From 774b26b7981cfc067ef02412f5f42c9a3e40daa2 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Sun, 15 Sep 2024 06:32:21 +0700 Subject: [PATCH] :sparkles: add local command to verify --- machines/orbi/configuration.nix | 6 +-- machines/orbi/media-arr.nix | 2 +- machines/orbi/media-nextcloud.nix | 19 +++++++++ machines/orbi/media-transmission2.nix | 2 +- machines/orbi/service-nix-cache.nix | 2 +- machines/orbi/service-photoprism.nix | 2 +- machines/orbi/service-surrealdb.nix | 2 +- machines/orbi/service-taskchampion.nix | 2 +- machines/orbi/service-taskwarrior.nix | 2 +- machines/orbi/service-vikunja.nix | 2 +- nix/verify/default.nix | 29 ++++++++++++- nix/verify/modules/closed.nix | 53 ------------------------ nix/verify/modules/default.nix | 56 +++++++++++++++++++++++++- 13 files changed, 111 insertions(+), 68 deletions(-) delete mode 100644 nix/verify/modules/closed.nix diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix index cf30dfe..70fc2ff 100644 --- a/machines/orbi/configuration.nix +++ b/machines/orbi/configuration.nix @@ -67,13 +67,13 @@ components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ]; - verify.closed.public.ports.opentelemetry = [ 4317 ]; + verify.public.closedPorts.opentelemetry = [ 4317 ]; security.acme.acceptTerms = true; security.acme.defaults.email = "contact@ingolf-wagner.de"; - verify.closed.wg0.host = "10.100.0.1"; - verify.closed.public.host = "orbi.public"; + verify.wg0.host = "10.100.0.1"; + verify.public.host = "orbi.public"; # chungus rsync users.users.root.openssh.authorizedKeys.keys = [ diff --git a/machines/orbi/media-arr.nix b/machines/orbi/media-arr.nix index 05bfd6a..cc72080 100644 --- a/machines/orbi/media-arr.nix +++ b/machines/orbi/media-arr.nix 
@@ -6,7 +6,7 @@ 8686 ]; - verify.closed.public.ports.arr = [ + verify.public.closedPorts.arr = [ 7878 8989 8686 diff --git a/machines/orbi/media-nextcloud.nix b/machines/orbi/media-nextcloud.nix index e9054cd..e7f7798 100644 --- a/machines/orbi/media-nextcloud.nix +++ b/machines/orbi/media-nextcloud.nix @@ -1,5 +1,6 @@ { pkgs, + lib, config, factsGenerator, components, @@ -34,6 +35,24 @@ in 443 ]; + verify.public.localCommands.nextcloud = + let + domain = "https://nextcloud.ingolf-wagner.de/login"; + curl = lib.getExe pkgs.curl; + grep = lib.getExe pkgs.gnugrep; + in + '' + if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then + if ${curl} -s ${domain} | ${grep} -q "Login"; then + echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'." + else + echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht." + fi + else + echo "[Fail] Die Seite hat keinen Statuscode 200." + fi + ''; + services.nginx = { enable = true; recommendedProxySettings = true; diff --git a/machines/orbi/media-transmission2.nix b/machines/orbi/media-transmission2.nix index b019628..5927a49 100644 --- a/machines/orbi/media-transmission2.nix +++ b/machines/orbi/media-transmission2.nix @@ -130,7 +130,7 @@ in allowedUDPPorts = [ 51413 ]; }; - verify.closed.public.ports.transmission2 = [ uiPort ]; + verify.public.closedPorts.transmission2 = [ uiPort ]; # host nginx setup # ---------------- diff --git a/machines/orbi/service-nix-cache.nix b/machines/orbi/service-nix-cache.nix index 21f93ef..c63b29a 100644 --- a/machines/orbi/service-nix-cache.nix +++ b/machines/orbi/service-nix-cache.nix @@ -32,7 +32,7 @@ port = 5005; }; - verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ]; + verify.public.closedPorts.nix-serve = [ config.services.nix-serve.port ]; services.nginx = { enable = true; diff --git a/machines/orbi/service-photoprism.nix b/machines/orbi/service-photoprism.nix index d3f3a05..576b355 100644 
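Review bot: Both `[Fail]` branches of the new `verify.public.localCommands.nextcloud` script only `echo` and then fall off the end, so the script exits 0 whether or not the check passed and a caller cannot tell success from failure without parsing the German text; add `exit 1` to both failure branches. The two `curl` calls have no time bound (curl has no default timeout), so an unresponsive host stalls the whole verify run; `--max-time 10` on the `curl` definition would cap that. The page is also fetched twice, once for the status code and once for the body, so the two checks can disagree if the service changes state between requests; fetching once into a variable with `-w "%{http_code}"` appended and splitting off the last line keeps them consistent. The messages mix German with the English lines the runner prints around them; one language keeps the output greppable.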
--- a/machines/orbi/service-photoprism.nix +++ b/machines/orbi/service-photoprism.nix @@ -16,7 +16,7 @@ in networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ]; # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ]; - verify.closed.public.ports.photoprism = [ photoprismPort ]; + verify.public.closedPorts.photoprism = [ photoprismPort ]; containers.photoprism = { privateNetwork = false; diff --git a/machines/orbi/service-surrealdb.nix b/machines/orbi/service-surrealdb.nix index a6eea27..57e75c9 100644 --- a/machines/orbi/service-surrealdb.nix +++ b/machines/orbi/service-surrealdb.nix @@ -14,7 +14,7 @@ in { networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ]; - verify.closed.public.ports.surrealdb = [ surrealdbPort ]; + verify.public.closedPorts.surrealdb = [ surrealdbPort ]; containers.surrealdb = { privateNetwork = false; diff --git a/machines/orbi/service-taskchampion.nix b/machines/orbi/service-taskchampion.nix index 484a96d..8af8f74 100644 --- a/machines/orbi/service-taskchampion.nix +++ b/machines/orbi/service-taskchampion.nix @@ -7,7 +7,7 @@ }: { - verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ]; + verify.public.closedPorts.taskchampion = [ config.services.taskchampion-sync-server.port ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.taskchampion-sync-server.port diff --git a/machines/orbi/service-taskwarrior.nix b/machines/orbi/service-taskwarrior.nix index 652ecc2..8031a4f 100644 --- a/machines/orbi/service-taskwarrior.nix +++ b/machines/orbi/service-taskwarrior.nix @@ -48,7 +48,7 @@ in networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ]; - verify.closed.public.ports.taskserver-webui = [ uiPort ]; + verify.public.closedPorts.taskserver-webui = [ uiPort ]; # host nginx setup # ---------------- 
diff --git a/machines/orbi/service-vikunja.nix b/machines/orbi/service-vikunja.nix index 9004944..34a4f22 100644 --- a/machines/orbi/service-vikunja.nix +++ b/machines/orbi/service-vikunja.nix @@ -13,7 +13,7 @@ in { networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ]; - verify.closed.public.ports.vikunja = [ vikunjaPort ]; + verify.public.closedPorts.vikunja = [ vikunjaPort ]; containers.vikunja = { privateNetwork = false; diff --git a/nix/verify/default.nix b/nix/verify/default.nix index 32faed1..75c6261 100644 --- a/nix/verify/default.nix +++ b/nix/verify/default.nix @@ -24,6 +24,30 @@ machine: configuration: builtins.hasAttr "verify" configuration.options ) self.nixosConfigurations; + verifyLocalCommands = + nixosConfiguration: + let + + interfaces = nixosConfiguration.options.verify.value; + + interfaceCommands = mapAttrsToList ( + interfaceName: interfaceConfiguration: + mapAttrsToList ( + serviceName: serviceCommand: + let + # todo handle exit code and stderr and such properly + script = pkgs.writers.writeBash "${interfaceName}-${serviceName}" serviceCommand; + in + '' + echo "verify ${interfaceName} service ${serviceName} (local command)" + ${script} + '' + ) interfaceConfiguration.localCommands + ) interfaces; + + in + flatten interfaceCommands; + verifyClosedCommands = nixosConfiguration: let @@ -36,14 +60,14 @@ --greppable ''; - interfaces = nixosConfiguration.options.verify.closed.value; + interfaces = nixosConfiguration.options.verify.value; interfaceCommands = mapAttrsToList ( interfaceName: interfaceConfiguration: mapAttrsToList ( serviceName: servicePorts: command serviceName interfaceName interfaceConfiguration.host servicePorts - ) interfaceConfiguration.ports + ) interfaceConfiguration.closedPorts ) interfaces; in 
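Review bot: In `verifyLocalCommands` the generated `${script}` is run bare and its exit status is dropped, so a local check that fails, or whose script aborts because curl cannot reach the host, leaves the combined verify output as the only signal; the inline `# todo handle exit code and stderr` acknowledges this, but as written nothing machine-readable distinguishes a passing check from a failing one. A minimal fix is `if ! ${script}; then echo "[Fail] ${interfaceName}/${serviceName} exited $?"; fi`, or better an overall failure flag that the verify wrapper turns into its own exit status. Whether the enclosing script runs under `set -e` is not visible here; if it does, a bare failing `${script}` would instead abort the run before later services and machines are checked, which is the opposite problem. Either way the exit-status contract for `localCommands` should be stated where the option is documented so check authors know whether a non-zero exit is honoured.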
@@ -52,6 +76,7 @@ verify = machineName: nixosConfiguration: '' echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)} + ${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)} ''; allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify); diff --git a/nix/verify/modules/closed.nix b/nix/verify/modules/closed.nix deleted file mode 100644 index 6d3ca15..0000000 --- a/nix/verify/modules/closed.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ lib, ... }: -with lib; -with types; -{ - options.verify.closed = mkOption { - default = { }; - example = { - public = { - host = "example.com"; - ports = { - arr = [ - 7878 - 8989 - 8686 - ]; - }; - }; - work_vpn = { - host = "10.1.1.100"; - ports = { - arr = [ - 7878 - 8989 - 8686 - ]; - }; - }; - }; - description = '' - Verify that ports the defined ports are closed for a specific interface. - Verification is done by rustscan. - ''; - type = attrsOf (submodule { - options = { - host = mkOption { - type = str; - description = '' - The host against which the rustscan will be done. - Needed because we have more than interface on the machine. - ''; - }; - ports = mkOption { - default = { }; - type = attrsOf (listOf int); - description = '' - service -> [port, ... ] - Ports that should be verified as beeing closed. - ''; - }; - }; - }); - }; -} diff --git a/nix/verify/modules/default.nix b/nix/verify/modules/default.nix index a0cffac..a3ccf80 100644 --- a/nix/verify/modules/default.nix +++ b/nix/verify/modules/default.nix 
@@ -2,7 +2,59 @@ with lib; with types; { - # todo add commad option # todo add remote command option - imports = [ ./closed.nix ]; + + options.verify = mkOption { + default = { }; + example = { + public = { + host = "example.com"; + closedPorts = { + arr = [ + 7878 + 8989 + 8686 + ]; + }; + }; + vpn = { + host = "10.1.1.100"; + localCommands.arr = '' + echo "test arr with curl or something"; + ''; + }; + }; + description = '' + Verify that ports the defined ports are closed for a specific interface. + Verification is done by rustscan. + ''; + type = attrsOf (submodule { + options = { + host = mkOption { + type = str; + description = '' + The host against which the rustscan will be done. + Needed because we have more than interface on the machine. + ''; + }; + closedPorts = mkOption { + default = { }; + type = attrsOf (listOf int); + description = '' + service -> [port, ... ] + Ports that should be verified as beeing closed. + ''; + }; + localCommands = mkOption { + default = { }; + type = attrsOf str; + description = '' + service -> command + command to run on local machine to test remote server. + ''; + }; + }; + }); + }; + }
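Review bot: The `description` of the new `options.verify` still reads `Verify that ports the defined ports are closed for a specific interface. Verification is done by rustscan.`, which is ungrammatical and now incomplete because the submodule also carries `localCommands`; suggest `Per-interface verification: closedPorts are checked with rustscan against host, localCommands are bash snippets run from the local machine against the remote server.` (and `beeing` in the `closedPorts` description should be `being`). `host` remains a mandatory `str`, so an interface that only declares `localCommands` must still supply a host that nothing uses, as the `vpn` example does; `nullOr str` with `default = null` would express that, provided `verifyClosedCommands` then rejects a null host when `closedPorts` is non-empty. `localCommands` is typed `attrsOf str` although each value is handed to `writers.writeBash` as a script body; `attrsOf lines` documents that intent and lets several modules contribute to the same service name instead of conflicting.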