diff --git a/config/logging.nix b/config/logging.nix
index 1356ac3..65b4f39 100644
--- a/config/logging.nix
+++ b/config/logging.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }: {
+{ lib, config, pkgs, inputs, ... }: {
 imports = [
 ../hardware/logging.nix
@@ -12,19 +12,148 @@
 ];
 users.users.logging = import ./user.nix;
- environment.systemPackages = with pkgs; [ suricata ];
 systemd.services.suricata = {
- enable = true;
 description = "Suricata IDS/IPS";
 wantedBy = ["multi-user.target"];
 serviceConfig = {
 type = "simple";
- ExecStart = "${pkgs.suricata}/bin/suricata -c '/home/logging/suricata.yaml' -i ens18";
+ User = "logging";
+ ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s18";
 Restart = "on-failure";
+ CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
+ AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
 };
 };
+
+ environment.etc."suricata.yaml".source = pkgs.writeTextFile {
+ name = "suricata.yaml";
+ text = ''
+ %YAML 1.1
+ ---
+
+ vars:
+ address-groups:
+ HOME_NET: "[192.168.100.0/24]"
+ EXTERNAL_NET: "!$HOME_NET"
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+ default-log-dir: /home/logging/logs
+ classification-file: /etc/suricata/classification.config
+ reference-config-file: /etc/suricata/reference.config
+ default-rule-path: /etc/suricata/rules
+ rule-files:
+ - suricata.rules
+
+ stats:
+ enabled: yes
+
+ af-packet:
+ - interface: enp6s18
+ use-mmap: yes
+ tpacket-v3: yes
+ cluster-id: 99
+ cluster-type: cluster_flow
+ defrag: yes
+
+ outputs:
+ - fast:
+ enabled: yes
+ filename: fast.log
+ append: yes
+
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - http:
+ extended: yes
+ - http2
+ - dns:
+ enabled: yes
+ - tls:
+ extended: yes
+ - flow
+ - mqtt
+ - ssh
+ - dhcp:
+ enabled: yes
+ - arp:
+ enabled: yes
+ - ldap
+ - quic
+ - sip
+ - rfb
+ - snmp
+ - bittorrent-dht
+ - krb5
+ - dcerpc
+ - ike
+ - tftp
+ - smb
+ - nfs
+ - rdp
+ - ftp
+ - websocket
+ - smtp
+
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap
+ limit: 1gb
+ max-files: 20
+
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+ totals: yes
+ threads: no
+
+ '';
+ };
+
+ environment.etc."suricata/classification.config".text = ''
+ '';
+
+ environment.etc."suricata/reference.config".text = ''
+ '';
+
+ environment.etc."suricata/threshold.config".text = ''
+ '';
+
+ environment.etc."suricata/rules/suricata.rules".text = ''
+ alert tcp any any -> any any (msg:"TCP traffic detected"; sid:1000001; rev:1;)
+ '';
 }
diff --git a/hardware/logging.nix b/hardware/logging.nix
index 394f3bb..4d7588e 100644
--- a/hardware/logging.nix
+++ b/hardware/logging.nix
@@ -8,16 +8,22 @@
 [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/4b91f41b-e619-41e1-a602-c60862cd6fb9";
+ { device = "/dev/disk/by-uuid/d8ec7c7e-ce95-432c-932d-663dc261c623";
 fsType = "ext4";
 };
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/1842-1672";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
 swapDevices = [ ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
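Review bot: The unit now drops to `User = "logging"`, but nothing creates `/home/logging/logs` (the YAML's `default-log-dir`) or restricts its mode, and with `pcap-log` at `limit: 1gb` / `max-files: 20`, `tagged-packets: yes`, no rotation on `eve.json`, and the catch-all `alert tcp any any -> any any` rule, full packet captures of the whole segment accumulate in a home directory until the sensor fills its own disk. Moving the log directory out of /home lets the unit use `LogsDirectory = "suricata";` (created owned by the service user) together with `ProtectHome = true;`, `ProtectSystem = "strict";` and `NoNewPrivileges = true;` to complement the new capability bounding set; the placeholder rule and the empty classification/reference files presumably get replaced by a real ruleset before this runs unattended. Two smaller points in the same hunk: the context line `type = "simple";` is not a systemd directive (the key is `Type`) and is passed through and ignored, and `environment.etc."suricata/threshold.config"` is written but no `threshold-file:` key references it, so it is likely not read — confirm against the package's default sysconfdir. The attribute set being edited opens in the first hunk of this file.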
@@ -25,7 +31,7 @@
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }