normalized homebox, llama-router and nextcloud

missing Redis doc

Author: romkey

docs/redis-persistence-hackstack.md

@@ -0,0 +1,23 @@
+# Redis persistence in this hackstack
+
+Stacks under `apps/` that run a dedicated Redis container are tuned to **reduce SSD write wear** while staying as safe as practical.
+
+## Policy
+
+| Stack | Redis role | AOF | RDB | Notes |
+|-------|------------|-----|-----|--------|
+| **authentik** | Cache / coordination for server + worker | **off** | **off** (`save ""`) | Accept **re-login** and cold cache after unclean restart. **Removes** the previous `--save 60 1` (very write-heavy). |
+| **glitchtip** | Celery broker + cache | **off** | **`save 900 1`** only | No AOF (big SSD win). At most one snapshot per **15 minutes** if keys changed. Hard crash can still lose in-flight Celery work not yet in Postgres. |
+| **member-manager** | Sidekiq queue | **off** | **`save 900 1`** only | Same tradeoff as GlitchTip for **queued jobs**. |
+| **event-manager** | Sidekiq queue | **off** | **`save 900 1`** only | Same as member-manager. |
+| **sentry** | Queues / internal cache | **off** | **`save 900 1`** only | Same pattern; **requirepass** unchanged. |
+
+## Why not disable RDB everywhere?
+
+For **Celery / Sidekiq / Sentry**, Redis often holds **work not yet reflected in PostgreSQL**. Disabling **all** disk persistence (`save ""`) maximizes wear savings but increases the chance of **lost queued tasks** after a clean shutdown if the last save was stale. A **single** infrequent `save 900 1` keeps **much lower** write volume than Redis defaults (or Authentik’s old `save 60 1`) while still allowing periodic checkpoints.
+
+## Operational notes
+
+- After changing these settings, **restart** the Redis service (or full stack) so the new `command` applies.
+- Existing `dump.rdb` files under each app’s `lib/.../redis` volume are still used on startup until removed; that’s normal.
+- If you need **stronger** queue durability for one app, tighten that stack only (e.g. add `save 300 10` or enable AOF with `appendfsync everysec`) at the cost of more SSD writes.

experiments/homebox/.rsync-exclude

@@ -1 +0,0 @@
-config/confg.yml

experiments/homebox/README.md

@@ -40,6 +40,10 @@ For **`latest-rootless`** or **`latest-hardened`**, see the [HomeBox quick start
 - **`postgres-net`** — database (`postgresql` hostname)
 - **`nginx-proxy-net`** — reverse proxy to container port **7745**
 
+## Healthcheck
+
+`wget` to **`http://127.0.0.1:7745/api/v1/status`** inside the container (no dependency on `localhost` DNS).
+
 ## Usage
 
 ### Start

experiments/homebox/docker-compose.yml

@@ -4,30 +4,25 @@ services:
     container_name: homebox
     hostname: homebox
     restart: unless-stopped
-    env_file:
-      - .env
     volumes:
       - ../../lib/homebox:/data
-#    ports:
-#      - 3100:7745
-    networks:
-      - proxy
-      - db
+    env_file:
+      - .env
     healthcheck:
       test:
         [
-          "CMD",
-          "wget",
-          "--no-verbose",
-          "--tries=1",
-          "-O",
-          "-",
-          "http://localhost:7745/api/v1/status",
+          "CMD-SHELL",
+          "wget -q -O - http://127.0.0.1:7745/api/v1/status >/dev/null || exit 1",
         ]
       interval: 30s
-      timeout: 5s
+      timeout: 10s
       retries: 3
       start_period: 15s
+#   ports:
+#     - 3100:7745
+    networks:
+      - proxy
+      - db
 
 networks:
   proxy:

experiments/llama-router/.env.example

@@ -1,2 +1,5 @@
+# Pin image tag (optional)
+IMAGE_VERSION=latest
+
 LLAMA_ROUTER_DATABASE_PATH=/app/data/llama_router.db
 LLAMA_ROUTER_CACHE_EXTERNAL_HOST=llama-router.ctrlh

