diff --git a/modules/system/librechat.nix b/modules/system/librechat.nix index 2592adc..8e6a4ec 100644 --- a/modules/system/librechat.nix +++ b/modules/system/librechat.nix @@ -6,6 +6,7 @@ with lib; config = mkIf config.myModules.librechat.enable { environment.systemPackages = [ pkgs.librechat + pkgs.meilisearch ]; services.caddy.virtualHosts."ai.gleipnir.technology".extraConfig = '' reverse_proxy http://localhost:10050 @@ -21,6 +22,14 @@ with lib; restartUnits = ["librechat.service"]; sopsFile = ../../secrets/librechat.env; }; + sops.secrets.meilisearch-env = { + format = "dotenv"; + group = "meilisearch"; + mode = "0440"; + owner = "meilisearch"; + restartUnits = ["meilisearch.service"]; + sopsFile = ../../secrets/meilisearch.env; + }; systemd.services.librechat = { after=["network.target" "network-online.target"]; description="Self-hosted LLM chat frontend"; @@ -38,13 +47,35 @@ with lib; }; wantedBy = ["multi-user.target"]; }; + systemd.services.meilisearch = { + after=["network.target" "network-online.target"]; + description="Self-hosted LLM chat search"; + documentation=["https://www.meilisearch.com/docs/learn/self_hosted/configure_meilisearch_at_launch"]; + requires=["network-online.target"]; + serviceConfig = { + EnvironmentFile="/var/run/secrets/meilisearch-env"; + Type = "simple"; + User = "meilisearch"; + Group = "meilisearch"; + ExecStart = "${pkgs.meilisearch}/bin/meilisearch"; + TimeoutStopSec = "5s"; + PrivateTmp = true; + WorkingDirectory = "/opt/meilisearch"; + }; + wantedBy = ["multi-user.target"]; + }; systemd.tmpfiles.rules = [ "d /opt/librechat 0755 librechat librechat" + "d /opt/meilisearch 0755 meilisearch meilisearch" ]; users.groups.librechat = {}; + users.groups.meilisearch = {}; users.users.librechat = { group = "librechat"; - isNormalUser = false; + isSystemUser = true; + }; + users.users.meilisearch = { + group = "meilisearch"; isSystemUser = true; }; diff --git a/secrets/librechat.env b/secrets/librechat.env index 9c955b7..05b3aa4 100644 --- a/secrets/librechat.env +++ b/secrets/librechat.env @@ -12,6 +12,9 @@ DEBUG_CONSOLE=ENC[AES256_GCM,data:nTfOpYo=,iv:vlHoSAOUO+Cv19Myg9nTmavEJpfiHOglpK