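# NixOS module: runs the LibreChat OCI container behind an nginx TLS reverse
# proxy, with the certificate issued via ACME and the JWT signing secrets
# injected from sops-nix.
{
  inputs,
  constants,
  config,
  ...
}:

let
  # Address nginx binds to, and the public name / local port of the service.
  inherit (constants.hosts.rx4) ip;
  inherit (constants.services.librechat-oci) fqdn port;
in
{
  imports = [ inputs.synix.nixosModules.librechat-oci ];

  services.librechat-oci = {
    enable = true;
    inherit port;
    externalUrl = "https://${fqdn}";
    # Rendered by sops-nix at activation time (see `sops.templates` below), so
    # the secret values are referenced by path rather than embedded here.
    environmentFile = config.sops.templates.librechat-env-file.path;
  };

  services.nginx.virtualHosts."${fqdn}" = {
    useACMEHost = fqdn;
    forceSSL = true;
    # Only the HTTPS listener on the host's address is declared explicitly.
    listen = [
      {
        addr = "${ip}:443";
        ssl = true;
      }
    ];
    locations."/" = {
      # TLS terminates at nginx; the upstream hop is plain HTTP on loopback.
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };

  security.acme.certs."${fqdn}" = {
    domain = fqdn;
    # NOTE(review): the container is restarted after every issuance/renewal;
    # the reason is not visible in this file, since nginx, not the container,
    # serves the certificate. Confirm this restart is still needed.
    postRun = "systemctl restart podman-librechat.service";
    # Lets nginx read the issued certificate files.
    group = "nginx";
  };

  sops = {
    secrets."librechat/jwt-token" = { }; # openssl rand -hex 32
    secrets."librechat/jwt-refresh-token" = { }; # openssl rand -hex 32

    # The variable names must match what LibreChat reads from its environment
    # (JWT_SECRET and JWT_REFRESH_SECRET). A misspelled name is silently
    # ignored, leaving the token-signing secrets unset inside the container.
    # NOTE(review): assumes the synix module passes this file to the container
    # unchanged; verify against the module.
    templates.librechat-env-file.content = ''
      JWT_SECRET=${config.sops.placeholder."librechat/jwt-token"}
      JWT_REFRESH_SECRET=${config.sops.placeholder."librechat/jwt-refresh-token"}
    '';
  };
}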