create verify.http options

Ingolf Wagner 2024-09-16 07:06:03 +07:00
parent c584bb39ce
commit e43f4514bc
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
9 changed files with 130 additions and 126 deletions


@ -30,24 +30,10 @@
}; };
networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ];
verify.localCommands.paperless = verify.http.paperless = {
let url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
domain = "http://paperless.ingolf-wagner.de/accounts/login/?next=/"; expectedContent = "paperless.chungus.private";
curl = lib.getExe pkgs.curl; };
grep = lib.getExe pkgs.gnugrep;
grepString = "paperless.chungus.private";
in
''
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'."
else
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht."
fi
else
echo "[Fail] Die Seite hat keinen Statuscode 200."
fi
'';
services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = { services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {
serverAliases = [ "paperless.ingolf-wagner.de" ]; serverAliases = [ "paperless.ingolf-wagner.de" ];


@ -16,26 +16,16 @@
8989 8989
8686 8686
]; ];
verify.localCommands =
let
curl = lib.getExe pkgs.curl;
grep = lib.getExe pkgs.gnugrep;
command = domain: grepString: '' verify.http = {
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then sonarr = {
if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then url = "sonarr.ingolf-wagner.de";
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'." expectedContent = "Sonarr";
else };
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht." radarr = {
fi url = "radarr.ingolf-wagner.de";
else expectedContent = "Radarr";
echo "[Fail] Die Seite hat keinen Statuscode 200." };
fi
'';
in
{
sonarr = command "sonarr.ingolf-wagner.de" "Sonarr";
radarr = command "radarr.ingolf-wagner.de" "Radarr";
}; };
# download series # download series
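Review bot: The `url` values for `sonarr` and `radarr` (and `verify.http.nix-serve` further down) carry no scheme, so curl falls back to plain HTTP for them. The generated script shown in this commit calls curl without following redirects, so if these virtual hosts redirect to HTTPS the check would presumably report a non-200 status rather than test the real endpoint. Writing the scheme explicitly, e.g. `url = "https://sonarr.ingolf-wagner.de";` or `http://` if that is what is meant, makes it clear which transport is being verified.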


@ -35,23 +35,10 @@ in
443 443
]; ];
verify.localCommands.nextcloud = verify.http.nextcloud = {
let url = "https://nextcloud.ingolf-wagner.de/login";
domain = "https://nextcloud.ingolf-wagner.de/login"; expectedContent = "Login";
curl = lib.getExe pkgs.curl; };
grep = lib.getExe pkgs.gnugrep;
in
''
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
if ${curl} -s ${domain} | ${grep} -q "Login"; then
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'."
else
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht."
fi
else
echo "[Fail] Die Seite hat keinen Statuscode 200."
fi
'';
services.nginx = { services.nginx = {
enable = true; enable = true;


@ -6,24 +6,10 @@
}: }:
{ {
verify.localCommands.forgejo = verify.http.forgejjo = {
let url = "https://git.ingolf-wagner.de/explore/repos";
domain = "https://git.ingolf-wagner.de/explore/repos"; expectedContent = "palo/nixos-config";
curl = lib.getExe pkgs.curl; };
grep = lib.getExe pkgs.gnugrep;
grepString = "palo/nixos-config";
in
''
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'."
else
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht."
fi
else
echo "[Fail] Die Seite hat keinen Statuscode 200."
fi
'';
services.nginx = { services.nginx = {
enable = true; enable = true;
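Review bot: The attribute on the new side is spelled `verify.http.forgejjo`, while the entry it replaces was `verify.localCommands.forgejo`. The module added in this commit builds the command name as `"http_" + service`, so the check would be registered as `http_forgejjo`. `verify.http.forgejo = {` is probably what was intended.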


@ -33,24 +33,10 @@
}; };
verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ]; verify.closed.public.ports.nix-serve = [ config.services.nix-serve.port ];
verify.localCommands.nix-serve = verify.http.nix-serve = {
let url = "cache.${config.networking.hostName}.wg0/nix-cache-info";
domain = "cache.${config.networking.hostName}.wg0/nix-cache-info"; expectedContent = "Priority: 50";
curl = lib.getExe pkgs.curl; };
grep = lib.getExe pkgs.gnugrep;
grepString = "Priority: 50";
in
''
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'."
else
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht."
fi
else
echo "[Fail] Die Seite hat keinen Statuscode 200."
fi
'';
services.nginx = { services.nginx = {
enable = true; enable = true;


@ -17,24 +17,10 @@ in
# networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ]; # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
verify.closed.public.ports.photoprism = [ photoprismPort ]; verify.closed.public.ports.photoprism = [ photoprismPort ];
verify.localCommands.photoprism = verify.http.photoprism = {
let url = "http://10.100.0.1:2342/library/login";
domain = "http://10.100.0.1:2342/library/login"; expectedContent = "AI-Powered Photos App";
curl = lib.getExe pkgs.curl; };
grep = lib.getExe pkgs.gnugrep;
grepString = "AI-Powered Photos App";
in
''
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'."
else
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht."
fi
else
echo "[Fail] Die Seite hat keinen Statuscode 200."
fi
'';
containers.photoprism = { containers.photoprism = {
privateNetwork = false; privateNetwork = false;


@ -8,24 +8,10 @@
{ {
verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ]; verify.closed.public.ports.taskchampion = [ config.services.taskchampion-sync-server.port ];
verify.localCommands.taskchampion = verify.http.taskchampion = {
let url = "http://orbi.private:10222";
domain = "http://orbi.private:10222"; expectedContent = "TaskChampion sync server";
curl = lib.getExe pkgs.curl; };
grep = lib.getExe pkgs.gnugrep;
grepString = "TaskChampion sync server";
in
''
if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then
echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'."
else
echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht."
fi
else
echo "[Fail] Die Seite hat keinen Statuscode 200."
fi
'';
networking.firewall.interfaces.wg0.allowedTCPPorts = [ networking.firewall.interfaces.wg0.allowedTCPPorts = [
config.services.taskchampion-sync-server.port config.services.taskchampion-sync-server.port


@ -5,6 +5,7 @@
flake.nixosModules.verify = { flake.nixosModules.verify = {
imports = [ imports = [
./modules/closedPorts.nix ./modules/closedPorts.nix
./modules/http.nix
./modules/localCommands.nix ./modules/localCommands.nix
]; ];
}; };


@ -0,0 +1,96 @@
{
lib,
config,
pkgs,
...
}:
with lib;
with types;
{
options.verify.http = mkOption {
default = { };
description = ''
Verify that ports the defined ports are closed for a specific interface.
Verification is done by rustscan.
'';
type = attrsOf (submodule {
options = {
url = mkOption {
type = str;
description = ''
URL to analyze.
'';
};
responseCode = mkOption {
type = int;
default = 200;
description = ''
expected response code
'';
};
expectedContent = mkOption {
type = nullOr str;
description = ''
expected string in the response
'';
};
};
});
};
config = {
verify.localCommands =
let
curl = lib.getExe pkgs.curl;
grep = lib.getExe pkgs.gnugrep;
scriptWithExpectedContent = url: responseCode: expectedContent: ''
if ${curl} -s -o /dev/null -w "%{http_code}" ${url} | ${grep} -q "${toString responseCode}"; then
if ${curl} -s ${url} | ${grep} -q "${expectedContent}"; then
echo -n ""
#echo " [ OK ] Die Seite hat Statuscode ${toString responseCode} und enthält den String '${expectedContent}'."
else
echo " [Fail] Der Statuscode ist 200, aber die Seite enthält den String '${expectedContent}' nicht."
fi
else
echo " [Fail] Die Seite hat keinen Statuscode ${toString responseCode}."
fi
'';
scriptWithoutExpectedContent = url: responseCode: ''
if ${curl} -s -o /dev/null -w "%{http_code}" ${url} | ${grep} -q "${toString responseCode}"; then
echo -n ""
#echo " [ OK ] Die Seite hat Statuscode ${toString responseCode}."
else
echo " [Fail] Die Seite hat keinen Statuscode ${toString responseCode}."
fi
'';
script =
url: responeCode: expectedContent:
if (expectedContent == null) then
scriptWithExpectedContent url responeCode expectedContent
else
scriptWithoutExpectedContent url responeCode;
in
mapAttrs' (
service:
{
url,
responseCode,
expectedContent,
}:
nameValuePair ("http_" + service) (script url responseCode expectedContent)
) config.verify.http;
# verify.localCommands.taskchampion =
# let
# domain = "http://orbi.private:10222";
# grepString = "TaskChampion sync server";
# in
#
};
}
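Review bot: The dispatch in `script` is inverted: `expectedContent == null` selects `scriptWithExpectedContent`, so every check that sets `expectedContent` only tests the status code, and a null value would be interpolated into the script text, which Nix refuses to evaluate. The branches should be swapped: `if expectedContent == null then scriptWithoutExpectedContent url responeCode else scriptWithExpectedContent url responeCode expectedContent`. The `expectedContent` option also lacks `default = null;`, so despite `nullOr str` it is mandatory and the status-only path cannot be selected by leaving it out. `${url}` is placed unquoted and `${expectedContent}` inside double quotes in the generated shell; passing both through `escapeShellArg` and matching with `grep -qF` would keep characters such as `?`, `$` or `"` in a configured value from being interpreted by the shell or as a regex. The option description still describes the closed-port check done by rustscan and should be rewritten for the HTTP check.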