From afb49c74073a597f9a98022068292826fed2ccb4 Mon Sep 17 00:00:00 2001
From: sid <sid@sid.ovh>
Date: Tue, 19 May 2026 20:59:18 +0200
Subject: [PATCH] new librechat api

---
 flake.lock                           |  8 +++----
 hosts/rx4/secrets/secrets.yaml       |  7 ++++--
 hosts/rx4/services/librechat-oci.nix | 34 +++++++++++++++++++++++-----
 3 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index b5376a3..8036d42 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5199,11 +5199,11 @@
         "stylix": "stylix_6"
       },
       "locked": {
-        "lastModified": 1779211946,
-        "narHash": "sha256-PZsNGNnwgiFh8sm8POIEeDf/JVB0+lhGEApp/wS4XCk=",
+        "lastModified": 1779216861,
+        "narHash": "sha256-fmgvPXXlrVJhIRGNjuYbrr5sHNFxFdlU3kdkmmzPirY=",
         "ref": "release-25.11",
-        "rev": "fe6b0d6c47b29b95697c310997f19bf70a29e8a6",
-        "revCount": 89,
+        "rev": "a7daa3b9f33cf266218a04c41f4c45af1c7e5207",
+        "revCount": 92,
         "type": "git",
         "url": "https://git.sid.ovh/sid/synix.git"
       },
diff --git a/hosts/rx4/secrets/secrets.yaml b/hosts/rx4/secrets/secrets.yaml
index 0589c8a..2c01e49 100644
--- a/hosts/rx4/secrets/secrets.yaml
+++ b/hosts/rx4/secrets/secrets.yaml
@@ -20,6 +20,9 @@ hetzner-api-key: ENC[AES256_GCM,data:casjNOXzuQDWgnSFftbBMygA8kGpGiZDqup08faWO9k
 librechat:
     jwt-token: ENC[AES256_GCM,data:/NZfZsvg4mDCgB3prDbyPEXIOuN/WSWP3dmSYlvTn7TRSO6oKtnSz20zC0FLvwDAn5QvBYvBKF+LnYjXJeUNkw==,iv:vgESrSyy6IoCMNHG0eL05c9k7Z+tdNb88u5sz+4cYCI=,tag:/WPi7v3hrgKPgwdV0ZE2Bg==,type:str]
     jwt-refresh-token: ENC[AES256_GCM,data:w/gHj+dXgGk4BcT1ueIdVujjgYWzUGgY8TG/ci8WUDkU12aPcqi6Kuqe55Did0s2AH1Am+1cToy/Q8QiOnt7QQ==,iv:5LJ8ht5yZlql+TayLwU3CNhAd9DUjGw8sRamwbwm7JA=,tag:GJ9zaU7p36oZsOnXeifyyw==,type:str]
+    creds-key: ENC[AES256_GCM,data:EljwEqFByJaOjd8lRFGwo/FyXHUtl5an0xS1EjRe+kmpo5z4P33EUKbMeeIl69rEcziMHZQLiadzSEcS2cb2uA==,iv:sidBN6VTBeFhMUtN67HZuyofiXCeGFG4tuMRckLZv84=,tag:n7vI8LuPgER3J6r6Q6Jkjg==,type:str]
+    creds-iv: ENC[AES256_GCM,data:oc0sPm5RM/7AbH3vdDLJ2m0q6C7eAAME0GPbiojHZUspP8Cto5QX5WKnUjUVLLcvgK+t6pnu7BEmAuD3PLr11A==,iv:Z6XJmlqv0ULFiwqHyRO5v7lb/iyv4g9aSTV4xw9VTXU=,tag:7kptbQwc6lBZ70aXw7wOVA==,type:str]
+    meili-master-key: ENC[AES256_GCM,data:eugFl40a6Ks3ba8hcn83WS76AwA0TXkhu3K4gSrbNHtXRliLQCWhGTEvoaQSeb7whmpszh4zh8cKSxByBdhJiQ==,iv:rrWlcVyBlrE5dnBBFWjheIo6SgQTbkzqskGQvQczR+U=,tag:fjKOSVoPxomA3qUw+baV4w==,type:str]
 sops:
     age:
         - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -40,7 +43,7 @@ sops:
             NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
             f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-19T17:41:34Z"
-    mac: ENC[AES256_GCM,data:UPpz15iUrysYMovpNFLGyAnw1TZ8mmGUo4HDCPlyGI8ADo0v8RfhGjBL/0H0EIA4UX6D+EfRpp4wNacvTdgapQmKHd4H2Q4uDxRUJAHaAkBQVljiuTAEf+8aF/99/U5nEoYrUba15zV8WOONDD7CnzMm+fOosjJuZwKd+akt0KQ=,iv:+nzB0ffdB4PGsnaQ5x9WzWrhfcVQqv1WENUEJOAYbyE=,tag:VvEgvSyBUZixRK3MgCpFvQ==,type:str]
+    lastmodified: "2026-05-19T18:58:47Z"
+    mac: ENC[AES256_GCM,data:UMx1EdkZs4qcnSzGn5V4rbhRTaR8elLbN1nzvnhLOXjjhtLawuVNasJpBQonQi7vDw3X/XlZLgJSCVeCGT0YRjYDpxd00xle72BydH33uUXstJMCg/9atiXCAQhabPdhwhU/srWFh6rxasZFskTI/S+H3/uKIICOapne0TQz7E4=,iv:nxkpQX8ftZEx8gI39wyfJZtvjB4AVQNzmS40fZ/O05g=,tag:ksgNMNv0fzBDp2XhXXjhNQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1
diff --git a/hosts/rx4/services/librechat-oci.nix b/hosts/rx4/services/librechat-oci.nix
index 80db7a1..6213f50 100644
--- a/hosts/rx4/services/librechat-oci.nix
+++ b/hosts/rx4/services/librechat-oci.nix
@@ -18,7 +18,16 @@ in
     enable = true;
     inherit port;
     externalUrl = "https://${fqdn}";
-    environmentFile = config.sops.templates.librechat-env-file.path;
+
+    # environment = {
+    #   ALLOW_REGISTRATION = "true";
+    # };
+
+    environmentFiles = {
+      librechat = config.sops.templates.librechat-env.path;
+      meilisearch = config.sops.templates.meili-env.path;
+      ragApi = null;
+    };
   };
 
