add clamav scan

This commit is contained in:
Sebastien Bourdeauducq 2023-07-21 18:00:01 +08:00
parent c89551c610
commit 454130650f
2 changed files with 48 additions and 0 deletions

45
nixops/avscan-module.nix Normal file
View File

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
with lib;
let
avscan = pkgs.writeScript "avscan" ''
#!${pkgs.bash}/bin/bash
for user in $(cut -d":" -f1 /etc/passwd); do
if [ -d "/home/$user" ]; then
nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
fi
done
'';
cfg = config.services.avscan;
in
{
options.services.avscan = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable antivirus scan";
};
};
config = mkIf cfg.enable {
services.clamav.updater.enable = true;
services.clamav.updater.interval = "daily";
services.clamav.updater.frequency = 1;
systemd.services.avscan = {
description = "Antivirus scan";
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
ExecStart = "${avscan}";
};
};
systemd.timers.avscan = {
description = "Antivirus scan";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "Mon 13:00";
};
};
}

View File

@ -13,6 +13,7 @@ in
imports =
[
(./. + "/${host}-hardware-configuration.nix")
./avscan-module.nix
];
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
@ -81,6 +82,8 @@ in
setuid = true;
};
services.avscan.enable = true;
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.extraConfig =