rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(librechat): add ability to define config settings in nix way

Browse source
This commit is contained in:
Mohammad Rafiq 2025-05-31 14:41:13 +08:00
parent 9f6f870d6c
commit b2f596e5b1
No known key found for this signature in database
2 changed files with 105 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

183
modules/nixos/server/librechat/default.nix
View file

@ -13,6 +13,18 @@ in
enable = lib.mkEnableOption "Whether to enable the LibreChat server."; enable = lib.mkEnableOption "Whether to enable the LibreChat server.";
openFirewall = lib.mkEnableOption "Whether to open the port in the firewall."; openFirewall = lib.mkEnableOption "Whether to open the port in the firewall.";
settings = lib.mkOption {
type = lib.types.attrs;
default = { };
example = # nix
''
{
}
'';
description = "A free-form attribute set that will be written to librechat.yaml.";
};
path = lib.mkOption { path = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/var/lib/librechat"; default = "/var/lib/librechat";
@ -187,89 +199,98 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable (
let
assertions = [ configFile = pkgs.writeTextFile {
{ name = "librechat.yaml";
assertion = (cfg.credentials.creds_key != "") || (cfg.credentials.creds_key_file != ""); text = lib.generators.toYAML { } cfg.settings;
message = "You must set either credentials.creds_key or credentials.creds_key_file.";
}
{
assertion = (cfg.credentials.creds_iv != "") || (cfg.credentials.creds_iv_file != "");
message = "You must set either credentials.creds_iv or credentials.creds_iv_file.";
}
{
assertion = cfg.mongodbURI != "";
message = "You must set the mongodbURI option.";
}
{
assertion =
cfg.logging.enableDebugLogging
&& (
(cfg.logging.enableConsoleLogging && !cfg.logging.enableConsoleJSONLogging)
|| (!cfg.logging.enableConsoleLogging && cfg.logging.enableConsoleJSONLogging)
|| (!cfg.logging.enableConsoleLogging && !cfg.logging.enableConsoleJSONLogging)
);
message = "DEBUG_LOGGING can be used with either DEBUG_CONSOLE or CONSOLE_JSON but not both.";
}
{
assertion = (cfg.credentials.jwt_secret != "") || (cfg.credentials.jwt_secret_file != "");
message = "You must set either credentials.jwt_secret or credentials.jwt_secret_file.";
}
{
assertion =
(cfg.credentials.jwt_refresh_secret != "") || (cfg.credentials.jwt_refresh_secret_file != "");
message = "You must set either credentials.jwt_refresh_secret or credentials.jwt_refresh_secret_file.";
}
];
networking.firewall.allowedTCPPorts = if cfg.openFirewall then [ cfg.port ] else [ ];
systemd.services.librechat = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Open-source app for all your AI conversations, fully customizable and compatible with any AI provider";
serviceConfig = {
Type = "simple"; # FIXME
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = "true"; # run mkdir as root
ExecStartPre = [
"${pkgs.coreutils}/bin/mkdir -p ${cfg.path}"
"${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.path}"
];
LoadCredential = [
#TODO: Use the creds_* options
"CREDS_KEY_FILE:${cfg.credentials.creds_key_file}"
"CREDS_IV_FILE:${cfg.credentials.creds_iv_file}"
"JWT_SECRET_FILE:${cfg.credentials.jwt_secret_file}"
"JWT_REFRESH_SECRET_FILE:${cfg.credentials.jwt_refresh_secret_file}"
];
}; };
script = # sh in
'' {
# Load the systemd credentials
export CREDS_KEY=$(${pkgs.systemd}/bin/systemd-creds cat CREDS_KEY_FILE)
export CREDS_IV=$(${pkgs.systemd}/bin/systemd-creds cat CREDS_IV_FILE)
export JWT_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_SECRET_FILE)
export JWT_REFRESH_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_REFRESH_SECRET_FILE)
export HOST=${cfg.host} assertions = [
export PORT=${builtins.toString cfg.port} {
export MONGO_URI="${cfg.mongodbURI}" assertion = (cfg.credentials.creds_key != "") || (cfg.credentials.creds_key_file != "");
