switch-openconcho-to-fork

- Update Dockerfile to clone from code.lazyworkhorse.net/Hermes/honcho.git
  (uses build arg HONCHO_REPO, can be overridden at build time)
- Add config.toml volume mount from HoardingCow persistent path
- Use named volume honcho_data instead of host bind mount
- Declare honcho_data as external volume in top-level volumes section

.gitea/workflows/build-hermes.yml

@@ -0,0 +1,31 @@
+name: Build Hermes agent
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'ai/hermes/**'
+      - 'ai/compose.yml'
+  push:
+    branches: [ master ]
+    paths:
+      - 'ai/hermes/**'
+      - 'ai/compose.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        run: |
+          git clone -b "${{ github.head_ref || github.ref_name }}" \
+            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/compose.git .
+          git log --oneline -3
+
+      - name: Build hermes image
+        run: |
+          cd ai
+          docker compose build hermes 2>&1
+
+      - name: Verify image
+        run: |
+          docker run --rm ai-hermes /opt/hermes/.venv/bin/python --version 2>&1

.gitea/workflows/build-ollama.yml

@@ -0,0 +1,31 @@
+name: Build ollama (gfx906)
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'ai/ollama/**'
+      - 'ai/compose.yml'
+  push:
+    branches: [ master ]
+    paths:
+      - 'ai/ollama/**'
+      - 'ai/compose.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        run: |
+          git clone -b "${{ github.head_ref || github.ref_name }}" \
+            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/compose.git .
+          git log --oneline -3
+
+      - name: Build ollama image
+        run: |
+          cd ai
+          docker compose build ollama --no-cache 2>&1
+
+      - name: Verify version
+        run: |
+          docker run --rm ollama/ollama:rocm-gfx906 ollama --version 2>&1

ai/Dockerfile

@@ -1,116 +0,0 @@
-# 1. On récupère la version la plus récente d'UV
-FROM ghcr.io/astral-sh/uv:latest AS uv_source
-
-# 2. Image de base stable
-FROM debian:stable-slim
-
-# Disable Python stdout buffering to ensure logs are printed immediately
-ENV PYTHONUNBUFFERED=1
-
-# Install system dependencies in one layer, clear APT cache
-# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.)
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
-        curl poppler-utils imagemagick \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
-        qemu-user-static binfmt-support qemu-user-binfmt \
-        emacs-nox \
-        libportaudio2 \
-        ca-certificates && \
-    rm -rf /var/lib/apt/lists/*
-
-# Création de l'utilisateur 'hermes' directement avec les bons accès
-RUN useradd -u 10000 -m -d /opt/data hermes
-
-# Copie d'uv (dernière version)
-COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
-
-WORKDIR /opt/hermes
-
-# On donne la propriété du dossier de travail à l'utilisateur hermes
-RUN chown hermes:hermes /opt/hermes
-
-# ---------- Hermes venv ----------
-# Passer immédiatement sous l'utilisateur hermes pour tout le reste du build
-USER hermes
-
-# ---------- Source code ----------
-# On copie tout le projet d'un coup sans assumer la présence de fichiers de lock spécifiques
-COPY --chown=hermes:hermes . .
-
-# ---------- Python virtualenv avec Piper TTS ----------
-RUN uv venv && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy faster-whisper
-
-# ---------- Télécharger la voix Piper Ryan (high quality) ----------
-RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
-    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request
-base = '/opt/hermes/.venv/share/piper/voices'
-url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
-urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
-urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
-PYEOF
- 
-# ---------- Patch atomic writes to preserve file permissions ----------
-# Fixes https://github.com/NousResearch/hermes-agent/issues/14181
-# tempfile.mkstemp() creates files as 0600; os.replace() preserves that mode,
-# so group-readable files silently collapse to owner-private 0600.
-# This affects: skills, sessions, memories, and any file written atomically.
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import os
-
-patches = [
-    ("/opt/hermes/tools/skill_manager_tool.py", [
-        ("# Restore existing file mode if present", True),  # already patched
-    ]),
-    ("/opt/hermes/tools/skills_sync.py", [
-        ("# Restore existing file mode if present", True),  # already patched
-    ]),
-]
-
-for fpath, checks in patches:
-    if not os.path.exists(fpath):
-        print(f"SKIP {fpath} (not found)")
-        continue
-    with open(fpath) as f:
-        code = f.read()
-    all_ok = all(marker in code for marker, _ in checks)
-    if all_ok:
-        print(f"OK {fpath} (already patched)")
-        continue
-    print(f"PATCH {fpath}")
-    # _atomic_write_text in skill_manager_tool.py
-    code = code.replace(
-        "        os.replace(temp_path, file_path)",
-        "        if file_path.exists():\n"
-        "            existing_mode = file_path.stat().st_mode\n"
-        "            os.chmod(temp_path, existing_mode)\n"
-        "        os.replace(temp_path, file_path)",
-    )
-    # _write_manifest in skills_sync.py
-    code = code.replace(
-        "            os.replace(tmp_path, MANIFEST_FILE)",
-        "            if MANIFEST_FILE.exists():\n"
-        "                existing_mode = MANIFEST_FILE.stat().st_mode\n"
-        "                os.chmod(tmp_path, existing_mode)\n"
-        "            os.replace(tmp_path, MANIFEST_FILE)",
-    )
-    with open(fpath, 'w') as f:
-        f.write(code)
-    print(f"DONE {fpath}")
-PYEOF
-
-# ---------- Runtime ----------
-ENV HERMES_HOME=/opt/data
-ENV PATH="/opt/data/.local/bin:${PATH}"
-
-VOLUME [ "/opt/data" ]
-
-# Copie du script de réparation des permissions (lancement au démarrage)
-COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
-
-# Le conteneur tourne de manière ultra-sécurisée sous l'utilisateur hermes dès le départ
-# fix-permissions.sh chown les répertoires critiques avant de chaîner vers entrypoint.sh
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]

