random936/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved prometheus and suricata config to separate files

Browse Source
This commit is contained in:
Random936 2025-09-02 19:24:01 -07:00
parent 2973862f44
commit 6e3ff222ad
3 changed files with 195 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
config/logging.nix
View File

@ -1,6 +1,8 @@
{ lib, config, pkgs, inputs, ... }: { { lib, config, pkgs, inputs, ... }: {
imports = [ imports = [
./logging/prometheus.nix
./logging/suricata.nix
../hardware/logging.nix ../hardware/logging.nix
./headless.nix ./headless.nix
(import ./networking.nix { (import ./networking.nix {
@ -9,16 +11,13 @@
open_ports = [ 3000 9001 9003 ]; open_ports = [ 3000 9001 9003 ];
inherit lib; inherit lib;
}) })
]; ];
networking.firewall.enable = false; networking.firewall.enable = false;
users.users.logging = import ./user.nix; users.users.logging = import ./user.nix;
environment.systemPackages = with pkgs; [
suricata
];
services.grafana = { services.grafana = {
enable = true; enable = true;
settings.server = { settings.server = {
@ -29,188 +28,8 @@
}; };
services.nginx = {
# Grafana
services.prometheus.exporters.blackbox = {
enable = true;
port = 9003;
configFile = assets/blackbox.yml;
}; };
services.prometheus = {
enable = true;
port = 9001;
globalConfig.scrape_interval = "10s";
scrapeConfigs = let
node_port = toString config.services.prometheus.exporters.node.port;
blackbox_relabel = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
target_label = "__address__";
replacement = "127.0.0.1:9003";
}
];
in [
{
job_name = "node";
static_configs = [
{
targets = [ "127.0.0.1:${node_port}" ];
labels.instance = "r330-logging";
}
{
targets = [ "192.168.100.40:${node_port}" ];
labels.instance = "r330-media";
}
{
targets = [ "192.168.100.42:${node_port}" ];
labels.instance = "sampledb-dev";
}
{
targets = [ "192.168.100.45:${node_port}" ];
labels.instance = "mindforge";
}
{
targets = [ "192.168.100.1:9100" ];
labels.instance = "GL-MT6000";
}
];
}
{
job_name = "blackbox_icmp";
metrics_path = "/probe";
params = { module = ["icmp"]; };
static_configs = [
{
targets = [ "127.0.0.1" ];
labels.instance = "r330-media";
}
{
targets = [ "192.168.100.1" ];
labels.instance = "GL-MT6000";
}
{
targets = [ "192.168.100.11" ];
labels.instance = "r330-idrac";
}
{
targets = [ "192.168.100.12" ];
labels.instance = "r730xd-idrac";
}
{
targets = [ "192.168.100.21" ];
labels.instance = "r330-proxmox";
}
{
targets = [ "192.168.100.22" ];
labels.instance = "r730xd-proxmox";
}
{
targets = [ "192.168.100.40" ];
labels.instance = "r330-media";
}
{
targets = [ "192.168.100.42" ];
labels.instance = "sampledb-dev";
}
{
targets = [ "192.168.100.42" ];
labels.instance = "sampledb-dev";
}
{
targets = [ "192.168.100.45" ];
labels.instance = "mindforge";
}
{
targets = [ "1.1.1.1" ];
labels.instance = "Cloudflare";
}
{
targets = [ "8.8.8.8" ];
labels.instance = "Google";
}
];
relabel_configs = blackbox_relabel;
}
{
job_name = "blackbox_http_2xx";
metrics_path = "/probe";
params = { module = ["http_2xx"]; };
static_configs = [
{
targets = [ "http://192.168.100.40:6011" ];
labels.instance = "Qbittorrent";
}
{
targets = [ "http://192.168.100.40:7878" ];
labels.instance = "Radarr";
}
{
targets = [ "http://192.168.100.40:8989" ];
labels.instance = "Sonarr";
}
{
targets = [ "http://192.168.100.40:9696" ];
labels.instance = "Prowlarr";
}
{
targets = [ "https://randomctf.com" ];
labels.instance = "RandomCTF.com";
}
{
targets = [ "https://git.randomctf.com" ];
labels.instance = "Gitea";
}
{
targets = [ "https://nextcloud.randomctf.com" ];
labels.instance = "Nextcloud";
}
];
relabel_configs = blackbox_relabel;
}
{
job_name = "blackbox_http_2xx_no_verify";
metrics_path = "/probe";
params = { module = ["http_2xx_tls_no_verify"]; };
static_configs = [
{
targets = [ "https://192.168.100.40:5006" ];
labels.instance = "Actual";
}
];
relabel_configs = blackbox_relabel;
}
];
};
systemd.services.suricata = {
description = "Suricata IDS/IPS";
wantedBy = ["multi-user.target"];
serviceConfig = {
type = "simple";
User = "logging";
ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up";
ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
Restart = "on-failure";
CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
};
};
environment.etc."suricata.yaml".source = ./assets/suricata.yaml;
environment.etc."suricata/classification.config".text = ''
'';
environment.etc."suricata/reference.config".text = ''
'';
environment.etc."suricata/threshold.config".text = ''
'';
environment.etc."suricata/rules/suricata.rules".text = ''
'';
} }

