
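{ self, ... }:
{
  imports = [ ];

  # NixOS module exposing the `verify.closed` and `verify.localCommands`
  # options that the `verify` app below consumes.
  flake.nixosModules.verify = {
    imports = [
      ./modules/closedPorts.nix
      ./modules/localCommands.nix
    ];
  };

  perSystem =
    {
      pkgs,
      self',
      lib,
      ...
    }:
    with lib;
    {
      # `nix run .#verify`: runs every check declared through the verify module
      # on each nixosConfiguration and exits 1 if any check fails (the original
      # script only echoed command output and always exited 0).
      apps.verify = {
        type = "app";
        program =
          let
            # Only configurations that import the verify module carry the options.
            nixosConfigurationsToVerify = filterAttrs (
              _machine: configuration: builtins.hasAttr "verify" configuration.options
            ) self.nixosConfigurations;

            # Shell prologue shared by all generated checks. `report DESCRIPTION STATUS`
            # prints one line per check and records a failure in $failed instead of
            # aborting, so every check still runs and the final exit code reflects all.
            prologue = ''
              failed=0
              report() {
                if [ "$2" -eq 0 ]; then
                  echo "ok:   $1"
                else
                  echo "FAIL: $1 (exit $2)"
                  failed=1
                fi
              }
            '';

            # Epilogue: propagate the accumulated result as the script's exit code.
            epilogue = ''
              exit "$failed"
            '';

            # One bash snippet per `verify.localCommands.<service>`; the command's
            # own exit status decides pass/fail.
            verifyLocalCommands =
              nixosConfiguration:
              let
                localCommands = nixosConfiguration.options.verify.localCommands.value;
                commands = mapAttrsToList (
                  serviceName: serviceCommand:
                  let
                    script = pkgs.writers.writeBash "${serviceName}" serviceCommand;
                    description = "service ${serviceName} (local command)";
                  in
                  ''
                    echo ${escapeShellArg "verify ${description}"}
                    ${script}
                    report ${escapeShellArg description} "$?"
                  ''
                ) localCommands;
              in
              flatten commands;

            # One bash snippet per `verify.closed.<interface>.ports.<service>`.
            # rustscan's --greppable mode prints a line per host that has open ports,
            # so any captured output means a port is reachable and the check fails;
            # a non-zero rustscan exit (scan could not run) is reported as a failure
            # rather than silently passing.
            verifyClosedCommands =
              nixosConfiguration:
              let
                command =
                  serviceName: interfaceName: host: ports:
                  let
                    description = "${interfaceName} ports are closed for ${serviceName}";
                    portList = concatStringsSep "," (map toString ports);
                  in
                  ''
                    echo ${escapeShellArg "verify ${description}"}
                    open_ports=$(${pkgs.rustscan}/bin/rustscan \
                      --ports ${escapeShellArg portList} \
                      --addresses ${escapeShellArg host} \
                      --greppable)
                    rustscan_status=$?
                    if [ "$rustscan_status" -ne 0 ]; then
                      report ${escapeShellArg description} "$rustscan_status"
                    elif [ -n "$open_ports" ]; then
                      echo "$open_ports"
                      report ${escapeShellArg description} 1
                    else
                      report ${escapeShellArg description} 0
                    fi
                  '';
                interfaces = nixosConfiguration.options.verify.closed.value;
                interfaceCommands = mapAttrsToList (
                  interfaceName: interfaceConfiguration:
                  mapAttrsToList (
                    serviceName: servicePorts:
                    command serviceName interfaceName interfaceConfiguration.host servicePorts
                  ) interfaceConfiguration.ports
                ) interfaces;
              in
              flatten interfaceCommands;

            # Per-machine section: a boxed header followed by all of its checks.
            verify = machineName: nixosConfiguration: ''
              echo ${escapeShellArg machineName} | ${pkgs.boxes}/bin/boxes -d ansi
              ${concatStringsSep "\n" (verifyClosedCommands nixosConfiguration)}
              ${concatStringsSep "\n" (verifyLocalCommands nixosConfiguration)}
            '';

            allCommands = concatStringsSep "\n\n" (
              [ prologue ] ++ (mapAttrsToList verify nixosConfigurationsToVerify) ++ [ epilogue ]
            );
          in
          pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
}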