ClamAV: package virus fingerprint database updater.

12 years ago · 4f109c8a3d
parent 5b2b3825d8
commit 4f109c8a3d
3 changed files with 83 additions and 0 deletions
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@ -69,6 +69,7 @@ in
    unbound = 48;
    prayer = 49;
    mpd = 50;
+    clamav = 51;

    # When adding a uid, make sure it doesn't match an existing gid.

@ -118,6 +119,7 @@ in
    dovecot2 = 46;
    prayer = 49;
    mpd = 50;
+    clamav = 51;

    # When adding a gid, make sure it doesn't match an existing uid.

--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -161,6 +161,7 @@
  ./services/scheduling/atd.nix
  ./services/scheduling/cron.nix
  ./services/scheduling/fcron.nix
+  ./services/security/clamav.nix
  ./services/security/frandom.nix
  ./services/security/tor.nix
  ./services/security/torsocks.nix
--- a/modules/services/security/clamav.nix
+++ b/modules/services/security/clamav.nix
@ -0,0 +1,80 @@
+{ config, pkgs, ... }:
+with pkgs.lib;
+let
+  clamavUser = "clamav";
+  stateDir = "/var/lib/clamav";
+  clamavGroup = clamavUser;
+  cfg = config.services.clamav;
+in
+{
+  ###### interface
+
+  options = {
+
+    services.clamav = {
+      updater = {
+	enable = mkOption {
+	  default = false;
+	  description = ''
+	    Whether to enable automatic ClamAV virus definitions database updates.
+	  '';
+	};
+
+	frequency = mkOption {
+	  default = 12;
+	  description = ''
+	    Number of database checks per day.
+	  '';
+	};
+
+	config = mkOption {
+	  default = "";
+	  description = ''
+	    Extra configuration for freshclam. Contents will be added verbatim to the
+	    configuration file.
+	  '';
+	};
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.updater.enable {
+    environment.systemPackages = [ pkgs.clamav ];
+    users.extraUsers = singleton
+      { name = clamavUser;
+        uid = config.ids.uids.clamav;
+        description = "ClamAV daemon user";
+        home = stateDir;
+      };
+
+    users.extraGroups = singleton
+      { name = clamavGroup;
+        gid = config.ids.gids.clamav;
+      };
+
+    services.clamav.updater.config = ''
+      DatabaseDirectory ${stateDir}
+      Foreground yes
+      Checks ${toString cfg.updater.frequency}
+      DatabaseMirror database.clamav.net
+    '';
+
+    jobs = {
+      clamav_updater = {
+	name = "clamav-updater";
+          startOn = "started network-interfaces";
+          stopOn = "stopping network-interfaces";
+
+          preStart = ''
+            mkdir -m 0755 -p ${stateDir}
+            chown ${clamavUser}:${clamavGroup} ${stateDir}
+          '';
+          exec = "${pkgs.clamav}/bin/freshclam --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}";
+      }; 
+    };
+
+  };
+
+}