{ config, pkgs, ... }:

let
  librechatPort = 3080;
  mongoUri = "mongodb://127.0.0.1:27017/LibreChat";
in
{

  sops.secrets."librechat/environmentFile" = { };

  # Enable MongoDB
  services.mongodb = {
    enable = true;
    package = pkgs.mongodb-ce;
    # Optional: enableAuth = true;
    # initialRootPasswordFile = "/path/to/mongo-root-password-file";
  };

  # LibreChat systemd service
  systemd.services.librechat = {
    # Make enable flagged when built
    enable = true;

    description = "LibreChat server";

    # **Native systemd dependency declarations**
    requires = [ "mongodb.service" ];
    after = [
      "network.target"
      "mongodb.service"
    ];

    serviceConfig = {
      EnvironmentFile = config.sops.secrets."librechat/environmentFile".path;
      Restart = "on-failure";
      User = "librechat";
      Group = "librechat";

      # ExecStart binds to package binary
      ExecStart = ''
               ${pkgs.librechat}/bin/librechat-server \
                 --host 0.0.0.0 \
                 --port ${toString librechatPort} \
        	  --config /var/lib/librechat/config.yaml 
      '';
      WorkingDirectory = "/var/lib/librechat";
    };
    wantedBy = [ "multi-user.target" ];
  };

  # Create user
  users.users.librechat = {
    isSystemUser = true;
    description = "LibreChat service user";
    home = "/var/lib/librechat";
    createHome = true;
  };

  users.users.librechat.group = "librechat";
  users.groups.librechat = { };

  systemd.tmpfiles.rules = [
    "d /var/lib/librechat 0755 librechat librechat -"
  ];

  networking.firewall.allowedTCPPorts = [
    librechatPort
    27017
  ];
}