From c0f26a47f27cdebf9f190cb8ecb66803b59499ad Mon Sep 17 00:00:00 2001 From: pazpi Date: Mon, 19 Jan 2026 12:35:13 +0100 Subject: [PATCH] Add LibreNMS service --- hosts/caddy/default.nix | 6 +++ hosts/hosts.nix | 9 ++++ hosts/librenms/default.nix | 33 ++++++++++++ hosts/parameters.nix | 1 + modules/monitoring/default.nix | 1 + modules/monitoring/librenms.nix | 89 ++++++++++++++++++++++++++++++++ modules/utils/lxc-standard.nix | 9 ++++ secrets.nix | 1 + secrets/snmpd-config.age | Bin 0 -> 2335 bytes ssh-keys.nix | 2 + 10 files changed, 151 insertions(+) create mode 100644 hosts/librenms/default.nix create mode 100644 modules/monitoring/librenms.nix create mode 100644 secrets/snmpd-config.age diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix index e33b1da..e69612b 100644 --- a/hosts/caddy/default.nix +++ b/hosts/caddy/default.nix @@ -127,6 +127,12 @@ in domain = p.domains.public; host = p.hosts.portainer; }; + + librenms.proxy = { + enable = true; + domain = p.domains.public; + host = p.hosts.librenms; + }; }; networking = { diff --git a/hosts/hosts.nix b/hosts/hosts.nix index b285d84..dd73b05 100644 --- a/hosts/hosts.nix +++ b/hosts/hosts.nix @@ -195,6 +195,15 @@ ]; }; + librenms = { + module = ./librenms; + tags = [ + "lxc" + "bacco" + "librenms" + ]; + }; + # Special hosts (non-LXC or local deployment) # deadbeef = { # module = ./deadbeef; diff --git a/hosts/librenms/default.nix b/hosts/librenms/default.nix new file mode 100644 index 0000000..f94eaac --- /dev/null +++ b/hosts/librenms/default.nix 
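Review bot: In hosts/caddy/default.nix the new `librenms.proxy` entry sets `domain = p.domains.public`, so the LibreNMS console becomes a virtual host on the public domain, and nothing in this hunk or in the generated `reverse_proxy` block puts an access check in front of it. LibreNMS holds device inventory and SNMP credentials, so if that name resolves from outside, its own login page is the only barrier; whether the imported `cloudflare_${domain}` snippet adds any restriction is not visible here. Consider serving it on the private domain, or add a comment above the entry stating what gates access, e.g. `# LibreNMS: reachable only via <access control placeholder>`. The enclosing attribute set starts and ends outside the hunk.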
@@ -0,0 +1,33 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ p = import ../parameters.nix;
+in
+{
+ my = {
+ utils = {
+ commons.enable = true;
+ lxc-standard.enable = true;
+ };
+
+ monitoring.librenms = {
+ enable = true;
+ hostname = p.hosts.librenms;
+ settings = {
+ "snmp.community" = [ "public" "homelab" ];
+
+ };
+ };
+
+ virtualisation.proxmox.enable = true;
+ };
+
+ # Extra packages
+ environment.systemPackages = with pkgs; [ ];
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/parameters.nix b/hosts/parameters.nix
index 16150e0..87949e5 100644
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@@ -32,6 +32,7 @@ in
 forgejo-runner = "forgejo-runner.${private-domain}";
 n8n = "n8n.${private-domain}";
 ilpost-podcast = "ilpost-podcast.${private-domain}";
+ librenms = "librenms.${private-domain}";
 };
 email = "davide@${public-domain}";
 }
diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix
index 3e2e1d1..2353576 100644
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./grafana.nix
+ ./librenms.nix
 ./loki.nix
 ./prometheus.nix
 ./uptime-kuma.nix
diff --git a/modules/monitoring/librenms.nix b/modules/monitoring/librenms.nix
new file mode 100644
index 0000000..b14c40d
--- /dev/null
+++ b/modules/monitoring/librenms.nix
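Review bot: `"snmp.community" = [ "public" "homelab" ];` in hosts/librenms/default.nix commits the SNMP community strings in plaintext, while the same commit keeps the agent side in the age-encrypted `secrets/snmpd-config.age`. Community strings are the only credential in SNMP v1/v2c, and values under `settings` are presumably rendered into the LibreNMS configuration in the Nix store, which every local user can read. `public` is also the well-known default; if no device is meant to answer to it, drop it, and load the real community (or SNMPv3 credentials) from an agenix secret rather than from `settings`. The empty `environment.systemPackages = with pkgs; [ ];` and the blank line inside `settings` can be removed.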
@@ -0,0 +1,89 @@ +{ + lib, + config, + pkgs, + ... +}: +let + cfg = config.my.monitoring.librenms; +in +{ + + options.my.monitoring.librenms = { + enable = lib.mkEnableOption "Enable LibreNMS module"; + + hostname = lib.mkOption { + default = "librenms.home"; + type = lib.types.str; + description = '' + The hostname for LibreNMS + ''; + }; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = (pkgs.formats.json { }).type; + }; + default = { }; + description = '' + LibreNMS configuration settings (maps to config.php) + ''; + }; + + proxy = { + enable = lib.mkEnableOption "Set the proxy entry for this service"; + + domain = lib.mkOption { + default = "example.com"; + type = lib.types.str; + description = '' + The domain where Caddy is reachable + ''; + }; + + subdomain = lib.mkOption { + default = "librenms"; + type = lib.types.str; + description = '' + The subdomain where LibreNMS is reachable + ''; + }; + + host = lib.mkOption { + default = "localhost"; + type = lib.types.str; + description = '' + Host name where the service is running + ''; + }; + + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.enable { + + services.librenms = { + enable = true; + hostname = cfg.hostname; + database = { + createLocally = true; + socket = "/run/mysqld/mysqld.sock"; + }; + settings = cfg.settings; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + + }) + + (lib.mkIf cfg.proxy.enable { + services.caddy = with cfg.proxy; { + virtualHosts."${subdomain}.${domain}".extraConfig = '' + reverse_proxy http://${host}:80 + import cloudflare_${domain} + ''; + }; + }) + ]; +} diff --git a/modules/utils/lxc-standard.nix b/modules/utils/lxc-standard.nix index a4f0384..d256adb 100644 --- a/modules/utils/lxc-standard.nix +++ b/modules/utils/lxc-standard.nix @@ -9,6 +9,8 @@ in config = lib.mkIf cfg.enable { + age.secrets.snmpd-config.file = ../../secrets/snmpd-config.age; + # Enable SSH services.openssh = { enable = true; 
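Review bot: `networking.firewall.allowedTCPPorts = [ 80 ];` in modules/monitoring/librenms.nix opens the LibreNMS web port to every source, although the only intended client visible in this commit is Caddy, which connects with `reverse_proxy http://${host}:80`. Any host that can route to the container can therefore reach the UI and API without passing the proxy, and logins and API tokens cross that hop unencrypted. A rule limited to the proxy's address would close the bypass; with the nftables backend that could be `networking.firewall.extraInputRules = "ip saddr <caddy address placeholder> tcp dport 80 accept";` in place of the `allowedTCPPorts` line. Separately, `lib.mkEnableOption "Enable LibreNMS module"` renders as "Whether to enable Enable LibreNMS module."; `lib.mkEnableOption "the LibreNMS module"` reads correctly.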
@@ -30,6 +32,13 @@ in }; }; + # SNMP + services.snmpd = { + enable = true; + openFirewall = true; + configFile = config.age.secrets.snmpd-config.path; + }; + networking.nameservers = [ "192.168.1.2" ]; }; diff --git a/secrets.nix b/secrets.nix index 826e165..9518d43 100644 --- a/secrets.nix +++ b/secrets.nix @@ -31,6 +31,7 @@ let machines.firefly-iii ]; forgejo-runner-token = [ machines.forgejo-runner ]; + snmpd-config = builtins.attrValues machines; }; in builtins.listToAttrs ( 
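Review bot: `openFirewall = true;` in the new `services.snmpd` block of modules/utils/lxc-standard.nix exposes the SNMP agent to any source on every host that enables `lxc-standard`, with no way to turn it off per host. Only the LibreNMS poller needs to reach the agent, so a firewall rule restricted to the poller's address is the tighter choice. The agent configuration in `snmpd-config.age` is encrypted, so the diff cannot show whether it uses SNMPv3 users or a source-restricted community; that is worth confirming. A dedicated toggle such as `my.utils.lxc-standard.snmp.enable` (a suggested name, not an existing option) would keep SNMP off hosts that are not monitored. The `config` block starts and ends outside the hunk.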
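Review bot: `snmpd-config = builtins.attrValues machines;` in secrets.nix makes every machine key a recipient, so a single snmpd configuration, with whatever community or v3 credentials it holds, is shared by the whole fleet and can be decrypted by hosts that may not run snmpd at all. A compromise of any one host then yields the SNMP credentials of all the others. If the set of hosts that enable `lxc-standard` is narrower than `machines`, list only those. It also helps to note beside the entry that adding a machine requires a rekey, e.g. `# shared by all SNMP-monitored hosts; rekey when a machine is added`.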
diff --git a/secrets/snmpd-config.age b/secrets/snmpd-config.age new file mode 100644 index 0000000000000000000000000000000000000000..b9d877daf0d28aec37afda9eda1d37ad348b5f66 GIT binary patch literal 2335 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP%nNrl3{)tM3P=fy z2rDx-$xiexj9EKBk9FtYG4NJh6U$2`NxH&DSc+bJ!~I58?Y&C4X! zEYr!#DdE>DLufvFx}k0B%;E|IX~U9I3q2& z(A}ii$uT1$s-mzmH>D&$C|KL5IFt*`Z%%F{#%}2f!R2OwC2k=>Szacl=AQay$z>r~ zS!qEjIi6)v8Tp3Am6hq=_ZxFVQwbqwiPCNB$}oxBpVxPdub6l#~dc^HJ6dT3jErFc}P=NkEil;kCvm}do6 z7MK;eg@<^e+vetO=95~k;G1e3k(OQ%TvQcUk{Obc9}rqxnHmw`WKg8uq zVG)?>k`a>6l@#o4WRhl(XY8zV+v zsfI4*-l^rmX$DcLzLlv-73PU%sVf;h9k-;g%uZhM@sT9!{?4ehY9eDu{Gc zNC^%yFUk)v@(zf~FL1T+NlEwA4oj^n_4W0z)D8?RE)NfN4>d5ia5FaGa;kI*aWpCq z4sr2u^bAW*@-qrCcXY`r@~KG53ol6bHF5RG4K}MX$cwN*w=LT>C#lL&Ate+r%p+qbStX+*dm&(8s_v+bAhNFTdOu-L~YwoZOT^h43T;mx5pym%Q|lykZxV z@W4v*6m3t_qKZIo|6D(hRBhL)po;L)lCVk>uAIyy*T~#7(;y!Up8!vTz~r(-6T^s< zsEi_iw~$=Je7DpHKbN#9@4zGs+bV*?!&3tlEK?mz!z`mRgHy@^qYOgx1CmlhQi_d3 zlPhvveTq!|%_B`M^Ucje@+%Fv@~Vnm)6AG6OxMoQyEiWO12mh<>?(XH}S6l8LK9hLdw;QB{_{xp`4el|f~Jc~xLRa9Bie zWVTmkdTz3NRbVz(VSuH7K}C^QnT58uuSJ@dOM$<>MQCEGS5jz6WMrs`fqsd9SV^vb zK#n7NNCq3GdRsUuBxUB9W`sMMxFm)ZMiwO&2IU(TdYGEzSq7#CR|b1}T2|%cnq(FF z=Y~0QxkrT*7?+s)>xZZ2I;OdK8&szI8tErnSX4M?`}&ur7&w&}tRKAa8NkM69n4flNMktq?ca>#sWvG9lzIK{rK~9c#Vn||E zc~y~Vaiw2zvUh=pL2*D{sfDk9Mmc)Cd6c=i<~k~b=VccbdKLtm8V2QfYiGN9MJ0zC zCj~nB1(%h&czNh28mE_qXSjzr8bxwhh6g5^Muhp9R2D~A8hQn#rAK*NM*38lr@BOX z1p4S_YG?aariD5NMq-4drF&$#bGm|iZkDgUMSewwPnkz}zC~nVS-7!hewAaQc2Q_y zmSd=Ia+JP)xQn4@P&!woxskiJkGXM*m%pidNK~S^NmfXOhjw9EW>s0TVMuPJn?+cG zg-d=_1V$YYmKNz95~yHo5?17&;almP<(3)fUzrtP?ok@(Xkp@8sqO6@;gy*m8SLe( zU+9<|;mc)_T<&CPs$E*{Y~+{f>Y7qs=xDBAV&NR=-wk{D2#T3G36P!eFNjZsdP z7N#3zl`D8l>y;q&QVrW|$h6I32h<~kW98)X?gCY1*o7YF(1J84H)6lWDzMHyIz`$VOhV8mOZfk%dKxk7kJ zrE5iKxkZjyv71ShQJKGSWolxIv$>0rzh_{DTScUPZh)n$du~yNCzr2wu2X1Lx`&Il zeuPn_sd>7&rAw+=KuS_hNTo%Vvzv2-X?|&mQGscJ0hg|>u7YQBc$k@gPDO=jnqOgR 
zWtMS~vq@xOzIRr+m$6@1l7(}Wk+Yj;rB{`E>^p^#G2?YuYSc$Ij6Ixp^p8|)RNkwtS0xL>NNnt&+4@R literal 0 HcmV?d00001 diff --git a/ssh-keys.nix b/ssh-keys.nix index 5850fda..deeca45 100644 --- a/ssh-keys.nix +++ b/ssh-keys.nix @@ -24,6 +24,7 @@ rec { forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0MTOCgMoAFjYDEq1gU+XBSUNNcJenoHXagOgFuP1ZN"; forgejo-runner = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR3nkxurUTV2BYv+gLmgyCywPeVaWQxAIHomTNp3R85"; n8n = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP18IdsIxK7EdIOLSONJ4NA6AfLnM/3NkR3+OCDvJWXJ"; + librenms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/dmfOVzj37ZYwLTs+jjQUQYRIgvW3NrtBDsr8rllss"; }; # Machines able to provisioning other machines @@ -43,6 +44,7 @@ rec { machines.arr machines.auth machines.caddy + machines.librenms machines.metrics machines.shadowsocks ];