feat(ai): add Dockerfile with curl, poppler-utils, imagemagick

Add Dockerfile for building custom Hermes Agent image.

Packages (PR 1 of 5):
- curl: HTTP client
- poppler-utils: PDF tools
- imagemagick: Image manipulation

ai/Dockerfile

@@ -1,116 +1,43 @@
-# 1. On récupère la version la plus récente d'UV
-FROM ghcr.io/astral-sh/uv:latest AS uv_source
+FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
+FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
+FROM debian:13.4
 
-# 2. Image de base stable
-FROM debian:stable-slim
-
-# Disable Python stdout buffering to ensure logs are printed immediately
 ENV PYTHONUNBUFFERED=1
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
 
-# Install system dependencies in one layer, clear APT cache
-# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.)
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-        build-essential python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
-        curl poppler-utils imagemagick \
-        texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
-        qemu-user-static binfmt-support qemu-user-binfmt \
-        emacs-nox \
-        libportaudio2 \
-        ca-certificates && \
+        build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
+        curl poppler-utils imagemagick && \
     rm -rf /var/lib/apt/lists/*
 
-# Création de l'utilisateur 'hermes' directement avec les bons accès
 RUN useradd -u 10000 -m -d /opt/data hermes
 
-# Copie d'uv (dernière version)
-COPY --chmod=0755 --from=uv_source /uv /usr/local/bin/
+COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
+COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/
 
 WORKDIR /opt/hermes
 
-# On donne la propriété du dossier de travail à l'utilisateur hermes
-RUN chown hermes:hermes /opt/hermes
+COPY package.json package-lock.json ./
+COPY web/package.json web/package-lock.json web/
 
-# ---------- Hermes venv ----------
-# Passer immédiatement sous l'utilisateur hermes pour tout le reste du build
-USER hermes
+RUN npm install --prefer-offline --no-audit && \
+    npx playwright install --with-deps chromium --only-shell && \
+    (cd web && npm install --prefer-offline --no-audit) && \
+    npm cache clean --force
 
-# ---------- Source code ----------
-# On copie tout le projet d'un coup sans assumer la présence de fichiers de lock spécifiques
 COPY --chown=hermes:hermes . .
 
-# ---------- Python virtualenv avec Piper TTS ----------
+RUN cd web && npm run build
+
+USER root
+RUN chmod -R a+rX /opt/hermes
+
 RUN uv venv && \
-    uv pip install --no-cache-dir piper-tts sounddevice numpy faster-whisper
+    uv pip install --no-cache-dir -e ".[all]"
 
-# ---------- Télécharger la voix Piper Ryan (high quality) ----------
-RUN mkdir -p /opt/hermes/.venv/share/piper/voices && \
-    /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import urllib.request
-base = '/opt/hermes/.venv/share/piper/voices'
-url = 'https://huggingface.co/rhasspy/piper-voices/resolve/main/en/en_US/ryan/high/en_US-ryan-high.onnx'
-urllib.request.urlretrieve(url, base + '/en_US-ryan-high.onnx')
-urllib.request.urlretrieve(url + '.json', base + '/en_US-ryan-high.onnx.json')
-PYEOF
- 
-# ---------- Patch atomic writes to preserve file permissions ----------
-# Fixes https://github.com/NousResearch/hermes-agent/issues/14181
-# tempfile.mkstemp() creates files as 0600; os.replace() preserves that mode,
-# so group-readable files silently collapse to owner-private 0600.
-# This affects: skills, sessions, memories, and any file written atomically.
-RUN /opt/hermes/.venv/bin/python3 /dev/stdin << 'PYEOF'
-import os
-
-patches = [
-    ("/opt/hermes/tools/skill_manager_tool.py", [
-        ("# Restore existing file mode if present", True),  # already patched
-    ]),
-    ("/opt/hermes/tools/skills_sync.py", [
-        ("# Restore existing file mode if present", True),  # already patched
-    ]),
-]
-
-for fpath, checks in patches:
-    if not os.path.exists(fpath):
-        print(f"SKIP {fpath} (not found)")
-        continue
-    with open(fpath) as f:
-        code = f.read()
-    all_ok = all(marker in code for marker, _ in checks)
-    if all_ok:
-        print(f"OK {fpath} (already patched)")
-        continue
-    print(f"PATCH {fpath}")
-    # _atomic_write_text in skill_manager_tool.py
-    code = code.replace(
-        "        os.replace(temp_path, file_path)",
-        "        if file_path.exists():\n"
-        "            existing_mode = file_path.stat().st_mode\n"
-        "            os.chmod(temp_path, existing_mode)\n"
-        "        os.replace(temp_path, file_path)",
-    )
-    # _write_manifest in skills_sync.py
-    code = code.replace(
-        "            os.replace(tmp_path, MANIFEST_FILE)",
-        "            if MANIFEST_FILE.exists():\n"
-        "                existing_mode = MANIFEST_FILE.stat().st_mode\n"
-        "                os.chmod(tmp_path, existing_mode)\n"
-        "            os.replace(tmp_path, MANIFEST_FILE)",
-    )
-    with open(fpath, 'w') as f:
-        f.write(code)
-    print(f"DONE {fpath}")
-PYEOF
-
-# ---------- Runtime ----------
+ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
 ENV HERMES_HOME=/opt/data
 ENV PATH="/opt/data/.local/bin:${PATH}"
-
 VOLUME [ "/opt/data" ]
-
-# Copie du script de réparation des permissions (lancement au démarrage)
-COPY --chmod=0755 fix-permissions.sh /opt/hermes/fix-permissions.sh
-
-# Le conteneur tourne de manière ultra-sécurisée sous l'utilisateur hermes dès le départ
-# fix-permissions.sh chown les répertoires critiques avant de chaîner vers entrypoint.sh
-ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/fix-permissions.sh" ]
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]

ai/compose.yml

@@ -1,32 +1,32 @@
 version: "3.8"
 services:
 
-  # webui:
-  #   image: ghcr.io/open-webui/open-webui:main
-  #   volumes:
-  #     - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
-  #   restart: always
-  #   environment:
-  #     - OLLAMA_API_BASE_URL=http://ollama:11434/api
-  #   networks:
-  #     - ai_net
-  #     - ai_backend
-  #   labels:
-  #     - "traefik.enable=true"
+  webui:
+    image: ghcr.io/open-webui/open-webui:main
+    volumes:
+      - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+    restart: always
+    environment:
+      - OLLAMA_API_BASE_URL=http://ollama:11434/api
+    networks:
+      - ai_net
+      - ai_backend
+    labels:
+      - "traefik.enable=true"
 
-  #     # Router for HTTP + redirection to HTTPS
-  #     - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-http.entrypoints=web"
-  #     - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+      # Router for HTTP + redirection to HTTPS
+      - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-http.entrypoints=web"
+      - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
 
-  #     # Router for HTTPS with TLS
-  #     - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
-  #     - "traefik.http.routers.webui-https.entrypoints=websecure"
-  #     - "traefik.http.routers.webui-https.tls=true"
-  #     - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+      # Router for HTTPS with TLS
+      - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+      - "traefik.http.routers.webui-https.entrypoints=websecure"
+      - "traefik.http.routers.webui-https.tls=true"
+      - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 
   hermes:
-    build: ./
+    image: nousresearch/hermes-agent:latest
     container_name: hermes
     restart: always
     # Gateway run enables the internal API server on port 8642
@@ -39,12 +39,6 @@ services:
       - API_SERVER_KEY=hermes_local_key
       - GATEWAY_ALLOW_ALL_USERS=true
       - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
-      # ROCm for GPU-accelerated faster-whisper STT
-      - HSA_OVERRIDE_GFX_VERSION=9.0.6
-      - HCC_AMDGPU_TARGET=gfx906
-      - HIP_VISIBLE_DEVICES=0,1
-      - ROCR_VISIBLE_DEVICES=0,1
-      - HSA_ENABLE_SDMA=0
     volumes:
       - /mnt/HoardingCow_docker_data/Hermes/data:/opt/data
     devices:

ai/fix-permissions.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-# Startup permission fix for the Hermes data volume.
-# Runs as root before the entrypoint drops to the hermes user.
-# Fixes files that were created by root (host agent, cron jobs, etc.)
-# becoming inaccessible to the hermes runtime user.
-set -e
-
-HERMES_HOME="${HERMES_HOME:-/opt/data}"
-
-# Fix ownership on critical writable directories so hermes user can access them
-chown -R hermes:hermes \
-  "$HERMES_HOME/sessions" \
-  "$HERMES_HOME/checkpoints" \
-  "$HERMES_HOME/skills" \
-  "$HERMES_HOME/memories" \
-  "$HERMES_HOME/workspace" \
-  "$HERMES_HOME/pastes" \
-  "$HERMES_HOME/logs" \
-  "$HERMES_HOME/cron" \
-  "$HERMES_HOME/plans" \
-  "$HERMES_HOME/hooks" \
-  "$HERMES_HOME/cache" \
-  2>/dev/null || true
-
-# Also fix the data volume root if it's wrong
-if [ "$(stat -c %u "$HERMES_HOME" 2>/dev/null)" != "$(id -u hermes)" ]; then
-  chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true
-fi
-
-# Now chain to the real entrypoint
-exec /opt/hermes/docker/entrypoint.sh "$@"

ai/patch_tts_tool.py

@@ -1,96 +0,0 @@
-#!/usr/bin/env python3
-"""Patch Hermes TTS tool: remove Edge TTS, replace with Piper as default/fallback."""
-import sys
-
-tts_path = '/opt/hermes/tools/tts_tool.py'
-
-with open(tts_path) as f:
-    code = f.read()
-
-# Replace the Edge fallback with Piper fallback
-old_edge = '''        else:
-            # Default: Edge TTS (free), with NeuTTS as local fallback
-            edge_available = True
-            try:
-                _import_edge_tts()
-            except ImportError:
-                edge_available = False
-
-            if edge_available:
-                logger.info("Generating speech with Edge TTS...")
-                try:
-                    import concurrent.futures
-                    with concurrent.futures.ThreadPoolExecutor(max_workers=1) as pool:
-                        pool.submit(
-                            lambda: asyncio.run(_generate_edge_tts(text, file_str, tts_config))
-                        ).result(timeout=60)
-                except RuntimeError:
-                    asyncio.run(_generate_edge_tts(text, file_str, tts_config))
-            elif _check_neutts_available():
-                logger.info("Edge TTS not available, falling back to NeuTTS (local)...")
-                provider = "neutts"
-                _generate_neutts(text, file_str, tts_config)
-            else:
-                return json.dumps({
-                    "success": False,
-                    "error": "No TTS provider available. Install edge-tts (pip install edge-tts) "
-                             "or set up NeuTTS for local synthesis."
-                }, ensure_ascii=False)'''
-
-new_piper = '''        else:
-            # Default: Piper TTS (local, CPU, no cloud, no Microsoft)
-            piper_available = False
-            try:
-                piper_binary = "/opt/hermes/.venv/bin/piper"
-                piper_config = tts_config.get("piper", {})
-                voice = piper_config.get("voice", "en_US-lessac-medium")
-                model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
-                model_path = os.path.join(model_dir, f"{voice}.onnx")
-                if os.path.exists(model_path):
-                    piper_available = True
-            except Exception:
-                pass
-
-            if piper_available:
-                logger.info("Generating speech with Piper TTS (local, CPU)...")
-                import subprocess
-                piper_binary = "/opt/hermes/.venv/bin/piper"
-                piper_config = tts_config.get("piper", {})
-                voice = piper_config.get("voice", "en_US-lessac-medium")
-                model_dir = piper_config.get("model_dir", "/opt/hermes/.venv/share/piper/voices")
-                model_path = os.path.join(model_dir, f"{voice}.onnx")
-                cmd = [piper_binary, "--model", model_path, "--output-raw"]
-                proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-                raw_audio, stderr = proc.communicate(input=text.encode(), timeout=60)
-                if proc.returncode != 0:
-                    raise RuntimeError(f"Piper TTS failed: {stderr.decode()[:200]}")
-                ffmpeg_cmd = ["ffmpeg", "-f", "s16le", "-ar", "22050", "-ac", "1", "-i", "-", "-y", file_str]
-                subprocess.run(ffmpeg_cmd, input=raw_audio, capture_output=True, timeout=30)
-                logger.info("Piper TTS audio saved: %s", file_str)
-            else:
-                return json.dumps({
-                    "success": False,
-                    "error": "No TTS provider available. Install Piper TTS (pip install piper-tts) "
-                             "and download a voice model."
-                }, ensure_ascii=False)'''
-
-if old_edge in code:
-    code = code.replace(old_edge, new_piper)
-    print("Edge fallback replaced with Piper")
-else:
-    if 'Default: Piper TTS' in code:
-        print("Piper fallback already present")
-    else:
-        print("ERROR: Could not find Edge fallback in tts_tool.py")
-        # Debug output
-        import re
-        for m in re.finditer(r'        else:\n            # Default:', code):
-            start = max(0, m.start() - 100)
-            end = min(len(code), m.end() + 200)
-            print(f"Found else/default at position {m.start()}:")
-            print(code[start:end])
-        sys.exit(1)
-
-with open(tts_path, 'w') as f:
-    f.write(code)
-print("tts_tool.py patched successfully")

