+    environment:
+      HERMES_API_URL: http://hermes:8642
+      HERMES_DASHBOARD_URL: http://hermes:9119
+      HERMES_API_TOKEN: hermes_local_key
+      HERMES_PASSWORD: ${HERMES_WORKSPACE_PASSWORD:?must be set}
+      COOKIE_SECURE: "1"
+    volumes:
+      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      - "traefik.http.routers.workspace-http.rule=Host(`workspace.lazyworkhorse.net`)"
+      - "traefik.http.routers.workspace-http.entrypoints=web"
+      - "traefik.http.routers.workspace-http.middlewares=redirect-to-https"
+
+      - "traefik.http.routers.workspace-https.rule=Host(`workspace.lazyworkhorse.net`)"
+      - "traefik.http.routers.workspace-https.entrypoints=websecure"
+      - "traefik.http.routers.workspace-https.tls=true"
+      - "traefik.http.routers.workspace-https.tls.certresolver=njalla"
+
+      - "traefik.http.services.workspace.loadbalancer.server.port=3000"
+# ─────────────────────────────────────────────────────────────
+
 networks:
   ai_net:
     external: true

ai/hermes-workspace/Dockerfile

@@ -0,0 +1,129 @@
+# syntax=docker/dockerfile:1
+# Hermes Agent + Hermes Workspace — combined image
+# Builds on top of official image + our forked source + workspace UI.
+# Supports Swarm Mode (tmux workers) in a single container.
+# Requires Docker BuildKit. Pass SSH agent for git clone:
+#   docker compose build hermes-workspace
+
+# ---------- Stage 1: Build Hermes Workspace (web UI) ----------
+FROM node:22-slim AS workspace-build
+
+WORKDIR /app
+
+# Install pnpm and git
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates git curl \
+    && rm -rf /var/lib/apt/lists/* \
+    && corepack enable
+
+# Clone workspace source (pinned to a known-good commit on main)
+RUN git clone --depth 1 --branch main \
+    https://github.com/outsourc-e/hermes-workspace.git /app/workspace-src \
+    && rm -rf /app/workspace-src/.git
+
+WORKDIR /app/workspace-src
+
+# Install deps and build
+RUN pnpm install --frozen-lockfile && pnpm build
+
+# ---------- Stage 2: Hermes Agent + Workspace runtime ----------
+FROM nousresearch/hermes-agent:latest
+
+# ---------- Install tmux for Swarm workers + curl for health checks ----------
+# Note: Node.js is already shipped with the base hermets-agent image; apt's nodejs
+# would be older and could conflict. Only add what's missing.
+USER root
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    tmux curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# ---------- Overlay our forked Hermes source ----------
+RUN --mount=type=ssh \
+    mkdir -p /root/.ssh && \
+    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
+    cd /tmp && \
+    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
+    git clone --depth 1 --branch main \
+    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
+    rsync -a --delete fork/ /opt/hermes/ \
+      --exclude node_modules \
+      --exclude .venv \
+      --exclude .git && \
+    rm -rf /tmp/fork /root/.ssh/
+
+# ---------- Rebuild web UI ----------
+RUN cd /opt/hermes && npm run build
+
+# ---------- Reinstall Python package ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir --no-deps -e /opt/hermes
+
+# ---------- Extra system deps ----------
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libportaudio2 ca-certificates poppler-utils imagemagick \
+    texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
+    texlive-xetex texlive-science \
+    qemu-user-static binfmt-support emacs-nox \
+    && rm -rf /var/lib/apt/lists/*
+
+# ---------- UV ----------
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
+
+# ---------- Piper TTS ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
+    mkdir -p /opt/hermes/.venv/share/piper/voices
+
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request
+base = '/opt/hermes/.venv/share/piper/voices'
+url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
+urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
+urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
+PYEOF
+
+# ---------- Install Himalaya email CLI ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil
+url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
+tgz = '/tmp/himalaya.tgz'
+urllib.request.urlretrieve(url, tgz)
+with tarfile.open(tgz) as t:
+    t.extractall('/tmp')
+shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
+os.chmod('/usr/local/bin/himalaya', 0o755)
+os.remove(tgz)
+print('himalaya v1.2.0 installed')
+PYEOF
+
+# ---------- Install himalaya-ro wrapper ----------
+COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+
+# ---------- Copy Hermes Workspace build artifacts ----------
+COPY --from=workspace-build --chown=hermes:hermes \
+    /app/workspace-src/dist /workspace/dist
+COPY --from=workspace-build --chown=hermes:hermes \
+    /app/workspace-src/node_modules /workspace/node_modules
+COPY --from=workspace-build --chown=hermes:hermes \
+    /app/workspace-src/package.json /workspace/
+COPY --from=workspace-build --chown=hermes:hermes \
+    /app/workspace-src/server-entry.js /workspace/
+COPY --from=workspace-build --chown=hermes:hermes \
+    /app/workspace-src/skills /workspace/skills
+COPY --chmod=0755 entrypoint-combined.sh /usr/local/bin/entrypoint-combined.sh
+
+# ---------- Runtime ----------
+USER hermes
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
+ENV HOST=0.0.0.0
+ENV NODE_ENV=production
+
+RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
+
+VOLUME [ "/opt/data" ]
+
+EXPOSE 8642 9119 3000
+
+ENTRYPOINT ["/usr/bin/tini", "-g", "--", "/usr/local/bin/entrypoint-combined.sh"]

