nixos-config-priv/systems/common/optional/services/clamav.nix

#
# FIXME check for dependency somehow? Requires the msmtp.nix option for email notifications
#

{ pkgs, lib, config, ... }:
let
  # FIXME
  # isEnabled = name: predicate: {
  # assertion = predicate;
  # message = "${name} should be enabled for the clamav.nix config to work correctly.";
  # };

  # Function to notify users and admin when a suspicious file is detected
  notify-all-users = pkgs.writeScript "notify-all-users-of-sus-file"
    ''
      #!/usr/bin/env bash
      ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
      # Send an alert to all graphical users.
      for ADDRESS in /run/user/*; do
          USERID=''${ADDRESS#/run/user/}
         /run/wrappers/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" ${pkgs.libnotify}/bin/notify-send -i dialog-warning "Suspicious file" "$ALERT"
      done

      echo -e "To:$(hostname).alerts.net@hexagon.cx\n\nSubject: Suspicious file on $(hostname)\n\n$ALERT" | msmtp -a default alerts.net@hexagon.cx
    '';
in
{
  # FIXME
  # assertions = lib.mapAttrsToList isEnabled {
  # "hosts/common/optional/msmtp" = config.msmtp.enable;
  # };

  security.sudo = {
    extraConfig =
      ''
        clamav ALL = (ALL) NOPASSWD: SETENV: ${pkgs.libnotify}/bin/notify-send
      '';
  };

  services = {
    clamav = {
      daemon = {
        enable = true;
        settings = {
          # ClamAV configuration. Refer to <https://linux.die.net/man/5/clamd.conf>, for details on supported values.
          OnAccessPrevention = false;
          OnAccessExtraScanning = true;
          OnAccessExcludeUname = "clamav";
          VirusEvent = "${notify-all-users}";
          User = "clamav";
        };
      };
      updater = {
        enable = true;
        interval = "daily";
        frequency = 2;
        settings = {
          # Refer to <https://linux.die.net/man/5/freshclam.conf>,for details on supported values.
        };
      };
      # # TODO stage 3 checkback - this isn't currently available in stable but looks to be coming down the pipe https://github.com/NixOS/nixpkgs/commits/master/nixos/modules/services/security/clamav.nix
      # fangfrisch = {
      #   enable = true;
      #   interval = "daily";
      # };
      # scanner = {
      #   # By default his runs using 10 cores, be sure
      #   enable = true;
      #   interval = "*-*-* 04:00:00"; # default
      #   scanDirectories = [
      #     # these are currently defaults from the nixos pkg maintainer for everything he thought was valid for nixos
      #     "/home" "/var/lib" "/tmp" "/etc" "/var/tmp"
      #   ];
      # };
    };
  };
}
asdf 2024-06-07 11:37:13 +00:00			`#`
			`# FIXME check for dependency somehow? Requires the msmtp.nix option for email notifications`
			`#`

			`{ pkgs, lib, config, ... }:`
			`let`
			`# FIXME`
			`# isEnabled = name: predicate: {`
			`# assertion = predicate;`
			`# message = "${name} should be enabled for the clamav.nix config to work correctly.";`
			`# };`

			`# Function to notify users and admin when a suspicious file is detected`
			`notify-all-users = pkgs.writeScript "notify-all-users-of-sus-file"`
			`''`
			`#!/usr/bin/env bash`
			`ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"`
			`# Send an alert to all graphical users.`
			`for ADDRESS in /run/user/*; do`
			`USERID=''${ADDRESS#/run/user/}`
			`/run/wrappers/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" ${pkgs.libnotify}/bin/notify-send -i dialog-warning "Suspicious file" "$ALERT"`
			`done`

			`echo -e "To:$(hostname).alerts.net@hexagon.cx\n\nSubject: Suspicious file on $(hostname)\n\n$ALERT" \| msmtp -a default alerts.net@hexagon.cx`
			`'';`
			`in`
			`{`
			`# FIXME`
			`# assertions = lib.mapAttrsToList isEnabled {`
			`# "hosts/common/optional/msmtp" = config.msmtp.enable;`
			`# };`

			`security.sudo = {`
			`extraConfig =`
			`''`
			`clamav ALL = (ALL) NOPASSWD: SETENV: ${pkgs.libnotify}/bin/notify-send`
			`'';`
			`};`

			`services = {`
			`clamav = {`
			`daemon = {`
			`enable = true;`
			`settings = {`
			`# ClamAV configuration. Refer to <https://linux.die.net/man/5/clamd.conf>, for details on supported values.`
			`OnAccessPrevention = false;`
			`OnAccessExtraScanning = true;`
			`OnAccessExcludeUname = "clamav";`
			`VirusEvent = "${notify-all-users}";`
			`User = "clamav";`
			`};`
			`};`
			`updater = {`
			`enable = true;`
			`interval = "daily";`
			`frequency = 2;`
			`settings = {`
			`# Refer to <https://linux.die.net/man/5/freshclam.conf>,for details on supported values.`
			`};`
			`};`
			`# # TODO stage 3 checkback - this isn't currently available in stable but looks to be coming down the pipe https://github.com/NixOS/nixpkgs/commits/master/nixos/modules/services/security/clamav.nix`
			`# fangfrisch = {`
			`# enable = true;`
			`# interval = "daily";`
			`# };`
			`# scanner = {`
			`# # By default his runs using 10 cores, be sure`
			`# enable = true;`
			`# interval = "--* 04:00:00"; # default`
			`# scanDirectories = [`
			`# # these are currently defaults from the nixos pkg maintainer for everything he thought was valid for nixos`
			`# "/home" "/var/lib" "/tmp" "/etc" "/var/tmp"`
			`# ];`
			`# };`
			`};`
			`};`
			`}`