verify closed ports script kinda works now.

Ingolf Wagner 2024-09-14 07:09:41 +07:00
parent 4c1a3ef72f
commit 31d674132b
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
10 changed files with 48 additions and 9 deletions


@ -67,13 +67,13 @@
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
verify.closed.public.ports.opentelemetry = [ 4317 ];
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de"; security.acme.defaults.email = "contact@ingolf-wagner.de";
verify.closed.wg0.domain = "10.100.0.1"; verify.closed.wg0.domain = "10.100.0.1";
verify.closed.public.domain = "orbi.public"; verify.closed.public.domain = "orbi.public";
verify.closed.public.ports.opentelemetry = [ 4317 ];
# chungus rsync # chungus rsync
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
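Review bot: `verify.closed.public.ports.opentelemetry = [ 4317 ]` covers a port that the two firewall lines above open for both TCP and UDP on wg0, but the generated verify script calls rustscan with only `--ports`/`--addresses`/`--greppable`, which as far as I can tell is a TCP scan, so the UDP side of 4317 on the public interface is never checked. The same applies to `uiPort` in the later taskserver-webui hunk, where the port is also added to `allowedUDPPorts`. Either record the limitation next to the entry, `# verify scans TCP only; UDP 4317 is not checked`, or state explicitly that UDP exposure is out of scope for this check. The literal 4317 is now repeated three times in this file; binding it once in a `let` would keep the firewall rule and the verification entry from drifting apart.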


@ -130,6 +130,8 @@ in
allowedUDPPorts = [ 51413 ]; allowedUDPPorts = [ 51413 ];
}; };
verify.closed.public.ports.transmission2 = [ uiPort ];
# host nginx setup # host nginx setup
# ---------------- # ----------------


@ -32,6 +32,8 @@
port = 5005; port = 5005;
}; };
verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."cache.${config.networking.hostName}.wg0" = { virtualHosts."cache.${config.networking.hostName}.wg0" = {


@ -16,6 +16,8 @@ in
networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
# networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ]; # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
verify.closed.public.ports.photoprism = [ photoprismPort ];
containers.photoprism = { containers.photoprism = {
privateNetwork = false; privateNetwork = false;
autoStart = true; autoStart = true;


@ -14,6 +14,7 @@ in
{ {
networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ];
verify.closed.public.ports.surrealdb = [ surrealdbPort ];
containers.surrealdb = { containers.surrealdb = {
privateNetwork = false; privateNetwork = false;


@ -7,6 +7,8 @@
}: }:
{ {
verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
networking.firewall.interfaces.wg0.allowedTCPPorts = [ networking.firewall.interfaces.wg0.allowedTCPPorts = [
config.services.taskchampion-sync-server.port config.services.taskchampion-sync-server.port
]; ];


@ -48,6 +48,8 @@ in
networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ];
verify.closed.public.ports.taskserver-webui = [ uiPort ];
# host nginx setup # host nginx setup
# ---------------- # ----------------


@ -13,6 +13,7 @@ in
{ {
networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ];
verify.closed.public.ports.vikunja = [ vikunjaPort ];
containers.vikunja = { containers.vikunja = {
privateNetwork = false; privateNetwork = false;


@ -19,21 +19,45 @@
type = "app"; type = "app";
program = program =
let let
command = service: domain: ports: '' domain =
echo "verify closed ports for ${service}" machine: interface:
self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.domain;
servicePorts =
machine: interface:
self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.ports;
command = service: interface: domain: ports: ''
echo "verify ${interface} ports are closed for ${service}"
${pkgs.rustscan}/bin/rustscan \ ${pkgs.rustscan}/bin/rustscan \
--ports ${concatStringsSep "," (map toString ports)} \ --ports ${concatStringsSep "," (map toString ports)} \
--addresses ${domain} \ --addresses ${domain} \
--greppable --greppable
''; '';
domain = machine: self.nixosConfigurations.${machine}.options.verify.closed.value.public.domain;
commands = commands =
machine: machine: interface:
mapAttrsToList ( mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
service: ports: command service (domain machine) ports servicePorts machine interface
) self.nixosConfigurations.${machine}.options.verify.closed.value.public.ports; );
# machine -> [ interface, interface, ... ]
# todo: make this more robust for machines which don't have this option available
machines = mapAttrs (
machine: configuration: builtins.attrNames configuration.options.verify.closed.value
) self.nixosConfigurations;
machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);
machineCommand = machine: interfaces: ''
echo "${machine}" | ${pkgs.boxes}/bin/boxes -d ansi
${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
'';
allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
in in
pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi")); #pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
pkgs.writers.writeBashBin "verify" allCommands;
}; };
}; };
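Review bot: The generated script cannot fail: `command` only echoes rustscan's output, so an open port on the public interface prints a line and the run still exits 0, which makes `verify` unusable as a gate in CI or before a deploy. Capturing the greppable output and exiting non-zero when it is non-empty, or when rustscan itself fails, fixes that; the fence below assumes `--greppable` prints nothing when none of the scanned ports is open, which should be confirmed against the rustscan version in nixpkgs. Separately, the `machines` mapping evaluates `configuration.options.verify.closed.value` for every nixosConfiguration, so one machine that does not import the verify module breaks the whole app at eval time; `builtins.attrNames (configuration.options.verify.closed.value or { })` would resolve the todo on that line. The commented-out `#pkgs.writers.writeBashBin "verify" ...` line is dead code and can be dropped. The hunk covers the whole `program = let ... in` block; the enclosing app definition starts above it.
```nix
command = service: interface: domain: ports: ''
  echo "verify ${interface} ports are closed for ${service}"
  if open=$(${pkgs.rustscan}/bin/rustscan \
      --ports ${concatStringsSep "," (map toString ports)} \
      --addresses ${domain} \
      --greppable) && [ -z "$open" ]; then
    echo "ok: ${service} is closed on ${domain}"
  else
    echo "FAILED: ${service} on ${domain} (${interface}): ''${open:-rustscan error}"
    failed=1
  fi
'';
# … unchanged: domain, servicePorts, commands, machines, machineInterfaceCommand, machineCommand …
allCommands = ''
  failed=0
  ${concatStringsSep "\n\n" (mapAttrsToList machineCommand machines)}
  exit "$failed"
'';
```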


@ -2,6 +2,8 @@
with lib; with lib;
with types; with types;
{ {
# todo add commad option
# todo add remote command option
options.verify.closed = mkOption { options.verify.closed = mkOption {
default = { }; default = { };
type = attrsOf (submodule { type = attrsOf (submodule {
@ -14,6 +16,7 @@ with types;
}; };
# todo: make this an attrs so I know why port xyz should be closed. # todo: make this an attrs so I know why port xyz should be closed.
ports = mkOption { ports = mkOption {
default = { };
type = attrsOf (listOf int); type = attrsOf (listOf int);
description = '' description = ''
ports that should be closed ports that should be closed
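Review bot: The first hunk's new comment `# todo add commad option` has a typo and, together with the line after it, does not say what the option is for; `# todo: add a per-interface command option (and a remote-command variant) so the scan can run from another host` would make the intent recoverable for the next reader, if that is what is meant. The `default = { };` added to `ports` in the second hunk is what lets the flake's `servicePorts` lookup succeed for interfaces that only set `domain`; a one-line comment saying so next to it would explain why the default is not optional.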