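# flake-parts module. It exports the `verify` NixOS module and a per-system
# `verify` app. The app scans every NixOS configuration that declares `verify`
# options and checks that the ports listed under `verify.closed` do not answer.
{ self, ... }:
{
  imports = [ ];

  # NixOS module that declares the `verify.*` options read below (defined in ./modules).
  flake.nixosModules.verify = {
    imports = [ ./modules ];
  };

  perSystem =
    { pkgs, self', lib, ... }:
    with lib;
    {
      apps.verify = {
        type = "app";
        program =
          let
            # Only configurations that imported the verify module expose `options.verify`.
            nixosConfigurationsToVerify = filterAttrs (
              _machine: configuration: configuration.options ? verify
            ) self.nixosConfigurations;

            # Builds one shell snippet per (interface, service) pair of a configuration.
            verifyClosedCommands =
              nixosConfiguration:
              let
                # Scan `ports` on `host` and set `failed=1` when rustscan reports an open port.
                #
                # Every value taken from the NixOS configuration is passed through
                # escapeShellArg, so a name or host containing quotes, spaces or `$(`
                # is treated as data by bash rather than as script text.
                #
                # NOTE(review): the failure check relies on rustscan's greppable
                # `host -> [ports]` line format; confirm it against the pinned
                # rustscan version. If the format differs, the check never fires and
                # the script only prints the scan output, as it did before.
                #
                # NOTE(review): the scan runs from the machine that executes this app.
                # A port that is merely unreachable from that network position also
                # produces no line, so run the app from the vantage point the `closed`
                # policy is about. rustscan is called without protocol flags, so this
                # presumably covers TCP only; confirm if UDP services matter.
                command = serviceName: interfaceName: host: ports: ''
                  echo ${escapeShellArg "verify ${interfaceName} ports are closed for ${serviceName}"}
                  scan_output="$(
                    ${pkgs.rustscan}/bin/rustscan \
                      --ports ${escapeShellArg (concatMapStringsSep "," toString ports)} \
                      --addresses ${escapeShellArg host} \
                      --greppable
                  )"
                  if [ -n "$scan_output" ]; then
                    printf '%s\n' "$scan_output"
                  fi
                  case "$scan_output" in
                    *'->'*)
                      echo ${escapeShellArg "FAIL: open port(s) found on ${interfaceName} for ${serviceName}"} >&2
                      failed=1
                      ;;
                  esac
                '';

                # Shape read here: verify.closed.<interface> = { host; ports.<service> = [ port ... ]; }
                interfaces = nixosConfiguration.options.verify.closed.value;

                interfaceCommands = mapAttrsToList (
                  interfaceName: interfaceConfiguration:
                  mapAttrsToList (
                    serviceName: servicePorts:
                    # An empty port list would render an empty --ports argument;
                    # there is nothing to check for that service, so skip it.
                    optional (servicePorts != [ ]) (
                      command serviceName interfaceName interfaceConfiguration.host servicePorts
                    )
                  ) interfaceConfiguration.ports
                ) interfaces;
              in
              flatten interfaceCommands;

            # Banner with the machine name, followed by all of that machine's checks.
            # printf keeps a name that starts with `-` from being read as an echo option.
            verify = machineName: nixosConfiguration: ''
              printf '%s\n' ${escapeShellArg machineName} | ${pkgs.boxes}/bin/boxes -d ansi
              ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
            '';

            # `failed` accumulates across all machines. The final `exit` turns any
            # detected open port into a non-zero status so that CI or a deploy hook
            # can gate on it; previously the script reported success regardless.
            allCommands = concatStringsSep "\n\n" (
              [ "failed=0" ]
              ++ mapAttrsToList verify nixosConfigurationsToVerify
              ++ [ ''exit "$failed"'' ]
            );
          in
          pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
}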