   services.nginx.virtualHosts."${fqdn}" = {
@@ -43,11 +52,24 @@ in
   };
 
   sops = {
-    secrets."librechat/jwt-token" = { }; # openssl rand -hex 32
-    secrets."librechat/jwt-refresh-token" = { }; # openssl rand -hex 32
-    templates.librechat-env-file.content = ''
-      JET_TOKEN=${config.sops.placeholder."librechat/jwt-token"}
-      JET_REFRESH_TOKEN=${config.sops.placeholder."librechat/jwt-refresh-token"}
+    # generate with:
+    # openssl rand -hex 32
+    secrets."librechat/jwt-secret" = { };
+    secrets."librechat/jwt-refresh-secret" = { };
+    secrets."librechat/creds-key" = { };
+    secrets."librechat/creds-iv" = { };
+    secrets."librechat/meili-master-key" = { };
+
+    templates.librechat-env.content = ''
+      JWT_SECRET=${config.sops.placeholder."librechat/jwt-secret"}
+      JWT_REFRESH_SECRET=${config.sops.placeholder."librechat/jwt-refresh-secret"}
+      CREDS_KEY=${config.sops.placeholder."librechat/creds-key"}
+      CREDS_IV=${config.sops.placeholder."librechat/creds-iv"}
+      MEILI_MASTER_KEY=${config.sops.placeholder."librechat/meili-master-key"}
+    '';
+
+    templates.meili-env.content = ''
+      MEILI_MASTER_KEY=${config.sops.placeholder."librechat/meili-master-key"}
     '';
   };
 }