From b5b9b0351880b051f68f04be9857c6d7f935309c Mon Sep 17 00:00:00 2001
From: JC Brand
Date: Sat, 12 Dec 2015 12:45:48 +0000
Subject: clamav: improvements
- Add new service for `clamd`, the ClamAV daemon.
- Replace the old upstart "jobs" section with systemd.services
- Remove unnecessary config options.
- Use `mkEnableOption`
---
nixos/modules/services/security/clamav.nix | 107 +++++++++++++++++++----------
1 file changed, 72 insertions(+), 35 deletions(-)
(limited to 'nixos/modules/services/security')
diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix
index 583fadb9d10a..548aee29b266 100644
--- a/nixos/modules/services/security/clamav.nix
+++ b/nixos/modules/services/security/clamav.nix
@@ -3,22 +3,37 @@ with lib; let clamavUser = "clamav"; stateDir = "/var/lib/clamav"; + runDir = "/var/run/clamav"; + logDir = "/var/log/clamav"; clamavGroup = clamavUser; cfg = config.services.clamav; + clamdConfigFile = pkgs.writeText "clamd.conf" '' + DatabaseDirectory ${stateDir} + LocalSocket ${runDir}/clamd.ctl + LogFile ${logDir}/clamav.log + PidFile ${runDir}/clamd.pid + User clamav + + ${cfg.daemon.extraConfig} + ''; in { - ###### interface - options = { - services.clamav = { - updater = { - enable = mkOption { - default = false; - description = '' - Whether to enable automatic ClamAV virus definitions database updates. + daemon = { + enable = mkEnableOption "clamd daemon"; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration for clamd. Contents will be added verbatim to the + configuration file. ''; }; + }; + updater = { + enable = mkEnableOption "freshclam updater"; frequency = mkOption { default = 12; 
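Review bot: The generated clamd.conf hard-codes `User clamav` while the same let-block defines `clamavUser` and the rest of the module uses that binding for the account and the chown calls; write `User ${clamavUser}` so the daemon's drop-privilege user cannot drift from the account the module actually creates. The socket and pid directory is pinned to `/var/run/clamav`; on systemd hosts `/var/run` is only a compatibility link to `/run`, so `runDir = "/run/clamav";` would be the conventional choice, though this is optional. The `options` attribute set this hunk edits continues past the end of the hunk.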
@@ -38,43 +53,65 @@ in }; }; - ###### implementation - - config = mkIf cfg.updater.enable { + config = mkIf cfg.updater.enable or cfg.daemon.enable { environment.systemPackages = [ pkgs.clamav ]; - users.extraUsers = singleton - { name = clamavUser; - uid = config.ids.uids.clamav; - description = "ClamAV daemon user"; - home = stateDir; - }; + users.extraUsers = singleton { + name = clamavUser; + uid = config.ids.uids.clamav; + description = "ClamAV daemon user"; + home = stateDir; + }; - users.extraGroups = singleton - { name = clamavGroup; - gid = config.ids.gids.clamav; - }; + users.extraGroups = singleton { + name = clamavGroup; + gid = config.ids.gids.clamav; + }; - services.clamav.updater.config = '' + services.clamav.updater.config = mkIf cfg.updater.enable '' DatabaseDirectory ${stateDir} Foreground yes Checks ${toString cfg.updater.frequency} DatabaseMirror database.clamav.net ''; - jobs = { - clamav_updater = { - name = "clamav-updater"; - startOn = "started network-interfaces"; - stopOn = "stopping network-interfaces"; - - preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${clamavUser}:${clamavGroup} ${stateDir} - ''; - exec = "${pkgs.clamav}/bin/freshclam --daemon --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}"; - }; + systemd.services.clamd = mkIf cfg.daemon.enable { + description = "ClamAV daemon (clamd)"; + path = [ pkgs.clamav ]; + after = [ "network.target" "freshclam.service" ]; + requires = [ "freshclam.service" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -m 0755 -p ${logDir} + mkdir -m 0755 -p ${runDir} + chown ${clamavUser}:${clamavGroup} ${logDir} + chown ${clamavUser}:${clamavGroup} ${runDir} + ''; + serviceConfig = { + ExecStart = "${pkgs.clamav}/bin/clamd --config-file=${clamdConfigFile}"; + Type = "forking"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + RestartSec = "10s"; + StartLimitInterval = "1min"; + }; }; + systemd.services.freshclam = mkIf 
cfg.updater.enable { + description = "ClamAV updater (freshclam)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.clamav ]; + preStart = '' + mkdir -m 0755 -p ${stateDir} + chown ${clamavUser}:${clamavGroup} ${stateDir} + ''; + serviceConfig = { + ExecStart = "${pkgs.clamav}/bin/freshclam --daemon --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + RestartSec = "10s"; + StartLimitInterval = "1min"; + }; + }; }; - } -- cgit 1.4.1
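Review bot: `config = mkIf cfg.updater.enable or cfg.daemon.enable {` does not combine the two flags: in Nix `or` is the attribute-select fallback, so the expression reduces to `cfg.updater.enable` (which always exists) and `cfg.daemon.enable` is never consulted, meaning a daemon-only configuration yields no user, no units and a scanner that silently never runs. Use the boolean operator instead: `config = mkIf (cfg.updater.enable || cfg.daemon.enable) {`. Even with that fixed, `systemd.services.clamd` declares `requires = [ "freshclam.service" ]` while the freshclam unit is only emitted under `mkIf cfg.updater.enable`, so a daemon-only setup depends on a unit that does not exist; either drop the hard dependency or guard it with `cfg.updater.enable`. The clamd unit is `Type = "forking"` and the generated clamd.conf sets `PidFile ${runDir}/clamd.pid`, but `serviceConfig` has no matching `PIDFile`, so systemd may have to guess the main PID and the `kill -HUP $MAINPID` reload can miss the real process; add `PIDFile = "${runDir}/clamd.pid";` next to `Type`.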