ai/hermes-workspace/entrypoint-combined.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+# ── Hermes Workspace + Swarm Worker Entrypoint ──
+# Starts Hermes Workspace web UI (port 3000) and makes
+# hermes CLI + tmux available for Swarm workers.
+# The Hermes gateway runs in a separate container (hermes:8642).
+# Swarm workers spawned here connect to the gateway via HTTP.
+# ──────────────────────────────────────────────────────────
+
+# Install custom tools from persistent volume
+if [ -f /opt/data/hermes-tools/install.sh ]; then
+  bash /opt/data/hermes-tools/install.sh || true
+fi
+
+# Wait for Hermes gateway to be healthy before starting workspace
+if [ -n "${HERMES_API_URL:-}" ]; then
+  echo "Waiting for Hermes gateway..."
+  for i in $(seq 1 30); do
+    if curl -fsS "${HERMES_API_URL}/health" >/dev/null 2>&1; then
+      echo "Gateway healthy after ${i}s"
+      break
+    fi
+    if [ "$i" -eq 30 ]; then
+      echo "WARNING: Gateway not healthy after 30s, starting workspace anyway"
+    fi
+    sleep 1
+  done
+fi
+
+# Start Hermes Workspace in foreground
+cd /workspace
+exec node --max-old-space-size=2048 server-entry.js

ai/hermes-workspace/himalaya-ro.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────
+# himalaya-ro — Read-only wrapper for himalaya
+#
+# Blocks destructive commands and logs audit trail.
+# Pass-through for read-only commands (list, read, search).
+#
+# Usage:  himalaya-ro [options] <command> [args...]
+#
+# Install: place in PATH before the real himalaya, or use
+#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
+# ─────────────────────────────────────────────────────────────
+set -o pipefail
+
+# ── Configuration ───────────────────────────────────────────
+HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
+AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
+
+# ── Destructive commands we block ──────────────────────────
+BLOCKED_CMDS=(
+  "message move"
+  "message delete"
+  "message copy"
+  "flag add"
+  "flag remove"
+  "folder create"
+  "folder delete"
+  "folder rename"
+  "template send"
+  "account configure"
+  "account delete"
+)
+
+# ── Determine the subcommand being invoked ─────────────────
+# Strip leading options (--account, --output, etc.) to find the verb
+ARGS=()
+SKIP_NEXT=false
+for arg in "$@"; do
+  if $SKIP_NEXT; then
+    SKIP_NEXT=false
+    continue
+  fi
+  if [[ "$arg" == --* ]]; then
+    case "$arg" in
+      --account|--output|--page|--page-size|--folder|--color|--format)
+        SKIP_NEXT=true ;;
+    esac
+    continue
+  fi
+  ARGS+=("$arg")
+done
+
+# Build subcommand string and check against blocklist
+CMD_STR=""
+for ((i=0; i<${#ARGS[@]}; i++)); do
+  if [ -z "$CMD_STR" ]; then
+    CMD_STR="${ARGS[$i]}"
+  else
+    CMD_STR="$CMD_STR ${ARGS[$i]}"
+  fi
+  for blocked in "${BLOCKED_CMDS[@]}"; do
+    if [[ "$CMD_STR" == "$blocked" ]]; then
+      TS=$(date '+%Y-%m-%d %H:%M:%S')
+      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
+      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
+      echo "       Audit log: $AUDIT_LOG" >&2
+      exit 100
+    fi
+  done
+done
+
+# ── Allow pass-through ─────────────────────────────────────
+exec "$HIMALAYA_BIN" "$@"