coms/compose.yml

@@ -1,15 +1,15 @@
 version: "3.9"
 services:
-  # nomadnet:
-  #   image: ghcr.io/markqvist/nomadnet:master
-  #   container_name: nomadnet
-  #   restart: always
-  #   volumes:
-  #     - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
-  #     - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
-  #   # Reticulum transport must be reachable directly (NOT through Traefik)
-  #   ports:
-  #     - "4242:4242"
+  nomadnet:
+    image: ghcr.io/markqvist/nomadnet:master
+    container_name: nomadnet
+    restart: always
+    volumes:
+      - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+      - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+    # Reticulum transport must be reachable directly (NOT through Traefik)
+    ports:
+      - "4242:4242"
 
   synapse:
     image: ghcr.io/element-hq/synapse:latest

network/compose.yml

@@ -13,20 +13,17 @@ services:
       - "--certificatesresolvers.njalla.acme.storage=/letsencrypt/acme.json"
       - "--certificatesresolvers.njalla.acme.httpchallenge.entrypoint=web"
 
-      - "--log.level=INFO"
-      - "--log.filepath=/var/log/traefik/traefik.log"
-      - "--accesslog.filepath=/var/log/traefik/access.log"
+      - "--log.level=DEBUG"
       - "--providers.docker=true"
       - "--providers.docker.exposedByDefault=false"
     ports:
       - "80:80"
       - "443:443"
     environment:
-      - NJALLA_TOKEN=***
+      - NJALLA_TOKEN=${NJALLA_TOKEN}
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /mnt/HoardingCow_docker_data/Traefik:/letsencrypt
-      - /var/log/traefik:/var/log/traefik
     restart: unless-stopped
     networks:
       - traefik_backend

vpn/Dockerfile

@@ -1,16 +0,0 @@
-# Custom wg-easy with iptables-nft (nftables-backed iptables)
-# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
-FROM weejewel/wg-easy:latest
-
-# Alpine's iptables-nft provides iptables that uses nftables kernel API
-# instead of the legacy iptable_nat module. This works on kernels
-# where only nftables netfilter modules are available.
-RUN apk add --no-cache iptables-nft
-
-# Ensure iptables-nft takes priority over legacy iptables
-RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
-    ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
-    ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
-    ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
-    ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
-    ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore

vpn/compose.yml

@@ -1,38 +0,0 @@
-version: "3.8"
-
-services:
-  wireguard:
-    build:
-      context: ./vpn
-      dockerfile: Dockerfile
-    image: wg-easy-iptables-nft:latest
-    container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    environment:
-      - WG_HOST=vpn.lazyworkhorse.net
-      - PASSWORD=${WG_PASSWORD}
-      - WG_PORT=51820
-      - WG_DEFAULT_ADDRESS=10.8.0.x
-      - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
-      - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
-      - WG_PERSISTENT_KEEPALIVE=25
-      - UI_TRAFFIC_STATS=true
-      - UI_CHART_TYPE=0
-    ports:
-      - "51820:51820/udp"
-      - "51821:51821/tcp"
-    volumes:
-      - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv4.ip_forward=1
-    restart: unless-stopped
-    networks:
-      - vpn_net
-
-networks:
-  vpn_net:
-    external: true
-    name: vpn_net