From 7ef34db19bd35bf043880e95e49dc2044082bf87 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Fri, 13 Sep 2024 14:32:10 +0700
Subject: [PATCH] :construction: poc of rustscan script generator
---
flake.nix | 2 ++
machines/orbi/configuration.nix | 4 ++++
machines/orbi/media-arr.nix | 6 ++++++
nix/scan/default.nix | 31 +++++++++++++++++++++++++++++++
nix/scan/module.nix | 24 ++++++++++++++++++++++++
5 files changed, 67 insertions(+)
create mode 100644 nix/scan/default.nix
create mode 100644 nix/scan/module.nix
diff --git a/flake.nix b/flake.nix
index 21f98c4..c64a913 100644
--- a/flake.nix
+++ b/flake.nix
@@ -172,6 +172,7 @@
++ [
./machines/${name}/configuration.nix
nix-topology.nixosModules.default
+ self.nixosModules.scan
];
};
@@ -376,6 +377,7 @@
clan-core.flakeModules.default
./nix/formatter.nix
./nix/packages
+ ./nix/scan
./nix/topology
];
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index 65d1863..1e6d728 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -71,6 +71,10 @@
security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de";
+ verify.closed.wg0.domain = "10.100.0.1";
+ verify.closed.public.domain = "orbi.public";
+ verify.closed.public.ports = [ 4317 ];
+
# chungus rsync
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD"
diff --git a/machines/orbi/media-arr.nix b/machines/orbi/media-arr.nix
index ae1a2b4..a9e5f9a 100644
--- a/machines/orbi/media-arr.nix
+++ b/machines/orbi/media-arr.nix
@@ -6,6 +6,12 @@
8686
];
+ verify.closed.public.ports = [
+ 7878
+ 8989
+ 8686
+ ];
+
# download series
services.sonarr = {
enable = true;
diff --git a/nix/scan/default.nix b/nix/scan/default.nix
new file mode 100644
index 0000000..70a76ee
--- /dev/null
+++ b/nix/scan/default.nix
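Review bot: `verify.closed.wg0.domain = "10.100.0.1";` declares a wg0 entry without a matching `wg0.ports`, and `ports` is declared in nix/scan/module.nix with no default, so anything that evaluates `verify.closed.wg0.ports` (for example a scan generator that loops over every entry instead of only `public`) fails at evaluation time. Either add `verify.closed.wg0.ports = [ ];` next to the domain here or give the option `default = [ ];` in the module.nix hunk; the same applies to any future entry that only names a domain. Note also that the value is an address, not a domain, which the option's description in module.nix does not currently allow for.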
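Review bot: The new `verify.closed.public.ports` list repeats 7878, 8989 and 8686, the same values that end the list closed just above it in the context (`8686 ];`), which looks like the firewall allow-list for these services; if so, binding the three ports once in a `let` and using it in both places keeps "what is opened" and "what must look closed from outside" from drifting apart. Also, NixOS merges `listOf int` definitions by concatenation, so this list is appended to the `[ 4317 ]` set in configuration.nix rather than replacing it; that appears intended, but a comment such as `# merged with verify.closed.public.ports from configuration.nix` would make it explicit.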
@@ -0,0 +1,31 @@
+{ self, ... }:
+{
+ imports = [ ];
+
+ flake.nixosModules.scan = {
+ imports = [ ./module.nix ];
+ };
+
+ perSystem =
+ {
+ pkgs,
+ self',
+ lib,
+ ...
+ }:
+ with lib;
+ {
+ apps.scan = {
+ type = "app";
+ program =
+ let
+ ports = machine: self.nixosConfigurations.${machine}.options.verify.closed.value.public.ports;
+ domain = machine: self.nixosConfigurations.${machine}.options.verify.closed.value.public.domain;
+ in
+ pkgs.writers.writeBashBin "scan" ''
+ ${pkgs.rustscan}/bin/rustscan --ports ${concatStringsSep "," (map toString (ports "orbi"))} --addresses ${domain "orbi"} --greppable
+ '';
+ };
+ };
+
+}
diff --git a/nix/scan/module.nix b/nix/scan/module.nix
new file mode 100644
index 0000000..6996a40
--- /dev/null
+++ b/nix/scan/module.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+with lib;
+with types;
+{
+ options.verify.closed = mkOption {
+ default = { };
+ type = attrsOf (submodule {
+ options = {
+ domain = mkOption {
+ type = str;
+ description = ''
+ domain to scan
+ '';
+ };
+ ports = mkOption {
+ type = listOf int;
+ description = ''
+ ports that should be closed
+ '';
+ };
+ };
+ });
+ };
+}
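Review bot: The generated `scan` script hard-codes `"orbi"` and the `public` entry in the rustscan line even though the option is an `attrsOf` submodule and perSystem already has `self.nixosConfigurations` in scope, and it exits with whatever status rustscan returns regardless of whether a port was found open, so `nix run .#scan` cannot be used as a "ports are really closed" gate in a pipeline. I would build the target list from every machine and entry, run one rustscan per target, and exit non-zero when any output is produced; this assumes `--greppable` prints only hosts with open ports, which is my reading of rustscan but worth confirming, and that every entry sets `ports` (or the option gains a `default = [ ];`). The helper `ports`/`domain` read `options.verify.closed.value`; `config.verify.closed` is the conventional accessor for the merged value and reads more clearly. `self'` in the perSystem argument set is unused.

```nix
program =
  let
    # every (machine, entry) pair declared under verify.closed, not only orbi/public
    targets = filter (t: t.ports != [ ]) (concatLists (mapAttrsToList
      (machine: cfg:
        mapAttrsToList (name: entry: { inherit machine name; inherit (entry) domain ports; })
          cfg.config.verify.closed)
      self.nixosConfigurations));
    # greppable output is assumed to be empty when nothing is open — confirm against rustscan
    scanOne = t: ''
      echo "# ${t.machine}/${t.name} (${t.domain})"
      found=$(${pkgs.rustscan}/bin/rustscan --ports ${concatStringsSep "," (map toString t.ports)} --addresses ${t.domain} --greppable)
      if [ -n "$found" ]; then
        echo "$found"
        failed=1
      fi
    '';
  in
  pkgs.writers.writeBashBin "scan" ''
    failed=0
    ${concatMapStrings scanOne targets}
    exit "$failed"
  '';
```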
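Review bot: `type = listOf int;` for `ports` accepts negative and out-of-range values that only fail later as a rustscan argument error; `type = listOf port;` (`types.port` is a u16 in the module system) rejects them at evaluation time with a message that names the option. The `domain` description `domain to scan` does not match how configuration.nix uses it with a bare address, so I would reword it to `host name or IP address passed to rustscan --addresses` and the `ports` description to `ports that must not be reachable on the address above; the scan app fails if any of them is open`. The nested `with lib; with types;` at file scope makes it hard to see where `str`, `int` and `submodule` come from; writing `types.str`, `types.attrsOf (types.submodule …)` and dropping `with types;` costs a few characters and removes the ambiguity.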