ai/hermes/Dockerfile

@@ -20,10 +20,16 @@ RUN --mount=type=ssh \
     GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
     git clone --depth 1 --branch main \
     git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
-    rm -rf fork/node_modules fork/.venv fork/.git && \
-    cp -a fork/. /opt/hermes/ && \
+    rsync -a --delete fork/ /opt/hermes/ \
+      --exclude node_modules \
+      --exclude .venv \
+      --exclude .git && \
     rm -rf /tmp/fork /root/.ssh/
 
+# ---------- Rebuild web UI ----------
+# Source files changed; node_modules (from base image) reused.
+RUN cd /opt/hermes && npm run build
+
 # ---------- Reinstall Python package (editable) ----------
 # Picks up source changes from our fork.
 RUN . /opt/hermes/.venv/bin/activate && \
@@ -34,7 +40,6 @@ USER root
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         libportaudio2 ca-certificates poppler-utils imagemagick \
-        libolm-dev \
         texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
         texlive-xetex texlive-science \
         qemu-user-static binfmt-support emacs-nox && \
@@ -43,12 +48,6 @@ RUN apt-get update && \
 # ---------- UV ----------
 COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
 
-# ---------- Matrix bridge + extra pip deps ----------
-# Previously installed inline at container startup and persisted via volume mount.
-# Now baked into the image so the fragile venv volume mount can be removed.
-RUN . /opt/hermes/.venv/bin/activate && \
-    uv pip install --no-cache-dir 'mautrix[encryption]' openai
-
 # ---------- Piper TTS ----------
 RUN . /opt/hermes/.venv/bin/activate && \
     uv pip install --no-cache-dir piper-tts sounddevice numpy && \
@@ -76,9 +75,9 @@ os.remove(tgz)
 print('himalaya v1.2.0 installed')
 PYEOF
 
-# ---------- Install multi-gateway launcher ----------
-# Launches one gateway process per profile (HERMES_PROFILES env var)
-COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
+# ---------- Install himalaya-ro wrapper ----------
+COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
+
 
 # ---------- Runtime ----------
 USER hermes
@@ -89,7 +88,6 @@ ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
 
 # Ensure tools directory and toolsets.py are writable by the hermes runtime user
 # so custom tools can be injected from the persistent volume at startup.
-USER root
 RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
 
 VOLUME [ "/opt/data" ]

ai/hermes/himalaya-ro.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────
+# himalaya-ro — Read-only wrapper for himalaya
+#
+# Blocks destructive commands and logs audit trail.
+# Pass-through for read-only commands (list, read, search).
+#
+# Usage:  himalaya-ro [options] <command> [args...]
+#
+# Install: place in PATH before the real himalaya, or use
+#          `ln -sf himalaya-ro /usr/local/bin/himalaya`
+# ─────────────────────────────────────────────────────────────
+set -o pipefail
+
+# ── Configuration ───────────────────────────────────────────
+HIMALAYA_BIN="${HIMALAYA_BIN:-/usr/local/bin/himalaya}"
+AUDIT_LOG="${HIMALAYA_AUDIT_LOG:-/var/log/himalaya-audit.log}"
+
+# ── Destructive commands we block ──────────────────────────
+BLOCKED_CMDS=(
+  "message move"
+  "message delete"
+  "message copy"
+  "flag add"
+  "flag remove"
+  "folder create"
+  "folder delete"
+  "folder rename"
+  "template send"
+  "account configure"
+  "account delete"
+)
+
+# ── Determine the subcommand being invoked ─────────────────
+# Strip leading options (--account, --output, etc.) to find the verb
+ARGS=()
+SKIP_NEXT=false
+for arg in "$@"; do
+  if $SKIP_NEXT; then
+    SKIP_NEXT=false
+    continue
+  fi
+  if [[ "$arg" == --* ]]; then
+    case "$arg" in
+      --account|--output|--page|--page-size|--folder|--color|--format)
+        SKIP_NEXT=true ;;
+    esac
+    continue
+  fi
+  ARGS+=("$arg")
+done
+
+# Build subcommand string and check against blocklist
+CMD_STR=""
+for ((i=0; i<${#ARGS[@]}; i++)); do
+  if [ -z "$CMD_STR" ]; then
+    CMD_STR="${ARGS[$i]}"
+  else
+    CMD_STR="$CMD_STR ${ARGS[$i]}"
+  fi
+  for blocked in "${BLOCKED_CMDS[@]}"; do
+    if [[ "$CMD_STR" == "$blocked" ]]; then
+      TS=$(date '+%Y-%m-%d %H:%M:%S')
+      echo "[AUDIT] $TS BLOCKED: himalaya $*" >> "$AUDIT_LOG"
+      echo "ERROR: Command 'himalaya $CMD_STR ...' is blocked by read-only policy." >&2
+      echo "       Audit log: $AUDIT_LOG" >&2
+      exit 100
+    fi
+  done
+done
+
+# ── Allow pass-through ─────────────────────────────────────
+exec "$HIMALAYA_BIN" "$@"

