dotfiles/config/logging.nix


{ lib, config, pkgs, inputs, ... }: {
# Module imports: the hardware profile, the headless base profile, and the
# shared networking module instantiated with this host's identity.
imports = [
  ../hardware/logging.nix
  ./headless.nix
  (import ./networking.nix {
    inherit lib;
    hostname = "r330-logging";
    ip_address = "192.168.100.41";
    # Grafana (3000), Prometheus (9001) and the blackbox exporter (9003).
    open_ports = [ 3000 9001 9003 ];
  })
];

# NOTE(review): the host firewall is disabled outright. Presumably open_ports
# above feeds an allow-list inside ./networking.nix (not visible here); if so,
# that list has no effect while this is false, and every listening service on
# the host is reachable from the network, not only the three ports named
# above. Confirm this is intentional, or enable the firewall and rely on
# open_ports.
networking.firewall.enable = false;

# Account definition is shared with other hosts through ./user.nix.
users.users.logging = import ./user.nix;

# Suricata is installed system-wide; the systemd unit in this file runs it
# from the same package.
environment.systemPackages = [ pkgs.suricata ];
# Grafana dashboard server for the logging host.
# NOTE(review): Grafana listens on every interface over plain HTTP, and the
# host firewall is disabled in this file, so the login page is reachable from
# any network this machine is attached to. No admin credentials are set here;
# unless they are provisioned elsewhere, Grafana's stock default admin login
# applies. Consider setting settings.security.admin_password from a secret
# file (Grafana's `$__file{<path-to-secret>}` provider) and serving the UI
# behind TLS or a reverse proxy.
services.grafana.enable = true;
services.grafana.settings.server = {
  domain = "logging.randomctf.local";
  http_addr = "0.0.0.0";
  http_port = 3000;
};
# Blackbox exporter: performs the ICMP/HTTP probes that the Prometheus scrape
# jobs in this file request through its /probe endpoint.
# NOTE(review): no listenAddress is set, so the exporter presumably binds to
# all interfaces (the NixOS default, confirm). The scrape jobs in this file
# only ever reach it at 127.0.0.1:9003. An exporter reachable from the LAN
# will issue probes on behalf of whoever calls /probe, so binding it to
# loopback (`listenAddress = "127.0.0.1";`) and dropping 9003 from open_ports
# is the tighter setup unless something external really needs it.
services.prometheus.exporters.blackbox = {
  enable = true;
  port = 9003;
  # Probe module definitions (icmp, http_2xx, ...) live in this asset file.
  configFile = ./assets/blackbox.yml;
};
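# Prometheus server and its scrape jobs: node exporters on the managed hosts
# plus ICMP/HTTP reachability probes routed through the local blackbox
# exporter.
# NOTE(review): Prometheus has no authentication of its own and no
# listenAddress is set here, so with the firewall disabled the query API on
# port 9001 is presumably reachable from the whole LAN. It exposes the host
# inventory below to anyone who can connect. Restrict it if only Grafana on
# this host consumes it.
services.prometheus = {
  enable = true;
  port = 9001;
  globalConfig.scrape_interval = "10s";

  scrapeConfigs =
    let
      node_port = toString config.services.prometheus.exporters.node.port;

      # Follow the exporter's configured port instead of repeating the literal,
      # so the relabel rule cannot drift from the exporter definition.
      blackbox_addr =
        "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}";

      # One static_configs entry: a single target with a readable instance label.
      mkTarget = instance: target: {
        targets = [ target ];
        labels.instance = instance;
      };

      # Blackbox indirection: the listed target becomes the ?target= parameter
      # and the scrape itself is sent to the local blackbox exporter.
      blackbox_relabel = [
        {
          source_labels = [ "__address__" ];
          target_label = "__param_target";
        }
        {
          target_label = "__address__";
          replacement = blackbox_addr;
        }
      ];

      # A probe job that runs `module` against every entry of static_configs.
      mkBlackboxJob = job_name: module: static_configs: {
        inherit job_name static_configs;
        metrics_path = "/probe";
        params.module = [ module ];
        relabel_configs = blackbox_relabel;
      };
    in
    [
      {
        job_name = "node";
        static_configs = [
          (mkTarget "r330-logging" "127.0.0.1:${node_port}")
          (mkTarget "r330-media" "192.168.100.40:${node_port}")
          (mkTarget "sampledb-dev" "192.168.100.42:${node_port}")
          (mkTarget "mindforge" "192.168.100.45:${node_port}")
          # Fixed port: this target does not follow the local node exporter option.
          (mkTarget "GL-MT6000" "192.168.100.1:9100")
        ];
      }

      (mkBlackboxJob "blackbox_icmp" "icmp" [
        # 127.0.0.1 is this host (r330-logging, as in the node job). It was
        # labelled "r330-media", which collided with the 192.168.100.40 entry
        # below and gave two different probes the same job/instance labels.
        (mkTarget "r330-logging" "127.0.0.1")
        (mkTarget "GL-MT6000" "192.168.100.1")
        (mkTarget "r330-idrac" "192.168.100.11")
        (mkTarget "r730xd-idrac" "192.168.100.12")
        (mkTarget "ideapad" "192.168.100.20")
        (mkTarget "r330-proxmox" "192.168.100.21")
        (mkTarget "r730xd-proxmox" "192.168.100.22")
        (mkTarget "r330-media" "192.168.100.40")
        # Listed once; the original repeated this exact entry twice.
        (mkTarget "sampledb-dev" "192.168.100.42")
        (mkTarget "mindforge" "192.168.100.45")
        # External references to tell a LAN outage from an upstream outage.
        (mkTarget "Cloudflare" "1.1.1.1")
        (mkTarget "Google" "8.8.8.8")
      ])

      (mkBlackboxJob "blackbox_http_2xx" "http_2xx" [
        (mkTarget "Qbittorrent" "http://192.168.100.40:6011")
        (mkTarget "Radarr" "http://192.168.100.40:7878")
        (mkTarget "Sonarr" "http://192.168.100.40:8989")
        (mkTarget "Prowlarr" "http://192.168.100.40:9696")
        (mkTarget "RandomCTF.com" "https://randomctf.com")
        (mkTarget "Gitea" "https://git.randomctf.com")
        (mkTarget "Nextcloud" "https://nextcloud.randomctf.com")
      ])

      # NOTE(review): the module name suggests certificate verification is
      # turned off for this probe (the module itself is defined in
      # assets/blackbox.yml, not visible here). A green result then shows only
      # that the service answers, not that its certificate is valid or
      # unexpired. Trusting the service's CA in the module would restore that.
      (mkBlackboxJob "blackbox_http_2xx_no_verify" "http_2xx_tls_no_verify" [
        (mkTarget "Actual" "https://192.168.100.40:5006")
      ])
    ];
};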
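# Runs Suricata as a systemd service doing live capture on enp6s19, using the
# configuration installed at /etc/suricata.yaml.
systemd.services.suricata = {
  description = "Suricata IDS/IPS";
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    # systemd directive names are case-sensitive. The original lower-case
    # `type` is not a recognised [Service] key, so it was ignored.
    Type = "simple";
    # Runs unprivileged, with only the two capabilities granted below.
    # NOTE(review): whatever log/run directories assets/suricata.yaml points
    # at must be writable by this user (not verifiable from this file).
    User = "logging";
    ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
    Restart = "on-failure";
    # The bounding set caps what the process can ever hold; the ambient set
    # is what the non-root user actually receives at exec time.
    CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
    AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
  };
};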
# Suricata configuration installed under /etc. The main config comes from the
# repository asset; the four companion files are created from inline text.
environment.etc."suricata.yaml".source = ./assets/suricata.yaml;
# NOTE(review): as shown here the classification, reference, threshold and
# rules files are all empty. With an empty rules file Suricata loads no
# signatures and raises no alerts, and rules added later that use classtype or
# reference keywords will need matching entries in the first two files. Unless
# assets/suricata.yaml pulls rules from another path (not visible), this
# sensor only produces whatever protocol/flow logging the config enables.
environment.etc."suricata/classification.config".text = ''
'';
environment.etc."suricata/reference.config".text = ''
'';
environment.etc."suricata/threshold.config".text = ''
'';
environment.etc."suricata/rules/suricata.rules".text = ''
'';
}