feat(excalidash): fix slow loads — preview-strip patch + R2 storage + zstd

ExcaliDash was painfully slow over the home's asymmetric uplink
(0.5–2 Mbps after r8169 SG/TSO/GSO fix). Three issues found:

1. `/api/drawings` list returned 12.6 MB of inline SVG previews (issue #59).
2. Drawing files column stored 13.9 MB of base64 images in SQLite — every
   open/save shipped 2–18 MB over the tunnel (issue #145).
3. No response compression in Caddy.

Changes:

- caddy/Caddyfile: add `encode zstd gzip` to (common) → 4× smaller JSON.
- excalidash-backend: switch to custom image `excalidash-backend:s3`
  built from PR ZimengXiong/ExcaliDash#163 (S3 image upload). Wired to
  Cloudflare R2 bucket `excalidraw` via `excalidraw-bucket.phanthawas.dev`
  custom domain so images load from CF edge, bypassing the home uplink.
- excalidash/patches/drawings.js: bind-mounted override that drops
  `preview` from `summarySelect` in both `/drawings` list endpoints.
  Frontend lazy-fetches preview per card. List response 12.6 MB → ~2 KB.
- .env.example: document R2/S3 env var schema (values live in box .env).
- .gitignore / glance / hermes / amp / sync / conflux: bundled pre-existing
  local edits made during the same investigation.

Existing 26.6 MB of base64 in SQLite migrated to R2 via one-shot script
(reused backend's processFilesForS3 + rewritePreviewForS3). VACUUM after:
DB 39 MB → 848 KB.

Also fixed on box (config not in repo):
- /etc/systemd/system/nic-offload.service: persistent ethtool -K enp3s0
  sg/tso/gso on (r8169 ships these off, killing TCP uplink → 4× boost).

Author: RawSalmon69

homelab/.env.example

@@ -4,3 +4,48 @@ CLOUDFLARED_TOKEN=
 
 # Beszel agent — paste public key from Beszel hub UI after first login
 BESZEL_KEY=
+
+# ─── Hermes Agent ──────────────────────────────────────────────
+# Upstream LLM API key (Open WebUI / vLLM). Treat as exposed if shared.
+HERMES_LLM_KEY=
+
+# Telegram bot token from @BotFather. Leave empty to disable Telegram.
+HERMES_TELEGRAM_TOKEN=
+# Comma-separated Telegram user IDs allowed to message the bot.
+HERMES_TELEGRAM_USERS=
+
+# Caddy basic_auth bcrypt hashes. Generate with:
+#   docker run --rm caddy:2-alpine caddy hash-password --plaintext 'YOUR_PASS'
+# Escape every $ as $$ when pasting into .env (compose interpolation).
+HERMES_DASHBOARD_BCRYPT=
+SYNCTHING_BCRYPT=
+
+# ─── Conflux API ───────────────────────────────────────────────
+# External app from ghcr.io/conflux-888/conflux-api
+CONFLUX_MONGODB_URI=
+CONFLUX_JWT_SECRET=
+CONFLUX_GEMINI_API_KEY=
+CONFLUX_ADMIN_USER=
+CONFLUX_ADMIN_PASSWORD=
+
+# ─── Cloudflare R2 — Excalidash image storage (PR #163) ────────
+# Create via: CF Dashboard → R2 → Manage R2 API Tokens → Create
+# Permissions: Object Read & Write, scoped to bucket `excalidraw`.
+# Bucket: excalidraw (APAC, Standard)
+# Custom public domain: https://excalidraw-bucket.phanthawas.dev
+# CORS: allow https://draw.phanthawas.dev (PUT/GET/POST/DELETE/HEAD, * headers)
+R2_S3_ENDPOINT=
+R2_ACCESS_KEY_ID=
+R2_SECRET_ACCESS_KEY=
+CF_R2_API_TOKEN=
+CF_ACCOUNT_ID=
+
+# PR #163 backend S3 vars (consumed by excalidash-backend with S3 patch):
+S3_BUCKET=excalidraw
+S3_REGION=auto
+S3_ENDPOINT=
+S3_PUBLIC_URL=https://excalidraw-bucket.phanthawas.dev
+S3_FORCE_PATH_STYLE=true
+S3_KEY_PREFIX=excalidash
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=