ai/hermes/run-multi-gateways.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-# Multi-gateway launcher for HERMES_PROFILES env var.
-# Reads comma-separated profile names, spawns one gateway per profile.
-# Designed to run before the main entrypoint — gateways run in background.
-set -e
-
-if [ -z "${HERMES_PROFILES}" ]; then
-  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
-  exit 0
-fi
-
-# Source venv to make 'hermes' available (entrypoint.sh sources it later,
-# but we need it NOW for the background gateways)
-HERMES_BIN="/opt/hermes/.venv/bin/hermes"
-if [ ! -x "$HERMES_BIN" ]; then
-  echo "ERROR: hermes binary not found at $HERMES_BIN"
-  exit 1
-fi
-
-mkdir -p /opt/data/logs
-
-IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
-for profile in "${PROFILES[@]}"; do
-  profile="$(echo "${profile}" | xargs)"  # trim whitespace
-  [ -z "${profile}" ] && continue
-
-  echo "Starting gateway for profile: ${profile}"
-  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
-      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
-done
-
-echo "All gateways launched: ${HERMES_PROFILES}"

int/.env.example

@@ -1,53 +0,0 @@
-# =============================================================================
-# WorldMonitor — Environment Variables
-# =============================================================================
-# Copy this file to .env (gitignored) and fill in your keys.
-# All keys are optional — the dashboard works without them,
-# but the corresponding features will be disabled.
-#
-# Usage:
-#   cp .env.example .env.local   (docker-compose auto-loads .env from CWD)
-#
-# For production secrets, add these to the shared containers.env
-# agenix secret at: secrets/containers.env.age
-# =============================================================================
-
-# ── REQUIRED: These containers refuse to start without them ──
-# Generate with: openssl rand -hex 32
-REDIS_PASSWORD=
-REDIS_TOKEN=
-RELAY_SHARED_SECRET=
-
-# ── LLM / AI (for intelligence assessments) ──
-# Pick one or both
-GROQ_API_KEY=               # https://console.groq.com (free: 14,400 req/day)
-OPENROUTER_API_KEY=         # https://openrouter.ai (free: 50 req/day)
-
-# ── Markets & Economics (optional) ──
-FINNHUB_API_KEY=            # https://finnhub.io (free tier)
-FRED_API_KEY=               # https://fred.stlouisfed.org (free)
-EIA_API_KEY=                # https://www.eia.gov/opendata/ (free)
-
-# ── Aviation (optional) ──
-AVIATIONSTACK_API=          # https://aviationstack.com (free tier)
-WINGBITS_API_KEY=           # https://wingbits.com (contact them)
-
-# ── Maritime (optional) ──
-AISSTREAM_API_KEY=          # https://aisstream.io (free tier)
-
-# ── Conflict & Unrest (optional) ──
-ACLED_ACCESS_TOKEN=         # https://acleddata.com (free for researchers)
-
-# ── Earth Observation (optional) ──
-NASA_FIRMS_API_KEY=         # https://firms.modaps.eosdis.nasa.gov (free)
-
-# ── Infrastructure / Internet (optional) ──
-CLOUDFLARE_API_TOKEN=       # https://developers.cloudflare.com/fundamentals/api/
-
-# ── Port (optional, defaults to 3000) ──
-WM_PORT=3000
-
-# ── Convex (for cloud sync / auth — optional for self-host) ──
-CONVEX_URL=
-CLERK_SECRET_KEY=
-VITE_CLERK_PUBLISHABLE_KEY=