ai/compose.yml

@@ -1,4 +1,3 @@
-version: "3.8"
 services:
 
   # webui:
@@ -26,13 +25,24 @@ services:
   #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./
+    build:
+      context: ./hermes
+      ssh:
+        - default
     container_name: hermes
+    entrypoint: ["/bin/bash", "-c",
+      "bash /opt/data/hermes-tools/install.sh && bash /usr/local/bin/run-multi-gateways.sh && exec /usr/bin/tini -g -- /opt/hermes/docker/entrypoint.sh \"$@\"",
+      "hermes-entrypoint"]
     restart: always
     # Gateway run enables the internal API server on port 8642
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
+      # Multi-profile: comma-separated list of profiles to run as gateways.
+      # The entrypoint reads this and starts one gateway per profile.
+      # Add profiles here when they exist on disk (e.g. default,researcher,writer)
+      - HERMES_PROFILES=ashley,claire,finn,matt,paul
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -45,8 +55,13 @@ services:
       - HIP_VISIBLE_DEVICES=0,1
       - ROCR_VISIBLE_DEVICES=0,1
       - HSA_ENABLE_SDMA=0
+      - TZ=America/Montreal
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
+      # Syncthing-shared org files — read-only view of user's agenda
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/opt/data/telos-ro:ro
+      # Syncthing-shared inbox — write tasks here, they sync to user's laptop
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/opt/data/telos-rw:rw
     devices:
       - /dev/kfd:/dev/kfd
       - /dev/dri:/dev/dri
@@ -55,11 +70,69 @@ services:
       - "26"
     networks:
       - ai_backend
+      - ai_net
+    depends_on:
+      - honcho
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.hermes-web-http.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-http.entrypoints=web"
+      - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
+      - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
+      - "traefik.http.routers.hermes-web-https.tls=true"
+      - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
+
+      # Service Loadbalancer (dashboard port 9119)
+      - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
+
+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: syncthing
+    restart: always
+    ports:
+      - "8384:8384"
+      - "22000:22000"
+      - "21027:21027/udp"
+    environment:
+      - TZ=America/Montreal
+    volumes:
+      - /mnt/HoardingCow_docker_data/Syncthing/config:/var/syncthing/config
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-ro:/telos-ro
+      - /mnt/HoardingCow_docker_data/Syncthing/telos-rw:/telos-rw
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.lazyworkhorse.net`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.tls=true"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=njalla"
+      - "traefik.http.services.syncthing.loadbalancer.server.port=8384"
+
 
   ollama:
-    image: ollama/ollama:latest
+    build:
+      context: ./ollama
+      dockerfile: Dockerfile
+    image: ollama/ollama:rocm-gfx906
     container_name: ollama
-    privileged: true
     tty: true
     restart: always 
     ports:
@@ -77,7 +150,7 @@ services:
       - HSA_ENABLE_SDMA=0 
       - OLLAMA_HOST=0.0.0.0
       - OLLAMA_DEBUG=1
-      - OLLAMA_FLASH_ATTENTION=0
+      - OLLAMA_FLASH_ATTENTION=1
       - OLLAMA_NUM_PARALLEL=2
     devices:
       # Map the render nodes and KFD for ROCm to work inside the container
@@ -87,6 +160,92 @@ services:
       - "303"
       - "26"
 
