feat(nixos): move smb credentials to server module and add librechat secrets

modules/nixos/default.nix

@@ -1,8 +1,7 @@
 {
-  inputs,
   lib,
   config,
-  pkgs,
+  system,
   ...
 }:
 let
@@ -56,22 +55,21 @@ in
       "/var/lib/systemd"
       "/var/lib/nixos"
     ];
-    stylix = {
-      enable = true;
-      base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml";
-    };
-    nixpkgs.config.allowUnfree = true;
-    nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 
+    stylix.enable = true;
+    nixpkgs = {
+      hostPlatform = system;
+      config.allowUnfree = true;
+    };
     nix.settings = {
       experimental-features = [
         "nix-command"
         "flakes"
         "pipe-operators"
       ];
-
       trusted-users = [ "@wheel" ];
     };
+    system.stateVersion = "25.05"; # Did you read the comment?
     time.timeZone = "Asia/Singapore";
     i18n.defaultLocale = "en_US.UTF-8";
     users = {
@@ -106,18 +104,6 @@ in
         "rafiq/hashedPassword".neededForUsers = true;
         "rafiq/personalEmailPassword" = { };
         "rafiq/workEmailPassword" = { };
-        "rafiq/oldSMBCredentials" = { };
-        "librechat/creds_key" = { };
-        "librechat/creds_iv" = { };
-        "librechat/jwt_secret" = { };
-        "librechat/jwt_refresh_secret" = { };
-        "librechat/meili_master_key" = { };
-      };
-      templates = {
-        "smb-credentials".content = ''
-          username=rafiq
-          password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
-        '';
       };
     };
     environment.shellInit = # sh
@@ -126,6 +112,5 @@ in
         export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
         export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
       '';
-    system.stateVersion = "25.05"; # Did you read the comment?
   };
 }

modules/nixos/server/default.nix

@@ -1,16 +1,15 @@
+{ lib, config, ... }:
 {
-  lib,
+  options.server.mountHelios = lib.mkEnableOption "";
-  config,
-  ...
-}:
-{
-  options.server = {
-    mountHelios = lib.mkEnableOption "";
-  };
 
-  config = lib.mkMerge [
+  config = lib.mkIf config.server.mountHelios {
-    (lib.mkIf config.server.mountHelios {
+    sops.secrets."rafiq/oldSMBCredentials" = { };
-      fileSystems."/media/helios/data" = {
+    sops.templates."smb-credentials".content = ''
+      username=rafiq
+      password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
+    '';
+    fileSystems = {
+      "/media/helios/data" = {
         device = "//helios/data";
         fsType = "cifs";
         options = [
@@ -19,7 +18,7 @@
           "x-systemd.mount-timeout=0"
         ];
       };
-      fileSystems."/media/helios/rafiqcloud" = {
+      "/media/helios/rafiqcloud" = {
         device = "//helios/rafiqcloud";
         fsType = "cifs";
         options = [
@@ -29,7 +28,7 @@
           "credentials=${config.sops.templates."smb-credentials".path}"
         ];
       };
-      fileSystems."/media/helios/rafiqmedia" = {
+      "/media/helios/rafiqmedia" = {
         device = "//helios/rafiqmedia";
         fsType = "cifs";
         options = [
@@ -39,6 +38,6 @@
           "credentials=${config.sops.templates."smb-credentials".path}"
         ];
       };
-    })
+    };
-  ];
+  };
 }

modules/nixos/server/web-apps/librechat/default.nix

@@ -23,6 +23,12 @@ mkWebApp {
     default = "mongodb://${config.hostname}:27017/LibreChat";
   };
   extraConfig = {
+    sops.secrets = {
+      "librechat/creds_key" = { };
+      "librechat/creds_iv" = { };
+      "librechat/jwt_secret" = { };
+      "librechat/jwt_refresh_secret" = { };
+    };
     services.librechat = {
       enable = true;
       openFirewall = true;

secrets/secrets.yaml

@@ -17,7 +17,6 @@ librechat:
     creds_iv: ENC[AES256_GCM,data:fbBD9RsuEHwDETwiYtAS9kBxgTy6zubrxHWpcuoEsR0=,iv:uZcwIfDPPn4XUf8IZkI29VH9CiKvEOlWuUaWgSjl1Kc=,tag:qbgiQU7bWSFjoGEwoptCpg==,type:str]
     jwt_secret: ENC[AES256_GCM,data:ZhDNIXrCaRWWfrlPxpBfnmeUluW0z72KGpQv9mGyf1kCCnfx3V2lPMm6QS6biajC+4oPVfgwqcXc4Lvs8OqU9g==,iv:1Ecj8fh+M5kw8cmVD96U6QgE7fNy9cbQV9v2Q305puc=,tag:U1ZglGWdTH1TGfcIIORMHQ==,type:str]
     jwt_refresh_secret: ENC[AES256_GCM,data:/4X6h51oRRaOg7UZ/zUcS1L8QyFnhsTYrz8D6R3ZP/tFAEMO/IfYJHHQQ8UtgKjAEwIVYcpIco8lUDhm06folw==,iv:02/LgoiMZ6MzBSd+JAi+iuF3dzqsVyqX6gQfWPY8sIc=,tag:5VrCh7ZKNJD3ynjcyQpVyg==,type:str]
-    meili_master_key: ENC[AES256_GCM,data:SFBALLqK1Gi5nvh5NyQF6Sr+BQdln4/SUSUGevK04eM=,iv:fElBxrcOCgi3ZO9Jtz2aA6q/S4liHjRpfxSg+LmSu+4=,tag:kx4k2DDm8Kt0KkQl63UMIQ==,type:str]
 sops:
     age:
         - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
@@ -29,7 +28,7 @@ sops:
             WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY
             M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-07T06:11:21Z"
+    lastmodified: "2025-06-17T02:15:21Z"
-    mac: ENC[AES256_GCM,data:ntsLgImSp1j4a1D3KxnjxKJW7DHbel1PmuDlDUeMm3zPvqkzo5Hm/sAW/BlcPYsrZPRci1xfxTs2SqUClwgEBvewbrxvP0ELWH+Aq6IC6ckRQe1OUJKHpq+/BnPRyJOXmjjlxNPYoNxmnShDlbI/AaiNLupdNNpgyaobHyRZBUw=,iv:EW/ag6o8UhZbBGhr32VoKkZbM5a43rDbZTmRO2hshQ8=,tag:h4KYFxOQToNQ+hCH+q1Cgg==,type:str]
+    mac: ENC[AES256_GCM,data:rFjFrXeRo5sMGQBR1UjLhJOGs0K/GVhKjhrbnyDq5JiUZRKnDns5JJfhBTwCZXcFXg8shDgj6P+vox+4Tl8PhadWV+s9OZVulvGGahZF39Msb7au7p+S77xVFw35QSB/d9LLEncO2WRyIm8tds18eJ8z3PBvGoad3DGcuLkYdlU=,iv:lUItY1Drr2e1rWLUw8JwdA42UVF1KZL+YMXZRSBIWtU=,tag:esr6v/lkHPcSkY/CP4g88Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

systems/x86_64-linux/common.nix

@@ -9,12 +9,10 @@ in
     email = "rafiq@rrv.sh";
   };
   server.mountHelios = true;
-
+  stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml";
   users.defaultUserShell = zsh;
   programs = {
     zsh.enable = true;
     zsh.enableCompletion = true;
   };
-
-  nixpkgs.hostPlatform = "x86_64-linux";
 }