homelab/.gitignore

@@ -12,3 +12,7 @@ komodo/mongo/
 komodo/periphery/
 yourls/db/
 excalidash/data/
+hermes/data/
+hermes/vault/
+hermes/skills/*/
+syncthing/config/

homelab/README.md

@@ -26,8 +26,10 @@ ssh root@100.106.13.67 "cd /opt/homelab && docker compose up -d"
 | Vaultwarden | https://vault.phanthawas.dev |
 | Dozzle (Cloudflare Access) | https://logs.phanthawas.dev |
 | Komodo (UI only) | https://komodo.phanthawas.dev |
-| YOURLS | https://yo.phanthawas.dev/admin/ |
+| YOURLS | https://link.phanthawas.dev/admin/ |
 | ExcaliDash | https://draw.phanthawas.dev |
+| Hermes Agent (dashboard + TUI chat) | https://hermes.phanthawas.dev |
+| Syncthing | https://sync.phanthawas.dev |
 
 ## Config Sync to Box
 
@@ -36,6 +38,7 @@ When editing `homelab/` files locally, sync via:
 ```bash
 rsync -av --inplace --exclude='.env' --exclude='cloudflared/credentials.json' \
   --exclude='*/data/' --exclude='*/work/' --exclude='*/conf/' --exclude='*/db/' \
+  --exclude='hermes/data/' --exclude='hermes/vault/' --exclude='syncthing/config/' \
   --exclude='komodo/' \
   ./homelab/ root@100.106.13.67:/opt/homelab/
 
@@ -56,5 +59,22 @@ homelab/
 │   ├── glance.yml            ← dashboard config
 │   └── custom.css            ← (unused, kept for future)
 ├── dozzle/data/users.yml     ← bcrypt'd creds
+├── hermes/
+│   ├── config.yaml           ← Hermes Agent config (committed)
+│   ├── skills/               ← agent skills (committed, RW)
+│   ├── data/                 ← gitignored runtime: sessions, memories, .env
+│   ├── vault/                ← gitignored Obsidian vault, synced via Syncthing
+│   └── SETUP.md              ← bootstrap order
+├── syncthing/config/         ← gitignored Syncthing state
 └── <service>/data            ← per-service runtime data (gitignored)
 ```
+
+## Hermes Agent (virtual assistant)
+
+Self-hosted AI assistant + Obsidian "second brain". See `hermes/SETUP.md` for bootstrap order. Key bits:
+
+- Upstream LLM: Open WebUI proxy at `ai.devops.nipa.cloud` → Gemma 4 31B AWQ-8bit (64K ctx)
+- Vault on box at `/opt/homelab/hermes/vault`, synced to Mac via Syncthing
+- Telegram bot, morning brief 07:00 Asia/Bangkok
+- Skills: `ingest-url`, `wiki-compile`, `wiki-lint`, `process-inbox`, `daily-brief`
+- Karpathy LLM-wiki pattern: agent owns `wiki/`, `Daily/`, `sources/`, `inbox/`. User edits `Work/`, `Personal/`, `People/`.

homelab/caddy/Caddyfile

@@ -6,6 +6,7 @@
 }
 
 (common) {
+	encode zstd gzip
 	header {
 		Strict-Transport-Security "max-age=31536000; includeSubDomains"
 		X-Content-Type-Options nosniff
@@ -19,10 +20,10 @@ http://glance.phanthawas.dev {
 	reverse_proxy localhost:8888
 }
 
-# AdGuard Home admin UI
+# AdGuard Home admin UI (port 3030 — 3000 reserved for Hermes WhatsApp bridge)
 http://adguard.phanthawas.dev {
 	import common
-	reverse_proxy localhost:3000
+	reverse_proxy localhost:3030
 }
 
 # Beszel monitoring
@@ -43,14 +44,8 @@ http://logs.phanthawas.dev {
 	reverse_proxy localhost:8095
 }
 
-# Komodo — GitOps docker stack manager
-http://komodo.phanthawas.dev {
-	import common
-	reverse_proxy localhost:9120
-}
-
 # YOURLS — short URL service
-http://yo.phanthawas.dev {
+http://link.phanthawas.dev {
 	import common
 	reverse_proxy localhost:8081
 }
@@ -61,6 +56,36 @@ http://draw.phanthawas.dev {
 	reverse_proxy localhost:6767
 }
 