int/compose.yml

@@ -1,177 +0,0 @@
-# =============================================================================
-# Integrations stack
-# =============================================================================
-# Currently running: WorldMonitor
-# Planned: TAK server (commented out — needs fixing)
-# =============================================================================
-
-# ── TAK Server (FreeTAKServer) ──
-# Disabled: needs debugging. Was having connectivity/auth issues.
-# See: https://github.com/FreeTAKTeam/FreeTAKServer
-#
-# services:
-#   freetakserver:
-#     image: ghcr.io/freetakteam/freetakserver:master
-#     container_name: freetakserver
-#     hostname: freetakserver
-#     restart: always
-#     networks:
-#       - int_backend
-#     volumes:
-#       - /mnt/HoardingCow_docker_data/TAK/fts_data:/opt/fts:z,rw
-#     ports:
-#       - 8087:8087
-#       - 8089:8089
-#       - 8443:8443
-#       - 9000:9000
-#       - 19023:19023
-#     environment:
-#       FTS_FED_PASSWORD: "${FTS_FED_PASSWORD}"
-#       FTS_CLIENT_CERT_PASSWORD: "${FTS_CLIENT_CERT_PASSWORD}"
-#       FTS_WEBSOCKET_KEY: "${FTS_WEBSOCKET_KEY}"
-#       FTS_SECRET_KEY: "${FTS_SECRET_KEY}"
-#       FTS_CONNECTION_MESSAGE: "Welcome to FreeTAKServer. The Parrot is not dead. It's just resting"
-#       FTS_COT_PORT: 8087
-#       FTS_SSLCOT_PORT: 8089
-#       FTS_API_PORT: 19023
-#       FTS_FED_PORT: 9000
-#       FTS_DP_ADDRESS: 'freetakserver'
-#       FTS_USER_ADDRESS: 'freetakserver'
-#       FTS_API_ADDRESS: 'freetakserver'
-#       FTS_ROUTING_PROXY_SUBSCRIBE_PORT: 19030
-#       FTS_ROUTING_PROXY_SUBSCRIBE_IP: 'freetakserver'
-#       FTS_ROUTING_PROXY_PUBLISHER_PORT: 19032
-#       FTS_ROUTING_PROXY_PUBLISHER_IP: 'freetakserver'
-#       FTS_ROUTING_PROXY_SERVER_PORT: 19031
-#       FTS_ROUTING_PROXY_SERVER_IP: 'freetakserver'
-#       FTS_INTEGRATION_MANAGER_PULLER_PORT: 19033
-#       FTS_INTEGRATION_MANAGER_PULLER_ADDRESS: 'freetakserver'
-#       FTS_INTEGRATION_MANAGER_PUBLISHER_PORT: 19034
-#       FTS_INTEGRATION_MANAGER_PUBLISHER_ADDRESS: 'freetakserver'
-#       FTS_OPTIMIZE_API: "True"
-#       FTS_DATA_RECEPTION_BUFFER: 1024
-#       FTS_MAX_RECEPTION_TIME: 4
-#       FTS_NUM_ROUTING_WORKERS: 3
-#       FTS_COT_TO_DB: "True"
-#       FTS_MAINLOOP_DELAY: 100
-#       FTS_EMERGENCY_RADIUS: 0
-#       FTS_LOG_LEVEL: "info"
-#
-#   freetakserver-ui:
-#     image: ghcr.io/freetakteam/ui:latest
-#     container_name: freetakserver-ui
-#     hostname: freetakserver-ui
-#     restart: always
-#     networks:
-#       - int_net
-#     ports:
-#       - 5000:5000
-#     volumes:
-#       - /mnt/HoardingCow_docker_data/TAK/fts_ui_data:/home/freetak/data:z,rw
-#     environment:
-#       FTS_IP: "freetakserver" 
-#       FTS_API_PORT: 19023
-#       FTS_API_PROTO: 'http'
-#       FTS_UI_EXPOSED_IP: 'freetakserver-ui'
-#       FTS_MAP_EXPOSED_IP: '127.0.0.1'
-#       FTS_MAP_PORT: 8000
-#       FTS_MAP_PROTO: 'http'
-#       FTS_UI_PORT: 5000
-#       FTS_UI_WSKEY: "${FTS_WEBSOCKET_KEY}"
-#       FTS_API_KEY: 'Bearer token'
-#       FTS_UI_SQLALCHEMY_DATABASE_URI: 'sqlite:////home/freetak/data/FTSServer-UI.db'
-#     labels:
-#       - "traefik.enable=true"
-#       - "traefik.docker.network=traefik-net"
