authorhappysalada <raphael@megzari.com>2023-12-05 08:49:33 +0900
committerYt <happysalada@tuta.io>2023-12-05 22:53:35 +0000
commit93c790aef367e2f72fd9a9a22741ef1ed7136fc4 (patch)
treecd9e4a1b790faa454e670669b26f13f8af3af34e /nixos
parent6b014e92def834ffd2101942031e09ac1772760f (diff)
nixos/clamav: add scanner service
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/security/clamav.nix43
1 files changed, 43 insertions, 0 deletions
diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix
index 4713e91caf3f..d3164373ec01 100644
--- a/nixos/modules/services/security/clamav.nix
+++ b/nixos/modules/services/security/clamav.nix
@@ -98,6 +98,29 @@ in
           '';
         };
       };
+
+      scanner = {
+        enable = mkEnableOption (lib.mdDoc "ClamAV scanner");
+
+        interval = mkOption {
+          type = types.str;
+          default = "*-*-* 04:00:00";
+          description = lib.mdDoc ''
+            How often clamdscan is invoked. See systemd.time(7) for more
+            information about the format.
+            By default this runs using 10 cores at most, be sure to run it at a time of low traffic.
+          '';
+        };
+
+        scanDirectories = mkOption {
+          type = with types; listOf str;
+          default = [ "/home" "/var/lib" "/tmp" "/etc" "/var/tmp" ];
+          description = lib.mdDoc ''
+            List of directories to scan.
+            The default includes everything I could think of that is valid for nixos. Feel free to contribute a PR to add to the default if you see something missing.
+          '';
+        };
+      };
     };
   };
 
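Review bot: `scanDirectories` is typed `listOf str`, but its elements are pasted verbatim into the `clamdscan` command line by the `ExecStart` in the second hunk, so an entry containing a space, a `%` specifier or a leading `-` would be split, expanded or parsed as an option instead of being scanned. Typing it as `type = with types; listOf path;` would reject non-absolute entries at evaluation time. Paths with spaces would still need each element quoted where the command line is built, rather than a bare `concatStringsSep " "`. The description would also read better without the first-person sentence, for example `List of directories to scan. The default covers common locations on NixOS; PRs extending it are welcome.`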
@@ -232,5 +255,25 @@ in
         PrivateDevices = "yes";
       };
     };
+
+    systemd.timers.clamdscan = mkIf cfg.scanner.enable {
+      description = "Timer for ClamAV virus scanner";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.scanner.interval;
+        Unit = "clamdscan.service";
+      };
+    };
+
+    systemd.services.clamdscan = mkIf cfg.scanner.enable {
+      description = "ClamAV virus scanner";
+      after = optionals cfg.updater.enable [ "clamav-freshclam.service" ];
+      wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkg}/bin/clamdscan --multiscan --fdpass --infected --allmatch ${lib.concatStringsSep " " cfg.scanner.scanDirectories}";
+      };
+    };
   };
 }
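Review bot: `clamdscan` is only a client for a running clamd, yet the new `systemd.services.clamdscan` unit orders itself solely against `clamav-freshclam.service`, and nothing in this hunk enables or asserts the daemon when `cfg.scanner.enable` is set. With the daemon disabled or not yet listening, the scheduled run would presumably fail at connect time and the host would go unscanned, with only a failed oneshot as evidence. Consider adding the daemon's unit to `after`/`wants`, plus an assertion or a `mkIf cfg.scanner.enable` default that turns the daemon on; the config between the two hunks is not visible here, so this may already be handled there. It is also worth a comment on `ExecStart` that clamdscan exits with status 1 when it finds something. The unit then shows as failed on a detection, which operators should alert on and not treat as a scan error.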