✨ add local command to verify
This commit is contained in:
parent
7e8c3d41c9
commit
774b26b798
|
@ -67,13 +67,13 @@
|
||||||
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
|
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
|
||||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
|
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
|
||||||
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
|
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
|
||||||
verify.closed.public.ports.opentelemetry = [ 4317 ];
|
verify.public.closedPorts.opentelemetry = [ 4317 ];
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.acme.defaults.email = "contact@ingolf-wagner.de";
|
security.acme.defaults.email = "contact@ingolf-wagner.de";
|
||||||
|
|
||||||
verify.closed.wg0.host = "10.100.0.1";
|
verify.wg0.host = "10.100.0.1";
|
||||||
verify.closed.public.host = "orbi.public";
|
verify.public.host = "orbi.public";
|
||||||
|
|
||||||
# chungus rsync
|
# chungus rsync
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
8686
|
8686
|
||||||
];
|
];
|
||||||
|
|
||||||
verify.closed.public.ports.arr = [
|
verify.public.closedPorts.arr = [
|
||||||
7878
|
7878
|
||||||
8989
|
8989
|
||||||
8686
|
8686
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
|
lib,
|
||||||
config,
|
config,
|
||||||
factsGenerator,
|
factsGenerator,
|
||||||
components,
|
components,
|
||||||
|
@ -34,6 +35,24 @@ in
|
||||||
443
|
443
|
||||||
];
|
];
|
||||||
|
|
||||||
|
verify.public.localCommands.nextcloud =
|
||||||
|
let
|
||||||
|
domain = "https://nextcloud.ingolf-wagner.de/login";
|
||||||
|
curl = lib.getExe pkgs.curl;
|
||||||
|
grep = lib.getExe pkgs.gnugrep;
|
||||||
|
in
|
||||||
|
''
|
||||||
|
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
|
||||||
|
if ${curl} -s ${domain} | ${grep} -q "Login"; then
|
||||||
|
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'."
|
||||||
|
else
|
||||||
|
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "[Fail] Die Seite hat keinen Statuscode 200."
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
|
|
|
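Review bot: The new `verify.public.localCommands.nextcloud` script never exits non-zero: both `[Fail]` branches only `echo`, so the runner that executes these local commands cannot distinguish a failed check from a passing one by exit status. Both `curl` invocations also run without a timeout, so an unreachable or stalled endpoint blocks the whole verify run, and the page is fetched twice (once for the status code, once for the body) even though a single request yields both. Below is a rewrite that fetches once with a bounded `--max-time`, keeps the existing German messages, and exits 1 on either failure; it assumes `mktemp` (coreutils) is on the runner's PATH, which is not visible in this hunk. The messages could also be aligned with the English `verify … (local command)` banner the framework prints, but that is cosmetic.
```nix
verify.public.localCommands.nextcloud =
  let
    domain = "https://nextcloud.ingolf-wagner.de/login";
    curl = lib.getExe pkgs.curl;
    grep = lib.getExe pkgs.gnugrep;
  in
  ''
    # one bounded request: body to a temp file, HTTP status on stdout
    body=$(mktemp)
    trap 'rm -f "$body"' EXIT
    status=$(${curl} -s --max-time 10 -o "$body" -w "%{http_code}" ${domain})
    if [ "$status" != "200" ]; then
      echo "[Fail] Die Seite hat keinen Statuscode 200."
      exit 1
    fi
    if ! ${grep} -q "Login" "$body"; then
      echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht."
      exit 1
    fi
    echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'."
  '';
```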
@ -130,7 +130,7 @@ in
|
||||||
allowedUDPPorts = [ 51413 ];
|
allowedUDPPorts = [ 51413 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
verify.closed.public.ports.transmission2 = [ uiPort ];
|
verify.public.closedPorts.transmission2 = [ uiPort ];
|
||||||
|
|
||||||
# host nginx setup
|
# host nginx setup
|
||||||
# ----------------
|
# ----------------
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
port = 5005;
|
port = 5005;
|
||||||
};
|
};
|
||||||
|
|
||||||
verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ];
|
verify.public.closedPorts.nix-serve = [ config.services.nix-serve.port ];
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -16,7 +16,7 @@ in
|
||||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
|
networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
|
||||||
# networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
|
# networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
|
||||||
|
|
||||||
verify.closed.public.ports.photoprism = [ photoprismPort ];
|
verify.public.closedPorts.photoprism = [ photoprismPort ];
|
||||||
|
|
||||||
containers.photoprism = {
|
containers.photoprism = {
|
||||||
privateNetwork = false;
|
privateNetwork = false;
|
||||||
|
|
|
@ -14,7 +14,7 @@ in
|
||||||
{
|
{
|
||||||
|
|
||||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ];
|
networking.firewall.interfaces.wg0.allowedTCPPorts = [ surrealdbPort ];
|
||||||
verify.closed.public.ports.surrealdb = [ surrealdbPort ];
|
verify.public.closedPorts.surrealdb = [ surrealdbPort ];
|
||||||
|
|
||||||
containers.surrealdb = {
|
containers.surrealdb = {
|
||||||
privateNetwork = false;
|
privateNetwork = false;
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
|
|
||||||
verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
|
verify.public.closedPorts.taskchampion = [ config.services.taskchampion-sync-server.port ];
|
||||||
|
|
||||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [
|
networking.firewall.interfaces.wg0.allowedTCPPorts = [
|
||||||
config.services.taskchampion-sync-server.port
|
config.services.taskchampion-sync-server.port
|
||||||
|
|
|
@ -48,7 +48,7 @@ in
|
||||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ];
|
networking.firewall.interfaces.wg0.allowedTCPPorts = [ uiPort ];
|
||||||
networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ];
|
networking.firewall.interfaces.wg0.allowedUDPPorts = [ uiPort ];
|
||||||
|
|
||||||
verify.closed.public.ports.taskserver-webui = [ uiPort ];
|
verify.public.closedPorts.taskserver-webui = [ uiPort ];
|
||||||
|
|
||||||
# host nginx setup
|
# host nginx setup
|
||||||
# ----------------
|
# ----------------
|
||||||
|
|
|
@ -13,7 +13,7 @@ in
|
||||||
{
|
{
|
||||||
|
|
||||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ];
|
networking.firewall.interfaces.wg0.allowedTCPPorts = [ vikunjaPort ];
|
||||||
verify.closed.public.ports.vikunja = [ vikunjaPort ];
|
verify.public.closedPorts.vikunja = [ vikunjaPort ];
|
||||||
|
|
||||||
containers.vikunja = {
|
containers.vikunja = {
|
||||||
privateNetwork = false;
|
privateNetwork = false;
|
||||||
|
|
|
@ -24,6 +24,30 @@
|
||||||
machine: configuration: builtins.hasAttr "verify" configuration.options
|
machine: configuration: builtins.hasAttr "verify" configuration.options
|
||||||
) self.nixosConfigurations;
|
) self.nixosConfigurations;
|
||||||
|
|
||||||
|
verifyLocalCommands =
|
||||||
|
nixosConfiguration:
|
||||||
|
let
|
||||||
|
|
||||||
|
interfaces = nixosConfiguration.options.verify.value;
|
||||||
|
|
||||||
|
interfaceCommands = mapAttrsToList (
|
||||||
|
interfaceName: interfaceConfiguration:
|
||||||
|
mapAttrsToList (
|
||||||
|
serviceName: serviceCommand:
|
||||||
|
let
|
||||||
|
# todo handle exit code and stderr and such properly
|
||||||
|
script = pkgs.writers.writeBash "${interfaceName}-${serviceName}" serviceCommand;
|
||||||
|
in
|
||||||
|
''
|
||||||
|
echo "verify ${interfaceName} service ${serviceName} (local command)"
|
||||||
|
${script}
|
||||||
|
''
|
||||||
|
) interfaceConfiguration.localCommands
|
||||||
|
) interfaces;
|
||||||
|
|
||||||
|
in
|
||||||
|
flatten interfaceCommands;
|
||||||
|
|
||||||
verifyClosedCommands =
|
verifyClosedCommands =
|
||||||
nixosConfiguration:
|
nixosConfiguration:
|
||||||
let
|
let
|
||||||
|
@ -36,14 +60,14 @@
|
||||||
--greppable
|
--greppable
|
||||||
'';
|
'';
|
||||||
|
|
||||||
interfaces = nixosConfiguration.options.verify.closed.value;
|
interfaces = nixosConfiguration.options.verify.value;
|
||||||
|
|
||||||
interfaceCommands = mapAttrsToList (
|
interfaceCommands = mapAttrsToList (
|
||||||
interfaceName: interfaceConfiguration:
|
interfaceName: interfaceConfiguration:
|
||||||
mapAttrsToList (
|
mapAttrsToList (
|
||||||
serviceName: servicePorts:
|
serviceName: servicePorts:
|
||||||
command serviceName interfaceName interfaceConfiguration.host servicePorts
|
command serviceName interfaceName interfaceConfiguration.host servicePorts
|
||||||
) interfaceConfiguration.ports
|
) interfaceConfiguration.closedPorts
|
||||||
) interfaces;
|
) interfaces;
|
||||||
|
|
||||||
in
|
in
|
||||||
|
@ -52,6 +76,7 @@
|
||||||
verify = machineName: nixosConfiguration: ''
|
verify = machineName: nixosConfiguration: ''
|
||||||
echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
|
echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
|
||||||
${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
|
${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
|
||||||
|
${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
|
allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
|
||||||
|
|
|
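Review bot: In `verifyLocalCommands` the generated snippet invokes `${script}` bare, so a local command that exits non-zero is indistinguishable from one that passed unless the enclosing shell (not visible in this hunk) runs with errexit; the `# todo handle exit code and stderr and such properly` comment acknowledges this, but the minimal fix is one line: `${script} || echo "[Fail] ${interfaceName} service ${serviceName} exited with $?"`. The same `echo …` banner/`${script}` pattern is the only place the result surfaces, so without this the `[Fail]` lines a command prints are the only signal. A smaller point: `pkgs.writers.writeBash "${interfaceName}-${serviceName}"` uses attribute names as a store-path name, so interface or service names containing characters outside the store-name alphabet would presumably fail at evaluation — worth a comment such as `# attribute names become the store-path name; keep them to [a-zA-Z0-9+._?=-]` if that holds. The surrounding `let` for `verifyLocalCommands` begins and the enclosing flake body ends outside this hunk.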
@ -1,53 +0,0 @@
|
||||||
{ lib, ... }:
|
|
||||||
with lib;
|
|
||||||
with types;
|
|
||||||
{
|
|
||||||
options.verify.closed = mkOption {
|
|
||||||
default = { };
|
|
||||||
example = {
|
|
||||||
public = {
|
|
||||||
host = "example.com";
|
|
||||||
ports = {
|
|
||||||
arr = [
|
|
||||||
7878
|
|
||||||
8989
|
|
||||||
8686
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
work_vpn = {
|
|
||||||
host = "10.1.1.100";
|
|
||||||
ports = {
|
|
||||||
arr = [
|
|
||||||
7878
|
|
||||||
8989
|
|
||||||
8686
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
description = ''
|
|
||||||
Verify that ports the defined ports are closed for a specific interface.
|
|
||||||
Verification is done by rustscan.
|
|
||||||
'';
|
|
||||||
type = attrsOf (submodule {
|
|
||||||
options = {
|
|
||||||
host = mkOption {
|
|
||||||
type = str;
|
|
||||||
description = ''
|
|
||||||
The host against which the rustscan will be done.
|
|
||||||
Needed because we have more than interface on the machine.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
ports = mkOption {
|
|
||||||
default = { };
|
|
||||||
type = attrsOf (listOf int);
|
|
||||||
description = ''
|
|
||||||
service -> [port, ... ]
|
|
||||||
Ports that should be verified as beeing closed.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -2,7 +2,59 @@
|
||||||
with lib;
|
with lib;
|
||||||
with types;
|
with types;
|
||||||
{
|
{
|
||||||
# todo add commad option
|
|
||||||
# todo add remote command option
|
# todo add remote command option
|
||||||
imports = [ ./closed.nix ];
|
|
||||||
|
options.verify = mkOption {
|
||||||
|
default = { };
|
||||||
|
example = {
|
||||||
|
public = {
|
||||||
|
host = "example.com";
|
||||||
|
closedPorts = {
|
||||||
|
arr = [
|
||||||
|
7878
|
||||||
|
8989
|
||||||
|
8686
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
vpn = {
|
||||||
|
host = "10.1.1.100";
|
||||||
|
localCommands.arr = ''
|
||||||
|
echo "test arr with curl or something";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
description = ''
|
||||||
|
Verify that ports the defined ports are closed for a specific interface.
|
||||||
|
Verification is done by rustscan.
|
||||||
|
'';
|
||||||
|
type = attrsOf (submodule {
|
||||||
|
options = {
|
||||||
|
host = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = ''
|
||||||
|
The host against which the rustscan will be done.
|
||||||
|
Needed because we have more than interface on the machine.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
closedPorts = mkOption {
|
||||||
|
default = { };
|
||||||
|
type = attrsOf (listOf int);
|
||||||
|
description = ''
|
||||||
|
service -> [port, ... ]
|
||||||
|
Ports that should be verified as beeing closed.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
localCommands = mkOption {
|
||||||
|
default = { };
|
||||||
|
type = attrsOf str;
|
||||||
|
description = ''
|
||||||
|
service -> command
|
||||||
|
command to run on local machine to test remote server.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
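Review bot: The `description` of the consolidated `options.verify` still reads `Verify that ports the defined ports are closed for a specific interface. Verification is done by rustscan.`, which no longer describes an option that also carries `localCommands`; it should say something like `Per-interface verification of a machine: closedPorts are probed with rustscan against host, localCommands are bash scripts executed on the machine running the verify command.` (this also drops the duplicated "ports"). The `localCommands` description `command to run on local machine to test remote server.` should state the execution contract the flake gives it — each value is written out with `writeBash` and run as a bash script, so authors know `set -e`/quoting/exit-code conventions apply — and `type = attrsOf str` would read more clearly as `type = attrsOf lines;` if the file's `with types;` provides it. Minor: `beeing` in the `closedPorts` description is a typo carried over from the deleted closed.nix, and the `# todo add remote command option` comment now sits directly above the option it refers to and could name the intended key.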