-#       - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
-#       - "traefik.http.routers.fts-ui-http.entrypoints=web"
-#       - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
-#       - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
-#       - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
-#       - "traefik.http.routers.fts-ui-https.tls=true"
-#       - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
-#       - "traefik.http.services.fts-ui.loadbalancer.server.port=5000"
-#       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
-# ── WorldMonitor ──
-# Real-time global intelligence dashboard
-# Repo: https://github.com/koala73/worldmonitor
-# Self-hosted, map-first OSINT with MCP support (39 tools)
-services:
-
-  worldmonitor:
-    build:
-      context: https://github.com/koala73/worldmonitor.git
-      dockerfile: Dockerfile
-    image: worldmonitor:latest
-    container_name: worldmonitor
-    ports:
-      - "${WM_PORT:-3000}:8080"
-    environment:
-      UPSTASH_REDIS_REST_URL: "http://redis-rest:80"
-      UPSTASH_REDIS_REST_TOKEN: "${REDIS_TOKEN:?REDIS_TOKEN required}"
-      LOCAL_API_PORT: "46123"
-      LOCAL_API_MODE: "docker"
-      LOCAL_API_CLOUD_FALLBACK: "false"
-      WS_RELAY_URL: "http://ais-relay:3004"
-      # LLM providers (optional — features degrade gracefully)
-      LLM_API_URL: "${LLM_API_URL:-}"
-      LLM_API_KEY: "${LLM_API_KEY:-}"
-      LLM_MODEL: "${LLM_MODEL:-}"
-      GROQ_API_KEY: "${GROQ_API_KEY:-}"
-      # Data source API keys (optional — features degrade gracefully)
-      AISSTREAM_API_KEY: "${AISSTREAM_API_KEY:-}"
-      FINNHUB_API_KEY: "${FINNHUB_API_KEY:-}"
-      EIA_API_KEY: "${EIA_API_KEY:-}"
-      FRED_API_KEY: "${FRED_API_KEY:-}"
-      ACLED_ACCESS_TOKEN: "${ACLED_ACCESS_TOKEN:-}"
-      NASA_FIRMS_API_KEY: "${NASA_FIRMS_API_KEY:-}"
-      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN:-}"
-      AVIATIONSTACK_API: "${AVIATIONSTACK_API:-}"
-    depends_on:
-      redis-rest:
-        condition: service_started
-      ais-relay:
-        condition: service_started
-    restart: unless-stopped
-
-  ais-relay:
-    build:
-      context: https://github.com/koala73/worldmonitor.git
-      dockerfile: Dockerfile.relay
-    image: worldmonitor-ais-relay:latest
-    container_name: worldmonitor-ais-relay
-    environment:
-      AISSTREAM_API_KEY: "${AISSTREAM_API_KEY:-}"
-      PORT: "3004"
-    restart: unless-stopped
-
-  redis:
-    image: docker.io/redis:7-alpine
-    container_name: worldmonitor-redis
-    command: >
-      redis-server
-      --requirepass "${REDIS_PASSWORD:?REDIS_PASSWORD required}"
-      --maxmemory 256mb
-      --maxmemory-policy allkeys-lru
-    volumes:
-      - wm-redis-data:/data
-    restart: unless-stopped
-
-  redis-rest:
-    build:
-      context: https://github.com/koala73/worldmonitor.git
-      dockerfile: docker/Dockerfile.redis-rest
-    image: worldmonitor-redis-rest:latest
-    container_name: worldmonitor-redis-rest
-    ports:
-      - "127.0.0.1:8079:80"
-    environment:
-      SRH_TOKEN: "${REDIS_TOKEN:?REDIS_TOKEN required}"
-      SRH_CONNECTION_STRING: "redis://:${REDIS_PASSWORD:?REDIS_PASSWORD required}@redis:6379"
-    depends_on:
-      - redis
-    restart: unless-stopped
-
-volumes:
-  wm-redis-data:

