From e43f4514bcfa59c379d7f8a36e4d1b04c2dc7a6a Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Mon, 16 Sep 2024 07:06:03 +0700 Subject: [PATCH] :sparkles: create verify.http options --- machines/chungus/service-paperless.nix | 22 ++---- machines/orbi/media-arr.nix | 28 +++----- machines/orbi/media-nextcloud.nix | 21 ++---- machines/orbi/service-forgejo.nix | 22 ++---- machines/orbi/service-nix-cache.nix | 22 ++---- machines/orbi/service-photoprism.nix | 22 ++---- machines/orbi/service-taskchampion.nix | 22 ++---- nix/verify/default.nix | 1 + nix/verify/modules/http.nix | 96 ++++++++++++++++++++++++++ 9 files changed, 130 insertions(+), 126 deletions(-) create mode 100644 nix/verify/modules/http.nix diff --git a/machines/chungus/service-paperless.nix b/machines/chungus/service-paperless.nix index c1bd450..10d91bc 100644 --- a/machines/chungus/service-paperless.nix +++ b/machines/chungus/service-paperless.nix @@ -30,24 +30,10 @@ }; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ]; - verify.localCommands.paperless = - let - domain = "http://paperless.ingolf-wagner.de/accounts/login/?next=/"; - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - grepString = "paperless.chungus.private"; - in - '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; + verify.http.paperless = { + url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/"; + expectedContent = "paperless.chungus.private"; + }; services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = { serverAliases = [ "paperless.ingolf-wagner.de" ]; 
diff --git a/machines/orbi/media-arr.nix b/machines/orbi/media-arr.nix index 56b2bb6..5c9b73c 100644 --- a/machines/orbi/media-arr.nix +++ b/machines/orbi/media-arr.nix @@ -16,27 +16,17 @@ 8989 8686 ]; - verify.localCommands = - let - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - command = domain: grepString: '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; - in - { - sonarr = command "sonarr.ingolf-wagner.de" "Sonarr"; - radarr = command "radarr.ingolf-wagner.de" "Radarr"; + verify.http = { + sonarr = { + url = "sonarr.ingolf-wagner.de"; + expectedContent = "Sonarr"; }; + radarr = { + url = "radarr.ingolf-wagner.de"; + expectedContent = "Radarr"; + }; + }; # download series services.sonarr = { diff --git a/machines/orbi/media-nextcloud.nix b/machines/orbi/media-nextcloud.nix index e199dbb..bbe56f6 100644 --- a/machines/orbi/media-nextcloud.nix +++ b/machines/orbi/media-nextcloud.nix 
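Review bot: Both `url` values in the new `verify.http` block (`"sonarr.ingolf-wagner.de"`, `"radarr.ingolf-wagner.de"`) carry no scheme, so the transport the check exercises is whatever curl picks by default rather than something the config states; the other migrated checks on this page spell out `http://` or `https://`. Writing the scheme explicitly, e.g. `url = "https://sonarr.ingolf-wagner.de";` if that is the intended endpoint, makes the check pin the transport you actually want verified and stops it silently passing against a different one. The enclosing attribute set of this module starts and ends outside the hunk.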
@@ -35,23 +35,10 @@ in 443 ]; - verify.localCommands.nextcloud = - let - domain = "https://nextcloud.ingolf-wagner.de/login"; - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - in - '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "Login"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; + verify.http.nextcloud = { + url = "https://nextcloud.ingolf-wagner.de/login"; + expectedContent = "Login"; + }; services.nginx = { enable = true; diff --git a/machines/orbi/service-forgejo.nix b/machines/orbi/service-forgejo.nix index 42aae68..e464c8a 100644 --- a/machines/orbi/service-forgejo.nix +++ b/machines/orbi/service-forgejo.nix @@ -6,24 +6,10 @@ }: { - verify.localCommands.forgejo = - let - domain = "https://git.ingolf-wagner.de/explore/repos"; - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - grepString = "palo/nixos-config"; - in - '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; + verify.http.forgejjo = { + url = "https://git.ingolf-wagner.de/explore/repos"; + expectedContent = "palo/nixos-config"; + }; services.nginx = { enable = true; diff --git a/machines/orbi/service-nix-cache.nix b/machines/orbi/service-nix-cache.nix index a2535bc..26337c5 100644 --- a/machines/orbi/service-nix-cache.nix +++ b/machines/orbi/service-nix-cache.nix 
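Review bot: `verify.http.forgejjo` in the service-forgejo.nix hunk misspells the service name, and since the module keys the generated command on the attribute name this surfaces as `http_forgejjo` in the verify output; rename it to `verify.http.forgejo = {`. The old `verify.localCommands.forgejo` key it replaces was spelled correctly, so the typo is new in this commit.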
@@ -33,24 +33,10 @@ }; verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ]; - verify.localCommands.nix-serve = - let - domain = "cache.${config.networking.hostName}.wg0/nix-cache-info"; - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - grepString = "Priority: 50"; - in - '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; + verify.http.nix-serve = { + url = "cache.${config.networking.hostName}.wg0/nix-cache-info"; + expectedContent = "Priority: 50"; + }; services.nginx = { enable = true; diff --git a/machines/orbi/service-photoprism.nix b/machines/orbi/service-photoprism.nix index fd72819..07a4a4e 100644 --- a/machines/orbi/service-photoprism.nix +++ b/machines/orbi/service-photoprism.nix 
@@ -17,24 +17,10 @@ in # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ]; verify.closed.public.ports.photoprism = [ photoprismPort ]; - verify.localCommands.photoprism = - let - domain = "http://10.100.0.1:2342/library/login"; - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - grepString = "AI-Powered Photos App"; - in - '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; + verify.http.photoprism = { + url = "http://10.100.0.1:2342/library/login"; + expectedContent = "AI-Powered Photos App"; + }; containers.photoprism = { privateNetwork = false; diff --git a/machines/orbi/service-taskchampion.nix b/machines/orbi/service-taskchampion.nix index bff8e10..b99b358 100644 --- a/machines/orbi/service-taskchampion.nix +++ b/machines/orbi/service-taskchampion.nix 
@@ -8,24 +8,10 @@ { verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ]; - verify.localCommands.taskchampion = - let - domain = "http://orbi.private:10222"; - curl = lib.getExe pkgs.curl; - grep = lib.getExe pkgs.gnugrep; - grepString = "TaskChampion sync server"; - in - '' - if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then - if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then - echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." - else - echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." - fi - else - echo "[Fail] Die Seite hat keinen Statuscode 200." - fi - ''; + verify.http.taskchampion = { + url = "http://orbi.private:10222"; + expectedContent = "TaskChampion sync server"; + }; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.taskchampion-sync-server.port diff --git a/nix/verify/default.nix b/nix/verify/default.nix index 156d415..bd78aa0 100644 --- a/nix/verify/default.nix +++ b/nix/verify/default.nix @@ -5,6 +5,7 @@ flake.nixosModules.verify = { imports = [ ./modules/closedPorts.nix + ./modules/http.nix ./modules/localCommands.nix ]; }; diff --git a/nix/verify/modules/http.nix b/nix/verify/modules/http.nix new file mode 100644 index 0000000..37d8a0c --- /dev/null +++ b/nix/verify/modules/http.nix 
@@ -0,0 +1,96 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with types;
+{
+  options.verify.http = mkOption {
+    default = { };
+    description = ''
+      Verify that ports the defined ports are closed for a specific interface.
+      Verification is done by rustscan.
+    '';
+    type = attrsOf (submodule {
+      options = {
+        url = mkOption {
+          type = str;
+          description = ''
+            URL to analyze.
+          '';
+        };
+        responseCode = mkOption {
+          type = int;
+          default = 200;
+          description = ''
+            expected response code
+          '';
+        };
+        expectedContent = mkOption {
+          type = nullOr str;
+          description = ''
+            expected string in the response
+          '';
+        };
+      };
+    });
+  };
+
+  config = {
+
+    verify.localCommands =
+      let
+        curl = lib.getExe pkgs.curl;
+        grep = lib.getExe pkgs.gnugrep;
+        scriptWithExpectedContent = url: responseCode: expectedContent: ''
+          if ${curl} -s -o /dev/null -w "%{http_code}" ${url} | ${grep} -q "${toString responseCode}"; then
+            if ${curl} -s ${url} | ${grep} -q "${expectedContent}"; then
+              echo -n ""
+              #echo " [ OK ] Die Seite hat Statuscode ${toString responseCode} und enthält den String '${expectedContent}'."
+            else
+              echo " [Fail] Der Statuscode ist 200, aber die Seite enthält den String '${expectedContent}' nicht."
+            fi
+          else
+            echo " [Fail] Die Seite hat keinen Statuscode ${toString responseCode}."
+          fi
+        '';
+
+        scriptWithoutExpectedContent = url: responseCode: ''
+          if ${curl} -s -o /dev/null -w "%{http_code}" ${url} | ${grep} -q "${toString responseCode}"; then
+            echo -n ""
+            #echo " [ OK ] Die Seite hat Statuscode ${toString responseCode}."
+          else
+            echo " [Fail] Die Seite hat keinen Statuscode ${toString responseCode}."
+          fi
+        '';
+        script =
+          url: responeCode: expectedContent:
+          if (expectedContent == null) then
+            scriptWithExpectedContent url responeCode expectedContent
+          else
+            scriptWithoutExpectedContent url responeCode;
+
+      in
+      mapAttrs' (
+        service:
+        {
+          url,
+          responseCode,
+          expectedContent,
+        }:
+        nameValuePair ("http_" + service) (script url responseCode expectedContent)
+
+      ) config.verify.http;
+
+    # verify.localCommands.taskchampion =
+    #   let
+    #     domain = "http://orbi.private:10222";
+    #     grepString = "TaskChampion sync server";
+    #   in
+    #
+
+  };
+
+}
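Review bot: The `script` selector is inverted — `if (expectedContent == null) then scriptWithExpectedContent …` sends every call site that sets `expectedContent` through `scriptWithoutExpectedContent`, so none of the seven checks migrated in this commit grep the response body any more, while the null branch would fail at evaluation time interpolating `${expectedContent}`; swap the two branches and, for the null case to be reachable at all, give `expectedContent` a `default = null;` (without it the destructuring in `mapAttrs'` errors on any entry that omits the option). While there, compare the `%{http_code}` output exactly instead of `grep -q "200"` over it, quote `"${url}"` in the shell (the paperless URL contains `?`), grep the content with `-F` so it is matched literally rather than as a regex, and consider a `--max-time` on both curl calls so one hung service cannot stall the whole verify run. The option description is copied from the closedPorts module (`rustscan`, closed ports) and should describe this module, e.g. `Verify that an HTTP(S) URL answers with the expected status code and, optionally, contains a given string.`, and the hard-coded `ist 200` in the mismatch message should use `${toString responseCode}`.
```nix
        scriptWithExpectedContent = url: responseCode: expectedContent: ''
          code=$(${curl} -s -o /dev/null --max-time 30 -w "%{http_code}" "${url}")
          if [ "$code" = "${toString responseCode}" ]; then
            if ${curl} -s --max-time 30 "${url}" | ${grep} -qF -- "${expectedContent}"; then
              echo -n ""
            else
              echo " [Fail] Der Statuscode ist ${toString responseCode}, aber die Seite enthält den String '${expectedContent}' nicht."
            fi
          else
            echo " [Fail] Die Seite hat keinen Statuscode ${toString responseCode} (got $code)."
          fi
        '';
        # … unchanged: scriptWithoutExpectedContent (apply the same exact status compare and quoting) …
        script =
          url: responseCode: expectedContent:
          if expectedContent == null then
            scriptWithoutExpectedContent url responseCode
          else
            scriptWithExpectedContent url responseCode expectedContent;
```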