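{ lib, config, pkgs, inputs, ... }:

let
  # The capture interface and the log directory are referenced from both the
  # systemd unit and the generated suricata.yaml; bind them once so the two
  # cannot silently drift apart.
  iface = "enp6s18";
  logDir = "/home/logging/logs";
in
{
  imports = [
    ../hardware/logging.nix
    ./headless.nix
    (import ./networking.nix {
      hostname = "r330-logging";
      ip_address = "192.168.100.41";
      # Passive sensor: nothing listens, so no inbound ports are opened.
      open_ports = [ ];
      inherit lib;
    })
  ];

  # Unprivileged account the IDS runs as; its definition lives in ./user.nix.
  users.users.logging = import ./user.nix;

  environment.systemPackages = with pkgs; [ suricata ];

  systemd.services.suricata = {
    description = "Suricata IDS/IPS";
    wantedBy = [ "multi-user.target" ];
    # The af-packet socket is bound to a specific NIC; only start once
    # networking has been brought up so the first attempt does not fail.
    after = [ "network.target" ];
    serviceConfig = {
      # systemd section keys are case-sensitive: the previous lowercase
      # "type" key was unknown to systemd and ignored.
      Type = "simple";
      User = "logging";
      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i ${iface}";
      Restart = "on-failure";
      # Packet capture needs raw sockets and promiscuous mode only. The
      # bounding set caps what the process can ever hold; the ambient set is
      # what lets an unprivileged User actually receive those two.
      CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
      AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
      # Ambient capabilities survive no_new_privs, so this costs nothing and
      # blocks any later privilege gain via setuid/fscaps binaries.
      NoNewPrivileges = true;
      PrivateTmp = true;
    };
  };

  # Main Suricata configuration. Kept at /etc/suricata.yaml (not under
  # /etc/suricata/) to match the -c path in ExecStart above.
  # NOTE(review): Suricata does not create default-log-dir itself; this
  # assumes ${logDir} already exists and is writable by "logging" — confirm
  # against ./user.nix.
  environment.etc."suricata.yaml".source = pkgs.writeTextFile {
    name = "suricata.yaml";
    text = ''
      %YAML 1.1
      ---
      vars:
        address-groups:
          HOME_NET: "[192.168.100.0/24]"
          EXTERNAL_NET: "!$HOME_NET"
          HTTP_SERVERS: "$HOME_NET"
          SMTP_SERVERS: "$HOME_NET"
          SQL_SERVERS: "$HOME_NET"
          DNS_SERVERS: "$HOME_NET"
          TELNET_SERVERS: "$HOME_NET"
          AIM_SERVERS: "$EXTERNAL_NET"
          DC_SERVERS: "$HOME_NET"
          DNP3_SERVER: "$HOME_NET"
          DNP3_CLIENT: "$HOME_NET"
          MODBUS_CLIENT: "$HOME_NET"
          MODBUS_SERVER: "$HOME_NET"
          ENIP_CLIENT: "$HOME_NET"
          ENIP_SERVER: "$HOME_NET"
        port-groups:
          HTTP_PORTS: "80"
          SHELLCODE_PORTS: "!80"
          ORACLE_PORTS: 1521
          SSH_PORTS: 22
          DNP3_PORTS: 20000
          MODBUS_PORTS: 502
          FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
          FTP_PORTS: 21
          GENEVE_PORTS: 6081
          VXLAN_PORTS: 4789
          TEREDO_PORTS: 3544
          SIP_PORTS: "[5060, 5061]"

      default-log-dir: ${logDir}
      classification-file: /etc/suricata/classification.config
      reference-config-file: /etc/suricata/reference.config
      default-rule-path: /etc/suricata/rules
      rule-files:
        - suricata.rules

      stats:
        enabled: yes

      af-packet:
        - interface: ${iface}
          use-mmap: yes
          tpacket-v3: yes
          cluster-id: 99
          cluster-type: cluster_flow
          defrag: yes

      outputs:
        - fast:
            enabled: yes
            filename: fast.log
            append: yes
        - eve-log:
            enabled: yes
            filetype: regular
            filename: eve.json
            types:
              - alert:
                  tagged-packets: yes
              - http:
                  extended: yes
              - http2
              - dns:
                  enabled: yes
              - tls:
                  extended: yes
              - flow
              - mqtt
              - ssh
              - dhcp:
                  enabled: yes
              - arp:
                  enabled: yes
              - ldap
              - quic
              - sip
              - rfb
              - snmp
              - bittorrent-dht
              - krb5
              - dcerpc
              - ike
              - tftp
              - smb
              - nfs
              - rdp
              - ftp
              - websocket
              - smtp
        - pcap-log:
            enabled: yes
            filename: log.pcap
            limit: 1gb
            max-files: 20
        - stats:
            enabled: yes
            filename: stats.log
            append: yes
            totals: yes
            threads: no
    '';
  };

  # Deliberately empty placeholders so the paths referenced in suricata.yaml
  # resolve; Suricata may log a warning about the empty classification file.
  environment.etc."suricata/classification.config".text = "";
  environment.etc."suricata/reference.config".text = "";
  environment.etc."suricata/threshold.config".text = "";

  # Single smoke-test rule: it matches every TCP packet, so fast.log and
  # eve.json will grow quickly until a real ruleset replaces it.
  environment.etc."suricata/rules/suricata.rules".text = ''
    alert tcp any any -> any any (msg:"TCP traffic detected"; sid:1000001; rev:1;)
  '';
}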