tak/compose.yml

@@ -0,0 +1,98 @@
+services:
+  freetakserver:
+    image: ghcr.io/freetakteam/freetakserver:master
+    container_name: freetakserver
+    hostname: freetakserver
+    restart: always
+    networks:
+      - tak_backend
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_data:/opt/fts:z,rw
+    ports:
+      - 8087:8087
+      - 8089:8089
+      - 8443:8443
+      - 9000:9000
+      - 19023:19023
+    environment:
+      FTS_FED_PASSWORD: "${FTS_FED_PASSWORD}"
+      FTS_CLIENT_CERT_PASSWORD: "${FTS_CLIENT_CERT_PASSWORD}"
+      FTS_WEBSOCKET_KEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_SECRET_KEY: "${FTS_SECRET_KEY}"
+      FTS_CONNECTION_MESSAGE: "Welcome to FreeTAKServer. The Parrot is not dead. It's just resting"
+      FTS_COT_PORT: 8087
+      FTS_SSLCOT_PORT: 8089
+      FTS_API_PORT: 19023
+      FTS_FED_PORT: 9000
+      FTS_DP_ADDRESS: 'freetakserver'
+      FTS_USER_ADDRESS: 'freetakserver'
+      FTS_API_ADDRESS: 'freetakserver'
+      FTS_ROUTING_PROXY_SUBSCRIBE_PORT: 19030
+      FTS_ROUTING_PROXY_SUBSCRIBE_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_PUBLISHER_PORT: 19032
+      FTS_ROUTING_PROXY_PUBLISHER_IP: 'freetakserver'
+      FTS_ROUTING_PROXY_SERVER_PORT: 19031
+      FTS_ROUTING_PROXY_SERVER_IP: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PULLER_PORT: 19033
+      FTS_INTEGRATION_MANAGER_PULLER_ADDRESS: 'freetakserver'
+      FTS_INTEGRATION_MANAGER_PUBLISHER_PORT: 19034
+      FTS_INTEGRATION_MANAGER_PUBLISHER_ADDRESS: 'freetakserver'
+      FTS_OPTIMIZE_API: "True"
+      FTS_DATA_RECEPTION_BUFFER: 1024
+      FTS_MAX_RECEPTION_TIME: 4
+      FTS_NUM_ROUTING_WORKERS: 3
+      FTS_COT_TO_DB: "True"
+      FTS_MAINLOOP_DELAY: 100
+      FTS_EMERGENCY_RADIUS: 0
+      FTS_LOG_LEVEL: "info"
+
+  freetakserver-ui:
+    image: ghcr.io/freetakteam/ui:latest
+    container_name: freetakserver-ui
+    hostname: freetakserver-ui
+    restart: always
+    networks:
+      - tak_net
+    ports:
+      - 5000:5000
+    volumes:
+      - /mnt/HoardingCow_docker_data/TAK/fts_ui_data:/home/freetak/data:z,rw
+    environment:
+      FTS_IP: "freetakserver" 
+      FTS_API_PORT: 19023
+      FTS_API_PROTO: 'http'
+      FTS_UI_EXPOSED_IP: 'freetakserver-ui'
+      FTS_MAP_EXPOSED_IP: '127.0.0.1'
+      FTS_MAP_PORT: 8000
+      FTS_MAP_PROTO: 'http'
+      FTS_UI_PORT: 5000
+      FTS_UI_WSKEY: "${FTS_WEBSOCKET_KEY}"
+      FTS_API_KEY: 'Bearer token'
+      FTS_UI_SQLALCHEMY_DATABASE_URI: 'sqlite:////home/freetak/data/FTSServer-UI.db'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+
+      # HTTP -> HTTPS Redirect
+      - "traefik.http.routers.fts-ui-http.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-http.entrypoints=web"
+      - "traefik.http.routers.fts-ui-http.middlewares=redirect-to-https"
+
+      # HTTPS Router
+      - "traefik.http.routers.fts-ui-https.rule=Host(`tak.lazyworkhorse.net`)"
+      - "traefik.http.routers.fts-ui-https.entrypoints=websecure"
+      - "traefik.http.routers.fts-ui-https.tls=true"
+      - "traefik.http.routers.fts-ui-https.tls.certresolver=njalla"
+      
+      # Service & Port
+      - "traefik.http.services.fts-ui.loadbalancer.server.port=5000"
+
+      # Reuse your existing redirect middleware
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+networks:
+  tak_net:
+    external: true
+  tak_backend:
+    driver: bridge
+    name: tak_backend