diff --git a/hosts/AZ-CLD-1/secrets.nix b/hosts/AZ-CLD-1/secrets.nix index e15d8bb..94f20fc 100644 --- a/hosts/AZ-CLD-1/secrets.nix +++ b/hosts/AZ-CLD-1/secrets.nix @@ -7,12 +7,18 @@ baserow-env = { file = ../../secrets/baserow-env.age; }; + librechat = { + file = ../../secrets/librechat.age; + }; librechat-env = { file = ../../secrets/librechat-env.age; }; librechat-env-dev = { file = ../../secrets/librechat-env-dev.age; }; + librechat-env-prod = { + file = ../../secrets/librechat-env-prod.age; + }; litellm-env = { file = ../../secrets/litellm-env.age; }; diff --git a/hosts/AZ-CLD-1/services/containers/librechat-dev.nix b/hosts/AZ-CLD-1/services/containers/librechat-dev.nix index a8b0c01..2db4c41 100644 --- a/hosts/AZ-CLD-1/services/containers/librechat-dev.nix +++ b/hosts/AZ-CLD-1/services/containers/librechat-dev.nix @@ -9,6 +9,7 @@ servicePort = portUtils.getPort serviceName "AZ-CLD-1"; ragApiDevPort = portUtils.getPort "rag-api-dev" "AZ-CLD-1"; envFileDev = config.age.secrets.librechat-env-dev.path; + envFileCommon = config.age.secrets.librechat.path; in { virtualisation.oci-containers = { containers.meilisearch-dev = { @@ -19,7 +20,7 @@ in { MEILI_HTTP_ADDR = "0.0.0.0:7700"; MEILI_NO_ANALYTICS = "true"; }; - environmentFiles = [envFileDev]; + environmentFiles = [envFileDev envFileCommon]; extraOptions = ["--ip=10.89.1.20" "--network=web-dev"]; }; @@ -31,7 +32,7 @@ in { DB_HOST = "10.89.1.1"; DB_PORT = "5432"; }; - environmentFiles = [envFileDev]; + environmentFiles = [envFileDev envFileCommon]; dependsOn = ["meilisearch-dev"]; extraOptions = ["--add-host=postgres:10.89.1.1" "--ip=10.89.1.21" "--network=web-dev"]; ports = ["127.0.0.1:${toString ragApiDevPort}:8000"]; @@ -60,7 +61,7 @@ in { RAG_PORT = "8000"; RAG_API_URL = "http://rag_api-dev:8000"; }; - environmentFiles = [envFileDev]; + environmentFiles = [envFileDev envFileCommon]; volumes = [ "/var/lib/librechat-dev/librechat.yaml:/app/librechat.yaml:ro" "librechat_dev_images:/app/client/public/images" 
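Review bot: The three `environmentFiles = [envFileDev envFileCommon];` lines (hunks at -19, -31 and -60 of librechat-dev.nix) give the shared `librechat` secret to every dev container, including `meilisearch-dev`, which probably needs only its own key. If that common file also backs production, a compromise of any dev container exposes the shared values, so attach it only to the containers that read it or split it per consumer. Order may matter too: if the runtime applies env files in sequence, a key present in both files would presumably take its value from the later one, so `[envFileCommon envFileDev]` would keep dev-specific values authoritative; confirm against the runtime in use. The container definitions start and end outside these hunks.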
diff --git a/hosts/AZ-CLD-1/services/postgres.nix b/hosts/AZ-CLD-1/services/postgres.nix
index a9846b0..70824ec 100644
--- a/hosts/AZ-CLD-1/services/postgres.nix
+++ b/hosts/AZ-CLD-1/services/postgres.nix
@@ -9,42 +9,72 @@ package = pkgs.postgresql_17; settings = { ssl = true; + max_connections = 180; + superuser_reserved_connections = 5; + + idle_in_transaction_session_timeout = "10min"; + idle_session_timeout = "2h"; + + tcp_keepalives_idle = 60; + tcp_keepalives_interval = 10; + tcp_keepalives_count = 6; + + deadlock_timeout = "1s"; + + authentication_timeout = "30s"; + + log_connections = true; + log_disconnections = true; + log_lock_waits = true; }; extensions = with pkgs.postgresql17Packages; [ pgvector ]; initialScript = pkgs.writeText "backend-initScript" '' CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow'; - CREATE DATABASE baserow; - ALTER DATABASE baserow OWNER to baserow; + CREATE DATABASE baserow; + ALTER DATABASE baserow OWNER to baserow; + ALTER DATABASE baserow CONNECTION LIMIT 20; - CREATE USER kestra WITH ENCRYPTED PASSWORD 'kestra'; - CREATE DATABASE kestra; - ALTER DATABASE kestra OWNER to kestra; + CREATE USER kestra WITH ENCRYPTED PASSWORD 'kestra'; + CREATE DATABASE kestra; + ALTER DATABASE kestra OWNER to kestra; + ALTER DATABASE kestra CONNECTION LIMIT 10; - CREATE USER librechat_rag WITH ENCRYPTED PASSWORD 'librechat_rag'; - CREATE DATABASE librechat_rag; - ALTER DATABASE librechat_rag OWNER to librechat_rag; + CREATE USER librechat_rag WITH ENCRYPTED PASSWORD 'librechat_rag'; + CREATE DATABASE librechat_rag; + ALTER DATABASE librechat_rag OWNER to librechat_rag; + ALTER DATABASE librechat_rag CONNECTION LIMIT 20; - CREATE USER librechat_rag_dev WITH ENCRYPTED PASSWORD 'librechat_rag_dev'; - CREATE DATABASE librechat_rag_dev; - ALTER DATABASE librechat_rag_dev OWNER to librechat_rag_dev; + CREATE USER librechat_rag_dev WITH ENCRYPTED PASSWORD 'librechat_rag_dev'; + CREATE DATABASE librechat_rag_dev; + ALTER DATABASE librechat_rag_dev OWNER to librechat_rag_dev; + ALTER DATABASE librechat_rag_dev CONNECTION LIMIT 10; - CREATE USER metabase WITH ENCRYPTED PASSWORD 'metabase'; - CREATE DATABASE metabase; - ALTER DATABASE metabase OWNER to 
metabase; + CREATE USER metabase WITH ENCRYPTED PASSWORD 'metabase'; + CREATE DATABASE metabase; + ALTER DATABASE metabase OWNER to metabase; + ALTER DATABASE metabase CONNECTION LIMIT 15; - CREATE USER n8n WITH ENCRYPTED PASSWORD 'n8n'; - CREATE DATABASE n8n; - ALTER DATABASE n8n OWNER to n8n; + CREATE USER n8n WITH ENCRYPTED PASSWORD 'n8n'; + CREATE DATABASE n8n; + ALTER DATABASE n8n OWNER to n8n; + ALTER DATABASE n8n CONNECTION LIMIT 5; - CREATE USER outline WITH ENCRYPTED PASSWORD 'outline'; - CREATE DATABASE outline; - ALTER DATABASE outline OWNER to outline; + CREATE USER outline WITH ENCRYPTED PASSWORD 'outline'; + CREATE DATABASE outline; + ALTER DATABASE outline OWNER to outline; + ALTER DATABASE outline CONNECTION LIMIT 5; - CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'vaultwarden'; - CREATE DATABASE vaultwarden; - ALTER DATABASE vaultwarden OWNER to vaultwarden; + CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'vaultwarden'; + CREATE DATABASE vaultwarden; + ALTER DATABASE vaultwarden OWNER to vaultwarden; + ALTER DATABASE vaultwarden CONNECTION LIMIT 5; + + CREATE USER zammad WITH ENCRYPTED PASSWORD 'zammad'; + CREATE DATABASE zammad; + ALTER DATABASE zammad OWNER to zammad; + ALTER DATABASE zammad CONNECTION LIMIT 50; ''; authentication = pkgs.lib.mkOverride 10 '' # Local connections (Unix socket) diff --git a/secrets.nix b/secrets.nix index d92ef64..e74e201 100644 --- a/secrets.nix +++ b/secrets.nix @@ -16,6 +16,8 @@ in { "secrets/baserow-env.age".publicKeys = systems ++ users; "secrets/kestra-db.age".publicKeys = systems ++ users; "secrets/librechat-env.age".publicKeys = systems ++ users; + "secrets/librechat.age".publicKeys = systems ++ users; + "secrets/librechat-env-prod.age".publicKeys = systems ++ users; "secrets/librechat-env-dev.age".publicKeys = systems ++ users; "secrets/litellm-env.age".publicKeys = systems ++ users; "secrets/metabase-env.age".publicKeys = systems ++ users; 
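Review bot: The added `CREATE USER zammad WITH ENCRYPTED PASSWORD 'zammad';` repeats the password-equals-role-name pattern of the other roles, and because the script is built with `pkgs.writeText` the literal also ends up in the world-readable Nix store. The repository already manages age secrets, so the role password could be set from one at service start instead of in `initialScript`. The host rules of the `authentication` block lie outside this hunk, so how reachable these logins are cannot be judged from here. Separately, `initialScript` runs only when the cluster is first initialised, so on an existing data directory neither the zammad role nor the new `ALTER DATABASE … CONNECTION LIMIT` statements take effect without a separate idempotent setup step.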
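Review bot: `"secrets/librechat-env-prod.age".publicKeys = systems ++ users;` encrypts the production env file to every key in `systems`, whose definition is outside this hunk. If that list covers more than AZ-CLD-1, hosts that never run LibreChat can decrypt production credentials. Narrowing the recipients to the consuming host's key plus the admin users would limit that, with a comment such as `# prod secret: recipients limited to the host that runs it`. The same consideration applies to the added `secrets/librechat.age` line.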
diff --git a/secrets/librechat-env-dev.age b/secrets/librechat-env-dev.age
index 4125579..8aa9be8 100644
Binary files a/secrets/librechat-env-dev.age and b/secrets/librechat-env-dev.age differ
diff --git a/secrets/librechat-env-prod.age b/secrets/librechat-env-prod.age
new file mode 100644
index 0000000..d9ae6cc
Binary files /dev/null and b/secrets/librechat-env-prod.age differ
diff --git a/secrets/librechat.age b/secrets/librechat.age
new file mode 100644
index 0000000..c0d50c5
Binary files /dev/null and b/secrets/librechat.age differ