🚸 improve verify flake

This commit is contained in:
Ingolf Wagner 2024-09-15 06:09:53 +07:00
parent c264db7f13
commit 7e8c3d41c9
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
4 changed files with 37 additions and 36 deletions


@ -172,7 +172,7 @@
++ [ ++ [
./machines/${name}/configuration.nix ./machines/${name}/configuration.nix
nix-topology.nixosModules.default nix-topology.nixosModules.default
self.nixosModules.verify #self.nixosModules.verify
]; ];
}; };
@ -462,6 +462,7 @@
srvos.nixosModules.hardware-hetzner-online-intel srvos.nixosModules.hardware-hetzner-online-intel
#srvos.nixosModules.server #srvos.nixosModules.server
#srvos.nixosModules.mixins-terminfo #srvos.nixosModules.mixins-terminfo
self.nixosModules.verify
{ {
home-manager.users.mainUser = import ./homes/palo; home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root; home-manager.users.root = import ./homes/root;
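Review bot: Commenting out `self.nixosModules.verify` in the shared module list (first hunk) removes the `verify.closed` option from every machine except the one that now imports it at line 462, so any other machine configuration that still sets `verify.closed.*` (the `verify.closed.wg0.host` lines elsewhere in this commit look like such a setting) will fail evaluation with an undefined-option error unless it is that machine. If the module is meant to be opt-in per machine, delete the commented line rather than leaving it in place; if it is meant to stay available everywhere, keep it in the shared list and let the `hasAttr "verify"` filter in the verify app decide which machines are scanned. Both hunks sit inside larger attribute sets whose start and end are outside this view.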


@ -72,8 +72,8 @@
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de"; security.acme.defaults.email = "contact@ingolf-wagner.de";
verify.closed.wg0.domain = "10.100.0.1"; verify.closed.wg0.host = "10.100.0.1";
verify.closed.public.domain = "orbi.public"; verify.closed.public.host = "orbi.public";
# chungus rsync # chungus rsync
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [


@ -19,44 +19,44 @@
type = "app"; type = "app";
program = program =
let let
domain =
machine: interface:
self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.domain;
servicePorts =
machine: interface:
self.nixosConfigurations.${machine}.options.verify.closed.value.${interface}.ports;
command = service: interface: domain: ports: '' nixosConfigurationsToVerify = filterAttrs (
echo "verify ${interface} ports are closed for ${service}" machine: configuration: builtins.hasAttr "verify" configuration.options
${pkgs.rustscan}/bin/rustscan \
--ports ${concatStringsSep "," (map toString ports)} \
--addresses ${domain} \
--greppable
'';
commands =
machine: interface:
mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
servicePorts machine interface
);
# machine -> [ interface, interface, ... ]
# todo: make this more robust for machines which don't have this option available
machines = mapAttrs (
machine: configuration: builtins.attrNames configuration.options.verify.closed.value
) self.nixosConfigurations; ) self.nixosConfigurations;
machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface); verifyClosedCommands =
nixosConfiguration:
let
machineCommand = machine: interfaces: '' command = serviceName: interfaceName: host: ports: ''
echo "${machine}" | ${pkgs.boxes}/bin/boxes -d ansi echo "verify ${interfaceName} ports are closed for ${serviceName}"
${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)} ${pkgs.rustscan}/bin/rustscan \
--ports ${concatStringsSep "," (map toString ports)} \
--addresses ${host} \
--greppable
'';
interfaces = nixosConfiguration.options.verify.closed.value;
interfaceCommands = mapAttrsToList (
interfaceName: interfaceConfiguration:
mapAttrsToList (
serviceName: servicePorts:
command serviceName interfaceName interfaceConfiguration.host servicePorts
) interfaceConfiguration.ports
) interfaces;
in
flatten interfaceCommands;
verify = machineName: nixosConfiguration: ''
echo "${machineName}" | ${pkgs.boxes}/bin/boxes -d ansi
${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
''; '';
allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines); allCommands = concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
in in
#pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
pkgs.writers.writeBashBin "verify" allCommands; pkgs.writers.writeBashBin "verify" allCommands;
}; };
}; };
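Review bot: The generated script only prints rustscan's output; nothing in `command` (the lines around `--greppable`) turns an open port into a failure, so the `verify` app appears to exit successfully whether or not the ports are actually closed. If rustscan's greppable output is empty when nothing is open, capturing it gives a real check: `open=$(${pkgs.rustscan}/bin/rustscan --ports … --addresses ${host} --greppable)` followed by `[ -z "$open" ] || { echo "open ports on ${interfaceName}: $open"; exit 1; }`. The interpolated `host`, `serviceName` and `interfaceName` are spliced into bash unquoted; wrapping them with `escapeShellArg` (from the same lib that provides `concatStringsSep`) keeps a host or name containing spaces or shell metacharacters from breaking the script. The `hasAttr "verify"` filter on `nixosConfigurationsToVerify` guards only the top-level option; a configuration that defines `verify` without `closed` would still fail at `nixosConfiguration.options.verify.closed.value`. The enclosing app attribute set starts before the hunk.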


@ -6,7 +6,7 @@ with types;
default = { }; default = { };
example = { example = {
public = { public = {
domain = "example.com"; host = "example.com";
ports = { ports = {
arr = [ arr = [
7878 7878
@ -16,7 +16,7 @@ with types;
}; };
}; };
work_vpn = { work_vpn = {
domain = "10.1.1.100"; host = "10.1.1.100";
ports = { ports = {
arr = [ arr = [
7878 7878
@ -32,7 +32,7 @@ with types;
''; '';
type = attrsOf (submodule { type = attrsOf (submodule {
options = { options = {
domain = mkOption { host = mkOption {
type = str; type = str;
description = '' description = ''
The host against which the rustscan will be done. The host against which the rustscan will be done.