+  # --- Honcho + OpenConcho combiné: API + Web UI nginx/FastAPI ---
+  honcho:
+    build:
+      context: ./honcho
+      ssh:
+        - default
+    container_name: honcho
+    restart: unless-stopped
+    environment:
+      - DB_CONNECTION_URI=postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho
+      - CACHE_URL=redis://honcho-redis:6379/0
+      - CACHE_ENABLED=true
+      - EMBEDDING_VECTOR_DIMENSIONS=1024
+      - AUTH_USE_AUTH=true
+      - AUTH_JWT_SECRET=${HONCHO_AUTH_JWT_SECRET}
+      # Needed by deriver/dream to make LLM calls (api_key_env = "HONCHO_OPENAI_API_KEY" in config.toml)
+      - HONCHO_OPENAI_API_KEY=${HONCHO_OPENAI_API_KEY}
+    volumes:
+      - honcho_data:/app/data
+      - /mnt/HoardingCow_docker_data/Honcho/config.toml:/app/config.toml:ro
+    networks:
+      - ai_backend
+      - ai_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=ai_net"
+
+      # Router for HTTP + redirect to HTTPS
+      - "traefik.http.routers.honcho-http.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-http.entrypoints=web"
+      - "traefik.http.routers.honcho-http.middlewares=redirect-to-https"
+
+      # Router for HTTPS with TLS — protected by Authelia
+      - "traefik.http.routers.honcho-https.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-https.entrypoints=websecure"
+      - "traefik.http.routers.honcho-https.tls=true"
+      - "traefik.http.routers.honcho-https.tls.certresolver=njalla"
+      - "traefik.http.routers.honcho-https.middlewares=hermes-auth"
+
+      # Service Loadbalancer (nginx port)
+      - "traefik.http.services.honcho.loadbalancer.server.port=80"
+    depends_on:
+      honcho-db:
+        condition: service_healthy
+      honcho-redis:
+        condition: service_healthy
+
+  honcho-db:
+    image: pgvector/pgvector:pg15
+    container_name: honcho-db
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:5432:5432"
+    command: ["postgres", "-c", "max_connections=200"]
+    environment:
+      - POSTGRES_DB=honcho
+      - POSTGRES_USER=honcho
+      - POSTGRES_PASSWORD=honcho_pass
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/postgres:/var/lib/postgresql/data
+      - ./honcho/init-db.sql:/docker-entrypoint-initdb.d/init.sql:ro
+    networks:
+      - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U honcho -d honcho"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  honcho-redis:
+    image: redis:8
+    container_name: honcho-redis
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:6379:6379"
+    volumes:
+      - /mnt/HoardingCow_docker_data/Honcho/redis:/data
+    networks:
+      - ai_backend
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
 networks:
   ai_net:
     external: true
@@ -95,6 +254,11 @@ networks:
     driver: bridge
     name: ai_backend
 
+volumes:
+  honcho_data:
+    external: true
+    name: honcho_data
+    
   # llama_cpp_devstral:
   #   image: ghcr.io/ggml-org/llama.cpp:server-rocm
   #   container_name: llama_cpp_devstral

ai/fix-permissions.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-# Startup permission fix for the Hermes data volume.
-# Runs as root before the entrypoint drops to the hermes user.
-# Fixes files that were created by root (host agent, cron jobs, etc.)
-# becoming inaccessible to the hermes runtime user.
-set -e
-
-HERMES_HOME="${HERMES_HOME:-/opt/data}"
-
-# Fix ownership on critical writable directories so hermes user can access them
-chown -R hermes:hermes \
-  "$HERMES_HOME/sessions" \
-  "$HERMES_HOME/checkpoints" \
-  "$HERMES_HOME/skills" \
-  "$HERMES_HOME/memories" \
-  "$HERMES_HOME/workspace" \
-  "$HERMES_HOME/pastes" \
-  "$HERMES_HOME/logs" \
-  "$HERMES_HOME/cron" \
-  "$HERMES_HOME/plans" \
-  "$HERMES_HOME/hooks" \
-  "$HERMES_HOME/cache" \
-  2>/dev/null || true
-
-# Also fix the data volume root if it's wrong
-if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
-  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
-fi
-
-# Now chain to the real entrypoint
-exec /opt/hermes/docker/entrypoint.sh "$@"

ai/hermes/Dockerfile

@@ -0,0 +1,103 @@
+# syntax=docker/dockerfile:1
+# Hermes Agent -- custom fork build
