nixos-config/nix/verify/default.nix
2024-09-14 07:09:41 +07:00


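{ self, ... }:
{
  imports = [ ];

  # NixOS module declaring `verify.closed`: per interface, the domain to probe
  # and, per service, the ports that must stay closed on that interface.
  flake.nixosModules.verify = {
    imports = [ ./module.nix ];
  };

  perSystem =
    {
      pkgs,
      self',
      lib,
      ...
    }:
    with lib;
    {
      # `nix run .#verify`: port-scan every configured host from the outside and
      # exit non-zero if any port that is supposed to be closed answers.
      #
      # Caveat: the result only says what is reachable from the machine running
      # the scan. A firewall that allow-lists the scanner's own address, or a
      # DNS answer that points somewhere else, produces a false "closed".
      apps.verify = {
        type = "app";
        program =
          let
            # `verify.closed` of one machine, or `{ }` when that configuration
            # does not import the module at all. `or` only covers a missing
            # attribute; an option that is declared but never given a value
            # still throws on `.value`.
            closed =
              machine: self.nixosConfigurations.${machine}.options.verify.closed.value or { };

            domain = machine: interface: (closed machine).${interface}.domain;
            servicePorts = machine: interface: (closed machine).${interface}.ports;

            # One check: scan `ports` on `domain` and mark the run failed when
            # rustscan reports any of them open. Everything interpolated into
            # the script is shell-escaped, so a domain or service name with
            # quotes or whitespace cannot break -- or alter -- the command line.
            command =
              service: interface: domain: ports:
              let
                portList = concatStringsSep "," (map toString ports);
              in
              ''
                echo ${escapeShellArg "verify ${interface} ports are closed for ${service}"}
                open="$(${pkgs.rustscan}/bin/rustscan \
                  --ports ${escapeShellArg portList} \
                  --addresses ${escapeShellArg domain} \
                  --greppable)"
                # rustscan's greppable output is one "<host> -> [<ports>]" line
                # per host that has open ports; any such line means the check
                # failed. Previously the output was only printed, so the script
                # could never fail.
                if [[ "$open" == *"->"* ]]; then
                  echo ${escapeShellArg "FAIL ${interface}/${service} on ${domain}:"} "$open" >&2
                  failed=1
                else
                  echo ${escapeShellArg "ok: ${domain} [${portList}] closed"}
                fi
              '';

            # Checks for every service on one machine/interface. Services with an
            # empty port list are skipped: there is nothing to verify and
            # `--ports ""` would only make rustscan error out.
            commands =
              machine: interface:
              mapAttrsToList (service: ports: command service interface (domain machine interface) ports) (
                filterAttrs (_: ports: ports != [ ]) (servicePorts machine interface)
              );

            # machine -> [ interface, interface, ... ]
            # Machines that do not carry the option, or configure no interface,
            # are dropped instead of printing an empty section.
            machines = filterAttrs (_: interfaces: interfaces != [ ]) (
              mapAttrs (machine: _: attrNames (closed machine)) self.nixosConfigurations
            );

            machineInterfaceCommand = machine: interface: concatStringsSep "\n\n" (commands machine interface);

            machineCommand = machine: interfaces: ''
              echo ${escapeShellArg machine} | ${pkgs.boxes}/bin/boxes -d ansi
              ${concatStringsSep "\n\n" (map (machineInterfaceCommand machine) interfaces)}
            '';

            # `failed` is set by any check that finds an open port; the exit
            # status makes the app usable from CI or a pre-deploy hook.
            allCommands = ''
              failed=0

              ${concatStringsSep "\n\n" (mapAttrsToList machineCommand machines)}

              exit "$failed"
            '';
          in
          pkgs.writers.writeBashBin "verify" allCommands;
      };
    };
}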