✨ add local command to verify

machines/orbi/configuration.nix

@@ -67,13 +67,13 @@
   components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
   networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
-  verify.closed.public.ports.opentelemetry = [ 4317 ];
+  verify.public.closedPorts.opentelemetry = [ 4317 ];
 
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "contact@ingolf-wagner.de";
 
-  verify.closed.wg0.host = "10.100.0.1";
+  verify.wg0.host = "10.100.0.1";
-  verify.closed.public.host = "orbi.public";
+  verify.public.host = "orbi.public";
 
   # chungus rsync
   users.users.root.openssh.authorizedKeys.keys = [

machines/orbi/media-arr.nix

@@ -6,7 +6,7 @@
     8686
   ];
 
-  verify.closed.public.ports.arr = [
+  verify.public.closedPorts.arr = [
     7878
     8989
     8686

machines/orbi/media-nextcloud.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  lib,
   config,
   factsGenerator,
   components,
@@ -34,6 +35,24 @@ in
     443
   ];
 
+  verify.public.localCommands.nextcloud =
+    let
+      domain = "https://nextcloud.ingolf-wagner.de/login";
+      curl = lib.getExe pkgs.curl;
+      grep = lib.getExe pkgs.gnugrep;
+    in
+    ''
+      if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
+        if ${curl} -s ${domain} | ${grep} -q "Login"; then
+          echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'."
+        else
+          echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht."
+        fi
+      else
+        echo "[Fail] Die Seite hat keinen Statuscode 200."
+      fi
+    '';
+
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;

machines/orbi/media-transmission2.nix

@@ -130,7 +130,7 @@ in
     allowedUDPPorts = [ 51413 ];
   };
 
-  verify.closed.public.ports.transmission2 = [ uiPort ];
+  verify.public.closedPorts.transmission2 = [ uiPort ];
 
   # host nginx setup
   # ----------------

machines/orbi/service-nix-cache.nix

@@ -32,7 +32,7 @@
     port = 5005;
   };
 
-  verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ];
+  verify.public.closedPorts.nix-serve = [ config.services.nix-serve.port ];
 
   services.nginx = {
     enable = true;

machines/orbi/service-photoprism.nix

@@ -16,7 +16,7 @@ in
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
   # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
 
-  verify.closed.public.ports.photoprism = [ photoprismPort ];
+  verify.public.closedPorts.photoprism = [ photoprismPort ];
 
   containers.photoprism = {
     privateNetwork = false;

machines/orbi/service-surrealdb.nix

@@ -14,7 +14,7 @@ in
 {
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ];
-  verify.closed.public.ports.surrealdb = [ surrealdbPort ];
+  verify.public.closedPorts.surrealdb = [ surrealdbPort ];
 
   containers.surrealdb = {
     privateNetwork = false;

machines/orbi/service-taskchampion.nix

@@ -7,7 +7,7 @@
 }:
 {
 
-  verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
+  verify.public.closedPorts.taskchampion = [ config.services.taskchampion-sync-server.port ];
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
     config.services.taskchampion-sync-server.port

machines/orbi/service-taskwarrior.nix

@@ -48,7 +48,7 @@ in
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ];
   networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ];
 
-  verify.closed.public.ports.taskserver-webui = [ uiPort ];
+  verify.public.closedPorts.taskserver-webui = [ uiPort ];
 
   # host nginx setup
   # ----------------

machines/orbi/service-vikunja.nix

@@ -13,7 +13,7 @@ in
 {
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ];
-  verify.closed.public.ports.vikunja = [ vikunjaPort ];
+  verify.public.closedPorts.vikunja = [ vikunjaPort ];
 
   containers.vikunja = {
     privateNetwork = false;

nix/verify/default.nix

@@ -24,6 +24,30 @@
               machine: configuration: builtins.hasAttr "verify" configuration.options
             ) self.nixosConfigurations;
 
