feat: add 7zz for CHM documentation extraction

Download static 7-Zip binary at Docker build time for extracting Microsoft Compiled HTML Help (.chm) files. Follows the same pattern as the existing Himalaya CLI installation. 7zz is scraped from 7-zip.org/download.html at build time.

ai/compose.yml

@@ -32,7 +32,7 @@ services:
         - default
     container_name: hermes
     entrypoint: ["/bin/bash", "-c",
-      "bash /opt/data/hermes-tools/install.sh && /opt/hermes/.venv/bin/uv pip install openai mautrix[encryption] --system -q && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
       "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
@@ -44,7 +44,7 @@ services:
       - API_SERVER_HOST=0.0.0.0
       - API_SERVER_KEY=hermes_local_key
       - GATEWAY_ALLOW_ALL_USERS=true
-      - OPENROUTER_API_KEY=${OPEN...KEY}
+      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
       # ROCm for GPU-accelerated faster-whisper STT
       - HSA_OVERRIDE_GFX_VERSION=9.0.6
       - HCC_AMDGPU_TARGET=gfx906
@@ -54,12 +54,6 @@ services:
       - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
-      # Syncthing-shared org files — read-only view of user's agenda
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
-      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
-      # Persistent venv — Matrix bridge and other pip deps survive container rebuilds
-      - /mnt/HoardingCow_docker_data/Hermes/venv:/opt/hermes/.venv
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -69,35 +63,6 @@ services:
     networks:
       - ai_backend
 
-  syncthing:
-    image: syncthing/syncthing:latest
-    container_name: syncthing
-    hostname: syncthing
-    restart: always
-    ports:
-      - "8384:8384"
-      - "22000:22000"
-      - "21027:21027/udp"
-    environment:
-      - TZ=America/Montreal
-    volumes:
-      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
-      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
-    networks:
-      - ai_backend
-      - ai_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-http.entrypoints=web"
-      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
-      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
-      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
-      - "traefik.http.routers.syncthing-https.tls=true"
-      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
-      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
-
   ollama:
     build:
       context: ./ollama
@@ -131,62 +96,6 @@ services:
       - "303"
       - "26"
 
-  paperclip-db:
-    image: postgres:17-alpine
-    container_name: paperclip-db
-    restart: always
-    environment:
-      POSTGRES_USER: paperclip
-      POSTGRES_PASSWORD: ${PAPERCLIP_DB_PASSWORD:?PAPERCLIP_DB_PASSWORD must be set}
-      POSTGRES_DB: paperclip
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U paperclip -d paperclip"]
-      interval: 5s
-      timeout: 5s
-      retries: 10
-    volumes:
-      - /mnt/HoardingCow_docker_data/Paperclip/pgdata:/var/lib/postgresql/data
-    networks:
-      - ai_backend
-
-  paperclip:
-    image: ghcr.io/paperclipai/paperclip:v2026.517.0
-    container_name: paperclip
-    restart: always
-    ports:
-      - "127.0.0.1:3100:3100"
-    environment:
-      - HOST=0.0.0.0
-      - PORT=3100
-      - SERVE_UI=true
-      - DATABASE_URL=postgres://paperclip:***@paperclip-db:5432/paperclip
-      - BETTER_AUTH_SECRET=${PAPE...CRET must be set}
-      - PAPERCLIP_PUBLIC_URL=https://paperclip.lazyworkhorse.net
-      - PAPERCLIP_DEPLOYMENT_MODE=authenticated
-      - PAPERCLIP_DEPLOYMENT_EXPOSURE=private
-    volumes:
-      - /mnt/HoardingCow_docker_data/Paperclip/data:/paperclip
-    depends_on:
-      paperclip-db:
-        condition: service_healthy
-    networks:
-      - ai_net
-      - ai_backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=ai_net"
-
-      - "traefik.http.routers.paperclip-http.rule=Host(`paperclip.lazyworkhorse.net`)"
-      - "traefik.http.routers.paperclip-http.entrypoints=web"
-      - "traefik.http.routers.paperclip-http.middlewares=redirect-to-https"
-
-      - "traefik.http.routers.paperclip-https.rule=Host(`paperclip.lazyworkhorse.net`)"
-      - "traefik.http.routers.paperclip-https.entrypoints=websecure"
-      - "traefik.http.routers.paperclip-https.tls=true"
-      - "traefik.http.routers.paperclip-https.tls.certresolver=njalla"
-
-      - "traefik.http.services.paperclip.loadbalancer.server.port=3100"
-
 networks:
   ai_net:
     external: true
@@ -338,8 +247,8 @@ networks:
   #     - /home/gortium/infra:/data/workspace/infra
   #   environment:
   #     - TZ=America/Toronto
-  #     - OPENCLAW_GATEWAY_TOKEN=${OPEN...KEN}
+  #     - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
-  #     - OPENROUTER_API_KEY=${OPEN...KEY}
+  #     - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
   #     # Point to the sidecar browser
   #     - BROWSER_CDP_URL=http://openclaw-browser:9222
   #     - BROWSER_EVALUATE_ENABLED=true
@@ -384,7 +293,7 @@ networks:
   #     - PGID=1000
   #     - PUBLIC_KEY_FILE=/config/ssh/authorized_keys
   #     - SUDO_ACCESS=false
-  #     - PASSWORD_ACCESS=***
+  #     - PASSWORD_ACCESS=false
   #   volumes:
   #     - /mnt/HoardingCow_docker_data/openclaw/ssh-config:/config
   #     - /home/gortium/infra:/data/workspace/infra:ro

