diff --git a/common.nix b/common.nix
index 42d089d..68261cc 100644
--- a/common.nix
+++ b/common.nix
@@ -30,6 +30,7 @@
 ./services/bazarr.nix
 ./services/cloudflare-ddns.nix
 ./services/fail2ban.nix
+ ./services/suricata.nix
 ];
 
 ### Make build time quicker
diff --git a/services/suricata.nix b/services/suricata.nix
new file mode 100644
index 0000000..acb7162
--- /dev/null
+++ b/services/suricata.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+ services.suricata = {
+ enable = true;
+
+ settings = {
+ vars.address-groups = {
+ # Your local networks — Suricata won't alert on traffic within these
+ HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,127.0.0.0/8]";
+ EXTERNAL_NET = "!$HOME_NET";
+ };
+
+ # IDS mode: passive monitoring (read-only, no blocking)
+ # To enable IPS later, swap this for nfqueue mode
+ af-packet = [
+ { interface = "eno1"; }
+ ];
+
+ # Structured JSON log — useful for dashboards and log aggregation
+ outputs = [
+ {
+ eve-log = {
+ enabled = true;
+ filetype = "regular";
+ filename = "eve.json";
+ community-id = true;
+ types = [
+ { alert = { tagged-packets = "yes"; }; }
+ { anomaly = {}; }
+ { drop = {}; }
+ ];
+ };
+ }
+ # Human-readable alert log for quick inspection
+ {
+ fast = {
+ enabled = true;
+ filename = "fast.log";
+ append = "yes";
+ };
+ }
+ ];
+
+ # Enable unix socket so suricatasc can query running state
+ unix-command.enabled = true;
+
+ classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
+ reference-config-file = "${pkgs.suricata}/etc/suricata/reference.config";
+ };
+ };
+
+ # Make suricata CLI tools available (suricatasc, suricata-update)
+ environment.systemPackages = [ pkgs.suricata ];
+
+ };
+}
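Review bot: The new services/suricata.nix settings block never points Suricata at a ruleset — there is no `default-rule-path` or `rule-files` entry — so unless the NixOS module injects one, the daemon starts with no signatures and eve.json carries only anomaly events rather than the alerts the `alert` output type and fast.log are configured for; the comment next to `environment.systemPackages` mentions suricata-update, which suggests rules are expected to be loaded. Consider adding `rule-files = [ "suricata.rules" ];` with a `default-rule-path` set to the directory suricata-update writes to (placeholder: `<RULE_DIR>`), or a comment stating where rules come from and how they are refreshed. Two smaller points: the `drop` eve type only produces events in IPS mode, which the comment above `af-packet` says is deliberately not in use, so it is dead configuration for now; and booleans are written inconsistently (`enabled = true;` vs `append = "yes";`, `tagged-packets = "yes";`) — picking one form would make the file easier to read, though whether both serialize correctly depends on the module's YAML generation, which is not visible here.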