ouranos/docs/lobechat.md
Robert Helewka b4d60f2f38 docs: rewrite README with structured overview and quick start guide
Replaces the minimal project description with a comprehensive README
including a component overview table, quick start instructions, common
Ansible operations, and links to detailed documentation. Aligns with
Red Panda Approval™ standards.
2026-03-03 12:49:06 +00:00


LobeChat

Modern AI chat interface with multi-LLM support, deployed on Rosalind with PostgreSQL backend and S3 storage.

Host: rosalind.incus
Port: 22081
External URL: https://lobechat.ouranos.helu.ca/

Quick Deployment

cd ansible
ansible-playbook lobechat/deploy.yml

Architecture

┌──────────┐      ┌────────────┐      ┌──────────┐      ┌───────────┐
│  Client  │─────▶│  HAProxy   │─────▶│ LobeChat │─────▶│PostgreSQL │
│          │      │ (Titania)  │      │(Rosalind)│      │ (Portia)  │
└──────────┘      └────────────┘      └──────────┘      └───────────┘
                                            │
                                            ├─────────▶ Casdoor (SSO)
                                            ├─────────▶ S3 (File Storage)
                                            ├─────────▶ SearXNG (Search)
                                            └─────────▶ AI APIs

Required Vault Secrets

Add secrets to ansible/inventory/group_vars/all/vault.yml:

1. Key Vaults Secret (Encryption Key)

vault_lobechat_key_vaults_secret: "your-generated-secret"

Purpose: Encrypts sensitive data (API keys, credentials) stored in the database.

Generate with:

openssl rand -base64 32

This secret must be at least 32 bytes (base64 encoded). If changed after deployment, previously stored encrypted data will become unreadable.

2. NextAuth Secret

vault_lobechat_next_auth_secret: "your-generated-secret"

Purpose: Signs NextAuth.js JWT tokens for session management.

Generate with:

openssl rand -base64 32

3. Database Password

vault_lobechat_db_password: "your-secure-password"

Purpose: PostgreSQL authentication for the lobechat database user.

4. S3 Secret Key

vault_lobechat_s3_secret_key: "your-s3-secret-key"

Purpose: Authentication for S3 file storage bucket.

Get from Terraform:

cd terraform
terraform output -json lobechat_s3_credentials

5. AI Provider API Keys (Optional)

vault_lobechat_openai_api_key: "sk-proj-..."
vault_lobechat_anthropic_api_key: "sk-ant-api03-..."
vault_lobechat_google_api_key: "AIza..."

Purpose: Server-side AI provider access. Users can also provide their own keys via the UI.

| Provider | Get Key From |
|---|---|
| OpenAI | https://platform.openai.com/api-keys |
| Anthropic | https://console.anthropic.com/ |
| Google | https://aistudio.google.com/apikey |

6. AWS Bedrock Credentials (Optional)

vault_lobechat_aws_access_key_id: "AKIA..."
vault_lobechat_aws_secret_access_key: "wJalr..."
vault_lobechat_aws_region: "us-east-1"

Purpose: Access AWS Bedrock models (Claude, Titan, Llama, etc.)

Requirements:

  • IAM user/role with bedrock:InvokeModel permission
  • Model access enabled in AWS Bedrock console for the region
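
A pre-deploy check for the four required secrets listed above, as an added example that is not part of the Ouranos repository. It assumes the vault has been decrypted to plain `key: "value"` YAML lines (for instance with `ansible-vault view`), treats the page's `your-...` sample values as unfilled placeholders, and reads the 32-byte requirement as the base64-decoded length; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the repository): pre-deploy check of the required
# LobeChat vault secrets. Input is plaintext YAML with top-level key: "value" lines.

# Print the value of top-level key $1 in file $2, surrounding quotes stripped.
vault_value() {
  sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per problem; return 0 only if every required secret is usable.
check_lobechat_vault() (
  problems=0
  for key in vault_lobechat_key_vaults_secret vault_lobechat_next_auth_secret \
             vault_lobechat_db_password vault_lobechat_s3_secret_key; do
    val="$(vault_value "$key" "$1")"
    case "$val" in
      "")     echo "MISSING $key";     problems=$((problems + 1)); continue ;;
      your-*) echo "PLACEHOLDER $key"; problems=$((problems + 1)); continue ;;
    esac
    # Assumption: "at least 32 bytes" refers to the base64-decoded length.
    if [ "$key" = vault_lobechat_key_vaults_secret ]; then
      n="$(printf '%s' "$val" | base64 -d 2>/dev/null | wc -c | tr -d ' ')"
      if [ "$n" -lt 32 ]; then
        echo "TOO_SHORT $key ($n bytes decoded, need 32)"
        problems=$((problems + 1))
      fi
    fi
  done
  [ "$problems" -eq 0 ]
)

# Constructed sample, not real secrets: short key, leftover placeholder,
# and no S3 secret key at all.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
vault_lobechat_key_vaults_secret: "c2hvcnQ="
vault_lobechat_next_auth_secret: "your-generated-secret"
vault_lobechat_db_password: "constructed-example-password"
EOF
check_lobechat_vault "$sample" || echo "vault is not ready for deployment"
rm -f "$sample"
```

Run it against decrypted vault output before `ansible-playbook lobechat/deploy.yml`, and avoid leaving the decrypted file on disk afterwards.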

Host Variables

Defined in ansible/inventory/host_vars/rosalind.incus.yml:

| Variable | Description |
|---|---|
| lobechat_user | Service user (lobechat) |
| lobechat_directory | Service directory (/srv/lobechat) |
| lobechat_port | Container port (22081) |
| lobechat_db_* | PostgreSQL connection settings |
| lobechat_auth_casdoor_* | Casdoor SSO configuration |
| lobechat_s3_* | S3 storage settings |
| lobechat_syslog_port | Alloy log collection port (51461) |

Dependencies

| Service | Host | Purpose |
|---|---|---|
| PostgreSQL | Portia | Database backend |
| Casdoor | Titania | SSO authentication |
| HAProxy | Titania | HTTPS termination |
| SearXNG | Oberon | Web search |
| S3 Bucket | Incus | File storage |

Ansible Files

| File | Purpose |
|---|---|
| lobechat/deploy.yml | Main deployment playbook |
| lobechat/docker-compose.yml.j2 | Docker Compose template |

Operations

Check Status

ssh rosalind.incus
cd /srv/lobechat
docker compose ps
docker compose logs -f

Update Container

ssh rosalind.incus
cd /srv/lobechat
docker compose pull
docker compose up -d

Database Access

psql -h portia.incus -U lobechat -d lobechat

Troubleshooting

| Issue | Resolution |
|---|---|
| Container won't start | Check vault secrets are defined |
| Database connection failed | Verify PostgreSQL on Portia is running |
| SSO redirect fails | Check Casdoor application config |
| File uploads fail | Verify S3 credentials from Terraform |

References