+# Hermes Agent — dashboard (memory inspector, sessions, skills, TUI chat)
+http://hermes.phanthawas.dev {
+	import common
+	basic_auth {
+		raws {$HERMES_DASHBOARD_BCRYPT}
+	}
+	reverse_proxy localhost:9119
+}
+
+# AMP — game server panel (CubeCoders)
+http://amp.phanthawas.dev {
+	import common
+	reverse_proxy localhost:8080
+}
+
+# Syncthing — vault sync UI
+http://sync.phanthawas.dev {
+	import common
+	basic_auth {
+		raws {$SYNCTHING_BCRYPT}
+	}
+	reverse_proxy localhost:8384
+}
+
+# Conflux API — external app deployed from ghcr
+http://conflux-api.phanthawas.dev {
+	import common
+	reverse_proxy localhost:8083
+}
+
 # Add new services here:
 # http://<name>.phanthawas.dev {
 #     import common

homelab/compose.yaml

@@ -17,6 +17,9 @@ services:
       - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
       - ./caddy/data:/data
       - ./caddy/config:/config
+    environment:
+      HERMES_DASHBOARD_BCRYPT: ${HERMES_DASHBOARD_BCRYPT}
+      SYNCTHING_BCRYPT: ${SYNCTHING_BCRYPT}
     restart: unless-stopped
 
   cloudflared:
@@ -126,51 +129,6 @@ services:
       DOZZLE_AUTH_PROVIDER: simple
     restart: unless-stopped
 
-  komodo-mongo:
-    image: mongo:7.0
-    container_name: komodo-mongo
-    restart: unless-stopped
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: komodo
-      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_PASS}
-    volumes:
-      - ./komodo/mongo:/data/db
-    command: ["--quiet", "--wiredTigerCacheSizeGB", "0.25"]
-
-  komodo-core:
-    image: ghcr.io/mbecker20/komodo:latest
-    container_name: komodo-core
-    restart: unless-stopped
-    depends_on:
-      - komodo-mongo
-    ports:
-      - "9120:9120"
-    environment:
-      KOMODO_DATABASE_ADDRESS: komodo-mongo:27017
-      KOMODO_DATABASE_USERNAME: komodo
-      KOMODO_DATABASE_PASSWORD: ${MONGO_PASS}
-      KOMODO_PASSKEY: ${KOMODO_PASSKEY}
-      KOMODO_WEBHOOK_SECRET: ${KOMODO_WEBHOOK_SECRET}
-      KOMODO_HOST: https://komodo.phanthawas.dev
-      KOMODO_TITLE: raws-homelab
-      KOMODO_FIRST_SERVER: http://komodo-periphery:8120
-      KOMODO_DISABLE_CONFIRM_DIALOG: "false"
-      KOMODO_LOCAL_AUTH: "true"
-      KOMODO_DISABLE_USER_REGISTRATION: "true"
-      KOMODO_ENABLE_NEW_USERS: "true"
-
-  komodo-periphery:
-    image: ghcr.io/mbecker20/periphery:latest
-    container_name: komodo-periphery
-    restart: unless-stopped
-    environment:
-      PERIPHERY_PASSKEYS: ${KOMODO_PASSKEY}
-      PERIPHERY_ROOT_DIRECTORY: /etc/komodo
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./komodo/periphery:/etc/komodo
-      - /proc:/proc:ro
-
   yourls-db:
     image: mariadb:10
     container_name: yourls-db
@@ -196,24 +154,42 @@ services:
       YOURLS_DB_USER: yourls
       YOURLS_DB_PASS: ${YOURLS_DB_PASS}
       YOURLS_DB_NAME: yourls
-      YOURLS_SITE: https://yo.phanthawas.dev
+      YOURLS_SITE: https://link.phanthawas.dev
       YOURLS_USER: raws
       YOURLS_PASS: ${YOURLS_ADMIN_PASS}
 