+# Builds on top of official image + overlays our forked source from Gitea.
+# Requires Docker BuildKit. Pass SSH agent for git clone:
+#   docker compose build hermes
+# Or manually:
+#   DOCKER_BUILDKIT=1 docker build --ssh default -t hermes-agent:custom .
+
+# ---------- Base: official Hermes image (system deps, npm, uv, Playwright) ----------
+FROM nousresearch/hermes-agent:latest
+
+# ---------- Overlay our forked source ----------
+# Uses SSH agent forwarding from the build host (no key baked into image).
+# --exclude node_modules/.venv keeps the base image's pre-built layers intact.
+# Only the Python source, web UI source, and config change.
+RUN --mount=type=ssh \
+    mkdir -p /root/.ssh && \
+    ssh-keyscan -p 2222 code.lazyworkhorse.net >> /root/.ssh/known_hosts 2>/dev/null && \
+    cd /tmp && \
+    GIT_SSH_COMMAND='ssh -p 2222 -o StrictHostKeyChecking=no' \
+    git clone --depth 1 --branch main \
+    git@code.lazyworkhorse.net:gortium/hermes-agent.git fork && \
+    rm -rf fork/node_modules fork/.venv fork/.git && \
+    cp -a fork/. /opt/hermes/ && \
+    rm -rf /tmp/fork /root/.ssh/
+
+# ---------- Reinstall Python package (editable) ----------
+# Picks up source changes from our fork.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir --no-deps -e /opt/hermes
+
+# ---------- Extra system deps ----------
+USER root
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        libportaudio2 ca-certificates poppler-utils imagemagick \
+        libolm-dev \
+        texlive-latex-base texlive-latex-extra texlive-fonts-recommended \
+        texlive-xetex texlive-science \
+        qemu-user-static binfmt-support emacs-nox && \
+    rm -rf /var/lib/apt/lists/*
+
+# ---------- UV ----------
+COPY --chmod=0755 --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/
+
+# ---------- Matrix bridge + extra pip deps ----------
+# Previously installed inline at container startup and persisted via volume mount.
+# Now baked into the image so the fragile venv volume mount can be removed.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
+
+WORKDIR /opt/hermes
+
+# ---------- Matrix bridge + extra pip deps ----------
+# Previously installed inline at container startup and persisted via volume mount.
+# Now baked into the image so the fragile venv volume mount can be removed.
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir 'mautrix[encryption]' openai
+
+# ---------- Piper TTS ----------
+RUN . /opt/hermes/.venv/bin/activate && \
+    uv pip install --no-cache-dir piper-tts sounddevice numpy && \
+    mkdir -p /opt/hermes/.venv/share/piper/voices
+
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request
+base = '/opt/hermes/.venv/share/piper/voices'
+url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
+urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
+urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
+PYEOF
+
+# ---------- Install Himalaya email CLI ----------
+RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
+import urllib.request, tarfile, os, shutil
+url = 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.x86_64-linux.tgz'
+tgz = '/tmp/himalaya.tgz'
+urllib.request.urlretrieve(url, tgz)
+with tarfile.open(tgz) as t:
+    t.extractall('/tmp')
+shutil.move('/tmp/himalaya', '/usr/local/bin/himalaya')
+os.chmod('/usr/local/bin/himalaya', 0o755)
+os.remove(tgz)
+print('himalaya v1.2.0 installed')
+PYEOF
+
+# ---------- Install multi-gateway launcher ----------
+# Launches one gateway process per profile (HERMES_PROFILES env var)
+COPY --chmod=0755 run-multi-gateways.sh /usr/local/bin/run-multi-gateways.sh
+
+# ---------- Runtime ----------
+USER hermes
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+# Point browser tool to Playwright's Chromium (already in base image)
+ENV CHROME_EXECUTABLE=/opt/hermes/.playwright/chromium/chrome-linux/chrome
+
+# Ensure tools directory and toolsets.py are writable by the hermes runtime user
+# so custom tools can be injected from the persistent volume at startup.
+USER root
+RUN chown -R hermes:hermes /opt/hermes/tools /opt/hermes/toolsets.py
+
+VOLUME [ "/opt/data" ]

ai/hermes/patch_tts_tool.py

@@ -0,0 +1,181 @@
+#!/usr/bin/env python3
+"""Patch Hermes TTS tool: add Piper TTS provider, remove Edge TTS as default.
+
+Patches ALL copies of tts_tool.py found (venv site-packages + /opt/hermes/tools/).
+
+Searches multiple paths for tts_tool.py so it works both at build time
+(in the image venv) and at runtime (on the mounted data volume).
+
+Idempotent: if already patched, does nothing.
+"""
+
+import sys
+import os
+
+# ---------------------------------------------------------------------------
+# Search for all copies of tts_tool.py
+# ---------------------------------------------------------------------------
+CANDIDATE_PATHS = [
+    "/opt/hermes/.venv/lib/python3.13/site-packages/tools/tts_tool.py",
+    "/opt/hermes/tools/tts_tool.py",
+]
+
+found_paths = []
+
+for p in CANDIDATE_PATHS:
+    if os.path.exists(p):
+        found_paths.append(p)
+        print(f"Found tts_tool.py at: {p}")
+
+# Also try to find via Python import
+import subprocess
+try:
+    result = subprocess.run(
+        [sys.executable, "-c", "import tools.tts_tool; print(tools.tts_tool.__file__)"],
+        capture_output=True, text=True, timeout=5
+    )
+    if result.returncode == 0:
+        p = result.stdout.strip()
+        if os.path.exists(p) and p not in found_paths:
+            found_paths.append(p)
+            print(f"Found tts_tool.py via import at: {p}")
+except Exception:
+    pass
+
+if not found_paths:
+    print("WARNING: tts_tool.py not found anywhere. Patching deferred to runtime.")
+    print(f"Searched: {CANDIDATE_PATHS}")
+    sys.exit(0)
+
+# ---------------------------------------------------------------------------
+# Old else block: the Edge TTS default fallback to replace
+# ---------------------------------------------------------------------------
+old_else = '''        else:
+            # Default: Edge TTS (free), with NeuTTS as local fallback
+            edge_available = True
+            try:
+                _import_edge_tts()
+            except ImportError:
+                edge_available = False
+
+            if edge_available:
+                logger.info("Generating speech with Edge TTS...")
+                try:
+                    import concurrent.futures
+                    with concurrent.futures.ThreadPoolExecutor(max_workers=1) as pool:
+                        pool.submit(
+                            lambda: asyncio.run(_generate_edge_tts(text, file_str, tts_config))
+                        ).result(timeout=60)
+                except RuntimeError:
+                    asyncio.run(_generate_edge_tts(text, file_str, tts_config))
+            elif _check_neutts_available():
+                logger.info("Edge TTS not available, falling back to NeuTTS (local)...")
+                provider = "neutts"
+                _generate_neutts(text, file_str, tts_config)
+            else:
+                return json.dumps({
+                    "success": False,
+                    "error": "No TTS provider available. Install edge-tts (pip install edge-tts) "
+                             "or set up NeuTTS for local synthesis."
+                }, ensure_ascii=False)'''
+
+# ---------------------------------------------------------------------------
+# New block: elif provider == "piper" + else: fallback with Piper only
+# ---------------------------------------------------------------------------
+new_block = '''        elif provider == "piper":
+            # Piper TTS (local, CPU, no cloud, no Microsoft)
+            piper_binary = "/opt/hermes/.venv/bin/piper"
+            piper_config = tts_config.get("piper", {})
+            voice = piper_config.get("voice", "en_US-lessac-medium")
+            model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
+            model_path = os.path.join(model_dir, f"{voice}.onnx")
+            if not os.path.exists(model_path):
+                return json.dumps({
+                    "success": False,
+                    "error": "Piper TTS voice model not found. "
+                             "Install Piper TTS and download a voice model."
+                }, ensure_ascii=False)
+            logger.info("Generating speech with Piper TTS (local, CPU)...")
+            import subprocess as _sp
+            cmd = [piper_binary, "--model", model_path, "--output-raw"]
+            try:
+                proc = _sp.Popen(cmd, stdin=_sp.PIPE, stdout=_sp.PIPE, stderr=_sp.PIPE)
+                raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
+                if proc.returncode != 0:
+                    raise RuntimeError(f"Piper TTS failed: {stderr.decode()[:200]}")
+                ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
+                _sp.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
+            except Exception as e:
+                return json.dumps({
+                    "success": False,
+                    "error": f"Piper TTS failed: {e}"
+                }, ensure_ascii=False)
+
+        else:
+            # Default: Piper TTS (local, CPU, no cloud, no Microsoft)
+            piper_binary = "/opt/hermes/.venv/bin/piper"
+            piper_config = tts_config.get("piper", {})
+            voice = piper_config.get("voice", "en_US-lessac-medium")
+            model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
+            model_path = os.path.join(model_dir, f"{voice}.onnx")
+            if os.path.exists(model_path) and os.path.exists(piper_binary):
+                logger.info("Generating speech with Piper TTS (local, CPU)...")
+                import subprocess as _sp
+                cmd = [piper_binary, "--model", model_path, "--output-raw"]
+                try:
+                    proc = _sp.Popen(cmd, stdin=_sp.PIPE, stdout=_sp.PIPE, stderr=_sp.PIPE)
+                    raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
+                    if proc.returncode != 0:
+                        raise RuntimeError(stderr.decode()[:200])
+                    ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
+                    _sp.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
+                except Exception:
+                    pass
+            else:
+                return json.dumps({
+                    "success": False,
+                    "error": "Piper TTS not available. Install piper-tts and download a voice model."
+                }, ensure_ascii=False)'''
+
+# ---------------------------------------------------------------------------
+# Apply the patch to all copies found
+# ---------------------------------------------------------------------------
+patched_any = False
+
+for tts_path in found_paths:
+    with open(tts_path) as f:
+        code = f.read()
+
+    if 'provider == "piper"' in code:
+        print(f"ALREADY PATCHED: {tts_path}")
+        continue
+
+    if old_else in code:
+        code = code.replace(old_else, new_block, 1)
+        with open(tts_path, 'w') as f:
+            f.write(code)
+        print(f"PATCHED: {tts_path}")
+        patched_any = True
+    else:
+        print(f"SKIP {tts_path}: Edge fallback pattern not found")
+        import re
+        for m in re.finditer(r'        else:\n            # Default:', code):
+            start = max(0, m.start() - 100)
+            end = min(len(code), m.end() + 300)
+            print(f"  Found 'else:/# Default:' at position {m.start()}:")
+            print(f"  {code[start:end]}")
+            print("  ---")
+        # Don't exit with error — if one copy isn't patchable, try the others
+
+if not patched_any:
+    all_patched = all(
+        'provider == "piper"' in open(p).read()
+        for p in found_paths
+    )
+    if all_patched:
+        print("All copies already patched.")
+        sys.exit(0)
+    print("WARNING: Could not patch any copy of tts_tool.py")
+    sys.exit(1)
+
+print("tts_tool.py patched successfully across all copies.")

ai/hermes/run-multi-gateways.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Multi-gateway launcher for HERMES_PROFILES env var.
+# Reads comma-separated profile names, spawns one gateway per profile.
+# Designed to run before the main entrypoint — gateways run in background.
+set -e
+
+if [ -z "${HERMES_PROFILES}" ]; then
+  echo "HERMES_PROFILES not set — skipping multi-gateway launch"
+  exit 0
+fi
+
+# Source venv to make 'hermes' available (entrypoint.sh sources it later,
+# but we need it NOW for the background gateways)
+HERMES_BIN="/opt/hermes/.venv/bin/hermes"
+if [ ! -x "$HERMES_BIN" ]; then
+  echo "ERROR: hermes binary not found at $HERMES_BIN"
+  exit 1
+fi
+
+mkdir -p /opt/data/logs
+
+IFS=',' read -ra PROFILES <<< "${HERMES_PROFILES}"
+for profile in "${PROFILES[@]}"; do
+  profile="$(echo "${profile}" | xargs)"  # trim whitespace
+  [ -z "${profile}" ] && continue
+
+  echo "Starting gateway for profile: ${profile}"
+  nohup env API_SERVER_ENABLED=false API_SERVER_KEY= gosu hermes "$HERMES_BIN" --profile "${profile}" gateway run \
+      >> "/opt/data/logs/gateway-${profile}.log" 2>&1 &
+done
+
+echo "All gateways launched: ${HERMES_PROFILES}"

