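# NixOS module for ClamAV: the on-access/scanning daemon (clamd) and the
# signature-database updater (freshclam). Both are optional and configured
# through free-form `settings` attrsets that are rendered to the classic
# "Key Value" config files below.
{ config, lib, pkgs, ... }:
with lib;
let
  clamavUser = "clamav";
  stateDir = "/var/lib/clamav";
  runDir = "/run/clamav";
  clamavGroup = clamavUser;
  cfg = config.services.clamav;
  pkg = pkgs.clamav;

  # clamd.conf / freshclam.conf use "Key Value" lines; a list value is
  # written as the same key repeated once per element (e.g. several
  # DatabaseMirror lines), which is what `listsAsDuplicateKeys` does.
  toKeyValue = generators.toKeyValue {
    mkKeyValue = generators.mkKeyValueDefault {} " ";
    listsAsDuplicateKeys = true;
  };

  # Rendered config files live in the Nix store; they are linked into /etc
  # and used as restart triggers below, so a settings change restarts the unit.
  clamdConfigFile = pkgs.writeText "clamd.conf" (toKeyValue cfg.daemon.settings);
  freshclamConfigFile = pkgs.writeText "freshclam.conf" (toKeyValue cfg.updater.settings);
in
{
  # Former free-text config options were replaced by structured `settings`.
  imports = [
    (mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.")
    (mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.")
    (mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.")
  ];

  options = {
    services.clamav = {
      daemon = {
        enable = mkEnableOption "ClamAV clamd daemon";

        settings = mkOption {
          # Values are rendered verbatim: bools/ints become their string
          # form, lists become repeated keys.
          type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);
          default = {};
          description = ''
            ClamAV configuration. Refer to <link xlink:href="https://linux.die.net/man/5/clamd.conf"/>,
            for details on supported values.
          '';
        };
      };
      updater = {
        enable = mkEnableOption "ClamAV freshclam updater";

        # Passed through to freshclam as `Checks` (see config below); it only
        # matters for how freshclam paces itself, the systemd timer decides
        # when freshclam is actually run.
        frequency = mkOption {
          type = types.int;
          default = 12;
          description = ''
            Number of database checks per day.
          '';
        };

        interval = mkOption {
          type = types.str;
          default = "hourly";
          description = ''
            How often freshclam is invoked. See systemd.time(7) for more
            information about the format.
          '';
        };

        settings = mkOption {
          type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);
          default = {};
          description = ''
            freshclam configuration. Refer to <link xlink:href="https://linux.die.net/man/5/freshclam.conf"/>,
            for details on supported values.
          '';
        };
      };
    };
  };

  config = mkIf (cfg.updater.enable || cfg.daemon.enable) {
    environment.systemPackages = [ pkg ];

    # Dedicated unprivileged account; both clamd and freshclam are told to use
    # it through their config files rather than through systemd `User=`.
    users.users.${clamavUser} = {
      uid = config.ids.uids.clamav;
      group = clamavGroup;
      description = "ClamAV daemon user";
      home = stateDir;
    };

    users.groups.${clamavGroup} =
      { gid = config.ids.gids.clamav; };

    # Defaults merge with the user's `settings` (module-system attrset merge).
    services.clamav.daemon.settings = {
      DatabaseDirectory = stateDir;
      LocalSocket = "${runDir}/clamd.ctl";
      PidFile = "${runDir}/clamd.pid";
      TemporaryDirectory = "/tmp";
      # clamd drops privileges to this account itself. Use the same binding as
      # the user definition above instead of repeating the literal, so the
      # two cannot drift apart.
      User = clamavUser;
      Foreground = true;
    };

    services.clamav.updater.settings = {
      DatabaseDirectory = stateDir;
      Foreground = true;
      Checks = cfg.updater.frequency;
      DatabaseMirror = [ "database.clamav.net" ];
    };

    # NOTE(review): presumably the default config paths compiled into the
    # package; confirm against the clamav derivation if either is changed.
    environment.etc."clamav/freshclam.conf".source = freshclamConfigFile;
    environment.etc."clamav/clamd.conf".source = clamdConfigFile;

    systemd.services.clamav-daemon = mkIf cfg.daemon.enable {
      description = "ClamAV daemon (clamd)";
      # NOTE(review): `requires` makes clamd start fail whenever freshclam
      # fails (e.g. mirror unreachable on first boot); a `wants` dependency
      # would keep the daemon available with the existing database -- confirm
      # the intended trade-off before changing.
      after = optional cfg.updater.enable "clamav-freshclam.service";
      requires = optional cfg.updater.enable "clamav-freshclam.service";
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ clamdConfigFile ];

      # Runs as root (the unit sets no User=); only creates the socket/pid
      # directory and hands it to the service account.
      preStart = ''
        mkdir -m 0755 -p ${runDir}
        chown ${clamavUser}:${clamavGroup} ${runDir}
      '';

      serviceConfig = {
        ExecStart = "${pkg}/bin/clamd";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
        PrivateTmp = "yes";
        PrivateDevices = "yes";
        # The defaults above only expose a local socket, so the daemon gets no
        # network namespace. NOTE(review): a user enabling TCPSocket/TCPAddr
        # via daemon.settings would be silently defeated by this.
        PrivateNetwork = "yes";
      };
    };

    systemd.timers.clamav-freshclam = mkIf cfg.updater.enable {
      description = "Timer for ClamAV virus database updater (freshclam)";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = cfg.updater.interval;
        Unit = "clamav-freshclam.service";
      };
    };

    systemd.services.clamav-freshclam = mkIf cfg.updater.enable {
      description = "ClamAV virus database updater (freshclam)";
      restartTriggers = [ freshclamConfigFile ];

      # Runs as root (no User=); creates the database directory for the
      # service account. NOTE(review): freshclam itself is not confined to
      # clamavUser by systemd here -- whether it drops privileges depends on
      # freshclam's own DatabaseOwner handling; verify.
      preStart = ''
        mkdir -m 0755 -p ${stateDir}
        chown ${clamavUser}:${clamavGroup} ${stateDir}
      '';

      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkg}/bin/freshclam";
        SuccessExitStatus = "1"; # if databases are up to date
        PrivateTmp = "yes";
        # No PrivateNetwork: freshclam must reach the DatabaseMirror hosts.
        PrivateDevices = "yes";
      };
    };
  };
}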