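# NixOS module for the monitoring host "r330-logging" (192.168.100.41).
# It runs Grafana (3000), Prometheus (9001), the Prometheus blackbox
# exporter (9003) and a Suricata sensor on interface enp6s19.
{ lib, config, pkgs, inputs, ... }: {
  imports = [
    ../hardware/logging.nix
    ./headless.nix
    (import ./networking.nix {
      hostname = "r330-logging";
      ip_address = "192.168.100.41";
      open_ports = [ 3000 9001 9003 ];
      inherit lib;
    })
  ];

  # NOTE(review): the firewall is switched off here, so the open_ports list
  # passed to ./networking.nix presumably has no filtering effect and every
  # listening service on this host is reachable from the network. If that list
  # is meant to be the allow-list, this should be `true` - confirm against
  # networking.nix before changing.
  networking.firewall.enable = false;

  users.users.logging = import ./user.nix;

  environment.systemPackages = with pkgs; [ suricata ];

  # Grafana listens on every interface; no TLS or security.* settings are
  # configured in this file.
  # NOTE(review): confirm the initial admin password has been changed and
  # that plain HTTP is acceptable on this network segment.
  services.grafana = {
    enable = true;
    settings.server = {
      http_addr = "0.0.0.0";
      http_port = 3000;
      domain = "logging.randomctf.local";
    };
  };

  # Blackbox exporter: Prometheus reaches it through 127.0.0.1:9003 (see
  # blackbox_relabel below).
  # NOTE(review): nothing in this file needs port 9003 reachable from other
  # hosts; an exposed blackbox exporter will probe whatever target a client
  # asks for, so consider binding it to loopback if no remote scraper uses it.
  services.prometheus.exporters.blackbox = {
    enable = true;
    port = 9003;
    # Written with a leading ./ to match the other asset paths in this file.
    configFile = ./assets/blackbox.yml;
  };

  services.prometheus = {
    enable = true;
    port = 9001;
    globalConfig.scrape_interval = "10s";
    scrapeConfigs = let
      # Port of the node exporter as configured in the NixOS module options.
      node_port = toString config.services.prometheus.exporters.node.port;

      # Standard blackbox indirection: the listed target becomes the ?target=
      # query parameter and the scrape itself goes to the local exporter.
      blackbox_relabel = [
        { source_labels = [ "__address__" ]; target_label = "__param_target"; }
        { target_label = "__address__"; replacement = "127.0.0.1:9003"; }
      ];
    in [
      {
        job_name = "node";
        static_configs = [
          { targets = [ "127.0.0.1:${node_port}" ]; labels.instance = "r330-logging"; }
          { targets = [ "192.168.100.40:${node_port}" ]; labels.instance = "r330-media"; }
          { targets = [ "192.168.100.42:${node_port}" ]; labels.instance = "sampledb-dev"; }
          { targets = [ "192.168.100.45:${node_port}" ]; labels.instance = "mindforge"; }
          { targets = [ "192.168.100.1:9100" ]; labels.instance = "GL-MT6000"; }
        ];
      }
      {
        job_name = "blackbox_icmp";
        metrics_path = "/probe";
        params = { module = [ "icmp" ]; };
        static_configs = [
          # Loopback is this host. It was labelled "r330-media", which is
          # 192.168.100.40 further down; two targets sharing job+instance
          # write to the same series, so the label now matches the node job.
          { targets = [ "127.0.0.1" ]; labels.instance = "r330-logging"; }
          { targets = [ "192.168.100.1" ]; labels.instance = "GL-MT6000"; }
          { targets = [ "192.168.100.11" ]; labels.instance = "r330-idrac"; }
          { targets = [ "192.168.100.12" ]; labels.instance = "r730xd-idrac"; }
          { targets = [ "192.168.100.20" ]; labels.instance = "ideapad"; }
          { targets = [ "192.168.100.21" ]; labels.instance = "r330-proxmox"; }
          { targets = [ "192.168.100.22" ]; labels.instance = "r730xd-proxmox"; }
          { targets = [ "192.168.100.40" ]; labels.instance = "r330-media"; }
          # The duplicate 192.168.100.42 entry was dropped.
          { targets = [ "192.168.100.42" ]; labels.instance = "sampledb-dev"; }
          { targets = [ "192.168.100.45" ]; labels.instance = "mindforge"; }
          { targets = [ "1.1.1.1" ]; labels.instance = "Cloudflare"; }
          { targets = [ "8.8.8.8" ]; labels.instance = "Google"; }
        ];
        relabel_configs = blackbox_relabel;
      }
      {
        job_name = "blackbox_http_2xx";
        metrics_path = "/probe";
        params = { module = [ "http_2xx" ]; };
        static_configs = [
          { targets = [ "http://192.168.100.40:6011" ]; labels.instance = "Qbittorrent"; }
          { targets = [ "http://192.168.100.40:7878" ]; labels.instance = "Radarr"; }
          { targets = [ "http://192.168.100.40:8989" ]; labels.instance = "Sonarr"; }
          { targets = [ "http://192.168.100.40:9696" ]; labels.instance = "Prowlarr"; }
          { targets = [ "https://randomctf.com" ]; labels.instance = "RandomCTF.com"; }
          { targets = [ "https://git.randomctf.com" ]; labels.instance = "Gitea"; }
          { targets = [ "https://nextcloud.randomctf.com" ]; labels.instance = "Nextcloud"; }
        ];
        relabel_configs = blackbox_relabel;
      }
      {
        # Uses a separate module (defined in assets/blackbox.yml, not shown
        # here) whose name indicates certificate verification is skipped.
        # Keep this job limited to endpoints that cannot present a
        # verifiable certificate; a passing probe here does not prove the
        # responder's identity.
        job_name = "blackbox_http_2xx_no_verify";
        metrics_path = "/probe";
        params = { module = [ "http_2xx_tls_no_verify" ]; };
        static_configs = [
          { targets = [ "https://192.168.100.40:5006" ]; labels.instance = "Actual"; }
        ];
        relabel_configs = blackbox_relabel;
      }
    ];
  };

  # Suricata runs as the unprivileged "logging" user. Both the bounding set
  # and the ambient set are limited to the two network capabilities, so the
  # process cannot acquire anything beyond them.
  systemd.services.suricata = {
    description = "Suricata IDS/IPS";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # systemd directive names are case-sensitive; the original lowercase
      # `type` is not a [Service] key and is ignored with a warning.
      Type = "simple";
      User = "logging";
      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
      Restart = "on-failure";
      CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
      AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
    };
  };

  environment.etc."suricata.yaml".source = ./assets/suricata.yaml;

  # These support files are deployed with no content.
  # NOTE(review): suricata.rules is empty, so unless assets/suricata.yaml
  # loads rules from another path the sensor raises no signature alerts -
  # confirm a ruleset is provisioned.
  environment.etc."suricata/classification.config".text = '' '';
  environment.etc."suricata/reference.config".text = '' '';
  environment.etc."suricata/threshold.config".text = '' '';
  environment.etc."suricata/rules/suricata.rules".text = '' '';
}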