ai/honcho/Dockerfile

@@ -0,0 +1,75 @@
+# build stage — fetches and builds Honcho from source
+FROM python:3.13-slim-bookworm AS honcho-builder
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git openssh-client && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /bin/uv
+
+ARG HONCHO_REPO=ssh://git@code.lazyworkhorse.net:2222/Hermes/honcho.git
+ARG HONCHO_REF=main
+RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan -p 2222 code.lazyworkhorse.net >> ~/.ssh/known_hosts 2>/dev/null
+RUN --mount=type=ssh git clone --depth 1 --branch ${HONCHO_REF} ${HONCHO_REPO} /app
+
+WORKDIR /app
+
+ENV UV_COMPILE_BYTECODE=1
+ENV UV_LINK_MODE=copy
+ENV UV_PYTHON=/usr/local/bin/python3.13
+
+RUN uv sync --frozen
+
+# build stage — builds OpenConcho SPA
+FROM node:22-bookworm AS openconcho-builder
+
+ENV PNPM_HOME=/pnpm
+ENV PATH=$PNPM_HOME:$PATH
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /app
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+
+ARG OPENCONCHO_SHA=3b5c3293fc18d768dbe85285264a8d66c896bd81
+RUN --mount=type=ssh git clone --depth 1 ssh://git@code.lazyworkhorse.net:2222/gortium/openconcho.git /app && \
+    git -C /app fetch --depth 1 origin ${OPENCONCHO_SHA} && \
+    git -C /app checkout ${OPENCONCHO_SHA}
+
+RUN pnpm install --frozen-lockfile
+RUN pnpm --filter @openconcho/web build
+
+# runtime stage — nginx + Honcho FastAPI
+FROM python:3.13-slim-bookworm
+
+# Install nginx and create runtime dirs before dropping permissions
+RUN apt-get update && apt-get install -y --no-install-recommends nginx && \
+    rm -rf /var/log/nginx/* && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm -f /etc/nginx/sites-enabled/default
+
+# Patch nginx.conf: comment out "user www-data;" so nginx master stays as root
+# (workers inherit root inside a container — fine for single-service isolation)
+RUN sed -i 's/^user /# user /' /etc/nginx/nginx.conf
+
+# Pre-create nginx runtime directories with proper ownership
+RUN mkdir -p /var/lib/nginx/body /var/lib/nginx/proxy /var/lib/nginx/fastcgi \
+             /var/lib/nginx/uwsgi /var/lib/nginx/scgi /var/lib/nginx/proxy_temp \
+             /var/cache/nginx && \
+    chown -R root:root /var/lib/nginx /var/cache/nginx
+
+# Honcho
+COPY --from=honcho-builder /app /app
+WORKDIR /app
+ENV PATH="/app/.venv/bin:$PATH"
+ENV HOME=/app
+COPY config.toml /app/config.toml
+
+# OpenConcho SPA
+COPY --from=openconcho-builder /app/packages/web/dist /usr/share/nginx/html
+
+# nginx config (proxies /v3/, /v2/ to Honcho on localhost:8000)
+COPY honcho-nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+CMD ["bash", "-c", "nginx -g 'daemon off;' & fastapi run --host 127.0.0.1 --port 8000 src/main.py & python3 -m src.deriver & wait -n"]

ai/honcho/config.toml

@@ -0,0 +1,132 @@
+[app]
+LOG_LEVEL = "INFO"
+MAX_MESSAGE_SIZE = 25000
+EMBED_MESSAGES = true
+NAMESPACE = "honcho"
+
+[db]
+CONNECTION_URI = "postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho"
+SCHEMA = "public"
+POOL_SIZE = 10
+MAX_OVERFLOW = 20
+
+[auth]
+USE_AUTH = false
+
+[sentry]
+ENABLED = false
+
+[telemetry]
+ENABLED = false
+
+[webhook]
+ENABLED = false
+
+[cache]
+ENABLED = true
+URL = "redis://honcho-redis:6379/0"
+
+[llm]
+DEFAULT_MAX_TOKENS = 4096
+
+# Embeddings via Ollama — bge-m3 provides 1024-dim
+[embedding]
+VECTOR_DIMENSIONS = 1024
+MAX_INPUT_TOKENS = 8192
+
+[embedding.model_config]
+transport = "openai"
+model = "bge-m3"
+overrides = {base_url = "http://ollama:11434/v1", api_key = "ollama"}
+
+# --- Deriver ---
+[deriver]
+ENABLED = true
+WORKERS = 1
+POLLING_SLEEP_INTERVAL_SECONDS = 5.0
+FLUSH_ENABLED = true
+
+[deriver.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Dialectic ---
+[dialectic]
+MAX_INPUT_TOKENS = 4096
+SESSION_HISTORY_MAX_TOKENS = 8192
+
+[dialectic.levels.minimal]
+MAX_TOOL_ITERATIONS = 1
+MAX_OUTPUT_TOKENS = 512
+[dialectic.levels.minimal.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.low]
+MAX_TOOL_ITERATIONS = 3
+[dialectic.levels.low.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.medium]
+MAX_TOOL_ITERATIONS = 2
+[dialectic.levels.medium.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.high]
+MAX_TOOL_ITERATIONS = 4
+[dialectic.levels.high.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dialectic.levels.max]
+MAX_TOOL_ITERATIONS = 10
+[dialectic.levels.max.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Summary ---
+[summary]
+ENABLED = true
+MESSAGES_PER_SHORT_SUMMARY = 20
+MESSAGES_PER_LONG_SUMMARY = 60
+
+[summary.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Dream ---
+[dream]
+ENABLED = true
+
+[dream.model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dream.deduction_model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+[dream.induction_model_config]
+overrides = {base_url = "https://opencode.ai/zen/go/v1", api_key_env = "HONCHO_OPENAI_API_KEY"}
+transport = "openai"
+model = "deepseek-v4-flash"
+
+# --- Peer Card ---
+[peer_card]
+ENABLED = true
+
+# --- Vector Store ---
+[vector_store]
+TYPE = "pgvector"
+# DIMENSIONS is deprecated — EMBEDDING.VECTOR_DIMENSIONS is authoritative

