From b91b0ef2346415ba1edff717bb28499cda577330 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Mon, 6 Apr 2026 20:36:45 +0100
Subject: [PATCH] Add Suricata IDS to FredOS-Mediaserver

Passive network monitoring via af-packet on eno1. Rulesets auto-updated from ET/Open, abuse.ch, and other community sources via suricata-update. Runs alongside fail2ban; IPS/blocking mode can be enabled later.

Co-Authored-By: Claude Sonnet 4.6
---
 common.nix | 1 +
 services/suricata.nix | 58 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 services/suricata.nix

diff --git a/common.nix b/common.nix
index 42d089d..68261cc 100644
--- a/common.nix
+++ b/common.nix
@@ -30,6 +30,7 @@
 ./services/bazarr.nix
 ./services/cloudflare-ddns.nix
 ./services/fail2ban.nix
+ ./services/suricata.nix
 ];
 
 ### Make build time quicker
diff --git a/services/suricata.nix b/services/suricata.nix
new file mode 100644
index 0000000..acb7162
--- /dev/null
+++ b/services/suricata.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+ services.suricata = {
+ enable = true;
+
+ settings = {
+ vars.address-groups = {
+ # Your local networks — Suricata won't alert on traffic within these
+ HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,127.0.0.0/8]";
+ EXTERNAL_NET = "!$HOME_NET";
+ };
+
+ # IDS mode: passive monitoring (read-only, no blocking)
+ # To enable IPS later, swap this for nfqueue mode
+ af-packet = [
+ { interface = "eno1"; }
+ ];
+
+ # Structured JSON log — useful for dashboards and log aggregation
+ outputs = [
+ {
+ eve-log = {
+ enabled = true;
+ filetype = "regular";
+ filename = "eve.json";
+ community-id = true;
+ types = [
+ { alert = { tagged-packets = "yes"; }; }
+ { anomaly = {}; }
+ { drop = {}; }
+ ];
+ };
+ }
+ # Human-readable alert log for quick inspection
+ {
+ fast = {
+ enabled = true;
+ filename = "fast.log";
+ append = "yes";
+ };
+ }
+ ];
+
+ # Enable unix socket so suricatasc can query running state
+ unix-command.enabled = true;
+
+ classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
+ reference-config-file = "${pkgs.suricata}/etc/suricata/reference.config";
+ };
+ };
+
+ # Make suricata CLI tools available (suricatasc, suricata-update)
+ environment.systemPackages = [ pkgs.suricata ];
+
+ };
+}
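Review bot: Nothing in this hunk realises the "auto-updated rulesets" the commit message promises — `settings` carries no `rule-files` or `default-rule-path`, and there is no suricata-update systemd service or timer, so unless the NixOS `services.suricata` module schedules updates itself (not visible here) the daemon runs whatever rules the package ships, possibly none, and the `suricata-update` binary in `environment.systemPackages` only enables a manual run. If the module does not provide it, add a oneshot `systemd.services.suricata-update` with a daily `systemd.timers` entry, point `default-rule-path` at its output directory, and either restart the unit or issue a `suricatasc` rule reload after each run; at minimum replace the comment on `environment.systemPackages` with one saying rules must be refreshed by hand. Separately, `HOME_NET` spans all three RFC1918 ranges plus 127.0.0.0/8 (loopback never appears on eno1), so every `$EXTERNAL_NET -> $HOME_NET` signature is blind to traffic from any other private host; a comment such as `# TODO: narrow HOME_NET to the subnet(s) actually on eno1 — as written, private-to-private traffic never matches $EXTERNAL_NET` would record that trade-off where the next reader will see it. Finally, `eve.json` and `fast.log` (opened with `append = "yes"`) grow without bound unless the module rotates them, which is a disk-fill risk on a media server; a short note on how rotation is handled, or a logrotate entry, belongs next to the `outputs` block.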