From d038353260d1e384ef63b8efa0f3f638563b4ca7 Mon Sep 17 00:00:00 2001
From: sid
Date: Tue, 19 May 2026 19:43:48 +0200
Subject: [PATCH] librechat: add jwt tokens

---
 hosts/rx4/secrets/secrets.yaml | 7 +++++--
 hosts/rx4/services/librechat-oci.nix | 11 ++++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/hosts/rx4/secrets/secrets.yaml b/hosts/rx4/secrets/secrets.yaml
index eaa951b..0589c8a 100644
--- a/hosts/rx4/secrets/secrets.yaml
+++ b/hosts/rx4/secrets/secrets.yaml
@@ -17,6 +17,9 @@ vaultwarden:
 admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str]
 smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str]
 hetzner-api-key: ENC[AES256_GCM,data:casjNOXzuQDWgnSFftbBMygA8kGpGiZDqup08faWO9kfjvgOyWOXeqPd2VA1ND8yfM2LvoLYvPs6gUWtni2ldQ==,iv:p2W24uhJgBvpi3g4+cHw0/XbbTM5oYCPHreMBUR4CNs=,tag:lpwjZGoJe/91+CHX/hAkKA==,type:str]
+librechat:
+ jwt-token: ENC[AES256_GCM,data:/NZfZsvg4mDCgB3prDbyPEXIOuN/WSWP3dmSYlvTn7TRSO6oKtnSz20zC0FLvwDAn5QvBYvBKF+LnYjXJeUNkw==,iv:vgESrSyy6IoCMNHG0eL05c9k7Z+tdNb88u5sz+4cYCI=,tag:/WPi7v3hrgKPgwdV0ZE2Bg==,type:str]
+ jwt-refresh-token: ENC[AES256_GCM,data:w/gHj+dXgGk4BcT1ueIdVujjgYWzUGgY8TG/ci8WUDkU12aPcqi6Kuqe55Did0s2AH1Am+1cToy/Q8QiOnt7QQ==,iv:5LJ8ht5yZlql+TayLwU3CNhAd9DUjGw8sRamwbwm7JA=,tag:GJ9zaU7p36oZsOnXeifyyw==,type:str]
 sops:
 age:
 - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -37,7 +40,7 @@ sops:
 NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
 f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-05-17T20:34:39Z"
- mac: ENC[AES256_GCM,data:lSSotIfDcS6oJpSDSe2hLx1M9L8a+bjkPstcPv1h2ohSiOu8WGAwTy4lsKD1n9rnhTzFmMqi2Xgh4K0n3WiqWFBeNcA6UeM7+a6PcDtUeCC3JKsP/XZvCoPq5uBwUWcovRSm4UElaL5MteZkV3e+qZWeUpZCTWWWEjYBYnHPLpQ=,iv:t4Up4DuTuQyQQNa7lmZK6kt5O0/aShXSF2XBj9Y6/z8=,tag:oNmP8e7jEZ3ttPkwXkWSZw==,type:str]
+ lastmodified: "2026-05-19T17:41:34Z"
+ mac: ENC[AES256_GCM,data:UPpz15iUrysYMovpNFLGyAnw1TZ8mmGUo4HDCPlyGI8ADo0v8RfhGjBL/0H0EIA4UX6D+EfRpp4wNacvTdgapQmKHd4H2Q4uDxRUJAHaAkBQVljiuTAEf+8aF/99/U5nEoYrUba15zV8WOONDD7CnzMm+fOosjJuZwKd+akt0KQ=,iv:+nzB0ffdB4PGsnaQ5x9WzWrhfcVQqv1WENUEJOAYbyE=,tag:VvEgvSyBUZixRK3MgCpFvQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1
diff --git a/hosts/rx4/services/librechat-oci.nix b/hosts/rx4/services/librechat-oci.nix
index 07ab8d3..80db7a1 100644
--- a/hosts/rx4/services/librechat-oci.nix
+++ b/hosts/rx4/services/librechat-oci.nix
@@ -6,7 +6,6 @@
 }:

 let
- inherit (constants) domain;
 inherit (constants.hosts.rx4) ip;
 inherit (constants.services.librechat-oci) fqdn port;
 in
@@ -19,6 +18,7 @@ in
 enable = true;
 inherit port;
 externalUrl = "https://${fqdn}";
+ environmentFile = config.sops.templates.librechat-env-file.path;
 };

 services.nginx.virtualHosts."${fqdn}" = {
@@ -41,4 +41,13 @@ in
 postRun = "systemctl restart podman-librechat.service";
 group = "nginx";
 };
+
+ sops = {
+ secrets."librechat/jwt-token" = { }; # openssl rand -hex 32
+ secrets."librechat/jwt-refresh-token" = { }; # openssl rand -hex 32
+ templates.librechat-env-file.content = ''
+ JET_TOKEN=${config.sops.placeholder."librechat/jwt-token"}
+ JET_REFRESH_TOKEN=${config.sops.placeholder."librechat/jwt-refresh-token"}
+ '';
+ };
 }
-- 
2.51.2
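Review bot: The variable names `JET_TOKEN` and `JET_REFRESH_TOKEN` in the `librechat-env-file` template of the last hunk look like typos. LibreChat reads its signing secrets from `JWT_SECRET` and `JWT_REFRESH_SECRET`, so as written the container would not receive the sops values and would presumably run with whatever signing secret the module or image otherwise supplies, or fail to start. The lines should read `JWT_SECRET=${config.sops.placeholder."librechat/jwt-token"}` and `JWT_REFRESH_SECRET=${config.sops.placeholder."librechat/jwt-refresh-token"}`. After deploying, confirm that sessions issued before the change are rejected, which shows the new secret is the one in use. The enclosing attribute set starts outside this hunk, so how the module consumes `environmentFile` is not visible here.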