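# flake-parts module: exposes the `verify` NixOS module and an `apps.verify`
# runner that scans every configured machine/interface for ports that are
# expected to be closed (the option schema itself lives in ./module.nix).
{ self, ... }:
{
  imports = [ ];

  # The NixOS side: machines import this to declare `verify.closed`.
  flake.nixosModules.verify = {
    imports = [ ./module.nix ];
  };

  perSystem =
    { pkgs, self', lib, ... }:
    with lib;
    {
      apps.verify = {
        type = "app";
        program =
          let
            # Only configurations that actually declare `verify.closed` are
            # scanned; machines that do not import the module are skipped
            # instead of aborting evaluation of the whole app.
            # NOTE(review): a machine that declares the option but never sets
            # it (and has no default in ./module.nix) would still fail on
            # `.value` — confirm the module provides a default.
            verifiableConfigurations = filterAttrs (
              _: configuration: hasAttrByPath [ "verify" "closed" ] configuration.options
            ) self.nixosConfigurations;

            # `verify.closed.<interface>` for one machine.
            interfaceConfig =
              machine: interface:
              verifiableConfigurations.${machine}.options.verify.closed.value.${interface};

            domain = machine: interface: (interfaceConfig machine interface).domain;

            # service -> [ port, ... ]; services with no ports are dropped so
            # rustscan is never invoked with an empty `--ports` argument.
            servicePorts =
              machine: interface:
              filterAttrs (_: ports: ports != [ ]) (interfaceConfig machine interface).ports;

            # One rustscan invocation for one service on one interface.
            # The interpolated values come from this flake's own NixOS
            # configurations (trusted), but they are still shell-quoted so a
            # domain or label containing whitespace or metacharacters cannot
            # break or alter the generated script.
            command =
              service: interface: domain: ports: ''
                echo ${escapeShellArg "verify ${interface} ports are closed for ${service}"}
                ${pkgs.rustscan}/bin/rustscan \
                  --ports ${escapeShellArg (concatStringsSep "," (map toString ports))} \
                  --addresses ${escapeShellArg domain} \
                  --greppable
              '';

            # All commands for one interface of one machine (one per service).
            commands =
              machine: interface:
              mapAttrsToList (
                service: ports: command service interface (domain machine interface) ports
              ) (servicePorts machine interface);

            # machine -> [ interface, interface, ... ]
            machines = mapAttrs (
              _: configuration: builtins.attrNames configuration.options.verify.closed.value
            ) verifiableConfigurations;

            machineInterfaceCommand =
              machine: interface: concatStringsSep "\n\n" (commands machine interface);

            # A boxed header per machine, followed by its per-interface scans.
            machineCommand =
              machine: interfaces: ''
                echo ${escapeShellArg machine} | ${pkgs.boxes}/bin/boxes -d ansi
                ${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
              '';

            allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
          in
          # To debug a single machine/interface, swap in e.g.:
          # pkgs.writers.writeBashBin "verify" (concatStringsSep "\n\n" (commands "orbi" "public"));
          pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
}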