From 7e8c3d41c97de5db8018afea263893e48c429df1 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sun, 15 Sep 2024 06:09:53 +0700
Subject: [PATCH] :children_crossing: improve verify flake

---
 flake.nix                       |  3 +-
 machines/orbi/configuration.nix |  4 +--
 nix/verify/default.nix          | 60 ++++++++++++++++-----------------
 nix/verify/modules/closed.nix   |  6 ++--
 4 files changed, 37 insertions(+), 36 deletions(-)

diff --git a/flake.nix b/flake.nix
index dd7a0bf..915899b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -172,7 +172,7 @@
           ++ [
             ./machines/${name}/configuration.nix
             nix-topology.nixosModules.default
-            self.nixosModules.verify
+            #self.nixosModules.verify
           ];
       };
 
@@ -462,6 +462,7 @@
           srvos.nixosModules.hardware-hetzner-online-intel
           #srvos.nixosModules.server
           #srvos.nixosModules.mixins-terminfo
+          self.nixosModules.verify
           {
             home-manager.users.mainUser = import ./homes/palo;
             home-manager.users.root = import ./homes/root;
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index f8aed7a..cf30dfe 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -72,8 +72,8 @@
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "contact@ingolf-wagner.de";
 
-  verify.closed.wg0.domain = "10.100.0.1";
-  verify.closed.public.domain = "orbi.public";
+  verify.closed.wg0.host = "10.100.0.1";
+  verify.closed.public.host = "orbi.public";
 
   # chungus rsync
   users.users.root.openssh.authorizedKeys.keys = [
diff --git a/nix/verify/default.nix b/nix/verify/default.nix
index 4a2f61c..32faed1 100644
--- a/nix/verify/default.nix
+++ b/nix/verify/default.nix
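Review bot: The first flake.nix hunk leaves `#self.nixosModules.verify` as a commented-out entry in the shared module list instead of deleting it, while the second hunk re-adds the module for the single configuration at line 462; the dead line only invites confusion about which machines still import verify. Prefer removing it, or replace it with a comment that states the move, e.g. `# verify is imported per host (see the nixosConfigurations entry below)`. The enclosing nixosConfigurations expression begins and ends outside both hunks.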
@@ -19,44 +19,44 @@
       type = "app";
       program =
         let
-          domain =
-            machine: interface:
-            self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.domain;
-          servicePorts =
-            machine: interface:
-            self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.ports;
-          command = service: interface: domain: ports: ''
-            echo "verify ${interface} ports are closed for ${service}"
-            ${pkgs.rustscan}/bin/rustscan \
-              --ports ${concatStringsSep "," (map toString ports)} \
-              --addresses ${domain} \
-              --greppable
-          '';
-
-          commands =
-            machine: interface:
-            mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
-              servicePorts machine interface
-            );
-
-          # machine -> [ interface, interface, ... ]
-          # todo: make this more robust for machines which don't have this option available
-          machines = mapAttrs (
-            machine: configuration: builtins.attrNames configuration.options.verify.closed.value
+          nixosConfigurationsToVerify = filterAttrs (
+            machine: configuration: builtins.hasAttr "verify" configuration.options
           ) self.nixosConfigurations;
-          machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);
+          verifyClosedCommands =
+            nixosConfiguration:
+            let
-          machineCommand = machine: interfaces: ''
-            echo "${machine}" | ${pkgs.boxes}/bin/boxes -d ansi
-            ${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
+              command = serviceName: interfaceName: host: ports: ''
+                echo "verify ${interfaceName} ports are closed for ${serviceName}"
+                ${pkgs.rustscan}/bin/rustscan \
+                  --ports ${concatStringsSep "," (map toString ports)} \
+                  --addresses ${host} \
+                  --greppable
+              '';
+
+              interfaces = nixosConfiguration.options.verify.closed.value;
+
+              interfaceCommands = mapAttrsToList (
+                interfaceName: interfaceConfiguration:
+                mapAttrsToList (
+                  serviceName: servicePorts:
+                  command serviceName interfaceName interfaceConfiguration.host servicePorts
+                ) interfaceConfiguration.ports
+              ) interfaces;
+
+            in
+            flatten interfaceCommands;
+
+          verify = machineName: nixosConfiguration: ''
+            echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
+            ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
           '';
-          allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
+          allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
         in
-        #pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
         pkgs.writers.writeBashBin "verify" allCommands;
     };
   };
diff --git a/nix/verify/modules/closed.nix b/nix/verify/modules/closed.nix
index 94e6c72..6d3ca15 100644
--- a/nix/verify/modules/closed.nix
+++ b/nix/verify/modules/closed.nix
@@ -6,7 +6,7 @@ with types;
       default = { };
       example = {
         public = {
-          domain = "example.com";
+          host = "example.com";
           ports = {
             arr = [
               7878
@@ -16,7 +16,7 @@ with types;
           };
         };
         work_vpn = {
-          domain = "10.1.1.100";
+          host = "10.1.1.100";
           ports = {
             arr = [
               7878
@@ -32,7 +32,7 @@ with types;
     '';
     type = attrsOf (submodule {
       options = {
-        domain = mkOption {
+        host = mkOption {
           type = str;
           description = ''
             The host against which the rustscan will be done.
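Review bot: The script built in `command` still only prints rustscan's output; nothing in the generated text or the `writeBashBin` wrapper exits non-zero when a port is reported open, so running `verify` cannot actually fail, and the restructuring in this hunk keeps that gap. Consider capturing the result and failing on it, e.g. `out=$(${pkgs.rustscan}/bin/rustscan --ports ... --addresses ${host} --greppable)` followed by `[ -z "$out" ] || { echo "open ports: $out"; exit 1; }` — this assumes greppable mode prints a line only for hosts with open ports, which should be confirmed against the rustscan in pkgs. `${host}`, `${serviceName}`, `${interfaceName}` and `${machineName}` are also spliced into the bash text unquoted; they come from the flake's own module options, but wrapping `host` in `escapeShellArg` (if `lib` is in scope the way `filterAttrs`/`flatten` suggest) keeps a value with unexpected characters from changing the command. The `program` binding's `let` begins and ends inside this hunk.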