diff --git a/configuration/devices/headless/router/default.nix b/configuration/devices/headless/router/default.nix
index 1ff4649d..7632be1c 100644
--- a/configuration/devices/headless/router/default.nix
+++ b/configuration/devices/headless/router/default.nix
@@ -6,6 +6,7 @@ in {
 ./adguardhome.nix
 ./firewall.nix
+ ./librenms.nix
 ./routing.nix
 ./web-proxy.nix
@@ -35,5 +36,17 @@ in {
 username = secrets.infomaniak.username;
 password = secrets.infomaniak.password;
 };
+
+ snmpd = {
+ enable = true;
+
+ listenAddress = "127.0.0.1";
+ configText = ''
+ rocommunity public
+
+ sysLocation Cabinet
+ sysContact ${config.security.acme.defaults.email}
+ '';
+ };
 };
 }
diff --git a/configuration/devices/headless/router/librenms.nix b/configuration/devices/headless/router/librenms.nix
new file mode 100644
index 00000000..bb34ebd5
--- /dev/null
+++ b/configuration/devices/headless/router/librenms.nix
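Review bot: `rocommunity public` in the new snmpd block uses the textbook default community with no source restriction, so every process that can reach 127.0.0.1 can walk the whole read-only tree, including sysContact, which here is the ACME account email. Because listenAddress is 127.0.0.1 the exposure is local today, but the line turns into a LAN-wide read the moment listenAddress is widened; tying the community to the intended poller, `rocommunity public 127.0.0.1`, keeps the two settings from drifting apart. The whole of configText also ends up in the Nix store, so if the community is ever changed to something non-default it should be sourced from secrets like the infomaniak credentials a few lines above rather than written inline.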
@@ -0,0 +1,100 @@
+{ pkgs, config, lib, secrets, ... }:
+let defaultUser = "admin";
+in {
+ services = {
+ infomaniak = {
+ enable = true;
+
+ username = secrets.infomaniak.username;
+ password = secrets.infomaniak.password;
+ hostnames = [ "librenms.00a.ch" ];
+ };
+
+ # workaround for the nginx attributes since lib.mkMerge fails
+ nginx.virtualHosts."${config.services.librenms.hostname}".locations."/" = {
+ basicAuth = secrets.nginx.basicAuth."librenms.00a.ch";
+
+ extraConfig = ''
+ fastcgi_param REMOTE_USER ${defaultUser};
+
+ satisfy any;
+
+ allow 192.168.1.0/24;
+ deny all;
+ '';
+ };
+
+ librenms = {
+ enable = true;
+
+ hostname = "librenms.00a.ch";
+
+ settings = {
+ auth_mechanism = "http-auth";
+
+ autodiscovery.nets-exclude = [ ];
+ nets = [ "127.0.0.1" "192.168.1.0/24" ];
+
+ prometheus = let basicAuth = secrets.nginx.basicAuth."pushgateway.00a.ch";
+ in {
+ enable = true;
+ url = "https://pushgateway.00a.ch";
+ user = builtins.head (lib.attrNames basicAuth);
+ password = builtins.head (lib.attrValues basicAuth);
+ job = "librenms";
+ prefix = "librenms";
+ };
+ };
+
+ database = {
+ createLocally = true;
+ socket = "/run/mysqld/mysqld.sock";
+ };
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+
+ systemd.services.librenms-add-admin-user = {
+ after = [ "librenms-setup.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ User = config.services.librenms.user;
+ Group = config.services.librenms.group;
+ };
+
+ script = let
+ pkg = builtins.head (builtins.filter (pkg: pkg.name == "lnms") config.environment.systemPackages);
+ lnms = "${pkg}/bin/lnms";
+ in ''
+ ${lnms} db:seed --force
+
+ ${lnms} user:add ${
+ lib.concatStringsSep " " [
+ ''--email "${config.security.acme.defaults.email}"''
+ ''--password "$(${pkgs.openssl}/bin/openssl rand --hex 16)"''
+ "--role admin"
+ "--no-interaction"
+ ]
+ } ${defaultUser} || true
+
+ echo "${
+ lib.concatStringsSep " " [
+ "UPDATE ${config.services.librenms.database.database}.users"
+ "SET auth_type = '${config.services.librenms.settings.auth_mechanism}'"
+ "WHERE username = '${defaultUser}'"
+ ]
+ };" | ${pkgs.mariadb}/bin/mysql --socket='${config.services.librenms.database.socket}' || true
+ '';
+ };
+
+ services.cron.systemCronJobs = [
+ "27 * * * * ${config.services.librenms.user} ${pkgs.python3}/bin/python /${config.services.librenms.package}/snmp-scan.py >> /dev/null 2>&1"
+ ];
+}
diff --git a/modules/default/librenms.nix b/modules/default/librenms.nix
new file mode 100644
index 00000000..6d722ac3
--- /dev/null
+++ b/modules/default/librenms.nix
@@ -0,0 +1,19 @@
+# TODO remove when merged https://nixpk.gs/pr-tracker.html?pr=359182
+
+{ modulesPath, ... }:
+let
+ src = let
+ owner = "NixOS";
+ repo = "nixpkgs";
+ rev = "cf4d89e473867d68587cfe098e0725194eddf149";
+ sha256 = "sha256:0an0xa61wpgympk391kyn6pdmx4jnbiyapcr193kc9qk9r3x3iaz";
+ in builtins.fetchTarball {
+ name = "nixpkgs";
+ url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
+ inherit sha256;
+ };
+in {
+ disabledModules = [ "${modulesPath}/services/monitoring/librenms.nix" ];
+
+ imports = [ "${src}/nixos/modules/services/monitoring/librenms.nix" ];
+}
diff --git a/secrets.nix b/secrets.nix
index a0dbe4e8..317a0f6e 100755
Binary files a/secrets.nix and b/secrets.nix differ