156
config/logging/prometheus.nix Normal file
View File

@ -0,0 +1,156 @@
{ lib, config, pkgs, inputs, ... }: {
services.prometheus.exporters.blackbox = {
enable = true;
port = 9003;
configFile = ../assets/blackbox.yml;
};
services.prometheus = {
enable = true;
port = 9001;
globalConfig.scrape_interval = "10s";
scrapeConfigs = let
node_port = toString config.services.prometheus.exporters.node.port;
blackbox_relabel = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
target_label = "__address__";
replacement = "127.0.0.1:9003";
}
];
in [
{
job_name = "node";
static_configs = [
{
targets = [ "127.0.0.1:${node_port}" ];
labels.instance = "r330-logging";
}
{
targets = [ "192.168.100.40:${node_port}" ];
labels.instance = "r330-media";
}
{
targets = [ "192.168.100.42:${node_port}" ];
labels.instance = "sampledb-dev";
}
{
targets = [ "192.168.100.45:${node_port}" ];
labels.instance = "mindforge";
}
{
targets = [ "192.168.100.1:9100" ];
labels.instance = "GL-MT6000";
}
];
}
{
job_name = "blackbox_icmp";
metrics_path = "/probe";
params = { module = ["icmp"]; };
static_configs = [
{
targets = [ "127.0.0.1" ];
labels.instance = "r330-media";
}
{
targets = [ "192.168.100.1" ];
labels.instance = "GL-MT6000";
}
{
targets = [ "192.168.100.11" ];
labels.instance = "r330-idrac";
}
{
targets = [ "192.168.100.12" ];
labels.instance = "r730xd-idrac";
}
{
targets = [ "192.168.100.21" ];
labels.instance = "r330-proxmox";
}
{
targets = [ "192.168.100.22" ];
labels.instance = "r730xd-proxmox";
}
{
targets = [ "192.168.100.40" ];
labels.instance = "r330-media";
}
{
targets = [ "192.168.100.42" ];
labels.instance = "sampledb-dev";
}
{
targets = [ "192.168.100.42" ];
labels.instance = "sampledb-dev";
}
{
targets = [ "192.168.100.45" ];
labels.instance = "mindforge";
}
{
targets = [ "1.1.1.1" ];
labels.instance = "Cloudflare";
}
{
targets = [ "8.8.8.8" ];
labels.instance = "Google";
}
];
relabel_configs = blackbox_relabel;
}
{
job_name = "blackbox_http_2xx";
metrics_path = "/probe";
params = { module = ["http_2xx"]; };
static_configs = [
{
targets = [ "http://192.168.100.40:6011" ];
labels.instance = "Qbittorrent";
}
{
targets = [ "http://192.168.100.40:7878" ];
labels.instance = "Radarr";
}
{
targets = [ "http://192.168.100.40:8989" ];
labels.instance = "Sonarr";
}
{
targets = [ "http://192.168.100.40:9696" ];
labels.instance = "Prowlarr";
}
{
targets = [ "https://randomctf.com" ];
labels.instance = "RandomCTF.com";
}
{
targets = [ "https://git.randomctf.com" ];
labels.instance = "Gitea";
}
{
targets = [ "https://nextcloud.randomctf.com" ];
labels.instance = "Nextcloud";
}
];
relabel_configs = blackbox_relabel;
}
{
job_name = "blackbox_http_2xx_no_verify";
metrics_path = "/probe";
params = { module = ["http_2xx_tls_no_verify"]; };
static_configs = [
{
targets = [ "https://192.168.100.40:5006" ];
labels.instance = "Actual";
}
];
relabel_configs = blackbox_relabel;
}
];
};
}

34
config/logging/suricata.nix Normal file
View File

@ -0,0 +1,34 @@
{ lib, config, pkgs, inputs, ... }: {
environment.systemPackages = with pkgs; [
suricata
];
systemd.services.suricata = {
description = "Suricata IDS/IPS";
wantedBy = ["multi-user.target"];
serviceConfig = {
type = "simple";
User = "logging";
ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up";
ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
Restart = "on-failure";
CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
};
};
environment.etc."suricata.yaml".source = ../assets/suricata.yaml;
environment.etc."suricata/classification.config".text = ''
'';
environment.etc."suricata/reference.config".text = ''
'';
environment.etc."suricata/threshold.config".text = ''
'';
environment.etc."suricata/rules/suricata.rules".text = ''
'';
}