🚸 improve verify flake
This commit is contained in:
parent
c264db7f13
commit
7e8c3d41c9
4 changed files with 37 additions and 36 deletions
|
@ -172,7 +172,7 @@
|
||||||
++ [
|
++ [
|
||||||
./machines/${name}/configuration.nix
|
./machines/${name}/configuration.nix
|
||||||
nix-topology.nixosModules.default
|
nix-topology.nixosModules.default
|
||||||
self.nixosModules.verify
|
#self.nixosModules.verify
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
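Review bot: The new side keeps `#self.nixosModules.verify` as a commented-out entry in the shared module list instead of removing it, which leaves dead configuration with no explanation of why it moved. Since the hunk at -462 now imports the module per machine and the verify app selects machines by `builtins.hasAttr "verify" configuration.options`, a machine that does not import it is silently skipped rather than scanned; I would drop the line or replace it with `# verify is imported per machine (see the machine module lists); hosts without it are skipped by the verify app`. The surrounding list belongs to a function whose start is outside the hunk.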
@ -462,6 +462,7 @@
|
||||||
srvos.nixosModules.hardware-hetzner-online-intel
|
srvos.nixosModules.hardware-hetzner-online-intel
|
||||||
#srvos.nixosModules.server
|
#srvos.nixosModules.server
|
||||||
#srvos.nixosModules.mixins-terminfo
|
#srvos.nixosModules.mixins-terminfo
|
||||||
|
self.nixosModules.verify
|
||||||
{
|
{
|
||||||
home-manager.users.mainUser = import ./homes/palo;
|
home-manager.users.mainUser = import ./homes/palo;
|
||||||
home-manager.users.root = import ./homes/root;
|
home-manager.users.root = import ./homes/root;
|
||||||
|
|
|
@ -72,8 +72,8 @@
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.acme.defaults.email = "contact@ingolf-wagner.de";
|
security.acme.defaults.email = "contact@ingolf-wagner.de";
|
||||||
|
|
||||||
verify.closed.wg0.domain = "10.100.0.1";
|
verify.closed.wg0.host = "10.100.0.1";
|
||||||
verify.closed.public.domain = "orbi.public";
|
verify.closed.public.host = "orbi.public";
|
||||||
|
|
||||||
# chungus rsync
|
# chungus rsync
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
|
|
@ -19,44 +19,44 @@
|
||||||
type = "app";
|
type = "app";
|
||||||
program =
|
program =
|
||||||
let
|
let
|
||||||
domain =
|
|
||||||
machine: interface:
|
|
||||||
self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.domain;
|
|
||||||
servicePorts =
|
|
||||||
machine: interface:
|
|
||||||
self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.ports;
|
|
||||||
|
|
||||||
command = service: interface: domain: ports: ''
|
nixosConfigurationsToVerify = filterAttrs (
|
||||||
echo "verify ${interface} ports are closed for ${service}"
|
machine: configuration: builtins.hasAttr "verify" configuration.options
|
||||||
|
) self.nixosConfigurations;
|
||||||
|
|
||||||
|
verifyClosedCommands =
|
||||||
|
nixosConfiguration:
|
||||||
|
let
|
||||||
|
|
||||||
|
command = serviceName: interfaceName: host: ports: ''
|
||||||
|
echo "verify ${interfaceName} ports are closed for ${serviceName}"
|
||||||
${pkgs.rustscan}/bin/rustscan \
|
${pkgs.rustscan}/bin/rustscan \
|
||||||
--ports ${concatStringsSep "," (map toString ports)} \
|
--ports ${concatStringsSep "," (map toString ports)} \
|
||||||
--addresses ${domain} \
|
--addresses ${host} \
|
||||||
--greppable
|
--greppable
|
||||||
'';
|
'';
|
||||||
|
|
||||||
commands =
|
interfaces = nixosConfiguration.options.verify.closed.value;
|
||||||
machine: interface:
|
|
||||||
mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
|
|
||||||
servicePorts machine interface
|
|
||||||
);
|
|
||||||
|
|
||||||
# machine -> [ interface, interface, ... ]
|
interfaceCommands = mapAttrsToList (
|
||||||
# todo: make this more robust for machines which don't have this option available
|
interfaceName: interfaceConfiguration:
|
||||||
machines = mapAttrs (
|
mapAttrsToList (
|
||||||
machine: configuration: builtins.attrNames configuration.options.verify.closed.value
|
serviceName: servicePorts:
|
||||||
) self.nixosConfigurations;
|
command serviceName interfaceName interfaceConfiguration.host servicePorts
|
||||||
|
) interfaceConfiguration.ports
|
||||||
machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);
|
) interfaces;
|
||||||
|
|
||||||
machineCommand = machine: interfaces: ''
|
in
|
||||||
echo "${machine}" | ${pkgs.boxes}/bin/boxes -d ansi
|
flatten interfaceCommands;
|
||||||
${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
|
|
||||||
'';
|
verify = machineName: nixosConfiguration: ''
|
||||||
|
echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
|
||||||
allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
|
${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
|
||||||
|
'';
|
||||||
|
|
||||||
|
allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
|
||||||
|
|
||||||
in
|
in
|
||||||
#pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
|
|
||||||
pkgs.writers.writeBashBin "verify" allCommands;
|
pkgs.writers.writeBashBin "verify" allCommands;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
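Review bot: The rustscan call inside `command` never fails the generated script: its greppable output is printed and the verify app exits 0 whether or not a port is open, so the "verify … ports are closed" check is informational only. Capturing the output and exiting non-zero when it is non-empty turns the app into an actual assertion (this assumes rustscan's greppable mode prints nothing when no scanned port is open — confirm against its docs); `exit 1` stops at the first finding, so a per-machine failure flag evaluated at the end of `allCommands` would let every machine be scanned first. While there, `host` is spliced unquoted into the bash line; `pkgs.lib.escapeShellArg host` keeps a value with shell metacharacters from breaking the command. The `program = let … in` expression is complete within the hunk, but the enclosing app attribute set starts above it.
```nix
command = serviceName: interfaceName: host: ports: ''
  echo "verify ${interfaceName} ports are closed for ${serviceName}"
  open_ports="$(${pkgs.rustscan}/bin/rustscan \
    --ports ${concatStringsSep "," (map toString ports)} \
    --addresses ${pkgs.lib.escapeShellArg host} \
    --greppable)"
  if [ -n "$open_ports" ]; then
    echo "FAILED: ${serviceName} is reachable on ${interfaceName}: $open_ports" >&2
    exit 1
  fi
'';
# … unchanged: interfaces, interfaceCommands, verify, allCommands …
```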
@ -6,7 +6,7 @@ with types;
|
||||||
default = { };
|
default = { };
|
||||||
example = {
|
example = {
|
||||||
public = {
|
public = {
|
||||||
domain = "example.com";
|
host = "example.com";
|
||||||
ports = {
|
ports = {
|
||||||
arr = [
|
arr = [
|
||||||
7878
|
7878
|
||||||
|
@ -16,7 +16,7 @@ with types;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
work_vpn = {
|
work_vpn = {
|
||||||
domain = "10.1.1.100";
|
host = "10.1.1.100";
|
||||||
ports = {
|
ports = {
|
||||||
arr = [
|
arr = [
|
||||||
7878
|
7878
|
||||||
|
@ -32,7 +32,7 @@ with types;
|
||||||
'';
|
'';
|
||||||
type = attrsOf (submodule {
|
type = attrsOf (submodule {
|
||||||
options = {
|
options = {
|
||||||
domain = mkOption {
|
host = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = ''
|
description = ''
|
||||||
The host against which the rustscan will be done.
|
The host against which the rustscan will be done.
|
||||||
|
|