From a24d727134054aaca9a2ea08bce1fdfac95c3c93 Mon Sep 17 00:00:00 2001 From: Mohammad Rafiq Date: Thu, 29 May 2025 22:19:27 +0800 Subject: [PATCH] feat(nixosModules/server): add librechat service --- modules/nixos/server/default.nix | 68 +++++++++++++++++++++++- modules/nixos/system/secrets.nix | 5 -- systems/x86_64-linux/nemesis/default.nix | 13 ++++- 3 files changed, 78 insertions(+), 8 deletions(-)
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 63fe478..ddf7a91 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -1,11 +1,77 @@ -{ lib, config, ... }: +{ + lib, + config, + pkgs, + ... +}: { options.server = { mountHelios = lib.mkEnableOption ""; enableDDNS = lib.mkEnableOption ""; + librechat = { + enable = lib.mkEnableOption ""; + mongodbURI = lib.mkOption { type = lib.types.str; }; + creds_key_file = lib.mkOption { type = lib.types.str; }; + creds_iv_file = lib.mkOption { type = lib.types.str; }; + jwt_secret_file = lib.mkOption { type = lib.types.str; }; + jwt_refresh_secret_file = lib.mkOption { type = lib.types.str; }; + meili_master_key_file = lib.mkOption { type = lib.types.str; }; + path = lib.mkOption { + type = lib.types.str; + default = "/var/lib/librechat"; + }; + user = lib.mkOption { + type = lib.types.str; + default = "librechat"; + }; + }; }; config = lib.mkMerge [ + (lib.mkIf config.server.librechat.enable { + environment.persistence."/persist".directories = [ + { + directory = config.server.librechat.path; + user = config.server.librechat.user; + group = "librechat"; + } + ]; + systemd.services.librechat = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "Open-source app for all your AI conversations, fully customizable and compatible with any AI provider"; + serviceConfig = { + Type = "simple"; # FIXME + User = config.server.librechat.user; + LoadCredential = [ + "CREDS_KEY_FILE:${config.server.librechat.creds_key_file}" + "CREDS_IV_FILE:${config.server.librechat.creds_iv_file}" + "JWT_SECRET_FILE:${config.server.librechat.jwt_secret_file}" + "JWT_REFRESH_SECRET_FILE:${config.server.librechat.jwt_refresh_secret_file}" + "MEILI_MASTER_KEY_FILE:${config.server.librechat.meili_master_key_file}" + ]; + }; + script = # sh + '' + export MONGO_URI="${config.server.librechat.mongodbURI}" + export CREDS_KEY=$(${pkgs.systemd}/bin/systemd-creds cat CREDS_KEY_FILE) + export CREDS_IV=$(${pkgs.systemd}/bin/systemd-creds cat CREDS_IV_FILE) + export JWT_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_SECRET_FILE) + export 
JWT_REFRESH_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_REFRESH_SECRET_FILE) + export MEILI_MASTER_KEY=$(${pkgs.systemd}/bin/systemd-creds cat MEILI_MASTER_KEY_FILE) + cd ${config.server.librechat.path} + ${pkgs.librechat}/bin/librechat-server + ''; + }; + + users.users.librechat = lib.mkIf (config.server.librechat.user == "librechat") { + name = "librechat"; + isSystemUser = true; + group = "librechat"; + description = "LibreChat server user"; + }; + users.groups.librechat = lib.mkIf (config.server.librechat.user == "librechat") { }; + }) (lib.mkIf config.server.enableDDNS { services.godns = { enable = true; diff --git a/modules/nixos/system/secrets.nix b/modules/nixos/system/secrets.nix index 142a07f..1ad952f 100644 --- a/modules/nixos/system/secrets.nix +++ b/modules/nixos/system/secrets.nix @@ -23,10 +23,5 @@ export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path}) export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path}) export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path}) - export CREDS_KEY=$(sudo cat ${config.sops.secrets."librechat/creds_key".path}) - export CREDS_IV=$(sudo cat ${config.sops.secrets."librechat/creds_iv".path}) - export JWT_SECRET=$(sudo cat ${config.sops.secrets."librechat/jwt_secret".path}) - export JWT_REFRESH_SECRET=$(sudo cat ${config.sops.secrets."librechat/jwt_refresh_secret".path}) - export MEILI_MASTER_KEY=$(sudo cat ${config.sops.secrets."librechat/meili_master_key".path}) ''; } diff --git a/systems/x86_64-linux/nemesis/default.nix b/systems/x86_64-linux/nemesis/default.nix index 250f7f5..1ec8da8 100644 --- a/systems/x86_64-linux/nemesis/default.nix +++ b/systems/x86_64-linux/nemesis/default.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, ... }: +{ lib, config, ... }: { - environment.systemPackages = [ pkgs.librechat ]; + system = { hostname = "nemesis"; mainUser.name = "rafiq"; 
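Review bot: In modules/nixos/server/default.nix, the `export VAR=$(systemd-creds cat …)` lines in the service `script` discard the exit status of the command substitution, so a failed or empty credential read still starts `librechat-server` with an empty `JWT_SECRET` or `CREDS_KEY`; this holds even if the generated script runs with errexit, because the status the shell sees is that of `export`. Assigning first and exporting afterwards, e.g. `JWT_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_SECRET_FILE)` followed by `export JWT_SECRET`, lets the unit fail instead, and a `[ -n "$JWT_SECRET" ]` guard would also reject an empty file; the same applies to the other four variables. Exporting places the secrets in the process environment, where child processes inherit them, so a comment stating that `LoadCredential` protects the files on disk but not the running environment would help the next reader. Separately, the persistence entry hard-codes `group = "librechat"` while `users.groups.librechat` is only created when `user` keeps its default, so a custom `user` would reference a group this module does not define.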
@@ -49,6 +49,15 @@ } ]; }; + librechat = { + enable = true; + mongodbURI = "mongodb://apollo:27017"; + creds_key_file = config.sops.secrets."librechat/creds_key".path; + creds_iv_file = config.sops.secrets."librechat/creds_iv".path; + jwt_secret_file = config.sops.secrets."librechat/jwt_secret".path; + jwt_refresh_secret_file = config.sops.secrets."librechat/jwt_refresh_secret".path; + meili_master_key_file = config.sops.secrets."librechat/meili_master_key".path; + }; }; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
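Review bot: `mongodbURI = "mongodb://apollo:27017"` carries no credentials and no TLS parameter, so as far as this hunk shows the service talks to MongoDB on another host unauthenticated and in cleartext; whether `apollo` is reachable only over a trusted link is not visible here. If authentication is enabled later, the password should not be added to this string, because `mongodbURI` is a plain `str` option that is interpolated into the unit script in the world-readable Nix store, unlike the five `*_file` options that are passed as sops paths. A `mongodbURIFile` option loaded through `LoadCredential` like the others would keep it out of the store; short of that, a comment such as `# no credentials here: this string ends up in /nix/store` above the line documents the constraint. The enclosing attribute set starts outside the hunk.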