diff --git a/config/logging.nix b/config/logging.nix index a3cdf55..99cb109 100644 --- a/config/logging.nix +++ b/config/logging.nix @@ -1,6 +1,8 @@ { lib, config, pkgs, inputs, ... }: { imports = [ + ./logging/prometheus.nix + ./logging/suricata.nix ../hardware/logging.nix ./headless.nix (import ./networking.nix { @@ -9,16 +11,13 @@ open_ports = [ 3000 9001 9003 ]; inherit lib; }) + ]; networking.firewall.enable = false; users.users.logging = import ./user.nix; - environment.systemPackages = with pkgs; [ - suricata - ]; - services.grafana = { enable = true; settings.server = { 
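Review bot: On the new side of the second hunk, `networking.firewall.enable = false;` still sits alongside the `open_ports = [ 3000 9001 9003 ];` argument handed to networking.nix, so the per-port list is moot and Grafana, Prometheus and the blackbox exporter — none of which authenticate by default — are reachable on every address this host has. Unless networking.nix installs its own packet filter (not visible here), the intent looks like `networking.firewall.enable = true;` with the list doing the filtering, and that should be settled before the scrape config moves into its own module where this line is no longer in view. The only added line is the `+ ];` closing `imports`; the rest of the hunk is context, and the enclosing module attrset starts and ends outside it.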
@@ -29,188 +28,8 @@ }; + services.nginx = { + # Grafana - services.prometheus.exporters.blackbox = { - enable = true; - port = 9003; - configFile = assets/blackbox.yml; }; - - services.prometheus = { - enable = true; - port = 9001; - globalConfig.scrape_interval = "10s"; - scrapeConfigs = let - node_port = toString config.services.prometheus.exporters.node.port; - blackbox_relabel = [ - { - source_labels = [ "__address__" ]; - target_label = "__param_target"; - } - { - target_label = "__address__"; - replacement = "127.0.0.1:9003"; - } - ]; - in [ - { - job_name = "node"; - static_configs = [ - { - targets = [ "127.0.0.1:${node_port}" ]; - labels.instance = "r330-logging"; - } - { - targets = [ "192.168.100.40:${node_port}" ]; - labels.instance = "r330-media"; - } - { - targets = [ "192.168.100.42:${node_port}" ]; - labels.instance = "sampledb-dev"; - } - { - targets = [ "192.168.100.45:${node_port}" ]; - labels.instance = "mindforge"; - } - { - targets = [ "192.168.100.1:9100" ]; - labels.instance = "GL-MT6000"; - } - ]; - } - { - job_name = "blackbox_icmp"; - metrics_path = "/probe"; - params = { module = ["icmp"]; }; - static_configs = [ - { - targets = [ "127.0.0.1" ]; - labels.instance = "r330-media"; - } - { - targets = [ "192.168.100.1" ]; - labels.instance = "GL-MT6000"; - } - { - targets = [ "192.168.100.11" ]; - labels.instance = "r330-idrac"; - } - { - targets = [ "192.168.100.12" ]; - labels.instance = "r730xd-idrac"; - } - { - targets = [ "192.168.100.21" ]; - labels.instance = "r330-proxmox"; - } - { - targets = [ "192.168.100.22" ]; - labels.instance = "r730xd-proxmox"; - } - { - targets = [ "192.168.100.40" ]; - labels.instance = "r330-media"; - } - { - targets = [ "192.168.100.42" ]; - labels.instance = "sampledb-dev"; - } - { - targets = [ "192.168.100.42" ]; - labels.instance = "sampledb-dev"; - } - { - targets = [ "192.168.100.45" ]; - labels.instance = "mindforge"; - } - { - targets = [ "1.1.1.1" ]; - labels.instance = "Cloudflare"; - } - { - 
targets = [ "8.8.8.8" ]; - labels.instance = "Google"; - } - ]; - relabel_configs = blackbox_relabel; - } - { - job_name = "blackbox_http_2xx"; - metrics_path = "/probe"; - params = { module = ["http_2xx"]; }; - static_configs = [ - { - targets = [ "http://192.168.100.40:6011" ]; - labels.instance = "Qbittorrent"; - } - { - targets = [ "http://192.168.100.40:7878" ]; - labels.instance = "Radarr"; - } - { - targets = [ "http://192.168.100.40:8989" ]; - labels.instance = "Sonarr"; - } - { - targets = [ "http://192.168.100.40:9696" ]; - labels.instance = "Prowlarr"; - } - { - targets = [ "https://randomctf.com" ]; - labels.instance = "RandomCTF.com"; - } - { - targets = [ "https://git.randomctf.com" ]; - labels.instance = "Gitea"; - } - { - targets = [ "https://nextcloud.randomctf.com" ]; - labels.instance = "Nextcloud"; - } - ]; - relabel_configs = blackbox_relabel; - } - { - job_name = "blackbox_http_2xx_no_verify"; - metrics_path = "/probe"; - params = { module = ["http_2xx_tls_no_verify"]; }; - static_configs = [ - { - targets = [ "https://192.168.100.40:5006" ]; - labels.instance = "Actual"; - } - ]; - relabel_configs = blackbox_relabel; - } - ]; - }; - - - systemd.services.suricata = { - description = "Suricata IDS/IPS"; - wantedBy = ["multi-user.target"]; - serviceConfig = { - type = "simple"; - User = "logging"; - ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up"; - ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19"; - Restart = "on-failure"; - CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN"; - AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN"; - }; - }; - - environment.etc."suricata.yaml".source = ./assets/suricata.yaml; - - environment.etc."suricata/classification.config".text = '' - ''; - - environment.etc."suricata/reference.config".text = '' - ''; - - environment.etc."suricata/threshold.config".text = '' - ''; - - environment.etc."suricata/rules/suricata.rules".text = '' - ''; } 
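Review bot: The added `services.nginx = {` block appears to contain only the `# Grafana` comment before the `};` that survives as context (the collapsed diff makes the exact layout uncertain), so it neither sets `enable = true;` nor defines a virtual host, and Grafana is still served directly on 3000 over plain HTTP. Either complete it — `enable = true;` plus a `virtualHosts` entry with `forceSSL`/`enableACME` and `locations."/".proxyPass = "http://127.0.0.1:3000";` — or drop the empty block so nobody reads it as a reverse proxy that is in place. The enclosing module attrset starts outside this hunk.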
diff --git a/config/logging/prometheus.nix b/config/logging/prometheus.nix
new file mode 100644
index 0000000..edbed6b
--- /dev/null
+++ b/config/logging/prometheus.nix
@@ -0,0 +1,156 @@
+{ lib, config, pkgs, inputs, ... }: {
+ services.prometheus.exporters.blackbox = {
+ enable = true;
+ port = 9003;
+ configFile = ../assets/blackbox.yml;
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ globalConfig.scrape_interval = "10s";
+ scrapeConfigs = let
+ node_port = toString config.services.prometheus.exporters.node.port;
+ blackbox_relabel = [
+ {
+ source_labels = [ "__address__" ];
+ target_label = "__param_target";
+ }
+ {
+ target_label = "__address__";
+ replacement = "127.0.0.1:9003";
+ }
+ ];
+ in [
+ {
+ job_name = "node";
+ static_configs = [
+ {
+ targets = [ "127.0.0.1:${node_port}" ];
+ labels.instance = "r330-logging";
+ }
+ {
+ targets = [ "192.168.100.40:${node_port}" ];
+ labels.instance = "r330-media";
+ }
+ {
+ targets = [ "192.168.100.42:${node_port}" ];
+ labels.instance = "sampledb-dev";
+ }
+ {
+ targets = [ "192.168.100.45:${node_port}" ];
+ labels.instance = "mindforge";
+ }
+ {
+ targets = [ "192.168.100.1:9100" ];
+ labels.instance = "GL-MT6000";
+ }
+ ];
+ }
+ {
+ job_name = "blackbox_icmp";
+ metrics_path = "/probe";
+ params = { module = ["icmp"]; };
+ static_configs = [
+ {
+ targets = [ "127.0.0.1" ];
+ labels.instance = "r330-media";
+ }
+ {
+ targets = [ "192.168.100.1" ];
+ labels.instance = "GL-MT6000";
+ }
+ {
+ targets = [ "192.168.100.11" ];
+ labels.instance = "r330-idrac";
+ }
+ {
+ targets = [ "192.168.100.12" ];
+ labels.instance = "r730xd-idrac";
+ }
+ {
+ targets = [ "192.168.100.21" ];
+ labels.instance = "r330-proxmox";
+ }
+ {
+ targets = [ "192.168.100.22" ];
+ labels.instance = "r730xd-proxmox";
+ }
+ {
+ targets = [ "192.168.100.40" ];
+ labels.instance = "r330-media";
+ }
+ {
+ targets = [ "192.168.100.42" ];
+ labels.instance = "sampledb-dev";
+ }
+ {
+ targets = [ "192.168.100.42" ];
+ labels.instance = "sampledb-dev";
+ }
+ {
+ targets = [ "192.168.100.45" ];
+ labels.instance = "mindforge";
+ }
+ {
+ targets = [ "1.1.1.1" ];
+ labels.instance = "Cloudflare";
+ }
+ {
+ targets = [ "8.8.8.8" ];
+ labels.instance = "Google";
+ }
+ ];
+ relabel_configs = blackbox_relabel;
+ }
+ {
+ job_name = "blackbox_http_2xx";
+ metrics_path = "/probe";
+ params = { module = ["http_2xx"]; };
+ static_configs = [
+ {
+ targets = [ "http://192.168.100.40:6011" ];
+ labels.instance = "Qbittorrent";
+ }
+ {
+ targets = [ "http://192.168.100.40:7878" ];
+ labels.instance = "Radarr";
+ }
+ {
+ targets = [ "http://192.168.100.40:8989" ];
+ labels.instance = "Sonarr";
+ }
+ {
+ targets = [ "http://192.168.100.40:9696" ];
+ labels.instance = "Prowlarr";
+ }
+ {
+ targets = [ "https://randomctf.com" ];
+ labels.instance = "RandomCTF.com";
+ }
+ {
+ targets = [ "https://git.randomctf.com" ];
+ labels.instance = "Gitea";
+ }
+ {
+ targets = [ "https://nextcloud.randomctf.com" ];
+ labels.instance = "Nextcloud";
+ }
+ ];
+ relabel_configs = blackbox_relabel;
+ }
+ {
+ job_name = "blackbox_http_2xx_no_verify";
+ metrics_path = "/probe";
+ params = { module = ["http_2xx_tls_no_verify"]; };
+ static_configs = [
+ {
+ targets = [ "https://192.168.100.40:5006" ];
+ labels.instance = "Actual";
+ }
+ ];
+ relabel_configs = blackbox_relabel;
+ }
+ ];
+ };
+}
diff --git a/config/logging/suricata.nix b/config/logging/suricata.nix
new file mode 100644
index 0000000..61bf231
--- /dev/null
+++ b/config/logging/suricata.nix
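Review bot: The blackbox exporter on port 9003 is only ever reached through the relabel to `127.0.0.1:9003`, yet `services.prometheus.exporters.blackbox` leaves its listen address at the module default and 9003 is in the host's open_ports, so anyone on the network can drive `/probe` against arbitrary targets — an unauthenticated scanning/SSRF primitive; add `listenAddress = "127.0.0.1";` next to `port = 9003;`, and do the same under `services.prometheus` if Grafana on this host is its only consumer. Separately, the `blackbox_icmp` job lists `192.168.100.42` / `sampledb-dev` twice and labels `127.0.0.1` as `r330-media` while the `node` job labels the same address `r330-logging`; drop the duplicate and fix the loopback label, since mislabelled series silently break alert routing. The `http_2xx_tls_no_verify` probe for Actual at `https://192.168.100.40:5006` disables certificate verification and therefore cannot notice a substituted certificate, which deserves a comment such as `# self-signed cert on this LAN host; verification is skipped for this target only` so the module is not copied for the public targets above.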
@@ -0,0 +1,34 @@
+{ lib, config, pkgs, inputs, ... }: {
+
+ environment.systemPackages = with pkgs; [
+ suricata
+ ];
+
+ systemd.services.suricata = {
+ description = "Suricata IDS/IPS";
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ type = "simple";
+ User = "logging";
+ ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up";
+ ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
+ Restart = "on-failure";
+ CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
+ AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
+ };
+ };
+
+ environment.etc."suricata.yaml".source = ../assets/suricata.yaml;
+
+ environment.etc."suricata/classification.config".text = ''
+ '';
+
+ environment.etc."suricata/reference.config".text = ''
+ '';
+
+ environment.etc."suricata/threshold.config".text = ''
+ '';
+
+ environment.etc."suricata/rules/suricata.rules".text = ''
+ '';
+}
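Review bot: `suricata/rules/suricata.rules` and the classification, reference and threshold configs are all written as empty strings, so unless `../assets/suricata.yaml` (not visible here) points `default-rule-path`/`rule-files` somewhere else, this service captures `enp6s19` with zero signatures and will never alert; either ship a rule set (for example a suricata-update run into a writable directory referenced from the yaml) or mark these files as placeholders with `# TODO: populate — Suricata loads no rules until this is filled in`. The `serviceConfig` key `type = "simple"` is lowercase, and as far as I can tell NixOS copies these keys verbatim into the unit, so systemd's option `Type` is not set and it only behaves because simple is the default; change it to `Type = "simple";`. Since the process runs as `logging` with ambient CAP_NET_RAW/CAP_NET_ADMIN and parses hostile traffic, consider `NoNewPrivileges = true; ProtectSystem = "strict";` plus a `ReadWritePaths` for Suricata's log directory to bound what a parser bug can reach.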