feat: use librechat instead of own chat (#14)

Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #14
2026-02-24 10:45:41 +00:00
parent d814e22f9d
commit 208450e618
33 changed files with 968 additions and 2124 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,13 +1,12 @@
-version: '3.8'
-
 services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    container_name: certifai-keycloak
    environment:
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: admin
      KC_DB: dev-mem
+      KC_HEALTH_ENABLED: "true"
    ports:
      - "8080:8080"
    command:
@@ -17,10 +16,11 @@ services:
      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
      - ./keycloak/themes/certifai:/opt/keycloak/themes/certifai:ro
    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
+      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /realms/master HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && head -1 <&3 | grep -q '200 OK'"]
      interval: 10s
      timeout: 5s
-      retries: 5
+      retries: 10
+      start_period: 30s

  mongo:
    image: mongo:latest
@@ -40,4 +40,59 @@ services:
    environment:
      - SEARXNG_BASE_URL=http://localhost:8888
    volumes:
-      - ./searxng:/etc/searxng:rw
+      - ./searxng:/etc/searxng:rw
+
+  librechat:
+    image: ghcr.io/danny-avila/librechat:latest
+    container_name: certifai-librechat
+    restart: unless-stopped
+    # Use host networking so localhost:8080 (Keycloak) is reachable for
+    # OIDC discovery, and the browser redirect URLs match the issuer.
+    network_mode: host
+    depends_on:
+      keycloak:
+        condition: service_healthy
+      mongo:
+        condition: service_started
+    environment:
+      # MongoDB (use localhost since we're on host network)
+      MONGO_URI: mongodb://root:example@localhost:27017/librechat?authSource=admin
+      DOMAIN_CLIENT: http://localhost:3080
+      DOMAIN_SERVER: http://localhost:3080
+      # Allow HTTP for local dev OIDC (Keycloak on localhost without TLS)
+      NODE_TLS_REJECT_UNAUTHORIZED: "0"
+      NODE_ENV: development
+      # Keycloak OIDC SSO
+      OPENID_ISSUER: http://localhost:8080/realms/certifai
+      OPENID_CLIENT_ID: certifai-librechat
+      OPENID_CLIENT_SECRET: certifai-librechat-secret
+      OPENID_SESSION_SECRET: "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6"
+      OPENID_CALLBACK_URL: /oauth/openid/callback
+      OPENID_SCOPE: openid profile email
+      OPENID_BUTTON_LABEL: Login with CERTifAI
+      OPENID_AUTH_EXTRA_PARAMS: prompt=none
+      # Disable local auth (SSO only)
+      ALLOW_EMAIL_LOGIN: "false"
+      ALLOW_REGISTRATION: "false"
+      ALLOW_SOCIAL_LOGIN: "true"
+      ALLOW_SOCIAL_REGISTRATION: "true"
+      # JWT / encryption secrets (required by LibreChat)
+      CREDS_KEY: "97e95d72cdda06774a264f9fb7768097a6815dc1e930898d2e39c9a3a253b157"
+      CREDS_IV: "2ea456ab25279089b0ff9e7aca1df6e6"
+      JWT_SECRET: "767b962176666eab56e180e6f2d3fe95145dc6b978e37d4eb8d1da5421c5fb26"
+      JWT_REFRESH_SECRET: "51a43a1fca4b7b501b37e226a638645d962066e0686b82248921f3160e96501e"
+      # App settings
+      APP_TITLE: CERTifAI Chat
+      CUSTOM_FOOTER: CERTifAI - Sovereign GenAI Infrastructure
+      HOST: 0.0.0.0
+      PORT: "3080"
+      NO_INDEX: "true"
+    volumes:
+      - ./librechat/librechat.yaml:/app/librechat.yaml:ro
+      - ./librechat/logo.svg:/app/client/public/assets/logo.svg:ro
+      # Patch: allow HTTP issuer for local dev (openid-client v6 enforces HTTPS)
+      - ./librechat/openidStrategy.js:/app/api/strategies/openidStrategy.js:ro
+      - librechat-data:/app/data
+
+volumes:
+  librechat-data: