use nixos-healthchecks instead of verify

Ingolf Wagner 2024-09-30 12:05:17 +09:00
parent 177f77faab
commit 4a10bae866
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
24 changed files with 122 additions and 289 deletions


@ -253,6 +253,24 @@
} }
}, },
"flake-parts_3": { "flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1726153070,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixos-anywhere", "nixos-anywhere",
@ -273,9 +291,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_4": { "flake-parts_5": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib_2" "nixpkgs-lib": "nixpkgs-lib_3"
}, },
"locked": { "locked": {
"lastModified": 1722555600, "lastModified": 1722555600,
@ -291,9 +309,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_5": { "flake-parts_6": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib_3" "nixpkgs-lib": "nixpkgs-lib_4"
}, },
"locked": { "locked": {
"lastModified": 1726153070, "lastModified": 1726153070,
@ -469,6 +487,28 @@
"type": "github" "type": "github"
} }
}, },
"healthchecks": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1727664262,
"narHash": "sha256-8Q1YJCoVax+Mb80Fhtu7eZe8ewS3Syjce74wOy/8b3Y=",
"owner": "mrvandalo",
"repo": "nixos-healthchecks",
"rev": "64415df72d72c9c1f41223694dbe099e4a10f001",
"type": "github"
},
"original": {
"owner": "mrvandalo",
"repo": "nixos-healthchecks",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -576,11 +616,11 @@
"nixos-anywhere": { "nixos-anywhere": {
"inputs": { "inputs": {
"disko": "disko_2", "disko": "disko_2",
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_4",
"nixos-images": "nixos-images_2", "nixos-images": "nixos-images_2",
"nixos-stable": "nixos-stable", "nixos-stable": "nixos-stable",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1727450368, "lastModified": 1727450368,
@ -768,6 +808,18 @@
} }
}, },
"nixpkgs-lib_2": { "nixpkgs-lib_2": {
"locked": {
"lastModified": 1726442928,
"narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
}
},
"nixpkgs-lib_3": {
"locked": { "locked": {
"lastModified": 1722555339, "lastModified": 1722555339,
"narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
@ -779,7 +831,7 @@
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
} }
}, },
"nixpkgs-lib_3": { "nixpkgs-lib_4": {
"locked": { "locked": {
"lastModified": 1725233747, "lastModified": 1725233747,
"narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
@ -969,11 +1021,11 @@
}, },
"private-parts": { "private-parts": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_4", "flake-parts": "flake-parts_5",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_4"
}, },
"locked": { "locked": {
"lastModified": 1727519047, "lastModified": 1727519047,
@ -1010,6 +1062,7 @@
"clan-core": "clan-core", "clan-core": "clan-core",
"clan-fact-generators": "clan-fact-generators", "clan-fact-generators": "clan-fact-generators",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"healthchecks": "healthchecks",
"home-manager": "home-manager", "home-manager": "home-manager",
"home-manager-utils": "home-manager-utils", "home-manager-utils": "home-manager-utils",
"kmonad": "kmonad", "kmonad": "kmonad",
@ -1029,7 +1082,7 @@
"srvos": "srvos", "srvos": "srvos",
"stylix": "stylix", "stylix": "stylix",
"taskwarrior": "taskwarrior", "taskwarrior": "taskwarrior",
"treefmt-nix": "treefmt-nix_5" "treefmt-nix": "treefmt-nix_6"
} }
}, },
"sops-nix": { "sops-nix": {
@ -1207,12 +1260,12 @@
}, },
"taskwarrior": { "taskwarrior": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_5", "flake-parts": "flake-parts_6",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"taskshell": "taskshell", "taskshell": "taskshell",
"treefmt-nix": "treefmt-nix_4" "treefmt-nix": "treefmt-nix_5"
}, },
"locked": { "locked": {
"lastModified": 1727417586, "lastModified": 1727417586,
@ -1298,6 +1351,27 @@
} }
}, },
"treefmt-nix_2": { "treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"healthchecks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1727431250,
"narHash": "sha256-uGRlRT47ecicF9iLD1G3g43jn2e+b5KaMptb59LHnvM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "879b29ae9a0378904fbbefe0dadaed43c8905754",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixos-anywhere", "nixos-anywhere",
@ -1318,7 +1392,7 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix_3": { "treefmt-nix_4": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"private-parts", "private-parts",
@ -1339,7 +1413,7 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix_4": { "treefmt-nix_5": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"taskwarrior", "taskwarrior",
@ -1360,7 +1434,7 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix_5": { "treefmt-nix_6": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"


@ -10,6 +10,9 @@
clan-fact-generators.url = "github:mrvandalo/clan-fact-generators"; clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
healthchecks.inputs.nixpkgs.follows = "nixpkgs";
#healthchecks.url = "git+file:///home/palo/dev/nixos/healthcheck";
healthchecks.url = "github:mrvandalo/nixos-healthchecks";
home-manager-utils.inputs.home-manager.follows = "home-manager"; home-manager-utils.inputs.home-manager.follows = "home-manager";
home-manager-utils.url = "github:mrvandalo/home-manager-utils"; home-manager-utils.url = "github:mrvandalo/home-manager-utils";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
@ -38,8 +41,8 @@
stylix.inputs.nixpkgs.follows = "nixpkgs"; stylix.inputs.nixpkgs.follows = "nixpkgs";
stylix.url = "github:danth/stylix"; stylix.url = "github:danth/stylix";
taskwarrior.inputs.nixpkgs.follows = "nixpkgs"; taskwarrior.inputs.nixpkgs.follows = "nixpkgs";
taskwarrior.url = "github:mrvandalo/taskwarrior-flake";
#taskwarrior.url = "git+file:///home/palo/dev/nixos/taskwarrior-flake"; #taskwarrior.url = "git+file:///home/palo/dev/nixos/taskwarrior-flake";
taskwarrior.url = "github:mrvandalo/taskwarrior-flake";
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
treefmt-nix.url = "github:numtide/treefmt-nix"; treefmt-nix.url = "github:numtide/treefmt-nix";
@ -77,6 +80,7 @@
stylix, stylix,
taskwarrior, taskwarrior,
treefmt-nix, treefmt-nix,
healthchecks,
}: }:
let let
@ -379,9 +383,9 @@
systems = [ "x86_64-linux" ]; systems = [ "x86_64-linux" ];
imports = [ imports = [
clan-core.flakeModules.default clan-core.flakeModules.default
healthchecks.flakeModule
./nix/formatter.nix ./nix/formatter.nix
./nix/packages ./nix/packages
./nix/verify
./nix/topology ./nix/topology
]; ];
@ -418,7 +422,7 @@
name = "cherry"; name = "cherry";
host = "cherry.bear"; host = "cherry.bear";
modules = [ modules = [
self.nixosModules.verify healthchecks.nixosModules.default
zerotierModules zerotierModules
nixos-hardware.nixosModules.framework-13th-gen-intel nixos-hardware.nixosModules.framework-13th-gen-intel
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
@ -440,7 +444,7 @@
name = "chungus"; name = "chungus";
host = "chungus.bear"; host = "chungus.bear";
modules = [ modules = [
self.nixosModules.verify healthchecks.nixosModules.default
zerotierModules zerotierModules
zerotierControllerModule zerotierControllerModule
homeManagerModules homeManagerModules
@ -462,7 +466,7 @@
host = "orbi.bear"; host = "orbi.bear";
#host = "95.216.66.212"; #host = "95.216.66.212";
modules = [ modules = [
self.nixosModules.verify healthchecks.nixosModules.default
homeManagerModules homeManagerModules
stylixModules stylixModules
zerotierModules zerotierModules
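Review bot: The new `healthchecks` input follows the root `nixpkgs`, but its `flake-parts` and `treefmt-nix` inputs are not followed, so the lock file on this page gains separate `flake-parts_3`, `nixpkgs-lib_2` and `treefmt-nix_2` nodes that each have to be tracked and updated. This flake already declares both inputs, so adding `healthchecks.inputs.flake-parts.follows = "flake-parts";` and `healthchecks.inputs.treefmt-nix.follows = "treefmt-nix";` beside the existing `follows` line would keep the set of pinned sources smaller. `healthchecks.nixosModules.default` now sits in the `modules` lists for cherry, chungus and orbi, so the locked `rev` of this input deserves a look on every lock bump. The commented-out `git+file:///home/palo/dev/nixos/healthcheck` URL is a local development leftover and can be dropped. The input block, the outputs argument set and the three `modules` lists all continue outside the hunks shown.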


@ -6,7 +6,7 @@
}: }:
{ {
verify.http.syncthing-gui = { healthchecks.http.syncthing-gui = {
url = config.services.syncthing.guiAddress; url = config.services.syncthing.guiAddress;
expectedContent = "syncthing"; expectedContent = "syncthing";
}; };


@ -6,7 +6,7 @@
}: }:
{ {
verify.http.syncthing-gui = { healthchecks.http.syncthing-gui = {
url = config.services.syncthing.guiAddress; url = config.services.syncthing.guiAddress;
expectedContent = "syncthing"; expectedContent = "syncthing";
}; };


@ -5,7 +5,7 @@
... ...
}: }:
{ {
verify.http.forgejjo = { healthchecks.http.forgejjo = {
url = "http://git.chungus.private/explore/repos"; url = "http://git.chungus.private/explore/repos";
expectedContent = "nixinate"; expectedContent = "nixinate";
}; };


@ -30,7 +30,7 @@
}; };
networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ];
verify.http.paperless = { healthchecks.http.paperless = {
url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/"; url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
expectedContent = "paperless.chungus.private"; expectedContent = "paperless.chungus.private";
}; };


@ -67,13 +67,13 @@
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
verify.closed.public.ports.opentelemetry = [ 4317 ]; healthchecks.closed.public.ports.opentelemetry = [ 4317 ];
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de"; security.acme.defaults.email = "contact@ingolf-wagner.de";
verify.closed.wg0.host = "10.100.0.1"; healthchecks.closed.wg0.host = "10.100.0.1";
verify.closed.public.host = "orbi.public"; healthchecks.closed.public.host = "orbi.public";
# chungus rsync # chungus rsync
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [


@ -11,13 +11,13 @@
8686 8686
]; ];
verify.closed.public.ports.arr = [ healthchecks.closed.public.ports.arr = [
7878 7878
8989 8989
8686 8686
]; ];
verify.http = { healthchecks.http = {
sonarr = { sonarr = {
url = "sonarr.ingolf-wagner.de"; url = "sonarr.ingolf-wagner.de";
expectedContent = "Sonarr"; expectedContent = "Sonarr";


@ -35,7 +35,7 @@ in
443 443
]; ];
verify.http.nextcloud = { healthchecks.http.nextcloud = {
url = "https://nextcloud.ingolf-wagner.de/login"; url = "https://nextcloud.ingolf-wagner.de/login";
expectedContent = "Login"; expectedContent = "Login";
}; };


@ -6,7 +6,7 @@
}: }:
{ {
verify.http.syncthing-gui = { healthchecks.http.syncthing-gui = {
url = config.services.syncthing.guiAddress; url = config.services.syncthing.guiAddress;
expectedContent = "syncthing"; expectedContent = "syncthing";
}; };


@ -130,7 +130,7 @@ in
allowedUDPPorts = [ 51413 ]; allowedUDPPorts = [ 51413 ];
}; };
verify.closed.public.ports.transmission2 = [ uiPort ]; healthchecks.closed.public.ports.transmission2 = [ uiPort ];
# host nginx setup # host nginx setup
# ---------------- # ----------------


@ -6,7 +6,7 @@
}: }:
{ {
verify.http.forgejjo = { healthchecks.http.forgejjo = {
url = "https://git.ingolf-wagner.de/explore/repos"; url = "https://git.ingolf-wagner.de/explore/repos";
expectedContent = "palo/nixos-config"; expectedContent = "palo/nixos-config";
}; };


@ -32,8 +32,8 @@
port = 5005; port = 5005;
}; };
verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ]; healthchecks.closed.public.ports.nix-serve = [ config.services.nix-serve.port ];
verify.http.nix-serve = { healthchecks.http.nix-serve = {
url = "cache.${config.networking.hostName}.wg0/nix-cache-info"; url = "cache.${config.networking.hostName}.wg0/nix-cache-info";
expectedContent = "Priority: 50"; expectedContent = "Priority: 50";
}; };


@ -16,8 +16,8 @@ in
networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
# networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ]; # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
verify.closed.public.ports.photoprism = [ photoprismPort ]; healthchecks.closed.public.ports.photoprism = [ photoprismPort ];
verify.http.photoprism = { healthchecks.http.photoprism = {
url = "http://10.100.0.1:2342/library/login"; url = "http://10.100.0.1:2342/library/login";
expectedContent = "AI-Powered Photos App"; expectedContent = "AI-Powered Photos App";
}; };


@ -14,7 +14,7 @@ in
{ {
networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ];
verify.closed.public.ports.surrealdb = [ surrealdbPort ]; healthchecks.closed.public.ports.surrealdb = [ surrealdbPort ];
containers.surrealdb = { containers.surrealdb = {
privateNetwork = false; privateNetwork = false;


@ -7,8 +7,8 @@
}: }:
{ {
verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ]; healthchecks.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
verify.http.taskchampion = { healthchecks.http.taskchampion = {
url = "http://orbi.private:10222"; url = "http://orbi.private:10222";
expectedContent = "TaskChampion sync server"; expectedContent = "TaskChampion sync server";
}; };


@ -48,7 +48,7 @@ in
networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ];
verify.closed.public.ports.taskserver-webui = [ uiPort ]; healthchecks.closed.public.ports.taskserver-webui = [ uiPort ];
# host nginx setup # host nginx setup
# ---------------- # ----------------


@ -6,7 +6,7 @@
}: }:
{ {
verify.http.vaultwarden = { healthchecks.http.vaultwarden = {
url = config.services.vaultwarden.config.domain; url = config.services.vaultwarden.config.domain;
expectedContent = "BOOOOM"; # fixme: seems this part is not working expectedContent = "BOOOOM"; # fixme: seems this part is not working
}; };
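Review bot: The placeholder `expectedContent = "BOOOOM";` and its `fixme` are carried into `healthchecks.http.vaultwarden` unchanged, and the same line appears in the `healthchecks.http.wastebin` section further down. In the `http.nix` module this commit deletes, `script` selected `scriptWithExpectedContent` only when `expectedContent == null`, so a non-null string was never matched against the body, which may be what the fixme observed. How nixos-healthchecks handles the option is not visible on this page; if it does match the body these two checks fail permanently, and if it does not they pass without verifying anything. Set the value to a string the service really returns and replace the comment with something like `# marker string taken from the login page`. The attribute set continues past the end of the hunk.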


@ -13,7 +13,7 @@ in
{ {
networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ];
verify.closed.public.ports.vikunja = [ vikunjaPort ]; healthchecks.closed.public.ports.vikunja = [ vikunjaPort ];
containers.vikunja = { containers.vikunja = {
privateNetwork = false; privateNetwork = false;


@ -4,7 +4,7 @@ let
in in
{ {
verify.http.wastebin = { healthchecks.http.wastebin = {
url = "https://paste.ingolf-wagner.de"; url = "https://paste.ingolf-wagner.de";
expectedContent = "BOOOOM"; # fixme: seems this part is not working expectedContent = "BOOOOM"; # fixme: seems this part is not working
}; };


@ -1,92 +0,0 @@
{ self, ... }:
{
imports = [ ];
flake.nixosModules.verify = {
imports = [
./modules/closedPorts.nix
./modules/http.nix
./modules/localCommands.nix
];
};
perSystem =
{
pkgs,
self',
lib,
...
}:
with lib;
{
apps.verify = {
type = "app";
program =
let
nixosConfigurationsToVerify = filterAttrs (
machine: configuration: builtins.hasAttr "verify" configuration.options
) self.nixosConfigurations;
verifyLocalCommands =
nixosConfiguration:
let
localCommands = nixosConfiguration.options.verify.localCommands.value;
commands = mapAttrsToList (
serviceName: serviceCommand:
let
# todo handle exit code and stderr and such properly
script = pkgs.writers.writeBash "${serviceName}" serviceCommand;
#title = if title != null then title else "verify service ${serviceName}";
title = "verify service ${serviceName}";
in
''
echo "${title}"
${script}
''
) localCommands;
in
flatten commands;
verifyClosedCommands =
nixosConfiguration:
let
command = serviceName: interfaceName: host: ports: ''
echo "verify ${interfaceName} ports are closed for ${serviceName}"
${pkgs.rustscan}/bin/rustscan \
--ports ${concatStringsSep "," (map toString ports)} \
--addresses ${host} \
--greppable
'';
interfaces = nixosConfiguration.options.verify.closed.value;
interfaceCommands = mapAttrsToList (
interfaceName: interfaceConfiguration:
mapAttrsToList (
serviceName: servicePorts:
command serviceName interfaceName interfaceConfiguration.host servicePorts
) interfaceConfiguration.ports
) interfaces;
in
flatten interfaceCommands;
verify = machineName: nixosConfiguration: ''
echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)}
'';
allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
in
pkgs.writers.writeBashBin "verify" allCommands;
};
};
}


@ -1,46 +0,0 @@
{ lib, ... }:
with lib;
with types;
{
# todo add remote command option
options.verify.closed = mkOption {
default = { };
example = {
public = {
host = "example.com";
ports = {
arr = [
7878
8989
8686
];
};
};
};
description = ''
Verify that ports the defined ports are closed for a specific interface.
Verification is done by rustscan.
'';
type = attrsOf (submodule {
options = {
host = mkOption {
type = str;
description = ''
The host against which the rustscan will be done.
Needed because we have more than interface on the machine.
'';
};
ports = mkOption {
default = { };
type = attrsOf (listOf int);
description = ''
service -> [port, ... ]
Ports that should be verified as beeing closed.
'';
};
};
});
};
}


@ -1,92 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
with types;
{
options.verify.http = mkOption {
default = { };
example = {
github = {
url = "https://github.com";
expectedContent = "GitHub";
};
};
description = ''
Run curl commands to verify if response code is as expected and expectedContent is part of the body.
'';
type = attrsOf (submodule {
options = {
url = mkOption {
type = str;
description = ''
URL to analyze.
'';
};
responseCode = mkOption {
type = int;
default = 200;
description = ''
Expected response code
'';
};
expectedContent = mkOption {
type = nullOr str;
description = ''
Expected string in the response
'';
};
};
});
};
config = {
verify.localCommands =
let
curl = lib.getExe pkgs.curl;
grep = lib.getExe pkgs.gnugrep;
scriptWithExpectedContent = url: responseCode: expectedContent: ''
if ${curl} -s -o /dev/null -w "%{http_code}" ${url} | ${grep} -q "${toString responseCode}"; then
if ${curl} -s ${url} | ${grep} -q "${expectedContent}"; then
echo -n ""
else
echo " [Fail] ${url} did return ${toString responseCode}, but did not contain the string '${expectedContent}'."
fi
else
echo " [Fail] ${url} did not return ${toString responseCode}."
fi
'';
scriptWithoutExpectedContent = url: responseCode: ''
if ${curl} -s -o /dev/null -w "%{http_code}" ${url} | ${grep} -q "${toString responseCode}"; then
echo -n ""
else
echo " [Fail] ${url} did not return ${toString responseCode}."
fi
'';
script =
url: responeCode: expectedContent:
if (expectedContent == null) then
scriptWithExpectedContent url responeCode expectedContent
else
scriptWithoutExpectedContent url responeCode;
in
mapAttrs' (
service:
{
url,
responseCode,
expectedContent,
}:
nameValuePair ("http_" + service) (script url responseCode expectedContent)
) config.verify.http;
};
}


@ -1,15 +0,0 @@
{ lib, ... }:
with lib;
with types;
{
options.verify.localCommands = mkOption {
default = { };
type = attrsOf str;
description = ''
service -> command
command to run on local machine to test remote server.
'';
};
}