Merge PR #45 : fix: create networks as bridge instead of external

Merge pull request 'feat: add Syncthing service for Hermes org-file sync' (#30 ) from feat/syncthing-org-sync into master
Reviewed-on: #30
2026-05-20 14:39:35 -04:00 · 2026-05-19 00:28:59 +00:00 · 2026-05-18 20:25:18 -04:00 · 2026-05-14 22:24:19 -04:00 · 2026-05-14 21:40:00 -04:00 · 2026-05-14 21:35:31 -04:00
8 changed files with 65 additions and 57 deletions
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -31,6 +31,9 @@ services:
      ssh:
        - default
    container_name: hermes
+    entrypoint: ["/bin/bash", "-c",
+      "bash /opt/data/hermes-tools/install.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "hermes-entrypoint"]
    restart: always
    # Gateway run enables the internal API server on port 8642
    command: gateway run
@@ -51,6 +54,10 @@ services:
      - TZ=America/Montreal
    volumes:
      - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+      # Syncthing-shared org files — read-only view of user's agenda
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
+      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
    devices:
      - /dev/kfd:/dev/kfd
      - /dev/dri:/dev/dri
@@ -60,6 +67,35 @@ services:
    networks:
      - ai_backend

+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: syncthing
+    restart: always
+    ports:
+      - "8384:8384"
+      - "22000:22000"
+      - "21027:21027/udp"
+    environment:
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.tls=true"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
+      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+
  ollama:
    build:
      context: ./ollama
--- a/ai/hermes/Dockerfile
+++ b/ai/hermes/Dockerfile
@@ -86,7 +86,8 @@ ENV PATH="/opt/data/.local/bin:${PATH}"
 # Point browser tool to Playwright's Chromium (already in base image)
 ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome

-VOLUME [ "/opt/data" ]
+# Ensure tools directory and toolsets.py are writable by the hermes runtime user
+# so custom tools can be injected from the persistent volume at startup.
+RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py

-COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]
+VOLUME [ "/opt/data" ]
--- a/ai/hermes/fix-permissions.sh
+++ b/ai/hermes/fix-permissions.sh
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Startup permission fix + TTS patch.
-# Runs as root before the entrypoint drops to the hermes user.
-set -e
-
-HERMES_HOME="${HERMES_HOME:-/opt/data}"
-
-# Fix ownership on critical writable directories
-chown -R hermes:hermes \
-  "$HERMES_HOME/sessions" \
-  "$HERMES_HOME/checkpoints" \
-  "$HERMES_HOME/skills" \
-  "$HERMES_HOME/memories" \
-  "$HERMES_HOME/workspace" \
-  "$HERMES_HOME/pastes" \
-  "$HERMES_HOME/logs" \
-  "$HERMES_HOME/cron" \
-  "$HERMES_HOME/plans" \
-  "$HERMES_HOME/hooks" \
-  "$HERMES_HOME/cache" \
-  2>/dev/null || true
-
-# Fix data volume root ownership
-if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
-  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
-fi
-
-# ---------- Patch tts_tool.py: replace Edge TTS with Piper ----------
-# Fallback runtime patch in case the volume's site-packages differ from the image.
-# Idempotent: if already patched, the script does nothing.
-PATCH_SCRIPT="/opt/hermes/patch_tts_tool.py"
-if [ -f "$PATCH_SCRIPT" ]; then
-  echo "Applying TTS patch (Piper only, no Edge fallback)..."
-  /opt/hermes/.venv/bin/python3 "$PATCH_SCRIPT" 2>&1 || true
-fi
-
-# Chain to the official Hermes entrypoint
-exec /opt/hermes/docker/entrypoint.sh "$@"
--- a/backup/compose.yml
+++ b/backup/compose.yml
@@ -96,5 +96,5 @@ services:

