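{ self, ... }:
{
  imports = [ ];

  # Option declarations live in ./module.nix; exporting them as a NixOS module
  # lets each machine declare `verify.closed.<interface> = { domain; ports; }`.
  flake.nixosModules.verify = {
    imports = [ ./module.nix ];
  };

  perSystem =
    {
      pkgs,
      self',
      lib,
      ...
    }:
    let
      # Explicit imports instead of `with lib;` so every helper name is visible.
      inherit (lib)
        concatStringsSep
        escapeShellArg
        filterAttrs
        mapAttrs
        mapAttrsToList
        ;

      # machine -> { <interface> = { domain; ports; ... }; }
      # Only machines whose configuration declares `verify.closed` are kept;
      # previously a machine without the option aborted the whole evaluation.
      closedByMachine = mapAttrs (_: configuration: configuration.options.verify.closed.value) (
        filterAttrs (_: configuration: configuration.options ? verify.closed) self.nixosConfigurations
      );

      domain = machine: interface: closedByMachine.${machine}.${interface}.domain;
      servicePorts = machine: interface: closedByMachine.${machine}.${interface}.ports;

      # Bash snippet scanning one service's declared ports on `domain`.
      # Every interpolated value becomes part of a shell script, so each one is
      # passed through escapeShellArg rather than spliced in bare.
      # NOTE(review): the snippet only prints rustscan's output; it does not
      # fail when a port is reported open — confirm that is the intended
      # contract for `nix run .#verify`.
      command =
        service: interface: domain: ports: ''
          echo ${escapeShellArg "verify ${interface} ports are closed for ${service}"}
          ${pkgs.rustscan}/bin/rustscan \
            --ports ${escapeShellArg (concatStringsSep "," (map toString ports))} \
            --addresses ${escapeShellArg domain} \
            --greppable
        '';

      # One snippet per service declared on `interface` of `machine`.
      commands =
        machine: interface:
        mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
          servicePorts machine interface
        );

      # machine -> [ interface, interface, ... ]
      machines = mapAttrs (_: closed: builtins.attrNames closed) closedByMachine;

      machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);

      # Banner with the machine name, then the scans for each of its interfaces.
      machineCommand =
        machine: interfaces: ''
          echo ${escapeShellArg machine} | ${pkgs.boxes}/bin/boxes -d ansi
          ${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
        '';

      allCommands = concatStringsSep "\n\n" (mapAttrsToList machineCommand machines);
    in
    {
      apps.verify = {
        type = "app";
        program = pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
}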