   excalidash-backend:
-    image: zimengxiong/excalidash-backend:latest
+    # Custom image built from PR #163 (S3 image upload) on box:
+    #   git clone -b feat/s3-image-upload https://github.com/OhYee/ExcaliDash.git /opt/build/excalidash-s3
+    #   cd /opt/build/excalidash-s3/backend && docker build -t excalidash-backend:s3 .
+    # Rebuild on upstream merge: switch back to zimengxiong/excalidash-backend:<tag>
+    image: excalidash-backend:s3
     container_name: excalidash-backend
     restart: unless-stopped
     environment:
       DATABASE_URL: file:/app/prisma/dev.db
       PORT: 8000
       NODE_ENV: production
       AUTH_MODE: local
-      TRUST_PROXY: "false"
+      TRUST_PROXY: "true"
+      FRONTEND_URL: https://draw.phanthawas.dev
       JWT_SECRET: ${EXCALIDASH_JWT_SECRET}
       CSRF_SECRET: ${EXCALIDASH_CSRF_SECRET}
+      # ─── S3 image storage (Cloudflare R2 via PR #163) ─────────
+      S3_BUCKET: ${S3_BUCKET}
+      S3_REGION: ${S3_REGION}
+      S3_ENDPOINT: ${S3_ENDPOINT}
+      S3_PUBLIC_URL: ${S3_PUBLIC_URL}
+      S3_FORCE_PATH_STYLE: ${S3_FORCE_PATH_STYLE}
+      S3_KEY_PREFIX: ${S3_KEY_PREFIX}
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
     volumes:
       - ./excalidash/data:/app/prisma
+      # Patch: drop `preview` field from /drawings list summary (issue #59).
+      # Preview is ~2-8 MB base64 SVG per drawing → 12 MB list responses.
+      # Frontend lazy-fetches preview via DrawingCard. Re-apply on image upgrade.
+      - ./excalidash/patches/drawings.js:/app/dist/routes/dashboard/drawings.js:ro
 
   excalidash:
     image: zimengxiong/excalidash-frontend:latest
@@ -225,3 +201,61 @@ services:
       BACKEND_URL: excalidash-backend:8000
     ports:
       - "6767:80"
+
+  # ─── Hermes Agent ───
+  # Hermes runs NATIVELY on the box, installed via the official script:
+  #   curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash
+  # Managed by systemd: hermes-gateway.service + hermes-dashboard.service.
+  # Caddy proxies hermes.phanthawas.dev → localhost:9119.
+  # See hermes/SETUP.md for install / migration steps.
+  #
+  # systemd drop-ins mirror stdout/stderr to /var/log/hermes-*.log so the
+  # tail container below makes the logs visible in Dozzle. The drop-ins live
+  # at /etc/systemd/system/hermes-{gateway,dashboard}.service.d/log-to-file.conf
+  hermes-logs:
+    image: alpine:latest
+    container_name: hermes-logs
+    command: tail -F /var/log/hermes-gateway.log /var/log/hermes-dashboard.log
+    volumes:
+      - /var/log/hermes-gateway.log:/var/log/hermes-gateway.log:ro
+      - /var/log/hermes-dashboard.log:/var/log/hermes-dashboard.log:ro
+    restart: unless-stopped
+
+  # ─── Conflux API — external app, ghcr image ───
+  conflux-api:
+    image: ghcr.io/conflux-888/conflux-api:dev-1.0.0.35
+    container_name: conflux-api
+    restart: unless-stopped
+    ports:
+      - "8083:8080"
+    environment:
+      OG_LEVEL: debug
+      PORT: 8080
+      MONGODB_URI: ${CONFLUX_MONGODB_URI}
+      MONGODB_DATABASE: conflux
+      JWT_SECRET: ${CONFLUX_JWT_SECRET}
+      SYNC_INTERVAL_MINUTES: 15
+      SYNC_INITIAL_DAYS_BACK: 30
+      SYNC_MIN_FATALITIES: 1
+      GEMINI_API_KEY: ${CONFLUX_GEMINI_API_KEY}
+      SUMMARY_CHECK_INTERVAL_MIN: 30
+      SUMMARY_BACKFILL_DAYS: 7
+      CORS_ALLOW_LOCALHOST: "false"
+      ADMIN_UI_ENABLED: "true"
+      ADMIN_USER: ${CONFLUX_ADMIN_USER}
+      ADMIN_PASSWORD: ${CONFLUX_ADMIN_PASSWORD}
+
+  # ─── Syncthing — vault sync between Mac and homelab ───
+  syncthing:
+    image: syncthing/syncthing:latest
+    container_name: syncthing
+    hostname: homelab
+    network_mode: host  # 8384 GUI, 22000 sync, 21027 discovery
+    environment:
+      PUID: "1000"
+      PGID: "1000"
+      TZ: Asia/Bangkok
+    volumes:
+      - ./syncthing/config:/var/syncthing/config
+      - ./hermes/vault:/var/syncthing/Sync/hermes-vault
+    restart: unless-stopped