 networks:
  backup_net:
-    external: true
+    driver: bridge
    name: backup_net
--- a/network/compose.yml
+++ b/network/compose.yml
@@ -82,37 +82,37 @@ networks:
    driver: bridge
    name: traefik_backend
  ai_net:
-    external: true
+    driver: bridge
    name: ai_net
  auth_net:
-    external: true
+    driver: bridge
    name: auth_net
  backup_net:
-    external: true
+    driver: bridge
    name: backup_net
  cloud_net:
-    external: true
+    driver: bridge
    name: cloud_net
  coms_net:
-    external: true
+    driver: bridge
    name: coms_net
  finance_net:
-    external: true
+    driver: bridge
    name: finance_net
  home_auto_net:
-    external: true
+    driver: bridge
    name: home_auto_net
  homepage_net:
-    external: true
+    driver: bridge
    name: homepage_net
  passman_net:
-    external: true
+    driver: bridge
    name: passman_net
  tak_net:
-    external: true
+    driver: bridge
    name: tak_net
  vc_net:
-    external: true
+    driver: bridge
    name: vc_net

  # duckdns:
--- a/versioncontrol/compose.yml
+++ b/versioncontrol/compose.yml
@@ -8,13 +8,10 @@ services:
      - USER_GID=1000
      - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
      - GITEA__actions__ENABLED=true
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
      - SSH_PORT=2222
      - SSH_LISTEN_PORT=2222
      # Enable Gitea Actions (act_runner required on host)
      - GITEA__actions__ENABLED=true
-      # Don't fetch actions from GitHub (offline mode + local only)
-      - GITEA__actions__DEFAULT_ACTIONS_URL=off
    volumes:
      - /mnt/HoardingCow_docker_data/Gitea:/data
    networks:
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -0,0 +1,9 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM ghcr.io/wg-easy/wg-easy:latest
+
+# The upstream image registers only iptables-legacy with update-alternatives.
+# iptables-nft binary exists but isn't registered as an alternative key.
+# Override the alternatives-managed symlinks directly.
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -2,7 +2,10 @@ version: "3.8"

