authorJC Brand <jc@opkode.com>2015-12-12 12:45:48 +0000
committerJC Brand <jc@opkode.com>2015-12-13 15:55:56 +0000
commitb5b9b0351880b051f68f04be9857c6d7f935309c (patch)
tree0dd36fcc2b9acf66fd71c68dfb921d922f37f1d8 /nixos/modules/services/security
parent36e1e3a8a692e414e02cc08322476f921429dc23 (diff)
clamav: improvements
- Add new service for `clamd`, the ClamAV daemon.
- Replace the old upstart "jobs" section with systemd.services
- Remove unnecessary config options.
- Use `mkEnableOption`
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r--nixos/modules/services/security/clamav.nix107
1 files changed, 72 insertions, 35 deletions
diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix
index 583fadb9d10a..548aee29b266 100644
--- a/nixos/modules/services/security/clamav.nix
+++ b/nixos/modules/services/security/clamav.nix
@@ -3,22 +3,37 @@ with lib;
 let
   clamavUser = "clamav";
   stateDir = "/var/lib/clamav";
+  runDir = "/var/run/clamav";
+  logDir = "/var/log/clamav";
   clamavGroup = clamavUser;
   cfg = config.services.clamav;
+  clamdConfigFile = pkgs.writeText "clamd.conf" ''
+    DatabaseDirectory ${stateDir}
+    LocalSocket ${runDir}/clamd.ctl
+    LogFile ${logDir}/clamav.log
+    PidFile ${runDir}/clamd.pid
+    User clamav
+
+    ${cfg.daemon.extraConfig}
+  '';
 in
 {
-  ###### interface
-
   options = {
-
     services.clamav = {
-      updater = {
-        enable = mkOption {
-        default = false;
-        description = ''
-            Whether to enable automatic ClamAV virus definitions database updates.
+      daemon = {
+        enable = mkEnableOption "clamd daemon";
+
+        extraConfig = mkOption {
+          type = types.lines;
+          default = "";
+          description = ''
+            Extra configuration for clamd. Contents will be added verbatim to the
+            configuration file.
           '';
         };
+      };
+      updater = {
+        enable = mkEnableOption "freshclam updater";
 
         frequency = mkOption {
           default = 12;
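Review bot: The generated clamd.conf hard-codes the account as `User clamav` although the module already defines `clamavUser` a few lines above; `User ${clamavUser}` keeps the config file and the user/group declarations from drifting apart. The same config puts `LocalSocket` under `${runDir}`, which the second hunk creates world-readable and -executable (0755), but sets no `LocalSocketGroup`/`LocalSocketMode`, so whatever default socket permissions this ClamAV build applies decide which local users may submit scan requests to clamd; either set them explicitly here or mention in the `extraConfig` description that deployers are expected to restrict the socket. The `extraConfig` description could also say that the contents are appended after the module's own `DatabaseDirectory`/`LocalSocket`/`LogFile`/`PidFile`/`User` lines, so readers know which directives they would be duplicating.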
@@ -38,43 +53,65 @@ in
     };
   };
 
-  ###### implementation
-
-  config = mkIf cfg.updater.enable {
+  config = mkIf cfg.updater.enable or cfg.daemon.enable {
     environment.systemPackages = [ pkgs.clamav ];
-    users.extraUsers = singleton
-      { name = clamavUser;
-        uid = config.ids.uids.clamav;
-        description = "ClamAV daemon user";
-        home = stateDir;
-      };
+    users.extraUsers = singleton {
+      name = clamavUser;
+      uid = config.ids.uids.clamav;
+      description = "ClamAV daemon user";
+      home = stateDir;
+    };
 
-    users.extraGroups = singleton
-      { name = clamavGroup;
-        gid = config.ids.gids.clamav;
-      };
+    users.extraGroups = singleton {
+      name = clamavGroup;
+      gid = config.ids.gids.clamav;
+    };
 
-    services.clamav.updater.config = ''
+    services.clamav.updater.config = mkIf cfg.updater.enable ''
       DatabaseDirectory ${stateDir}
       Foreground yes
       Checks ${toString cfg.updater.frequency}
       DatabaseMirror database.clamav.net
     '';
 
-    jobs = {
-      clamav_updater = {
-	      name = "clamav-updater";
-        startOn = "started network-interfaces";
-        stopOn = "stopping network-interfaces";
-
-        preStart = ''
-          mkdir -m 0755 -p ${stateDir}
-          chown ${clamavUser}:${clamavGroup} ${stateDir}
-          '';
-        exec = "${pkgs.clamav}/bin/freshclam --daemon --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}";
-      }; 
+    systemd.services.clamd = mkIf cfg.daemon.enable {
+      description = "ClamAV daemon (clamd)";
+      path = [ pkgs.clamav ];
+      after = [ "network.target" "freshclam.service" ];
+      requires = [ "freshclam.service" ];
+      wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -m 0755 -p ${logDir}
+        mkdir -m 0755 -p ${runDir}
+        chown ${clamavUser}:${clamavGroup} ${logDir}
+        chown ${clamavUser}:${clamavGroup} ${runDir}
+      '';
+      serviceConfig = {
+        ExecStart = "${pkgs.clamav}/bin/clamd --config-file=${clamdConfigFile}";
+        Type = "forking";
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        Restart = "on-failure";
+        RestartSec = "10s";
+        StartLimitInterval = "1min";
+      };
     };
 
+    systemd.services.freshclam = mkIf cfg.updater.enable {
+      description = "ClamAV updater (freshclam)";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.clamav ];
+      preStart = ''
+        mkdir -m 0755 -p ${stateDir}
+        chown ${clamavUser}:${clamavGroup} ${stateDir}
+      '';
+      serviceConfig = {
+        ExecStart = "${pkgs.clamav}/bin/freshclam --daemon --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        Restart = "on-failure";
+        RestartSec = "10s";
+        StartLimitInterval = "1min";
+      };
+    };
   };
-
 }
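Review bot: `mkIf cfg.updater.enable or cfg.daemon.enable` at the top of the hunk is not a boolean OR in Nix: `or` is the attribute-default operator, so the expression yields `cfg.updater.enable` whenever that attribute exists (it always does, it has a default), and enabling only `services.clamav.daemon` produces no user, group or clamd unit at all. It should read `config = mkIf (cfg.updater.enable || cfg.daemon.enable) {`. Once that is fixed a daemon-only setup still fails, because `clamd` declares `requires = [ "freshclam.service" ]` while the `freshclam` unit exists only under `mkIf cfg.updater.enable`; either make the dependency conditional (`requires = optional cfg.updater.enable "freshclam.service";`, likewise for `after`) or add an assertion that the daemon needs the updater. Separately, `clamd` is `Type = "forking"` and writes `PidFile` into clamd.conf, but `serviceConfig` sets no `PIDFile`, so systemd has to guess the main process and `$MAINPID` in `ExecReload` may not point at clamd; add `PIDFile = "${runDir}/clamd.pid";`.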