diff --git a/config/headless.nix b/config/headless.nix
index 4b7c70a..1dbd599 100644
--- a/config/headless.nix
+++ b/config/headless.nix
@@ -9,5 +9,12 @@
# Qemu guest
services.qemuGuest.enable = true;
+ # Install Prometheus for Grafana
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9002;
+ enabledCollectors = [ "systemd" ];
+ };
+
system.stateVersion = "24.05";
}
diff --git a/config/logging.nix b/config/logging.nix
index 65b4f39..611461a 100644
--- a/config/logging.nix
+++ b/config/logging.nix
@@ -6,16 +6,46 @@
(import ./networking.nix {
hostname = "r330-logging";
ip_address = "192.168.100.41";
- open_ports = [];
+ open_ports = [ 3000 9001 ];
inherit lib;
}) ];
users.users.logging = import ./user.nix;
+
environment.systemPackages = with pkgs; [ suricata ];
+ services.grafana = {
+ enable = true;
+ settings.server = {
+ http_addr = "0.0.0.0";
+ http_port = 3000;
+ domain = "logging.randomctf.local";
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ scrapeConfigs = [
+ {
+ job_name = "r330-logging";
+ static_configs = [{
+ targets = let
+ port = toString config.services.prometheus.exporters.node.port;
+ in [
+ "127.0.0.1:${port}"
+ "192.168.100.40:${port}"
+ "192.168.100.42:${port}"
+ "192.168.100.43:${port}"
+ ];
+ }];
+ }
+ ];
+ };
+
systemd.services.suricata = {
description = "Suricata IDS/IPS";
wantedBy = ["multi-user.target"];
@@ -154,6 +184,5 @@
'';
environment.etc."suricata/rules/suricata.rules".text = ''
- alert tcp any any -> any any (msg:"TCP traffic detected"; sid:1000001; rev:1;)
'';
}
diff --git a/config/networking.nix b/config/networking.nix
index 6520311..b34c388 100644
--- a/config/networking.nix
+++ b/config/networking.nix
@@ -17,7 +17,7 @@ in {
};
networking.nameservers = [ gateway_ip ];
- networking.firewall.allowedTCPPorts = open_ports;
+ networking.firewall.allowedTCPPorts = open_ports ++ [9002];
networking.interfaces.enp6s18.ipv4.addresses = [ { address = ip_address;
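Review bot: In the config/headless.nix hunk the node exporter is enabled with no `listenAddress` and no source restriction, and the config/networking.nix hunk then opens the port with `open_ports ++ [9002]` on every host that imports that file, so the unauthenticated metrics endpoint (systemd unit state included) is reachable from any address the firewall sees. Consider dropping the hard-coded `++ [9002]` and using the exporter module's own `openFirewall = true;` with a `firewallFilter` that admits only the scraper at 192.168.100.41; that also keeps the port number defined in one place instead of two. The comment `# Install Prometheus for Grafana` does not match the code, since this block enables only the node exporter; `# Expose host metrics via the Prometheus node exporter (scraped by r330-logging)` would be accurate.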
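Review bot: In the first config/logging.nix hunk, `open_ports = [ 3000 9001 ];` exposes Prometheus itself on 9001 although the only consumer visible in this commit is Grafana on the same host; Prometheus serves its query API without authentication, so any machine on the network could read every scraped metric. Unless another host needs it, `open_ports = [ 3000 ];` plus `listenAddress = "127.0.0.1";` inside `services.prometheus` would keep it local. Grafana is bound to `0.0.0.0` over plain HTTP and the hunk sets no `settings.security.admin_password`, so unless that is configured elsewhere the first login uses Grafana's default admin credentials; setting the password from a secret file and putting TLS in front of port 3000 is worth doing before the port is opened.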