🚸 improve verify flake

2024-09-15 06:09:53 +07:00 · 2024-09-15 06:09:53 +07:00 · 7e8c3d41c9
parent c264db7f13
commit 7e8c3d41c9
4 changed files with 37 additions and 36 deletions
--- a/flake.nix
+++ b/flake.nix
@ -172,7 +172,7 @@
            ++ [
              ./machines/${name}/configuration.nix
              nix-topology.nixosModules.default
-              self.nixosModules.verify
+              #self.nixosModules.verify
            ];
        };

@ -462,6 +462,7 @@
                srvos.nixosModules.hardware-hetzner-online-intel
                #srvos.nixosModules.server
                #srvos.nixosModules.mixins-terminfo
+                self.nixosModules.verify
                {
                  home-manager.users.mainUser = import ./homes/palo;
                  home-manager.users.root = import ./homes/root;
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@ -72,8 +72,8 @@
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "contact@ingolf-wagner.de";

-  verify.closed.wg0.domain = "10.100.0.1";
-  verify.closed.public.domain = "orbi.public";
+  verify.closed.wg0.host = "10.100.0.1";
+  verify.closed.public.host = "orbi.public";

  # chungus rsync
  users.users.root.openssh.authorizedKeys.keys = [
--- a/nix/verify/default.nix
+++ b/nix/verify/default.nix
@ -19,44 +19,44 @@
        type = "app";
        program =
          let
-            domain =
-              machine: interface:
-              self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.domain;
-            servicePorts =
-              machine: interface:
-              self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.ports;

-            command = service: interface: domain: ports: ''
-              echo "verify ${interface} ports are closed for ${service}"
-              ${pkgs.rustscan}/bin/rustscan \
-                  --ports ${concatStringsSep "," (map toString ports)} \
-                  --addresses ${domain} \
-                  --greppable
-            '';
-
-            commands =
-              machine: interface:
-              mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
-                servicePorts machine interface
-              );
-
-            # machine -> [ interface, interface, ... ]
-            # todo: make this more robust for machines which don't have this option available
-            machines = mapAttrs (
-              machine: configuration: builtins.attrNames configuration.options.verify.closed.value
+            nixosConfigurationsToVerify = filterAttrs (
+              machine: configuration: builtins.hasAttr "verify" configuration.options
            ) self.nixosConfigurations;

-            machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);
+            verifyClosedCommands =
+              nixosConfiguration:
+              let

-            machineCommand = machine: interfaces: ''
-              echo "${machine}" | ${pkgs.boxes}/bin/boxes -d ansi
-              ${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
+                command = serviceName: interfaceName: host: ports: ''
+                  echo "verify ${interfaceName} ports are closed for ${serviceName}"
+                  ${pkgs.rustscan}/bin/rustscan \
+                      --ports ${concatStringsSep "," (map toString ports)} \
+                      --addresses ${host} \
+                      --greppable
+                '';
+
+                interfaces = nixosConfiguration.options.verify.closed.value;
+
+                interfaceCommands = mapAttrsToList (
+                  interfaceName: interfaceConfiguration:
+                  mapAttrsToList (
+                    serviceName: servicePorts:
+                    command serviceName interfaceName interfaceConfiguration.host servicePorts
+                  ) interfaceConfiguration.ports
+                ) interfaces;
+
+              in
+              flatten interfaceCommands;
+
+            verify = machineName: nixosConfiguration: ''
+              echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
+              ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
            '';

-            allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
+            allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);

          in
-          #pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
          pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
--- a/nix/verify/modules/closed.nix
+++ b/nix/verify/modules/closed.nix
@ -6,7 +6,7 @@ with types;
    default = { };
    example = {
      public = {
-        domain = "example.com";
+        host = "example.com";
        ports = {
          arr = [
            7878
@ -16,7 +16,7 @@ with types;
        };
      };
      work_vpn = {
-        domain = "10.1.1.100";
+        host = "10.1.1.100";
        ports = {
          arr = [
            7878
@ -32,7 +32,7 @@ with types;
    '';
    type = attrsOf (submodule {
      options = {
-        domain = mkOption {
+        host = mkOption {
          type = str;
          description = ''
            The host against which the rustscan will be done.