diff --git a/modules/nixos/server/librechat/default.nix b/modules/nixos/server/librechat/default.nix index d0c250c..eb4e54d 100644 --- a/modules/nixos/server/librechat/default.nix +++ b/modules/nixos/server/librechat/default.nix @@ -25,6 +25,10 @@ in type = lib.types.str; default = "librechat"; }; + group = lib.mkOption { + type = lib.types.str; + default = "librechat"; + }; }; config = lib.mkIf cfg.enable { @@ -35,6 +39,12 @@ in serviceConfig = { Type = "simple"; # FIXME User = cfg.user; + Group = cfg.group; + PermissionsStartOnly = "true"; # run mkdir as root + ExecStartPre = [ + "${pkgs.coreutils}/bin/mkdir -p ${cfg.path}" + "${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.path}" + ]; LoadCredential = [ "CREDS_KEY_FILE:${cfg.creds_key_file}" "CREDS_IV_FILE:${cfg.creds_iv_file}" diff --git a/systems/x86_64-linux/apollo/default.nix b/systems/x86_64-linux/apollo/default.nix index 6a985de..0f594ec 100644 --- a/systems/x86_64-linux/apollo/default.nix +++ b/systems/x86_64-linux/apollo/default.nix @@ -1,4 +1,5 @@ { + config, lib, ... }: @@ -24,7 +25,24 @@ enableDDNS = true; mountHelios = true; databases.mongodb.enable = true; + librechat = { + enable = true; + mongodbURI = "mongodb://apollo:27017"; + creds_key_file = config.sops.secrets."librechat/creds_key".path; + creds_iv_file = config.sops.secrets."librechat/creds_iv".path; + jwt_secret_file = config.sops.secrets."librechat/jwt_secret".path; + jwt_refresh_secret_file = config.sops.secrets."librechat/jwt_refresh_secret".path; + meili_master_key_file = config.sops.secrets."librechat/meili_master_key".path; + }; }; + environment.persistence."/persist".directories = [ + { + directory = config.server.librechat.path; + user = config.server.librechat.user; + group = config.server.librechat.group; + } + ]; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/systems/x86_64-linux/nemesis/default.nix b/systems/x86_64-linux/nemesis/default.nix index 1d0de6c..d3e353f 100644 
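Review bot: The new `group` option in the first hunk of modules/nixos/server/librechat/default.nix has no `description`, and nothing visible here creates the group. A unit with `Group = cfg.group` fails to start if the group does not exist, so confirm the module declares `users.groups.${cfg.group}` next to the service user. I would also add `description = "Group the LibreChat service runs as and that owns its data directory.";`. The options block starts and ends outside the hunk, so the declaration may already be there.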
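Review bot: The `ExecStartPre` entries added in the serviceConfig hunk run `chown -R` as root over `cfg.path` on every start, although the unprivileged service user controls what that tree contains. That is more privilege than the job needs, and `PermissionsStartOnly` is a deprecated systemd setting that also lifts the `User=` restriction from every other pre/post command. Creating the directory once, non-recursively, is enough: `systemd.tmpfiles.rules = [ "d ${cfg.path} 0750 ${cfg.user} ${cfg.group} -" ];`, or `StateDirectory=` if the path can live under /var/lib. If a root step has to stay, put the `+` prefix on that single command and drop `-R`. `${cfg.path}` is also interpolated unquoted, so a path containing whitespace would be split into several arguments. The serviceConfig block continues outside the hunk.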
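Review bot: In the second hunk of systems/x86_64-linux/apollo/default.nix, `mongodbURI = "mongodb://apollo:27017"` carries no credentials and addresses the database by hostname, although LibreChat now runs on the same host as MongoDB. If nothing else needs remote access, use `mongodbURI = "mongodb://127.0.0.1:27017";` and keep mongod bound to loopback. Otherwise enable authentication and supply the URI through a sops-managed file like the other secrets. The mongod bind address and auth settings are not visible in this diff, so this is a point to confirm rather than a confirmed exposure. Also check that the five `librechat/*` entries are declared under `sops.secrets` for apollo now that the block has moved from nemesis. Because the module passes them via `LoadCredential`, they can stay root-owned and need not be readable by the service user.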
--- a/systems/x86_64-linux/nemesis/default.nix +++ b/systems/x86_64-linux/nemesis/default.nix @@ -49,23 +49,7 @@ } ]; }; - librechat = { - enable = true; - mongodbURI = "mongodb://apollo:27017"; - creds_key_file = config.sops.secrets."librechat/creds_key".path; - creds_iv_file = config.sops.secrets."librechat/creds_iv".path; - jwt_secret_file = config.sops.secrets."librechat/jwt_secret".path; - jwt_refresh_secret_file = config.sops.secrets."librechat/jwt_refresh_secret".path; - meili_master_key_file = config.sops.secrets."librechat/meili_master_key".path; - }; }; - environment.persistence."/persist".directories = [ - { - directory = config.server.librechat.path; - user = config.server.librechat.user; - group = "librechat"; - } - ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; }