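# NixOS host module for "r330-logging": Grafana + Prometheus for dashboards
# and a Suricata IDS sensor sniffing enp6s18. The shared LAN is
# 192.168.100.0/24 (see HOME_NET below).
{ lib, config, pkgs, inputs, ... }:
{
  imports = [
    ../hardware/logging.nix
    ./headless.nix
    # open_ports is the only thing limiting who reaches Grafana (3000) and
    # Prometheus (9001): both services bind all interfaces (see below), and
    # neither has authentication configured in this file.
    (import ./networking.nix {
      hostname = "r330-logging";
      ip_address = "192.168.100.41";
      open_ports = [ 3000 9001 ];
      inherit lib;
    })
  ];

  users.users.logging = import ./user.nix;

  environment.systemPackages = with pkgs; [ suricata ];

  services.grafana = {
    enable = true;
    settings.server = {
      # Listens on every interface, not just 192.168.100.41. No
      # settings.security values (e.g. admin_password) are set in this file,
      # so Grafana's built-in defaults apply unless another module sets them.
      http_addr = "0.0.0.0";
      http_port = 3000;
      domain = "logging.randomctf.local";
    };
  };

  services.prometheus = {
    enable = true;
    # Reachable from the LAN through open_ports above; Prometheus itself has
    # no auth, so anything on 192.168.100.0/24 can read the scraped metrics.
    port = 9001;
    globalConfig.scrape_interval = "10s";
    scrapeConfigs = [
      {
        job_name = "r330-logging";
        static_configs = [{
          # Scrapes the local node exporter plus three other LAN hosts on the
          # same port. The node exporter is not enabled anywhere in this
          # file; presumably headless.nix or hardware/logging.nix does it —
          # verify, otherwise the 127.0.0.1 target is down.
          targets =
            let node_port = toString config.services.prometheus.exporters.node.port;
            in [
              "127.0.0.1:${node_port}"
              "192.168.100.40:${node_port}"
              "192.168.100.42:${node_port}"
              "192.168.100.45:${node_port}"
            ];
        }];
      }
    ];
  };

  # Suricata is wired up as a hand-written unit rather than a NixOS service
  # so the capture capabilities and config path are explicit here.
  systemd.services.suricata = {
    description = "Suricata IDS/IPS";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # systemd unit keys are case-sensitive: the lowercase "type" used
      # before is not a recognised key and was ignored (the unit still ran
      # only because "simple" is systemd's default).
      Type = "simple";
      # Runs unprivileged; the log directory in suricata.yaml
      # (/home/logging/logs) must exist and be writable by this user —
      # nothing in this file creates it.
      User = "logging";
      # -i must stay in sync with the af-packet interface in suricata.yaml.
      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s18";
      Restart = "on-failure";
      # Packet capture needs only raw sockets and interface administration;
      # the bounding set stops the process from ever holding anything else.
      CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
      AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
    };
  };

  # Suricata configuration. Every rule/classification/reference file below is
  # an empty placeholder, so as written the sensor records protocol metadata
  # and full pcaps but cannot raise a single alert until rules are added.
  # pcap-log keeps up to 20 x 1gb files under /home/logging/logs.
  environment.etc."suricata.yaml".source = pkgs.writeTextFile {
    name = "suricata.yaml";
    text = ''
      %YAML 1.1
      ---
      vars:
        address-groups:
          HOME_NET: "[192.168.100.0/24]"
          EXTERNAL_NET: "!$HOME_NET"
          HTTP_SERVERS: "$HOME_NET"
          SMTP_SERVERS: "$HOME_NET"
          SQL_SERVERS: "$HOME_NET"
          DNS_SERVERS: "$HOME_NET"
          TELNET_SERVERS: "$HOME_NET"
          AIM_SERVERS: "$EXTERNAL_NET"
          DC_SERVERS: "$HOME_NET"
          DNP3_SERVER: "$HOME_NET"
          DNP3_CLIENT: "$HOME_NET"
          MODBUS_CLIENT: "$HOME_NET"
          MODBUS_SERVER: "$HOME_NET"
          ENIP_CLIENT: "$HOME_NET"
          ENIP_SERVER: "$HOME_NET"
        port-groups:
          HTTP_PORTS: "80"
          SHELLCODE_PORTS: "!80"
          ORACLE_PORTS: 1521
          SSH_PORTS: 22
          DNP3_PORTS: 20000
          MODBUS_PORTS: 502
          FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
          FTP_PORTS: 21
          GENEVE_PORTS: 6081
          VXLAN_PORTS: 4789
          TEREDO_PORTS: 3544
          SIP_PORTS: "[5060, 5061]"
      default-log-dir: /home/logging/logs
      classification-file: /etc/suricata/classification.config
      reference-config-file: /etc/suricata/reference.config
      default-rule-path: /etc/suricata/rules
      rule-files:
        - suricata.rules
      stats:
        enabled: yes
      af-packet:
        - interface: enp6s18
          use-mmap: yes
          tpacket-v3: yes
          cluster-id: 99
          cluster-type: cluster_flow
          defrag: yes
      outputs:
        - fast:
            enabled: yes
            filename: fast.log
            append: yes
        - eve-log:
            enabled: yes
            filetype: regular
            filename: eve.json
            types:
              - alert:
                  tagged-packets: yes
              - http:
                  extended: yes
              - http2
              - dns:
                  enabled: yes
              - tls:
                  extended: yes
              - flow
              - mqtt
              - ssh
              - dhcp:
                  enabled: yes
              - arp:
                  enabled: yes
              - ldap
              - quic
              - sip
              - rfb
              - snmp
              - bittorrent-dht
              - krb5
              - dcerpc
              - ike
              - tftp
              - smb
              - nfs
              - rdp
              - ftp
              - websocket
              - smtp
        - pcap-log:
            enabled: yes
            filename: log.pcap
            limit: 1gb
            max-files: 20
        - stats:
            enabled: yes
            filename: stats.log
            append: yes
            totals: yes
            threads: no
    '';
  };

  # Placeholder files referenced from suricata.yaml. Suricata may warn about
  # the empty classification/reference files at start-up.
  environment.etc."suricata/classification.config".text = ''
  '';
  environment.etc."suricata/reference.config".text = ''
  '';
  # NOTE(review): suricata.yaml above has no threshold-file entry, so whether
  # this file is read depends on the package's built-in default path — verify.
  environment.etc."suricata/threshold.config".text = ''
  '';
  # Empty ruleset: no signatures loaded, so no alerts are generated.
  environment.etc."suricata/rules/suricata.rules".text = ''
  '';
}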