ai/hermes/Dockerfile

@@ -78,6 +78,47 @@ PYEOF
 # ---------- Install himalaya-ro wrapper ----------
 COPY --chmod=0755 himalaya-ro.sh /usr/local/bin/himalaya-ro
 
+# ---------- Install 7-Zip for CHM extraction ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil, re, subprocess
+
+# Scrape 7-zip.org for latest Linux x64 binary
+url = 'https://7-zip.org/download.html'
+req = urllib.request.Request(url, headers={'User-Agent': 'Mozilla/5.0'})
+r = urllib.request.urlopen(req, timeout=15)
+html = r.read().decode()
+
+links = re.findall(r'href="(a/7z[\d]+-linux-x64\.tar\.xz)"', html)
+if not links:
+    raise RuntimeError("Could not find 7z download link")
+
+dl_url = f'https://7-zip.org/{links[0]}'
+print(f'Downloading 7z from {dl_url}...')
+req = urllib.request.Request(dl_url, headers={'User-Agent': 'Mozilla/5.0'})
+r = urllib.request.urlopen(req, timeout=30)
+data = r.read()
+
+with open('/tmp/7z.tar.xz', 'wb') as f:
+    f.write(data)
+
+subprocess.run(['tar', '-xJf', '/tmp/7z.tar.xz', '-C', '/tmp/'], check=True)
+
+for root, dirs, files in os.walk('/tmp'):
+    for f in files:
+        if f == '7zz':
+            src = os.path.join(root, f)
+            shutil.move(src, '/usr/local/bin/7zz')
+            os.chmod('/usr/local/bin/7zz', 0o755)
+            print(f'7zz installed from {src}')
+            break
+
+os.remove('/tmp/7z.tar.xz')
+
+# Verify
+r = subprocess.run(['/usr/local/bin/7zz'], capture_output=True, text=True)
+print(f'7-Zip {r.stdout.strip()[:60]}')
+PYEOF
+
 
 # ---------- Runtime ----------
 USER hermes

backup/compose.yml

@@ -96,5 +96,5 @@ services:
 
 networks:
   backup_net:
-    driver: bridge
+    external: true
     name: backup_net

network/compose.yml

@@ -82,37 +82,37 @@ networks:
     driver: bridge
     name: traefik_backend
   ai_net:
-    driver: bridge
+    external: true
     name: ai_net
   auth_net:
-    driver: bridge
+    external: true
     name: auth_net
   backup_net:
-    driver: bridge
+    external: true
     name: backup_net
   cloud_net:
-    driver: bridge
+    external: true
     name: cloud_net
   coms_net:
-    driver: bridge
+    external: true
     name: coms_net
   finance_net:
-    driver: bridge
+    external: true
     name: finance_net
   home_auto_net:
-    driver: bridge
+    external: true
     name: home_auto_net
   homepage_net:
-    driver: bridge
+    external: true
     name: homepage_net
   passman_net:
-    driver: bridge
+    external: true
     name: passman_net
   tak_net:
-    driver: bridge
+    external: true
     name: tak_net
   vc_net:
-    driver: bridge
+    external: true
     name: vc_net
 
   # duckdns:

versioncontrol/compose.yml

@@ -8,10 +8,13 @@ services:
       - USER_GID=1000
       - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
       - GITEA__actions__ENABLED=true
+      - GITEA__actions__DEFAULT_ACTIONS_URL=off
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
       # Enable Gitea Actions (act_runner required on host)
       - GITEA__actions__ENABLED=true
+      # Don't fetch actions from GitHub (offline mode + local only)
+      - GITEA__actions__DEFAULT_ACTIONS_URL=off
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks: