diff --git a/ai/Dockerfile b/ai/Dockerfile
new file mode 100644
index 0000000..1edd524
--- /dev/null
+++ b/ai/Dockerfile
@@ -0,0 +1,71 @@
+FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
+FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
+FROM debian:13.4
+
+# Disable Python stdout buffering to ensure logs are printed immediately
+ENV PYTHONUNBUFFERED=1
+
+# Store Playwright browsers outside the volume mount so the build-time
+# install survives the /opt/data volume overlay at runtime.
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
+
+# Install system dependencies in one layer, clear APT cache
+# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.)
+# that would otherwise accumulate when hermes runs as PID 1. See #15012.
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
+ curl poppler-utils imagemagick \
+ chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \
+ libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \
+ texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \
+ qemu-user-static binfmt-support qemu-user-binfmt \
+ emacs-nox \
+ libportaudio2 && \
+ rm -rf /var/lib/apt/lists/*
+
+# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
+RUN useradd -u 10000 -m -d /opt/data hermes
+
+COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
+COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/
+
+WORKDIR /opt/hermes
+
+# ---------- Layer-cached dependency install ----------
+# Copy only package manifests first so npm install + Playwright are cached
+# unless the lockfiles themselves change.
+COPY package.json package-lock.json ./
+COPY web/package.json web/package-lock.json web/
+
+RUN npm install --prefer-offline --no-audit && \
+ npx playwright install --with-deps chromium --only-shell && \
+ (cd web && npm install --prefer-offline --no-audit) && \
+ npm cache clean --force
+
+# ---------- Source code ----------
+# .dockerignore excludes node_modules, so the installs above survive.
+COPY --chown=hermes:hermes . .
+
+# Build web dashboard (Vite outputs to hermes_cli/web_dist/)
+RUN cd web && npm run build
+
+# ---------- Permissions ----------
+# Make install dir world-readable so any HERMES_UID can read it at runtime.
+# The venv needs to be traversable too.
+USER root
+RUN chmod -R a+rX /opt/hermes
+# Start as root so the entrypoint can usermod/groupmod + gosu.
+# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).
+
+# ---------- Python virtualenv ----------
+RUN uv venv && \
+ uv pip install --no-cache-dir -e ".[all]" && \
+ uv pip install --no-cache-dir sounddevice numpy faster-whisper
+
+# ---------- Runtime ----------
+ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
+ENV HERMES_HOME=/opt/data
+ENV PATH="/opt/data/.local/bin:${PATH}"
+VOLUME [ "/opt/data" ]
+ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]
diff --git a/ai/compose.yml b/ai/compose.yml
index 460d44d..5780324 100644
--- a/ai/compose.yml
+++ b/ai/compose.yml
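Review bot: `ENV PATH="/opt/data/.local/bin:${PATH}"` in the Runtime section places the user-writable /opt/data volume (the hermes user's home from the `useradd` line) ahead of the system directories, and that PATH is inherited by the entrypoint, which per the comment still runs as root to usermod/groupmod before gosu; any tool the entrypoint invokes by bare name would then resolve inside the volume first, so a writer to the volume could shadow those tools for the root stage. Appending instead, `ENV PATH="${PATH}:/opt/data/.local/bin"`, or exporting that PATH only for the unprivileged process inside entrypoint.sh, removes the shadowing. Two smaller points: `npm install` does not enforce the copied lockfiles, `npm ci --prefer-offline --no-audit` would; and `RUN chmod -R a+rX /opt/hermes` runs before `RUN uv venv`, so the venv the comment says "needs to be traversable too" is not covered by that chmod and relies on the build umask. `FROM debian:13.4` is also the only base not pinned by digest, unlike the two helper stages above it.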
@@ -1,32 +1,32 @@
 version: "3.8"
 services:
- webui:
- image: ghcr.io/open-webui/open-webui:main
- volumes:
- - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
- restart: always
- environment:
- - OLLAMA_API_BASE_URL=http://ollama:11434/api
- networks:
- - ai_net
- - ai_backend
- labels:
- - "traefik.enable=true"
+ # webui:
+ # image: ghcr.io/open-webui/open-webui:main
+ # volumes:
+ # - /mnt/HoardingCow_docker_data/Ollama/open-webui:/app/backend/data
+ # restart: always
+ # environment:
+ # - OLLAMA_API_BASE_URL=http://ollama:11434/api
+ # networks:
+ # - ai_net
+ # - ai_backend
+ # labels:
+ # - "traefik.enable=true"
- # Router for HTTP + redirection to HTTPS
- - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
- - "traefik.http.routers.webui-http.entrypoints=web"
- - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
+ # # Router for HTTP + redirection to HTTPS
+ # - "traefik.http.routers.webui-http.rule=Host(`ai.lazyworkhorse.net`)"
+ # - "traefik.http.routers.webui-http.entrypoints=web"
+ # - "traefik.http.routers.webui-http.middlewares=redirect-to-https"
- # Router for HTTPS with TLS
- - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
- - "traefik.http.routers.webui-https.entrypoints=websecure"
- - "traefik.http.routers.webui-https.tls=true"
- - "traefik.http.routers.webui-https.tls.certresolver=njalla"
+ # # Router for HTTPS with TLS
+ # - "traefik.http.routers.webui-https.rule=Host(`ai.lazyworkhorse.net`)"
+ # - "traefik.http.routers.webui-https.entrypoints=websecure"
+ # - "traefik.http.routers.webui-https.tls=true"
+ # - "traefik.http.routers.webui-https.tls.certresolver=njalla"
 hermes:
- image: nousresearch/hermes-agent:latest
+ build: ./
 container_name: hermes
 restart: always
 # Gateway run enables the internal API server on port 8642
diff --git a/coms/compose.yml b/coms/compose.yml
index 1036a7a..34897c0 100644
--- a/coms/compose.yml
+++ b/coms/compose.yml
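Review bot: `build: ./` makes the whole `ai/` directory the build context, and the new Dockerfile's `COPY --chown=hermes:hermes . .` then copies everything in it — this compose.yml and any `.env` placed beside it for variable substitution — into the image, where `chmod -R a+rX /opt/hermes` makes it world-readable; the Dockerfile's comment relies on a `.dockerignore` that this commit does not add. Either add `ai/.dockerignore` excluding `.env`, `compose.yml` and `node_modules`, or point the build at a dedicated source checkout, e.g. `build: { context: ./hermes-agent }` (constructed path). The Dockerfile also expects `package.json`, `web/` and `docker/entrypoint.sh` in the context, so unless the hermes source is vendored under `ai/` the build fails at the first `COPY`. The service no longer carries an `image:` name, so the built image is only tagged by compose's default naming; adding `image: hermes-agent:local` (constructed tag) keeps it identifiable when pruning.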
@@ -1,15 +1,15 @@
 version: "3.9"
 services:
- nomadnet:
- image: ghcr.io/markqvist/nomadnet:master
- container_name: nomadnet
- restart: always
- volumes:
- - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
- - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
- # Reticulum transport must be reachable directly (NOT through Traefik)
- ports:
- - "4242:4242"
+ # nomadnet:
+ # image: ghcr.io/markqvist/nomadnet:master
+ # container_name: nomadnet
+ # restart: always
+ # volumes:
+ # - /mnt/HoardingCow_docker_data/Nomadnet:/root/.nomadnetwork
+ # - /mnt/HoardingCow_docker_data/Reticulum:/root/.reticulum
+ # # Reticulum transport must be reachable directly (NOT through Traefik)
+ # ports:
+ # - "4242:4242"
 synapse:
 image: ghcr.io/element-hq/synapse:latest
diff --git a/vpn/compose.yml b/vpn/compose.yml
new file mode 100644
index 0000000..ceb4f35
--- /dev/null
+++ b/vpn/compose.yml
@@ -0,0 +1,35 @@
+version: "3.8"
+
+services:
+ wireguard:
+ image: weejewel/wg-easy:latest
+ container_name: wireguard
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ environment:
+ - WG_HOST=vpn.lazyworkhorse.net
+ - PASSWORD=${WG_PASSWORD}
+ - WG_PORT=51820
+ - WG_DEFAULT_ADDRESS=10.8.0.x
+ - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
+ - WG_ALLOWED_IPS=0.0.0.0/0, ::/0
+ - WG_PERSISTENT_KEEPALIVE=25
+ - UI_TRAFFIC_STATS=true
+ - UI_CHART_TYPE=0
+ ports:
+ - "51820:51820/udp"
+ - "51821:51821/tcp"
+ volumes:
+ - /mnt/HoardingCow_docker_data/WireGuard:/etc/wireguard:rw
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ - net.ipv4.ip_forward=1
+ restart: unless-stopped
+ networks:
+ - vpn_net
+
+networks:
+ vpn_net:
+ external: true
+ name: vpn_net
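Review bot: `PASSWORD=${WG_PASSWORD}` expands to an empty string when WG_PASSWORD is missing from the shell or `.env`, and compose only warns, so the wg-easy admin UI — published on every interface by `"51821:51821/tcp"` over plain HTTP — may come up with no login at all; use `PASSWORD=${WG_PASSWORD:?WG_PASSWORD is not set}` so the deploy fails instead, and bind the UI to loopback or route it through the Traefik/TLS setup used elsewhere in this repo, e.g. `"127.0.0.1:51821:51821/tcp"`. `image: weejewel/wg-easy:latest` together with `restart: unless-stopped` means a container holding NET_ADMIN and SYS_MODULE, with ip_forward enabled, re-pulls whatever upstream publishes next; pin a version tag or digest as the Dockerfile in this same commit does for its helper stages. SYS_MODULE is only needed when the host has not already loaded the wireguard module, so on a host that provides it the capability can be dropped.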