+            verifyLocalCommands =
+              nixosConfiguration:
+              let
+
+                interfaces = nixosConfiguration.options.verify.value;
+
+                interfaceCommands = mapAttrsToList (
+                  interfaceName: interfaceConfiguration:
+                  mapAttrsToList (
+                    serviceName: serviceCommand:
+                    let
+                      # todo handle exit code and stderr and such properly
+                      script = pkgs.writers.writeBash "${interfaceName}-${serviceName}" serviceCommand;
+                    in
+                    ''
+                      echo "verify ${interfaceName} service ${serviceName} (local command)"
+                      ${script}
+                    ''
+                  ) interfaceConfiguration.localCommands
+                ) interfaces;
+
+              in
+              flatten interfaceCommands;
+
             verifyClosedCommands =
               nixosConfiguration:
               let
@@ -36,14 +60,14 @@
                       --greppable
                 '';
 
-                interfaces = nixosConfiguration.options.verify.closed.value;
+                interfaces = nixosConfiguration.options.verify.value;
 
                 interfaceCommands = mapAttrsToList (
                   interfaceName: interfaceConfiguration:
                   mapAttrsToList (
                     serviceName: servicePorts:
                     command serviceName interfaceName interfaceConfiguration.host servicePorts
-                  ) interfaceConfiguration.ports
+                  ) interfaceConfiguration.closedPorts
                 ) interfaces;
 
               in
@@ -52,6 +76,7 @@
             verify = machineName: nixosConfiguration: ''
               echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
               ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
+              ${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)}
             '';
 
             allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);

nix/verify/modules/closed.nix

@@ -1,53 +0,0 @@
-{ lib, ... }:
-with lib;
-with types;
-{
-  options.verify.closed = mkOption {
-    default = { };
-    example = {
-      public = {
-        host = "example.com";
-        ports = {
-          arr = [
-            7878
-            8989
-            8686
-          ];
-        };
-      };
-      work_vpn = {
-        host = "10.1.1.100";
-        ports = {
-          arr = [
-            7878
-            8989
-            8686
-          ];
-        };
-      };
-    };
-    description = ''
-      Verify that ports the defined ports are closed for a specific interface.
-      Verification is done by rustscan.
-    '';
-    type = attrsOf (submodule {
-      options = {
-        host = mkOption {
-          type = str;
-          description = ''
-            The host against which the rustscan will be done.
-            Needed because we have more than interface on the machine.
-          '';
-        };
-        ports = mkOption {
-          default = { };
-          type = attrsOf (listOf int);
-          description = ''
-            service -> [port, ... ]
-            Ports that should be verified as beeing closed.
-          '';
-        };
-      };
-    });
-  };
-}

nix/verify/modules/default.nix

@@ -2,7 +2,59 @@
 with lib;
 with types;
 {
-  # todo add commad option
   # todo add remote command option
-  imports = [ ./closed.nix ];
+
+  options.verify = mkOption {
+    default = { };
+    example = {
+      public = {
+        host = "example.com";
+        closedPorts = {
+          arr = [
+            7878
+            8989
+            8686
+          ];
+        };
+      };
+      vpn = {
+        host = "10.1.1.100";
+        localCommands.arr = ''
+          echo "test arr with curl or something";
+        '';
+      };
+    };
+    description = ''
+      Verify that ports the defined ports are closed for a specific interface.
+      Verification is done by rustscan.
+    '';
+    type = attrsOf (submodule {
+      options = {
+        host = mkOption {
+          type = str;
+          description = ''
+            The host against which the rustscan will be done.
+            Needed because we have more than interface on the machine.
+          '';
+        };
+        closedPorts = mkOption {
+          default = { };
+          type = attrsOf (listOf int);
+          description = ''
+            service -> [port, ... ]
+            Ports that should be verified as beeing closed.
+          '';
+        };
+        localCommands = mkOption {
+          default = { };
+          type = attrsOf str;
+          description = ''
+            service -> command
+            command to run on local machine to test remote server.
+          '';
+        };
+      };
+    });
+  };
+
 }