diff --git a/configuration/devices/headless/router/default.nix b/configuration/devices/headless/router/default.nix
index 1ff4649d..6ec8321c 100644
--- a/configuration/devices/headless/router/default.nix
+++ b/configuration/devices/headless/router/default.nix
@@ -6,7 +6,9 @@ in { ./adguardhome.nix ./firewall.nix + ./librenms.nix ./routing.nix + ./snmp.nix ./web-proxy.nix ./hardware-configuration.nix
diff --git a/configuration/devices/headless/router/librenms.nix b/configuration/devices/headless/router/librenms.nix
new file mode 100644
index 00000000..90513205
--- /dev/null
+++ b/configuration/devices/headless/router/librenms.nix
@@ -0,0 +1,62 @@
+{ config, lib, secrets, ... }: {
+ services = {
+ infomaniak = {
+ enable = true;
+
+ username = secrets.infomaniak.username;
+ password = secrets.infomaniak.password;
+ hostnames = [ "librenms.00a.ch" ];
+ };
+
+ librenms = {
+ enable = true;
+
+ hostname = "librenms.00a.ch";
+
+ settings = {
+ autodiscovery.nets-exclude = [ ];
+ nets = [ "127.0.0.1" "192.168.1.0/24" ];
+ discovery_by_ip = true;
+ };
+
+ database = {
+ createLocally = true;
+ socket = "/run/mysqld/mysqld.sock";
+ };
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+
+ systemd.services.librenms-create-admin-user = {
+ after = [ "librenms-setup.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ User = config.services.librenms.user;
+ Group = config.services.librenms.group;
+ };
+
+ script = let
+ pkg = builtins.head (builtins.filter (pkg: pkg.name == "lnms") config.environment.systemPackages);
+ lnms = "${pkg}/bin/lnms";
+ in ''
+ ${lnms} db:seed --force
+
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList (key: value:
+ "${lnms} user:add ${
+ lib.concatStringsSep " " [
+ ''--password "${value.password}"''
+ "--role admin"
+ ''--email "${config.security.acme.defaults.email}"''
+ "--no-interaction"
+ ]
+ } ${key} || true") secrets.librenms.users)}
+ '';
+ };
+}
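Review bot: In `systemd.services.librenms-create-admin-user` (router/librenms.nix), `''--password "${value.password}"''` interpolates each admin password into the unit's `script` at evaluation time, so the plaintext ends up in the generated script under the world-readable `/nix/store` and on the `lnms` command line, even though `secrets.nix` appears in this diff as a binary (presumably encrypted) file. The value is also unescaped, so a password containing `"`, `$` or a backtick is re-interpreted by the shell. Consider reading the password at run time from a file outside the store (for example via systemd `LoadCredential=`) and, at minimum, quoting with `lib.escapeShellArg value.password` and `lib.escapeShellArg key`. The trailing `|| true` hides every `user:add` failure, not only "user already exists", so a comment stating that intent would help.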
diff --git a/configuration/devices/headless/router/snmp.nix b/configuration/devices/headless/router/snmp.nix
new file mode 100644
index 00000000..f951cbb4
--- /dev/null
+++ b/configuration/devices/headless/router/snmp.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+ services.snmpd = {
+ enable = true;
+
+ listenAddress = "127.0.0.1";
+ configText = ''
+ rocommunity public
+
+ sysLocation Cabinet
+ sysContact "${config.security.acme.defaults.email}"
+
+ deny write all
+ '';
+ };
+}
diff --git a/modules/default/librenms.nix b/modules/default/librenms.nix
new file mode 100644
index 00000000..4e2fa615
--- /dev/null
+++ b/modules/default/librenms.nix
@@ -0,0 +1,19 @@
+# TODO remove when merged https://nixpk.gs/pr-tracker.html?pr=359182
+
+{ modulesPath, ... }:
+let
+ src = let
+ owner = "NixOS";
+ repo = "nixpkgs";
+ rev = "d288f8679b6767758391b51cd4b0bf918e56f243";
+ sha256 = "sha256:0fnwag40a33dvcpaz4bbl2sz38b7fslhcnpl2336lb7w27ahbqqb";
+ in builtins.fetchTarball {
+ name = "nixpkgs";
+ url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
+ inherit sha256;
+ };
+in {
+ disabledModules = [ "${modulesPath}/services/monitoring/librenms.nix" ];
+
+ imports = [ "${src}/nixos/modules/services/monitoring/librenms.nix" ];
+}
diff --git a/secrets.nix b/secrets.nix
index 20939d6c..9556f56a 100755
Binary files a/secrets.nix and b/secrets.nix differ
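Review bot: `rocommunity public` in router/snmp.nix uses the well-known default community with no source restriction, so the only thing keeping the agent private is `listenAddress = "127.0.0.1"`, and any local process can read the whole tree. Putting the source into the directive, `rocommunity public 127.0.0.1`, keeps the ACL correct if the listen address is ever widened; a non-default community or an SNMPv3 `rouser` would be stronger, with the matching value set on the LibreNMS side. I do not recognise `deny write all` as an snmpd.conf directive, so please confirm snmpd does not merely log it as an unknown token; `rocommunity` already grants read-only access, and a comment saying so could replace that line.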
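Review bot: modules/default/librenms.nix replaces the stock module with one taken from a commit of a still-unmerged nixpkgs PR; the `rev` plus `sha256` pin fixes the fetched content, which is the right way to do it, but that code has not passed upstream review and is evaluated as part of the router's system configuration. Only the module is swapped, while the `librenms` package presumably still comes from the system's nixpkgs, so the two can drift apart. I would extend the header comment to something like `# Pinned to PR 359182 as reviewed on <date>; module only, package comes from the system nixpkgs`, and note there that the commit may stop being fetchable if the PR branch is force-pushed.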