WIP

rhoriguchi · Nov 25, 2024 · 1dec475 · 1dec475
1 parent c2e901b
commit 1dec475
Show file tree

Hide file tree

Showing 5 changed files with 107 additions and 0 deletions.
diff --git a/configuration/devices/headless/router/default.nix b/configuration/devices/headless/router/default.nix
@@ -6,7 +6,9 @@ in {
 
     ./adguardhome.nix
     ./firewall.nix
+    ./librenms.nix
     ./routing.nix
+    ./snmp.nix
     ./web-proxy.nix
 
     ./hardware-configuration.nix

diff --git a/configuration/devices/headless/router/librenms.nix b/configuration/devices/headless/router/librenms.nix
@@ -0,0 +1,71 @@
+{ pkgs, config, lib, secrets, ... }:
+let defaultUser = "admin";
+in {
+  services = {
+    infomaniak = {
+      enable = true;
+
+      username = secrets.infomaniak.username;
+      password = secrets.infomaniak.password;
+      hostnames = [ "librenms.00a.ch" ];
+    };
+
+    librenms = {
+      enable = true;
+
+      hostname = "librenms.00a.ch";
+
+      settings.auth_mechanism = "http-auth";
+
+      database = {
+        createLocally = true;
+        socket = "/run/mysqld/mysqld.sock";
+      };
+
+      nginx = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."~ .php$" = {
+          basicAuth = secrets.nginx.basicAuth."librenms.00a.ch";
+
+          extraConfig = ''
+            fastcgi_param REMOTE_USER ${defaultUser};
+
+            satisfy any;
+
+            allow 192.168.1.0/24;
+            deny all;
+          '';
+        };
+      };
+    };
+  };
+
+  systemd.services.librenms-create-admin-user = {
+    after = [ "librenms-setup.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      User = config.services.librenms.user;
+      Group = config.services.librenms.group;
+    };
+
+    script = let
+      pkg = builtins.head (builtins.filter (pkg: pkg.name == "lnms") config.environment.systemPackages);
+      lnms = "${pkg}/bin/lnms";
+    in ''
+      ${lnms} db:seed --force
+      ${lnms} user:add ${
+        lib.concatStringsSep " " [
+          ''--password "$(${pkgs.openssl}/bin/openssl rand --hex 16)"''
+          "--role admin"
+          ''--email "${config.security.acme.defaults.email}"''
+          "--no-interaction"
+        ]
+      } ${defaultUser} || true
+    '';
+  };
+}
diff --git a/configuration/devices/headless/router/snmp.nix b/configuration/devices/headless/router/snmp.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+  services.snmpd = {
+    enable = true;
+
+    listenAddress = "127.0.0.1";
+    configText = ''
+      rocommunity public
+
+      sysLocation "${config.networking.hostName}"
+      sysContact "${config.security.acme.defaults.email}"
+
+      deny write all
+    '';
+  };
+}
diff --git a/modules/default/librenms.nix b/modules/default/librenms.nix
@@ -0,0 +1,19 @@
+# TODO remove when merged https://nixpk.gs/pr-tracker.html?pr=XXXXXXXXXXXXXXXX
+
+{ modulesPath, ... }:
+let
+  src = let
+    owner = "NixOS";
+    repo = "nixpkgs";
+    rev = "d2767c43d72169b68e6f89a80eafbe9385638eb1";
+    sha256 = "sha256:0dr36p8wd8fshq4wdyk8l5c03j97215k5v85cqai1m8jl0zx8z0g";
+  in builtins.fetchTarball {
+    name = "nixpkgs";
+    url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
+    inherit sha256;
+  };
+in {
+  disabledModules = [ "${modulesPath}/services/monitoring/librenms.nix" ];
+
+  imports = [ "${src}/nixos/modules/services/monitoring/librenms.nix" ];
+}
diff --git a/secrets.nix b/secrets.nix