ai/honcho/honcho-nginx.conf

@@ -0,0 +1,52 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Honcho API proxy
+    location /v3/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /v2/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Honcho health
+    location /health {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OpenAPI docs
+    location /openapi.json {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # SPA: fallback to index.html for client-side routing
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}

ai/honcho/init-db.sql

@@ -0,0 +1 @@
+CREATE EXTENSION IF NOT EXISTS vector;

ai/ollama/Dockerfile

@@ -0,0 +1,106 @@
+# ollama-gfx906/Dockerfile
+#
+# Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
+# The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
+# This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
+#
+# Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
+
+FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
+
+# Build dependencies (CMake, Ninja, Go)
+ARG CMAKEVERSION=3.31.2
+ARG NINJAVERSION=1.12.1
+ARG GOLANG_VERSION=1.22.0
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    curl git ccache build-essential pkg-config unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install CMake from official binaries
+RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
+    | tar xz -C /usr/local --strip-components 1
+
+# Install Ninja
+RUN curl -fsSL -o /tmp/ninja.zip \
+    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
+    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
+
+# Install Go
+RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
+    | tar xz -C /usr/local
+ENV PATH=/usr/local/go/bin:$PATH
+
+ARG OLLAMA_VERSION=v0.23.2
+RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
+WORKDIR /build
+
+# ROCm paths
+ENV HIP_PATH=/opt/rocm
+ENV ROCM_PATH=/opt/rocm
+ENV CMAKE_GENERATOR=Ninja
+ENV LDFLAGS=-s
+
+# Step 1: Build CPU backends with GCC (no ROCm preset)
+# Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
+# finding a HIP compiler (it searches /opt/rocm even without PATH).
+# Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
+RUN mkdir -p build-cpu && \
+    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
+      -DCMAKE_HIP_COMPILER="" \
+      -DCMAKE_INSTALL_PREFIX=/build/dist && \
+    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
+    cmake --install build-cpu --component CPU --strip && \
+    echo "=== CPU install ===" && \
+    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
+
+# Step 2: Build HIP backend with ROCm preset + gfx906 target only
+# The ROCm 6 preset enables HIP language detection (enable_language(HIP))
+# which ensures GPU kernels are properly compiled for gfx906.
+# OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
+# Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
+# at /opt/rocm/lib/cmake/hip/hip-config.cmake.
+RUN mkdir -p build-hip && \
+    cmake -B build-hip \
+      --preset 'ROCm 6' \
+      -DAMDGPU_TARGETS="gfx906:xnack-" \
+      -DCMAKE_BUILD_TYPE=Release \
+      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
+    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
+    cmake --install build-hip --component HIP --strip && \
+    echo "=== HIP install ===" && \
+    find /build/dist/lib/ollama -type f -o -type l | head -20
+
+# Step 3: Build Go binary (GCC for CGo linking)
+ENV CGO_ENABLED=1
+RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
+
+# ---------- Runtime image ----------
+FROM ubuntu:24.04
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy ROCm 6.1 runtime libraries
+# These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
+COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
+COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
+
+# Copy ollama binary + all backends (CPU + HIP)
+# CPU install:  /build/dist/lib/ollama/libggml-*.so
+# HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
+COPY --from=builder /build/dist/ollama /usr/bin/ollama
+COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
+
+RUN ldconfig
+
+ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
+ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
+ENV HCC_AMDGPU_TARGET=gfx906
+ENV HSA_ENABLE_SDMA=0
+
+EXPOSE 11434
+ENTRYPOINT ["/bin/ollama"]
+CMD ["serve"]

ai/patch_tts_tool.py

@@ -1,96 +0,0 @@
-#!/usr/bin/env python3
-"""Patch Hermes TTS tool: remove Edge TTS, replace with Piper as default/fallback."""
-import sys
-
-tts_path = '/opt/hermes/tools/tts_tool.py'
-
-with open(tts_path) as f:
-    code = f.read()
-
-# Replace the Edge fallback with Piper fallback
-old_edge = '''        else:
-            # Default: Edge TTS (free), with NeuTTS as local fallback
-            edge_available = True
-            try:
-                _import_edge_tts()
-            except ImportError:
-                edge_available = False
-
-            if edge_available:
-                logger.info("Generating speech with Edge TTS...")
-                try:
-                    import concurrent.futures
-                    with concurrent.futures.ThreadPoolExecutor(max_workers=1) as pool:
-                        pool.submit(
-                            lambda: asyncio.run(_generate_edge_tts(text, file_str, tts_config))
-                        ).result(timeout=60)
-                except RuntimeError:
-                    asyncio.run(_generate_edge_tts(text, file_str, tts_config))
-            elif _check_neutts_available():
-                logger.info("Edge TTS not available, falling back to NeuTTS (local)...")
-                provider = "neutts"
-                _generate_neutts(text, file_str, tts_config)
-            else:
-                return json.dumps({
-                    "success": False,
-                    "error": "No TTS provider available. Install edge-tts (pip install edge-tts) "
-                             "or set up NeuTTS for local synthesis."
-                }, ensure_ascii=False)'''
-
-new_piper = '''        else:
-            # Default: Piper TTS (local, CPU, no cloud, no Microsoft)
-            piper_available = False
-            try:
-                piper_binary = "/opt/hermes/.venv/bin/piper"
-                piper_config = tts_config.get("piper", {})
-                voice = piper_config.get("voice", "en_US-lessac-medium")
-                model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
-                model_path = os.path.join(model_dir, f"{voice}.onnx")
-                if os.path.exists(model_path):
-                    piper_available = True
-            except Exception:
-                pass
-
-            if piper_available:
-                logger.info("Generating speech with Piper TTS (local, CPU)...")
-                import subprocess
-                piper_binary = "/opt/hermes/.venv/bin/piper"
-                piper_config = tts_config.get("piper", {})
-                voice = piper_config.get("voice", "en_US-lessac-medium")
-                model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
-                model_path = os.path.join(model_dir, f"{voice}.onnx")
-                cmd = [piper_binary, "--model", model_path, "--output-raw"]
-                proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-                raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
-                if proc.returncode != 0:
-                    raise RuntimeError(f"Piper TTS failed: {stderr.decode()[:200]}")
-                ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
-                subprocess.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
-                logger.info("Piper TTS audio saved: %s", file_str)
-            else:
-                return json.dumps({
-                    "success": False,
-                    "error": "No TTS provider available. Install Piper TTS (pip install piper-tts) "
-                             "and download a voice model."
-                }, ensure_ascii=False)'''
-
-if old_edge in code:
-    code = code.replace(old_edge, new_piper)
-    print("Edge fallback replaced with Piper")
-else:
-    if 'Default: Piper TTS' in code:
-        print("Piper fallback already present")
-    else:
-        print("ERROR: Could not find Edge fallback in tts_tool.py")
-        # Debug output
-        import re
-        for m in re.finditer(r'        else:\n            # Default:', code):
-            start = max(0, m.start() - 100)
-            end = min(len(code), m.end() + 200)
-            print(f"Found else/default at position {m.start()}:")
-            print(code[start:end])
-        sys.exit(1)
-
-with open(tts_path, 'w') as f:
-    f.write(code)
-print("tts_tool.py patched successfully")

versioncontrol/compose.yml

@@ -7,8 +7,11 @@ services:
       - USER_UID=1000
       - USER_GID=1000
       - GITEA__server__ROOT_URL=https://code.lazyworkhorse.net
+      - GITEA__actions__ENABLED=true
       - SSH_PORT=2222
       - SSH_LISTEN_PORT=2222
+      # Enable Gitea Actions (act_runner required on host)
+      - GITEA__actions__ENABLED=true
     volumes:
       - /mnt/HoardingCow_docker_data/Gitea:/data
     networks:
@@ -40,6 +43,22 @@ services:
       # Internal Routing
       - "traefik.http.services.gitea.loadbalancer.server.port=3000"
 
+  act_runner:
+    image: gitea/act_runner:latest
+    container_name: act_runner
+    environment:
+      - GITEA_INSTANCE_URL=https://code.lazyworkhorse.net
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
+      - GITEA_RUNNER_NAME=ai-host-runner
+      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:full-22.04,nixos-builder:docker://nixos/nix
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - vc_net
+    restart: always
+    depends_on:
+      - gitea
+
 networks:
   vc_net:
     external: true

vpn/Dockerfile

@@ -1,16 +1,9 @@
 # Custom wg-easy with iptables-nft (nftables-backed iptables)
 # Fixes crash-loop when host kernel lacks legacy iptable_nat module.
-FROM weejewel/wg-easy:latest
+FROM ghcr.io/wg-easy/wg-easy:latest
 
-# Alpine's iptables-nft provides iptables that uses nftables kernel API
+# The upstream image registers only iptables-legacy with update-alternatives.
-# instead of the legacy iptable_nat module. This works on kernels
+# iptables-nft binary exists but isn't registered as an alternative key.
-# where only nftables netfilter modules are available.
+# Override the alternatives-managed symlinks directly.
-RUN apk add --no-cache iptables-nft
+RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
-
+    ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
-# Ensure iptables-nft takes priority over legacy iptables
-RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
-    ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
-    ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
-    ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
-    ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
-    ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore

vpn/compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 services:
   wireguard:
     build:
-      context: ./vpn
+      context: .
       dockerfile: Dockerfile
     image: wg-easy-iptables-nft:latest
     container_name: wireguard