experiments/llama-router/.gitignore

@@ -0,0 +1 @@
+.env

experiments/llama-router/README.md

@@ -0,0 +1,29 @@
+# llama-router (experiment)
+
+[llama-router](https://github.com/romkey/llama-router) routes requests across multiple Ollama and llama.cpp backends and optional OCI model cache.
+
+## Configuration
+
+Copy **`.env.example`** to **`.env`**. Set **`LLAMA_ROUTER_CACHE_EXTERNAL_HOST`** to a hostname or IP your Ollama backends use to reach the cache (see upstream README). Use **`IMAGE_VERSION`** to pin the image tag.
+
+Persistent data: **`../../lib/llama-router`** (mounted at **`/app/data`**).
+
+## Networks
+
+- **`nginx-proxy-net`** — reverse proxy to dashboard (**`:80`**) and/or APIs if you publish ports or use a proxy container.
+
+## Healthcheck
+
+**`GET /health`** on **`127.0.0.1:80`** (dashboard), then **`:11434`**, then **`:8080`**, via **`python3`** (the image is `python:3.12-slim` and does not include `curl`). Port **9200** is the OCI cache registry only—not used for liveness.
+
+## Usage
+
+```bash
+docker compose up -d
+docker compose down
+docker compose logs -f
+```
+
+## Ports (optional)
+
+Uncomment **`ports`** in **`docker-compose.yml`** only if needed. Defaults inside the image: dashboard **80**, llama.cpp/OpenAI API **8080**, Ollama API **11434**, registry cache **9200**.

experiments/llama-router/docker-compose.yml

@@ -1,20 +1,45 @@
 services:
   llama-router:
-    image: ghcr.io/romkey/llama-router:latest
+    image: ghcr.io/romkey/llama-router:${IMAGE_VERSION:-latest}
     container_name: llama-router
     hostname: llama-router
-    ports:
-#      - "80:80"
-#      - "11434:11434"
-       - 9200:9200
+    restart: unless-stopped
     volumes:
       - ../../lib/llama-router:/app/data
     env_file:
       - .env
-    restart: unless-stopped
+    # GET /health on dashboard (80), Ollama API (11434), or llama.cpp API (8080). Uses python3 — slim image has no curl.
+    healthcheck:
+      test:
+        - CMD
+        - python3
+        - -c
+        - |
+            import urllib.request
+            for u in (
+                "http://127.0.0.1:80/health",
+                "http://127.0.0.1:11434/health",
+                "http://127.0.0.1:8080/health",
+            ):
+                try:
+                    urllib.request.urlopen(u, timeout=5)
+                    raise SystemExit(0)
+                except Exception:
+                    pass
+            raise SystemExit(1)
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+#   ports:
+#     - 80:80
+#     - 8080:8080
+#     - 11434:11434
+#     - 9200:9200
     networks:
       - proxy
+
 networks:
   proxy:
-    name: nginx-proxy-net
     external: true
+    name: nginx-proxy-net

experiments/nextcloud/.env.example

@@ -1,5 +1,5 @@
-# Optional: pin Nextcloud image (see docker-compose)
-#IMAGE_VERSION=latest
+# Pin Nextcloud image tag (optional)
+IMAGE_VERSION=latest
 
 POSTGRES_DB=nextcloud_db
 POSTGRES_USER=nextcloud_user

experiments/nextcloud/README.md

@@ -13,6 +13,10 @@ Configuration reference: [Nextcloud Docker environment variables](https://github
 - **`nginx-proxy-net`** — reverse proxy to the web container (port **80** inside the container unless you change it)
 - **`postgres-net`** — PostgreSQL as `postgresql:5432`
 
+## Healthcheck
+
+`curl` to **`http://127.0.0.1/status.php`** inside the container. **HTTP 503** usually means maintenance mode, upgrade in progress, or DB/config issues—not a bad healthcheck definition.
+
 ## Usage
 
 ```bash