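# NixOS module: enables LibreChat through the `librechat-oci` module taken from
# the `synix` flake input, publishes it behind an nginx TLS virtual host, and
# renders the service's secret environment file with sops-nix.
{
  inputs,
  constants,
  config,
  ...
}:

let
  # Address of host rx4; the nginx TLS listener below binds to it.
  inherit (constants.hosts.rx4) ip;
  # Public host name and local port of the LibreChat service.
  inherit (constants.services.librechat-oci) fqdn port;
in
{
  imports = [ inputs.synix.nixosModules.librechat-oci ];

  services.librechat-oci = {
    enable = true;
    inherit port;
    externalUrl = "https://${fqdn}";
    # Secrets are passed as a sops-rendered file: the Nix store only holds
    # placeholders, the real values are substituted at activation time.
    environmentFile = config.sops.templates.librechat-env-file.path;
    # NOTE(review): registration override left disabled. Confirm what the
    # module defaults to before exposing this vhost; open registration lets
    # anyone who can reach it create an account.
    # environment = {
    #   ALLOW_REGISTRATION = "true";
    # };
  };

  services.nginx.virtualHosts."${fqdn}" = {
    # Uses the certificate declared under security.acme.certs below.
    useACMEHost = fqdn;
    forceSSL = true;
    # Only a TLS listener on the host address is declared for this vhost.
    listen = [
      {
        addr = "${ip}:443";
        ssl = true;
      }
    ];
    locations."/" = {
      # NOTE(review): the backend is addressed on loopback; confirm the
      # container publishes this port on 127.0.0.1 only, otherwise the service
      # is also reachable without TLS.
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };

  security.acme.certs."${fqdn}" = {
    domain = fqdn;
    # NOTE(review): TLS is terminated by nginx in this file; confirm the
    # container really needs a restart on every renewal.
    postRun = "systemctl restart podman-librechat.service";
    # Certificate files are group-owned by nginx so the web server can read them.
    group = "nginx";
  };

  sops = {
    # generate with:
    #   openssl rand -hex 32
    # NOTE(review): LibreChat documents CREDS_IV as 16 bytes
    # (openssl rand -hex 16), while 32 bytes matches CREDS_KEY. Confirm the
    # expected length per secret before generating.
    secrets."librechat/jwt-secret" = { };
    secrets."librechat/jwt-refresh-secret" = { };
    secrets."librechat/creds-key" = { };
    secrets."librechat/creds-iv" = { };
    secrets."librechat/meili-master-key" = { };
    secrets."librechat/openrouter-key" = { };

    # Every value is a sops placeholder looked up by secret name. The
    # OPENROUTER_KEY line previously closed the interpolation before the
    # attribute name, so it tried to render the whole placeholder set as a
    # string instead of the one secret.
    templates.librechat-env-file.content = ''
      JWT_SECRET=${config.sops.placeholder."librechat/jwt-secret"}
      JWT_REFRESH_SECRET=${config.sops.placeholder."librechat/jwt-refresh-secret"}
      CREDS_KEY=${config.sops.placeholder."librechat/creds-key"}
      CREDS_IV=${config.sops.placeholder."librechat/creds-iv"}
      MEILI_MASTER_KEY=${config.sops.placeholder."librechat/meili-master-key"}
      OPENROUTER_KEY=${config.sops.placeholder."librechat/openrouter-key"}
    '';
  };
}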