diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index f1b66c6..f8aed7a 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -67,13 +67,13 @@
 components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
 networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
+ verify.closed.public.ports.opentelemetry = [ 4317 ];
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "contact@ingolf-wagner.de";
 verify.closed.wg0.domain = "10.100.0.1";
 verify.closed.public.domain = "orbi.public";
- verify.closed.public.ports.opentelemetry = [ 4317 ];
 # chungus rsync
 users.users.root.openssh.authorizedKeys.keys = [
diff --git a/machines/orbi/media-transmission2.nix b/machines/orbi/media-transmission2.nix
index cca5d6a..b019628 100644
--- a/machines/orbi/media-transmission2.nix
+++ b/machines/orbi/media-transmission2.nix
@@ -130,6 +130,8 @@ in
 allowedUDPPorts = [ 51413 ];
 };
+ verify.closed.public.ports.transmission2 = [ uiPort ];
+
 # host nginx setup
 # ----------------
diff --git a/machines/orbi/service-nix-cache.nix b/machines/orbi/service-nix-cache.nix
index b4cabc8..21f93ef 100644
--- a/machines/orbi/service-nix-cache.nix
+++ b/machines/orbi/service-nix-cache.nix
@@ -32,6 +32,8 @@
 port = 5005;
 };
+ verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ];
+
 services.nginx = {
 enable = true;
 virtualHosts."cache.${config.networking.hostName}.wg0" = {
diff --git a/machines/orbi/service-photoprism.nix b/machines/orbi/service-photoprism.nix
index e5c83ab..e7ded27 100644
--- a/machines/orbi/service-photoprism.nix
+++ b/machines/orbi/service-photoprism.nix
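Review bot: The verify entry now sits beside the wg0 firewall rules it mirrors, but the port is still the literal `4317` written four times in this hunk, so a later change to the exporter endpoint or to the `allowedTCPPorts` line can silently desynchronise the check from the thing it verifies. Binding the port once in the enclosing scope (a `let otelPort = 4317; in`, or deriving it from `components.monitor.opentelemetry.exporter.endpoint`) and using that binding in both firewall lines and in `verify.closed.public.ports.opentelemetry` keeps the detective control tied to the rule. `verify.closed.wg0.domain` is set here while no `verify.closed.wg0.ports` entries are visible in the hunk; if none exist elsewhere in the file, the wg0 interface yields no checks at all, which is fine only if intended. The attribute set this hunk belongs to starts and ends outside the hunk.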
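Review bot: Only `uiPort` is declared must-be-closed on the public interface, while the peer port `51413` opened via `allowedUDPPorts` a few lines above is left out, and whether that omission is deliberate cannot be read from the hunk (the interface block it belongs to closes at the `};` and opens outside the hunk). If 51413 is intentionally reachable from outside, a comment on the new entry such as `# only the RPC/web UI must stay private; 51413 is the peer port and is intentionally reachable` records that, so nobody later adds it to the closed list or drops the firewall rule by mistake. The enclosing attribute set continues past the hunk.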
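Review bot: `verify.closed.public.ports.nix-serve` only detects an exposure of port 5005 after the fact; nothing in the hunk restricts where nix-serve listens, and as far as I recall the NixOS module binds to all addresses unless `services.nix-serve.bindAddress` is set, so the firewall is the sole thing keeping the binary cache off the public interface. Setting `services.nix-serve.bindAddress` to the host's wg0 address (the hunk only shows `port = 5005;`, so confirm the address from the rest of the file) would make the port unreachable from outside regardless of firewall state, which matches the `cache.<host>.wg0` vhost that already scopes the service to the tunnel. The `services.nix-serve` block begins outside the hunk.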
@@ -16,6 +16,8 @@ in
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
 # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
+ verify.closed.public.ports.photoprism = [ photoprismPort ];
+
 containers.photoprism = {
 privateNetwork = false;
 autoStart = true;
diff --git a/machines/orbi/service-surrealdb.nix b/machines/orbi/service-surrealdb.nix
index d93e260..a6eea27 100644
--- a/machines/orbi/service-surrealdb.nix
+++ b/machines/orbi/service-surrealdb.nix
@@ -14,6 +14,7 @@ in
 {
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ];
+ verify.closed.public.ports.surrealdb = [ surrealdbPort ];
 containers.surrealdb = {
 privateNetwork = false;
diff --git a/machines/orbi/service-taskchampion.nix b/machines/orbi/service-taskchampion.nix
index 0cdf65e..484a96d 100644
--- a/machines/orbi/service-taskchampion.nix
+++ b/machines/orbi/service-taskchampion.nix
@@ -7,6 +7,8 @@
 }:
 {
+ verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
+
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.taskchampion-sync-server.port ];
diff --git a/machines/orbi/service-taskwarrior.nix b/machines/orbi/service-taskwarrior.nix
index cf568d6..652ecc2 100644
--- a/machines/orbi/service-taskwarrior.nix
+++ b/machines/orbi/service-taskwarrior.nix
@@ -48,6 +48,8 @@ in
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ];
 networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ];
+ verify.closed.public.ports.taskserver-webui = [ uiPort ];
+
 # host nginx setup
 # ----------------
diff --git a/machines/orbi/service-vikunja.nix b/machines/orbi/service-vikunja.nix
index ffe8e66..9004944 100644
--- a/machines/orbi/service-vikunja.nix
+++ b/machines/orbi/service-vikunja.nix
@@ -13,6 +13,7 @@ in
 {
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ];
+ verify.closed.public.ports.vikunja = [ vikunjaPort ];
 containers.vikunja = {
 privateNetwork = false;
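Review bot: With `privateNetwork = false` the container shares the host's network namespace, so whatever photoprism binds inside it is reachable on every host interface, and the wg0 firewall rule plus this new verify entry are the only controls; nothing in the hunk pins the listen address. If photoprism's configuration allows it, binding the service to the wg0 address (or to localhost behind the host nginx) would make a public-side exposure impossible rather than merely detected after the next scan; the same reasoning applies to the surrealdb and vikunja containers in this commit, which also set `privateNetwork = false`. The `containers.photoprism` block continues past the hunk.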
diff --git a/nix/verify/default.nix b/nix/verify/default.nix
index 39835d2..ac0e1d4 100644
--- a/nix/verify/default.nix
+++ b/nix/verify/default.nix
@@ -19,21 +19,45 @@
 type = "app";
 program = let
- command = service: domain: ports: ''
- echo "verify closed ports for ${service}"
+ domain =
+ machine: interface:
+ self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.domain;
+ servicePorts =
+ machine: interface:
+ self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.ports;
+
+ command = service: interface: domain: ports: ''
+ echo "verify ${interface} ports are closed for ${service}"
 ${pkgs.rustscan}/bin/rustscan \
 --ports ${concatStringsSep "," (map toString ports)} \
 --addresses ${domain} \
 --greppable
 '';
- domain = machine: self.nixosConfigurations.${machine}.options.verify.closed.value.public.domain;
+
 commands =
- machine:
- mapAttrsToList (
- service: ports: command service (domain machine) ports
- ) self.nixosConfigurations.${machine}.options.verify.closed.value.public.ports;
+ machine: interface:
+ mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
+ servicePorts machine interface
+ );
+
+ # machine -> [ interface, interface, ... ]
+ # todo: make this more robust for machines which don't have this option available
+ machines = mapAttrs (
+ machine: configuration: builtins.attrNames configuration.options.verify.closed.value
+ ) self.nixosConfigurations;
+
+ machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);
+
+ machineCommand = machine: interfaces: ''
+ echo "${machine}" | ${pkgs.boxes}/bin/boxes -d ansi
+ ${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
+ '';
+
+ allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
+
 in
- pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi"));
+ #pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
+ pkgs.writers.writeBashBin "verify" allCommands;
 };
 };
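Review bot: The generated script never fails: each `command` block only runs rustscan and prints, so an open port is visible in the terminal output but the `verify` app exits 0 either way, which makes it unusable as a CI gate or a post-deploy assertion. If I read `--greppable` right it emits one `host -> [ports]` line per host that has open ports and nothing otherwise, so capturing that output, setting a failure flag and exiting with it in `allCommands` turns the check into an assertion; the sketch below does that. Separately, rustscan as invoked probes TCP only, so a UDP-only exposure (for example the 4317/udp rule this same commit keeps on wg0 in configuration.nix) would pass unnoticed, and `command` deserves a comment to that effect until a UDP probe is added. The `machines` todo is real: `configuration.options.verify.closed` throws for a host that does not import the module, and `if configuration.options ? verify.closed then builtins.attrNames configuration.options.verify.closed.value else [ ]` covers it. The `let` closes inside the hunk, but the surrounding attribute set does not.
```nix
command = service: interface: domain: ports: ''
  echo "verify ${interface} ports are closed for ${service}"
  # TCP only: rustscan is not asked to probe UDP here, so UDP exposures are not detected
  open=$(${pkgs.rustscan}/bin/rustscan \
    --ports ${concatStringsSep "," (map toString ports)} \
    --addresses ${domain} \
    --greppable)
  if [ -n "$open" ]; then
    echo "OPEN on ${interface} for ${service}: $open" >&2
    failed=1
  fi
'';
# … unchanged: commands, machines, machineInterfaceCommand, machineCommand …
allCommands = ''
  failed=0
  ${concatStringsSep "\n\n" (mapAttrsToList machineCommand machines)}
  exit "$failed"
'';
```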
diff --git a/nix/verify/module.nix b/nix/verify/module.nix
index 0c35fc4..90116e3 100644
--- a/nix/verify/module.nix
+++ b/nix/verify/module.nix
@@ -2,6 +2,8 @@
 with lib;
 with types;
 {
+ # todo add commad option
+ # todo add remote command option
 options.verify.closed = mkOption {
 default = { };
 type = attrsOf (submodule {
@@ -14,6 +16,7 @@ with types;
 };
 # todo: make this an attrs so I know why port xyz should be closed.
 ports = mkOption {
+ default = { };
 type = attrsOf (listOf int);
 description = ''
 ports that should be closed
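Review bot: The new `default = { }` on `ports` is what lets an interface that only sets `domain` (as wg0 does in configuration.nix) evaluate without error, but the `description` still reads only `ports that should be closed` and says nothing about the attribute name being the service label the verify app prints, nor that the list is a must-not-be-reachable assertion for that interface's `domain`. Something like `Ports that must not be reachable on this interface's domain, keyed by a service label that is shown in the verify output.` documents the contract where users of the option will look for it. In the first hunk the new comment `# todo add commad option` has a typo (`command`). The submodule and the `options.verify.closed` block continue outside both hunks.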