DOMAIN_CLIENT=ENC[AES256_GCM,data:K7OLRb4xP70aQ/zItSbxsCtLIjxLnRT/PkA0SjdW,iv:AJjLIU12cMY4R1pUaxfnLyEcppy335Oym+gdIWWcMck=,tag:BlZ1UaipeZhg2QnaSSEYrA==,type:str] DOMAIN_SERVER=ENC[AES256_GCM,data:/yXEdixU7Pq0jx22cw/sz3pgbWXfWem1BHmLJ1LI,iv:WXFPLVZ+LMdLkk4px8HUhZrsg0T1ORnAjlWdi3af5+M=,tag:39gV5ZjDux0XhvkaKuZXiw==,type:str] GOOGLE_KEY=ENC[AES256_GCM,data:Umtw0l9wC9vpyXB0j2jW7pZQ7WuiyXvtb8SYEWEg5+Y/29Nrl3cD,iv:E4HLfbgDv6kAwU/I+vkIueCs64UR49e5FUqWxRhcRaA=,tag:tozwpeUtbCa+HYqsn2DSyA==,type:str] +MEILI_HOST=ENC[AES256_GCM,data:8z/plovj6rMbcIRQT/e8aV4Z+Ivg,iv:943cViFux5LCYoX4yNim4vja/YrT5gBYgaoJOJIU4SA=,tag:tIkX/zt2vRgOe8d0x02l2g==,type:str] +MEILI_MASTER_KEY=ENC[AES256_GCM,data:SIpThigO0nB/PcMutdoRl1C06zknLWN5EU80P4e1vCoOkQi/zMIjW0c/Tw==,iv:MovJUwwFJg8hJse5smeM17ul+Vc7wVuvxlZLZ99bMjU=,tag:NFZ+IpCMApqDtCxTNwV+Tg==,type:str] +MEILI_NO_ANALYTICS=ENC[AES256_GCM,data:86v9zw==,iv:kV3HIHvrgrS+rOdfN3LetUejSm/gaiGtdK5FUULX1Gk=,tag:5BNCaagXPJY8j51gGDwXxQ==,type:str] NO_INDEX=ENC[AES256_GCM,data:4ALRXw==,iv:he85VQ/H7NXhQmshYIZME3lN3hkO49fnYT8Qh9QO2lw=,tag:3mNaTa/7uVMWTB0IyDxezw==,type:str] ANTHROPIC_API_KEY=ENC[AES256_GCM,data:h5tkW5xzvXxLYm7Gi1AaOjA4RE2wsPmA7ALtvCCSB9nEQe/Z4xJ9/MbzqjWJeZ3HVPgiV99hPrlY0L2Gr18Bx5OcB6PHYkuRXphOh95vSePi4YKHmaEJdqbiEYRVxsLErriRRay3FkZjGQy+,iv:D9DA98NSSUqWZDXEHhyQYK7cq4RqY8hM8qjPeTJ/7bc=,tag:apDdMhXIGxYgn2ZgNQJ4IA==,type:str] OPENAI_API_KEY=ENC[AES256_GCM,data:SeXTD4RabP7Nh4d5JXDr72XMqHfFrkbNhm4Pb5EeBKwBxh1BK3i3nO8ruQpLbs/0HsQsN36NzEb/yD//VGBbJaODimNIp7XyPLa5HlC+3HJWr5ZD5zDgizQTRQII41Xl7ESJ5tD2QsVbHnDa27308XLLSJHZ8wUlaKCq363T9oNQlTUadx8ak4a2xZR0055Qpw00QpUjW+Un7PCIUtpfMhUE/As=,iv:UGDMg0sR6KH9efYr8vnMZRkNiU3vtXiVutH+KFRUmkA=,tag:JTr2FjBnjqsR0937ay3xOw==,type:str] @@ -28,6 +31,7 @@ ALLOW_EMAIL_LOGIN=ENC[AES256_GCM,data:6PJHWN8=,iv:tymbx2Db45F3VRlgg/PjFYz4zYDciI ALLOW_REGISTRATION=ENC[AES256_GCM,data:pDIew/s=,iv:NzTl+HQx/lk6ex0rPrOVPmudZnrajBKuogzsrwe/E/E=,tag:Xcmmc+/gvqHSUJNB62ebNw==,type:str] ALLOW_SOCIAL_LOGIN=ENC[AES256_GCM,data:JMv8lw==,iv:BYDg4+qnsuQl+zNB3e2DNkvHWAEVM2rd485nQkY0nRc=,tag:oQ25zkkOMz9pJWfbrc1+Sw==,type:str] ALLOW_SOCIAL_REGISTRATION=ENC[AES256_GCM,data:ZgYLwUI=,iv:MlTloXbKexOdk2I/Jj/viE+mQ/11kXdJgtcZ77dlWmo=,tag:GNDr122ZiA0wG62DfwfWbA==,type:str] +SEARCH=ENC[AES256_GCM,data:moIKYw==,iv:TN323MCmkOPzyhTANqCInEbpcifEOWhh7qQMtIQn6JE=,tag:cJEoqAxBodV0iXGzt7w2pA==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFR082Qy9vRklRSHRTZkh1\nSWlIUTM1ekxrWHpwVG9yWXhqVHFUc0lOVEFFCjlOTnVESWNDdWRkVVVhUzV0dHhk\ndGNhUWI0YmV6RmZmY0djK1Y5WXZmY0EKLS0tIDVUcENxcU9EclBuMmVscmpsMmxK\nQ21rUU0yZEJJbHhzYVMvWGJrU1c1dU0KYsELNDno+hnBq8h4uKkt0R32VwLONXss\ngVZxWkAmNiCwPyu7VIUA+jKMtvcDz0mIuW0gBiDQc61ys+TZSPzqkg==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1x704pjnueguchkl54ly8w4w26ltys5900v7xnl7w3zlgasus09jszz45t8 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQldnUFNxMEkxaGRDRG9P\nME5XN2JjZ21uaUVSVXFDSnZzdGxHaWdZeW44CmQ2Q0Vud3g3Zmd4VGdtSUxyOHZs\nMllTRERrd20ydG5LMFl3OVYyaHBiaTAKLS0tIExMb0t5RTBuSENlaERnUFJzSUNE\nODAzQy9ZazFQdk0zRG5FZ1JzSFFLQkkKpKCVSRxaNrmInm4FZagZUBnpjEfWXjup\n+OZc+sKfrTj2NElj7XVOTJcxXClkTP5Rp9apOG4sKiLtHd0rPrQfWQ==\n-----END AGE ENCRYPTED FILE-----\n @@ -36,7 +40,7 @@ sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2 sops_age__list_2__map_recipient=age1kgwk20cc6t68kqj5nhem6swvx6k4e7zjx2xdwy382360h8tdyqrq0nn3gf sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWkhmQ3NmYUVybzl5b3d2\ncGRBb2dHdDhiUEw2eU0welVmRXk2ak1nMVJVCnNnemR3ckFIYWtqSHV3VXZkWjZZ\nSXY3MGhQSkNQdy9lY21LTFFicEFsejQKLS0tIC8vckx1SmxnWCtNMTBlYjlmUUNm\ncHNJNlJMWkQ5YTlURDZRZUFrZ1BHdTgKLjxOPzdSKxbtO6o+fyzEfr1huOyQydH+\nSq+KO0ua6u2wGFylPkAzZ8MyH6JHEjpTYj4vIXrXMLBHWckEGuQFiQ==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_3__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge -sops_lastmodified=2025-07-21T23:45:18Z -sops_mac=ENC[AES256_GCM,data:oVGCnd6StIuiuv6B/UNlMiLHgZPbP4/9ZuNjVOuVbzW4ijgOxu1exQb0T+0SMw/M+9UBjuRkINCqkzDUx8IIbdgUS5i9LqlfCek4vnjSRr1R5yDhFsH1vLlITUZCpe8keADYfbUiPkCRlC8EtmV72K4GSa/uHheE3GtmrBHd154=,iv:r70vqwgRhzRGomqxufGnfAT3/SqsmCul3S8LWVStgDI=,tag:2KMP+rG1NjvRfT6X/OpnGQ==,type:str] +sops_lastmodified=2025-07-22T00:08:05Z +sops_mac=ENC[AES256_GCM,data:K3RaUkfpVUCfLpk/ak225f3CZxyHLJklysR1h7//kjdSgBbdGWkUJGgBswg6OlRT8tzqx7s/UM37odKzD42TNWfZLsadX3IsxsnnocN1RNBiXDbmRtOhCuhTkIpMpHkD/3AMZWesz6c8TORiTSqlwBl7+aStbGKP92dCvvEIPF4=,iv:4dIAtCkOmTE6vNFJWV1/4VPlp79FfWVJtELVtRS0E4o=,tag:/ok4WQH42VcwcotaoRRxrw==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.10.2 diff --git a/secrets/meilisearch.env b/secrets/meilisearch.env new file mode 100644 index 0000000..53803e0 --- /dev/null +++ b/secrets/meilisearch.env @@ -0,0 +1,13 @@ +MEILI_MASTER_KEY=ENC[AES256_GCM,data:02BtWE+a0cXSjiV/95xXuREONUdEfu2ZTTXnGjC+nf9n42riNdppd3LgNg==,iv:DHnQTREbabYJWfpw8kmPhMdMXjvwHF3XUJMOHWep2r4=,tag:jImqQHwgzu7q8SDzVsog/Q==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdUh0TXBTWWdHa1kwL0xY\nLzloektMRjZrTyt6b2o3c2V3QjUxNnZwRFJVCjBZbElkRFZKWWZwMVpKOU5lWExr\nQ3IvaVl5MFJTbTBUQTRlNjJIcVZiM3MKLS0tIDdWWXZUUllHTzdSYzVLcDFhcUNi\nSzRSVXZzZHJwTlFrdlVuaHMxelNvOVkKHiw+yFg8gOpW+MD5AvW/tdXYpo8M1O7J\nQDRCYygiAI9Lawevg6VJ2GCQxCGPyRBpORNTtUh1ImsffdTWgl+lDg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1x704pjnueguchkl54ly8w4w26ltys5900v7xnl7w3zlgasus09jszz45t8 +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvODhwRmJUTFd5UlBUdXFj\nc240TktxVjZQZGs0SGVXTU9mQzlYcUJTaFhnCnEzTk5obXBYZVJLNXRIV1diMHhU\nYXlvMU1pTUp5MFBweWZTaFJvVUNMNDAKLS0tICtrQWVzTnk5dXQ1TVpZTjJZQ0hJ\nN2QrZ1VuclZDZW10VFQ1VWhYUnVXUTgKL+pXsWu15nvmgyUZB6le+LMvZCu050xG\n4oDLJsQ0e7jezqvjdcC/KuzHIB7apYXGLyq0acUySotHUSEyvrS9Ow==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age15y4k929zaj9fdg3vd40pa40tgvrgv9mn22xfummn5zxfmkcw5d0st6prjx +sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Q3RGN3dmU2RqTGVvN0Ji\nZjA5ZThXemZFNHpOL3lOQkEvWHR1MEJvcDFnCldXSFl0MU5uY0pQaDVFaERvd1hz\ndGhQbEhJSENwSWRZQlpoVU1CT3FheGMKLS0tIDFMbWZvRzNEbW5KcUh3TFNvaEVG\ncXNsQkc4RDZrb016L0d4NHJ4VnJtem8KXgCDl42gN3Lg8MaWOtfNo/jV2Ft3wz08\netBxj5ZENjZKsXhbE344w0ShZBt9tyKqPDaIaju643NRGAcdBRTXUg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_2__map_recipient=age1kgwk20cc6t68kqj5nhem6swvx6k4e7zjx2xdwy382360h8tdyqrq0nn3gf +sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBd1o3ejBzamdkZ2xqMmE3\nOVo5ZU5Ob3NRU2xNYi93ZWFaYkhVNmI4MVRzCjE1K1lVcWgwbmRnU2xvZDdvYWZE\nV0Q2bVZqWXk3ZkIrN1dhUURGV3NYL0EKLS0tIFFHLzNtSHFVdVlubnBjaFBxdnpr\nbzFCRVhNck8zUnV2R1NNdFZJTFE1c0EKA78aKnj1Q9cdn2MYMXmsnhx603jl/trZ\nlCLSHLNVTe54uF7DJt/u5HCrkpXBQ6s271s4Mzg5ltj71wb6Wmvokg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_3__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge +sops_lastmodified=2025-07-22T00:07:10Z +sops_mac=ENC[AES256_GCM,data:N173K4qe3PKIoiXGEo0N71+52Qj6jGyulKNCEM8fbKD5+txTwTXU6E3mJfatBPf70phDRODKYCTD7KO0UuXj3mXx0yzmHzSl7dFXWagI/j33yQke4zYmET17YVFlDb7u8Cu0jY+k+yMd42T6rIsWrf6S0nRQODS6ZPKZN/gIbf8=,iv:q+3NnAFmr9zCUCWUpEGSON2BI4rNxQT2ZRy6F1n8NKo=,tag:RvOCP42QVfEIA10IdvSkaQ==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2