From bd9c576810f324c8fb4e965c6a4ec452c772d01f Mon Sep 17 00:00:00 2001 From: Adrian Gunnar Lauterer Date: Wed, 25 Feb 2026 10:23:47 +0100 Subject: [PATCH] galadriel stash --- hosts/galadriel/configuration.nix | 4 +- hosts/galadriel/hardware-configuration.nix | 2 + ...0fbeb00e6dda3e0073fa9cb0e57638a-audit.json | 15 ++++ ...6380d23f0ed6df28f46a1a7ee75e7db-audit.json | 15 ++++ modules/basePackages.nix | 2 +- modules/librechat.nix | 70 +++++++++++++++++++ modules/zfs.nix | 1 + secrets/secrets.yaml | 8 ++- 8 files changed, 112 insertions(+), 5 deletions(-) create mode 100644 logs/.3b25ae2de0fbeb00e6dda3e0073fa9cb0e57638a-audit.json create mode 100644 logs/.b5209f00e6380d23f0ed6df28f46a1a7ee75e7db-audit.json create mode 100644 modules/librechat.nix diff --git a/hosts/galadriel/configuration.nix b/hosts/galadriel/configuration.nix index 7f9909b..73631f4 100644 --- a/hosts/galadriel/configuration.nix +++ b/hosts/galadriel/configuration.nix @@ -38,16 +38,18 @@ ../../modules/miniflux.nix ../../modules/ollama.nix ../../modules/openwebui.nix + ../../modules/librechat.nix ../../modules/immich.nix ]; networking.hostId = "1ccccd3a"; - #Load zfs pool + ## Load zfs pool boot.zfs.extraPools = [ "lorien" ]; + boot.zfs.requestEncryptionCredentials = true; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/hosts/galadriel/hardware-configuration.nix b/hosts/galadriel/hardware-configuration.nix index 6022f46..dba441b 100644 --- a/hosts/galadriel/hardware-configuration.nix +++ b/hosts/galadriel/hardware-configuration.nix @@ -22,6 +22,8 @@ "usbhid" "sd_mod" ]; + boot.kernelPackages = pkgs.linuxPackages_6_18; + boot.zfs.package = pkgs.zfs_2_4; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; diff --git a/logs/.3b25ae2de0fbeb00e6dda3e0073fa9cb0e57638a-audit.json b/logs/.3b25ae2de0fbeb00e6dda3e0073fa9cb0e57638a-audit.json new file mode 100644 index 0000000..0a6d9ac --- /dev/null 
+++ b/logs/.3b25ae2de0fbeb00e6dda3e0073fa9cb0e57638a-audit.json @@ -0,0 +1,15 @@ +{ + "keep": { + "days": true, + "amount": 14 + }, + "auditLog": "/root/nix-dotfiles-v2/logs/.3b25ae2de0fbeb00e6dda3e0073fa9cb0e57638a-audit.json", + "files": [ + { + "date": 1770986611784, + "name": "/root/nix-dotfiles-v2/logs/meiliSync-2026-02-13.log", + "hash": "7de8e8f093ec0024291182935955d48e6faa12c30d1281c4c40975ae0cedab3b" + } + ], + "hashType": "sha256" +} \ No newline at end of file diff --git a/logs/.b5209f00e6380d23f0ed6df28f46a1a7ee75e7db-audit.json b/logs/.b5209f00e6380d23f0ed6df28f46a1a7ee75e7db-audit.json new file mode 100644 index 0000000..b1bde93 --- /dev/null +++ b/logs/.b5209f00e6380d23f0ed6df28f46a1a7ee75e7db-audit.json @@ -0,0 +1,15 @@ +{ + "keep": { + "days": true, + "amount": 14 + }, + "auditLog": "/root/nix-dotfiles-v2/logs/.b5209f00e6380d23f0ed6df28f46a1a7ee75e7db-audit.json", + "files": [ + { + "date": 1770986611781, + "name": "/root/nix-dotfiles-v2/logs/error-2026-02-13.log", + "hash": "2533ea2611b1422793883fd7f9d44dd1322e7376a04debcfbed53c3a3196b26e" + } + ], + "hashType": "sha256" +} \ No newline at end of file diff --git a/modules/basePackages.nix b/modules/basePackages.nix index e8522d4..5e3b8df 100644 --- a/modules/basePackages.nix +++ b/modules/basePackages.nix @@ -12,7 +12,7 @@ htop bottom nvtopPackages.full - busybox + uutils-coreutils nixfmt-rfc-style nixfmt-tree diff --git a/modules/librechat.nix b/modules/librechat.nix new file mode 100644 index 0000000..8a9deea --- /dev/null +++ b/modules/librechat.nix 
@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+
+let
+ librechatPort = 3080;
+ mongoUri = "mongodb://127.0.0.1:27017/LibreChat";
+in
+{
+
+
+ sops.secrets."librechat/environmentFile" = {};
+
+
+ # Enable MongoDB
+ services.mongodb = {
+ enable = true;
+ package = pkgs.mongodb-ce;
+ # Optional: enableAuth = true;
+ # initialRootPasswordFile = "/path/to/mongo-root-password-file";
+ };
+
+ # LibreChat systemd service
+ systemd.services.librechat = {
+ # Make enable flagged when built
+ enable = true;
+
+ description = "LibreChat server";
+
+ # **Native systemd dependency declarations**
+ requires = [ "mongodb.service" ];
+ after = [ "network.target" "mongodb.service" ];
+
+ serviceConfig = {
+ EnvironmentFile = config.sops.secrets."librechat/environmentFile".path;
+ Restart = "on-failure";
+ User = "librechat";
+ Group = "librechat";
+
+ # ExecStart binds to package binary
+ ExecStart = ''
+ ${pkgs.librechat}/bin/librechat-server \
+ --host 0.0.0.0 \
+ --port ${toString librechatPort} \
+ --config /var/lib/librechat/config.yaml
+ '';
+ WorkingDirectory = "/var/lib/librechat";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ # Create user
+ users.users.librechat = {
+ isSystemUser = true;
+ description = "LibreChat service user";
+ home = "/var/lib/librechat";
+ createHome = true;
+ };
+
+ users.users.librechat.group = "librechat";
+ users.groups.librechat = {};
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/librechat 0755 librechat librechat -"
+ ];
+
+ networking.firewall.allowedTCPPorts = [
+ librechatPort
+ 27017
+ ];
+}
+
diff --git a/modules/zfs.nix b/modules/zfs.nix
index 8fa2f52..05352a3 100644
--- a/modules/zfs.nix
+++ b/modules/zfs.nix
@@ -7,6 +7,7 @@
 {
 boot.supportedFilesystems = [ "zfs" ];
 boot.zfs.forceImportRoot = lib.mkDefault false;
+ #boot.zfs.package = lib.mkDefault pkgs.zfs_unstable;
 services.zfs.trim.enable = true;
 services.zfs.autoScrub.enable = true;
 services.zfs.autoSnapshot.enable = true;
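Review bot: In modules/librechat.nix the `networking.firewall.allowedTCPPorts` list opens 27017 while `services.mongodb` is enabled with `enableAuth` still commented out, so the database port is allowed through the firewall with no authentication configured. Whether MongoDB actually listens beyond loopback depends on its bind address, which this module leaves at the default, but LibreChat only needs it on 127.0.0.1 (see the `mongoUri` binding, which is defined in the `let` and never used). I would reduce the rule to `networking.firewall.allowedTCPPorts = [ librechatPort ];` and set `enableAuth = true;` with `initialRootPasswordFile` pointing at a sops secret. The service also starts with `--host 0.0.0.0` and port 3080 is opened directly; if this host fronts its other services with a reverse proxy (not visible in this hunk), binding to `127.0.0.1` and dropping the firewall entry would keep plain-HTTP chat traffic off the network. The tmpfiles rule creates `/var/lib/librechat` as `0755`; `0750` is the safer mode for a directory that holds `config.yaml`.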
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 3935378..735f097 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -1,4 +1,4 @@ -#ENC[AES256_GCM,data:iFOJJlRLRz2m7NyHzPhgUg==,iv:cx8HN12ClwwUZxn2/6mc1Q5Eh2XBIRsrhG/ETRf0cnw=,tag:ITcKcojB8Cpk5cICcxV/Hw==,type:comment] +/open# run to encrypt: null #ENC[AES256_GCM,data:kvu25CX2iZURTBGQXYZTkwT00EqhPNF/ORglzJCsDRthR9hwLomlCzsdDCCwBmbEYbUSnyup0/yt6kj5gUA1iTpoGLVJK1EMoAUm7H7Vl4V0XheizUyTUJdfQUzQQXONzB2kTlE2DHuIWKN5Bz8+LKqoDrI=,iv:eBoUwZfMPhBnT2+jWqT/EGh/CVNK5qiYeaspFf1VJxY=,tag:yY+w4rJvDHLo93HgkcKahw==,type:comment] github: api: ENC[AES256_GCM,data:PcalL0rNd0nfNPMlWP05FWh3ff6rp5eQUmu3NzKmuSPcS5w6zSKCLsoCegltENjTWomGAJDoJF8rYfE3tTo4xQBAzFsK7v3GFXfefB+Ec7/FrUT6jjcHK4+c0e1u3cAgUkFpKq+IzS0yDBgMtXuC5oRzw0u0cEjXT4akiyO9Hg==,iv:GVPXrS9gwpw5JgsO6+YAMT96CsX7dz0NAcaq/IxXzec=,tag:Vxb4LOf0mm52W7Ege7mi6A==,type:str] 
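Review bot: The first line of secrets/secrets.yaml changes from an encrypted sops comment to `/open# run to encrypt: null`, which looks like stray editor input saved while the file was open for editing rather than an intended change. Because the `#` is not preceded by whitespace, YAML appears to read this as a plaintext top-level key with a null value, and the original comment is lost. I would reopen the file through sops, remove that line and re-enter the comment so it is written back as `#ENC[...]` and the file's MAC is regenerated, before this commit is merged.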
@@ -20,6 +20,8 @@ ai: groq: ENC[AES256_GCM,data:63HBVYQEXCqG/xN7zluZl3yledOlqxou09Lvgh585LnZAvIFUN+eSDn44mT5mgpqMsRL8Wbqjq8=,iv:taiWwphOVhbLuO5ygf5iDIvhEoAxncTEQ8CFNKOObP4=,tag:1j7wCg9tFuP36mBr5yN0dA==,type:str] mistral: ENC[AES256_GCM,data:z7qUyaJBaLF+fe3DFMRjkUEXiXGZwtFeC189fuEGjEo=,iv:r9QSqstFiR9QrLehHrQu09iaF0PYroz/p1ENChch/I0=,tag:XN7jcXv6TftbXaFBsZYVmw==,type:str] zai: ENC[AES256_GCM,data:rVzqXuEFvdAR+GgETgRFvbDzVjvQ3hVD0s8jDxMCjZ2ri+Tob8Fsp55qA4ZKe85Uhw==,iv:YpaTe+3ZGONoAHCkQCVcvassQqr2ReSyBgiEcwxJOlA=,tag:HFE4af3gVrp6FJnBiwGClg==,type:str] +librechat: + environmentFile: ENC[AES256_GCM,data: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,iv:15NFJizf02389RnIFeezzFL2X9oz/CpmG/vmgDp1h2g=,tag:X+SBK584hJD/v+LeDSJd6A==,type:str] authelia: storageEncryptionKeyFile: ENC[AES256_GCM,data:zP2i8Ni6MqHpAJeVdcxr6V0eCXobcgbTyu6cDxsi4x4eG2HIFv7waxsCsa+erQgOf5g8+T5c7kIOa99Z5+Zq3kLAhGrIMqtZxn44oemw5Wl2U4ION2yZTdo/C8otpZMqu9rC9l+k4K3XiKN1Aqhyglx9TXNG6FgS8ygx5aBIBwUM,iv:spQdJ3otiZynCleiCG+u3mk/K3axKrfNtSOCzCGnnWQ=,tag:bMbjwOMCxi/+t+x0Xy0jnQ==,type:str] jwtSecretFile: ENC[AES256_GCM,data:gVRyazB5RZ0fVrZ5/8eUuvJjdPBxjQg0vOrhXvgnv07sawti5Wj350UPBlBKthlvya8V6gZdBSl+Aj1nllP1Fl1tC8hDYb93ZmJdHo6CTicsu9lkMvWWfLe112Dhuptbg5AQAlWLu5TpjSGMT4UfXpLlKYdrzaDnIcWBAVn8k9lN,iv:hcHrAK/squwRyXQCx8pJXxVpq+KtcRwCqJ1NQpHpnL0=,tag:eQdM0gzYNw3/TfDBJYrkdg==,type:str] 
@@ -53,7 +55,7 @@ sops: TEhuRFBFQUppVjFKL3JKa0ozNmRLcTAKDrrS8mpHoQoZ54VkY+SYbjoE6AS0fLjc uHuFCrUWqQIwfqHXGlXn7EPUweTfwQ7Od+4JeVp1GbgNLIyH5xNN1g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-03T11:56:50Z" - mac: ENC[AES256_GCM,data:cQuN3XRdN34ZH0VJ6j5JtqgQGJq9r7WqcemaHCLx3tCFnaXU0tOjjDB5ICfJPS+K6E1+noydmEeJqeTrVInsxeK/8QQDibKTragiY9Awk6rz3lY/xmaBQJ0sz2O8YO9M7/eqekJ3Vc58eol/mknDXYfSSbfQBnMV3aLBSqXnL7g=,iv:gfrgZi0CU+M6xLHEAFPYE8yc4nyd33Yjo+xUDCYkhnQ=,tag:xu5jjIuVtYnMiR5ivEPigQ==,type:str] + lastmodified: "2026-02-13T12:56:54Z" + mac: ENC[AES256_GCM,data:9lOwVBwSeWr6q8SLcDUrQi42XaTEKe40a9MfCZZl3q8Dy+P6bbKAHsRv4GxYmodJvYvQxHGbojTejN3jmUTOF+N614ydJzPP4oeBC5Gto5NZ1SPJQV25X/dEk1wXC3LlC5ZsmRhUuZL9uoRuOiKV9+C7nRgVObUd2rKR/4QzHvg=,iv:iCmlAu6a9XQOlQ2/SPGA0Lo8HFwxweT6g5/qOiqUVIQ=,tag:mfEto5hA5ysPhN2rEBwQsg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0