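# flake-parts module with two halves:
#   * `flake.nixosModules.verify` — the NixOS module a configuration imports to
#     declare what should be checked (`verify.closed`, `verify.localCommands`);
#   * `perSystem.apps.verify`      — a bash script that runs those checks against
#     every `nixosConfigurations.<name>` of this flake that imported the module.
#
# The app runs wherever `nix run .#verify` is invoked, so the port checks test
# reachability *from that host*, not from inside the target machine.
{ self, ... }:
{
  imports = [ ];

  # NOTE(review): ./modules/http.nix is imported here, but no http check is
  # generated by the app below — only the `closed` and `localCommands` option
  # values are read.
  flake.nixosModules.verify = {
    imports = [
      ./modules/closedPorts.nix
      ./modules/http.nix
      ./modules/localCommands.nix
    ];
  };

  perSystem =
    { pkgs, lib, ... }:
    let
      inherit (lib)
        concatStringsSep
        escapeShellArg
        filterAttrs
        mapAttrsToList
        ;

      # A configuration is checked only if it declares the `verify` option
      # tree, i.e. imported `flake.nixosModules.verify`; all others are skipped.
      nixosConfigurationsToVerify = filterAttrs (
        _machineName: configuration: builtins.hasAttr "verify" configuration.options
      ) self.nixosConfigurations;

      # Shell snippets, one per `verify.localCommands.<serviceName>`.
      #
      # Each configured command becomes its own script so that its exit status
      # is the verdict: non-zero is reported as a failure and counted in the
      # `failures` variable that the wrapper script (below) declares.
      # The command text comes straight from the NixOS configuration and is
      # trusted as much as the rest of the flake — nothing here sandboxes it.
      verifyLocalCommands =
        nixosConfiguration:
        mapAttrsToList (
          serviceName: serviceCommand:
          let
            script = pkgs.writers.writeBash "verify-${serviceName}" serviceCommand;
            title = "verify service ${serviceName}";
          in
          ''
            echo ${escapeShellArg title}
            if ${script}; then
              echo "  ok"
            else
              # `$?` as the first command of the else branch is the script's status.
              status=$?
              echo "  FAIL: command exited with status $status"
              failures=$((failures + 1))
            fi
          ''
        ) nixosConfiguration.options.verify.localCommands.value;

      # Shell snippets, one per (interface, service) pair of `verify.closed`:
      # the service's ports must not be open on `<interface>.host`.
      #
      # Caveats a reader should keep in mind:
      #   * rustscan reports *open* ports only, so "closed" here really means
      #     "not reachable from the host running this app" — a filtered port
      #     and a closed port look the same.
      #   * in `--greppable` mode open ports are printed as lines of the form
      #     `<host> -> [<ports>]` and a clean scan prints no such line; the
      #     check below greps for `->`. That matches the rustscan versions I
      #     know of — confirm against the pinned nixpkgs if the output changes.
      #   * a scan that fails to run (unresolvable host, missing capability,
      #     ...) is reported as a failure rather than passing silently.
      verifyClosedCommands =
        nixosConfiguration:
        let
          scanCommand =
            serviceName: interfaceName: host: ports:
            let
              title = "verify ${interfaceName} ports are closed for ${serviceName}";
              portList = concatStringsSep "," (map toString ports);
            in
            ''
              echo ${escapeShellArg title}
              scan_status=0
              scan_output="$(
                ${pkgs.rustscan}/bin/rustscan \
                  --ports ${escapeShellArg portList} \
                  --addresses ${escapeShellArg host} \
                  --greppable
              )" || scan_status=$?
              if [ "$scan_status" -ne 0 ]; then
                echo "  FAIL: rustscan exited with status $scan_status"
                failures=$((failures + 1))
              elif printf '%s\n' "$scan_output" | grep -F -q -- '->'; then
                echo "  FAIL: open ports reported:"
                printf '%s\n' "$scan_output"
                failures=$((failures + 1))
              else
                echo "  ok"
              fi
            '';

          interfaces = nixosConfiguration.options.verify.closed.value;
        in
        lib.flatten (
          mapAttrsToList (
            interfaceName: interfaceConfiguration:
            mapAttrsToList (
              serviceName: servicePorts:
              scanCommand serviceName interfaceName interfaceConfiguration.host servicePorts
            ) interfaceConfiguration.ports
          ) interfaces
        );

      # Banner followed by every check of one machine.
      verifyMachine = machineName: nixosConfiguration: ''
        echo ${escapeShellArg machineName} | ${pkgs.boxes}/bin/boxes -d ansi
        ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
        ${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)}
      '';

      # The wrapper deliberately does NOT use `set -e`: a failing check must not
      # abort the run, every machine should be reported. Failures are counted
      # instead and turned into a non-zero exit status at the very end, so CI
      # and `nix run` callers can rely on the exit code.
      verifyScript = pkgs.writers.writeBashBin "verify" ''
        set -uo pipefail
        failures=0

        ${concatStringsSep "\n\n" (mapAttrsToList verifyMachine nixosConfigurationsToVerify)}

        if [ "$failures" -ne 0 ]; then
          echo "$failures check(s) failed"
          exit 1
        fi
        echo "all checks passed"
      '';
    in
    {
      apps.verify = {
        type = "app";
        program = verifyScript;
      };
    };
}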
|