 services:
  wireguard:
-    image: weejewel/wg-easy:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
Author	SHA1	Message	Date
Hermes	d7449e93c1	Merge PR #45 : fix: create networks as bridge instead of external	2026-05-20 14:39:35 -04:00
Thierry Pouplier	d3f2e3b7b9	Merge pull request 'feat: add Syncthing service for Hermes org-file sync' (#30 ) from feat/syncthing-org-sync into master Some checks failed Build Hermes agent / build (push) Has been cancelled Details Build ollama (gfx906) / build (push) Has been cancelled Details Reviewed-on: #30	2026-05-19 00:28:59 +00:00
Thierry Pouplier	6a44120b1a	Fixed syncthing dir path Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details	2026-05-18 20:25:18 -04:00
Thierry Pouplier	38a1451689	Merge branch 'master' into feat/syncthing-org-sync	2026-05-14 22:24:19 -04:00
Hermes	f9fb28d560	fix: route Syncthing web UI through Traefik with HTTPS Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details	2026-05-14 21:40:00 -04:00
Hermes	bcc4b6d157	feat: add Syncthing service for Hermes org-file sync Some checks failed Build Hermes agent / build (pull_request) Has been cancelled Details Build ollama (gfx906) / build (pull_request) Has been cancelled Details	2026-05-14 21:35:31 -04:00
Thierry Pouplier	8d1ae7e632	Remove the unsuported gitea action off	2026-05-13 13:11:11 -04:00
Thierry Pouplier	29ae32a1c5	Merge pull request 'fix: use ln -sf instead of update-alternatives --set for iptables-nft' (#28 ) from fix/vpn-iptables-nft-v3 into master Reviewed-on: #28	2026-05-13 16:59:50 +00:00
Hermes	8dff094768	fix: use ln -sf instead of update-alternatives --set update-alternatives --set fails because the base image only registers iptables-legacy as an alternative. The iptables-nft binary (/usr/sbin/iptables-nft) exists but isn't in the alternatives database. Direct ln -sf bypasses this.	2026-05-13 12:58:43 -04:00
Thierry Pouplier	ec08f5eb5d	Merge pull request 'fix: remove apk add iptables-nft — built-in on Alpine 3.18+' (#27 ) from fix/vpn-iptables-nft-v2 into master Reviewed-on: #27	2026-05-13 16:49:23 +00:00
Hermes	611e96b306	fix: remove apk add iptables-nft — built-in on Alpine 3.18+ In Alpine 3.18+, the 'iptables' package IS the nftables variant. iptables-nft is not a separate package. The binary is already in the base image — only need to flip update-alternatives.	2026-05-13 12:48:51 -04:00
Thierry Pouplier	f184ed957c	Merge pull request 'fix: update wg-easy to official ghcr image with iptables-nft' (#26 ) from fix/vpn-iptables-nft-upstream into master Reviewed-on: #26	2026-05-13 16:37:35 +00:00
Hermes	2bf31c7ccc	fix: update wg-easy to official ghcr image with iptables-nft - Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton) - Use update-alternatives instead of raw ln -sf to flip iptables from legacy to nftables backend - Fix compose build context: ./vpn -> . (Dockerfile was at same level) The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11. The new official image has it available, we just flip the alternatives. The old ln -sf approach was fragile across Alpine versions.	2026-05-13 12:30:15 -04:00
Thierry Pouplier	f44f93e35a	Merge pull request 'fix: add Himalaya email CLI to Hermes Docker image' (#25 ) from fix/himalaya-email-cli into master Some checks failed Build Hermes agent / build (push) Has been cancelled Details Reviewed-on: #25	2026-05-13 15:03:40 +00:00
Thierry Pouplier	4cdd157e3f	Merge pull request 'fix: add iptables-nft to wg-easy for nftables-only kernels' (#24 ) from fix/wg-easy-iptables-nft into master Reviewed-on: #24	2026-05-13 15:03:25 +00:00
Thierry Pouplier	3ba0345887	Merge pull request 'feat: install custom Hermes tools at startup, remove deprecated fix-permissions.sh' (#23 ) from feat/hermes-custom-tools-startup into master Some checks failed Build Hermes agent / build (push) Failing after 2s Details Build ollama (gfx906) / build (push) Failing after 2s Details Reviewed-on: #23	2026-05-13 13:52:36 +00:00
Hermes	5e242eb946	fix: add iptables-nft to wg-easy for nftables-only kernels wg-easy's Alpine wg-quick uses legacy iptables which requires the iptable_nat kernel module. On NixOS kernels compiled without legacy netfilter modules, the container crashes in a restart loop: iptables v1.8.3 (legacy): can't initialize iptables table 'nat' Table does not exist (do you need to insmod?) Fix: build a custom image that installs Alpine's iptables-nft package and symlinks iptables -> iptables-nft (nftables backend).	2026-05-12 14:52:33 -04:00
Hermes	e607982b21	refactor: chown tools dir at build time instead of root at runtime Some checks failed Build Hermes agent / build (pull_request) Failing after 3s Details Build ollama (gfx906) / build (pull_request) Failing after 2s Details	2026-05-12 14:47:34 -04:00
Hermes	4627199217	feat: install custom tools at startup, remove deprecated fix-permissions.sh Some checks failed Build Hermes agent / build (pull_request) Failing after 41m55s Details Build ollama (gfx906) / build (pull_request) Failing after 2s Details	2026-05-12 13:38:26 -04:00
Thierry Pouplier	28a172e828	fix: create networks as bridge instead of external - Changed all networks from external: true to driver: bridge - Fixes chicken-and-egg problem where networks must exist before stacks can start - backup_net, ai_net, auth_net, cloud_net, coms_net, finance_net, home_auto_net, homepage_net, passman_net, tak_net, vc_net now created automatically	2026-04-29 18:42:09 +00:00