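# flake-parts module: exposes `nix run .#verify`, a generated bash script that
# runs the checks every nixosConfiguration declares through the `verify.*`
# options (defined in ./modules).
{ self, ... }:
{
  imports = [ ];

  # The NixOS module that declares the `verify.*` options read below.
  flake.nixosModules.verify = {
    imports = [ ./modules ];
  };

  perSystem = { pkgs, self', lib, ... }:
    with lib;
    {
      apps.verify = {
        type = "app";
        program =
          let
            # Only machines whose module set actually declares `verify` options.
            nixosConfigurationsToVerify = filterAttrs
              (machine: configuration: builtins.hasAttr "verify" configuration.options)
              self.nixosConfigurations;

            # Every config value interpolated into the generated bash goes through
            # escapeShellArg, so a service name, interface name or host string
            # containing quotes, spaces or `$` cannot change the script's meaning.
            q = escapeShellArg;

            # `verify.localCommands`: one bash script per service, run in order.
            # Each command is wrapped with writeBash, so its exit status is that of
            # a normal command and a failure aborts the run under `set -e`
            # (see allCommands).
            verifyLocalCommands = nixosConfiguration:
              let
                localCommands = nixosConfiguration.options.verify.localCommands.value;
                commands = mapAttrsToList
                  (serviceName: serviceCommand:
                    let
                      script = pkgs.writers.writeBash "${serviceName}" serviceCommand;
                    in ''
                      echo ${q "verify service ${serviceName} (local command)"}
                      ${script}
                    '')
                  localCommands;
              in flatten commands;

            # `verify.closed.<interface>.{host,ports.<service>}`: scan the listed
            # ports on the interface's host and fail the run when any is open.
            verifyClosedCommands = nixosConfiguration:
              let
                # rustscan's --greppable mode prints a `host -> [ports]` line for
                # hosts with open ports, so a line containing `->` means the check
                # failed; capture the output rather than just printing it.
                # NOTE(review): rustscan's exit status when no port is open is not
                # established here — a non-zero status aborts the run under
                # `set -e`, which fails loudly rather than silently "passing".
                # An empty port list produces no scan at all instead of an
                # invalid `--ports ""` argument.
                command = serviceName: interfaceName: host: ports:
                  optionalString (ports != [ ]) ''
                    echo ${q "verify ${interfaceName} ports are closed for ${serviceName}"}
                    open_ports="$(${pkgs.rustscan}/bin/rustscan \
                      --ports ${q (concatStringsSep "," (map toString ports))} \
                      --addresses ${q host} \
                      --greppable)"
                    if grep -q -- '->' <<< "$open_ports"; then
                      echo ${q "FAIL: open ports found on ${interfaceName} for ${serviceName}:"} >&2
                      echo "$open_ports" >&2
                      exit 1
                    fi
                  '';
                interfaces = nixosConfiguration.options.verify.closed.value;
                interfaceCommands = mapAttrsToList
                  (interfaceName: interfaceConfiguration:
                    mapAttrsToList
                      (serviceName: servicePorts:
                        command serviceName interfaceName interfaceConfiguration.host servicePorts)
                      interfaceConfiguration.ports)
                  interfaces;
              in flatten interfaceCommands;

            # One banner plus all checks for a single machine.
            verify = machineName: nixosConfiguration: ''
              echo ${q machineName} | ${pkgs.boxes}/bin/boxes -d ansi
              ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
              ${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)}
            '';

            # Abort on the first failing check, unset variable or failed pipeline
            # stage instead of continuing and printing a misleading run.
            allCommands = ''
              set -euo pipefail
            '' + concatStringsSep "\n\n" (mapAttrsToList verify nixosConfigurationsToVerify);
          in pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
}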