export ALLOW_EMAIL_LOGIN=${if cfg.auth.allowEmailLogin then "true" else "false"} message = "You must set either credentials.creds_key or credentials.creds_key_file.";
export ALLOW_REGISTRATION=${if cfg.auth.allowEmailRegistration then "true" else "false"} }
{
assertion = (cfg.credentials.creds_iv != "") || (cfg.credentials.creds_iv_file != "");
message = "You must set either credentials.creds_iv or credentials.creds_iv_file.";
}
{
assertion = cfg.mongodbURI != "";
message = "You must set the mongodbURI option.";
}
{
assertion =
cfg.logging.enableDebugLogging
&& (
(cfg.logging.enableConsoleLogging && !cfg.logging.enableConsoleJSONLogging)
|| (!cfg.logging.enableConsoleLogging && cfg.logging.enableConsoleJSONLogging)
|| (!cfg.logging.enableConsoleLogging && !cfg.logging.enableConsoleJSONLogging)
);
message = "DEBUG_LOGGING can be used with either DEBUG_CONSOLE or CONSOLE_JSON but not both.";
}
{
assertion = (cfg.credentials.jwt_secret != "") || (cfg.credentials.jwt_secret_file != "");
message = "You must set either credentials.jwt_secret or credentials.jwt_secret_file.";
}
{
assertion =
(cfg.credentials.jwt_refresh_secret != "") || (cfg.credentials.jwt_refresh_secret_file != "");
message = "You must set either credentials.jwt_refresh_secret or credentials.jwt_refresh_secret_file.";
}
];
cd ${cfg.path} networking.firewall.allowedTCPPorts = if cfg.openFirewall then [ cfg.port ] else [ ];
${pkgs.librechat}/bin/librechat-server systemd.services.librechat = {
''; wantedBy = [ "multi-user.target" ];
}; after = [ "network.target" ];
description = "Open-source app for all your AI conversations, fully customizable and compatible with any AI provider";
serviceConfig = {
Type = "simple"; # FIXME
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = "true"; # run mkdir as root
ExecStartPre = [
"${pkgs.coreutils}/bin/mkdir -p ${cfg.path}"
"${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.path}"
];
LoadCredential = [
#TODO: Use the creds_* options
"CREDS_KEY_FILE:${cfg.credentials.creds_key_file}"
"CREDS_IV_FILE:${cfg.credentials.creds_iv_file}"
"JWT_SECRET_FILE:${cfg.credentials.jwt_secret_file}"
"JWT_REFRESH_SECRET_FILE:${cfg.credentials.jwt_refresh_secret_file}"
];
};
script = # sh
''
# Load the systemd credentials
export CREDS_KEY=$(${pkgs.systemd}/bin/systemd-creds cat CREDS_KEY_FILE)
export CREDS_IV=$(${pkgs.systemd}/bin/systemd-creds cat CREDS_IV_FILE)
export JWT_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_SECRET_FILE)
export JWT_REFRESH_SECRET=$(${pkgs.systemd}/bin/systemd-creds cat JWT_REFRESH_SECRET_FILE)
users.users.librechat = lib.mkIf (cfg.user == "librechat") { export CONFIG_PATH=${configFile}
name = "librechat"; export HOST=${cfg.host}
isSystemUser = true; export PORT=${builtins.toString cfg.port}
group = "librechat"; export MONGO_URI="${cfg.mongodbURI}"
description = "LibreChat server user"; export ALLOW_EMAIL_LOGIN=${if cfg.auth.allowEmailLogin then "true" else "false"}
}; export ALLOW_REGISTRATION=${if cfg.auth.allowEmailRegistration then "true" else "false"}
users.groups.librechat = lib.mkIf (cfg.user == "librechat") { };
}; cd ${cfg.path}
${pkgs.librechat}/bin/librechat-server
'';
};
users.users.librechat = lib.mkIf (cfg.user == "librechat") {
name = "librechat";
isSystemUser = true;
group = "librechat";
description = "LibreChat server user";
};
users.groups.librechat = lib.mkIf (cfg.user == "librechat") { };
}
);
} }

3
systems/x86_64-linux/apollo/default.nix
View file

@ -30,6 +30,9 @@
openFirewall = true; openFirewall = true;
host = "0.0.0.0"; host = "0.0.0.0";
mongodbURI = "mongodb://apollo:27017"; mongodbURI = "mongodb://apollo:27017";
settings = {
version = "1.0.8";
};
auth = { auth = {
allowEmailLogin = true; allowEmailLogin = true;
allowEmailRegistration = true; allowEmailRegistration = true;