From 454130650fd79d700a7b4b3e8bf9a7d153be2b21 Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Fri, 21 Jul 2023 18:00:01 +0800
Subject: [PATCH] add clamav scan
---
 nixops/avscan-module.nix | 45 ++++++++++++++++++++++++++++++++++++++++
 nixops/desktop.nix | 3 +++
 2 files changed, 48 insertions(+)
 create mode 100644 nixops/avscan-module.nix
diff --git a/nixops/avscan-module.nix b/nixops/avscan-module.nix
new file mode 100644
index 00000000..f8e6864f
--- /dev/null
+++ b/nixops/avscan-module.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ avscan = pkgs.writeScript "avscan" ''
+ #!${pkgs.bash}/bin/bash
+
+ for user in $(cut -d":" -f1 /etc/passwd); do
+ if [ -d "/home/$user" ]; then
+ nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
+ fi
+ done
+ '';
+ cfg = config.services.avscan;
+in
+{
+ options.services.avscan = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable antivirus scan";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.clamav.updater.enable = true;
+ services.clamav.updater.interval = "daily";
+ services.clamav.updater.frequency = 1;
+
+ systemd.services.avscan = {
+ description = "Antivirus scan";
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ Group = "root";
+ ExecStart = "${avscan}";
+ };
+ };
+
+ systemd.timers.avscan = {
+ description = "Antivirus scan";
+ wantedBy = [ "timers.target" ];
+ timerConfig.OnCalendar = "Mon 13:00";
+ };
+ };
+}
diff --git a/nixops/desktop.nix b/nixops/desktop.nix
index 1e995f10..6acc7835 100644
--- a/nixops/desktop.nix
+++ b/nixops/desktop.nix
@@ -13,6 +13,7 @@ in
 imports = [
 (./. + "/${host}-hardware-configuration.nix")
+ ./avscan-module.nix
 ];
 
 nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
 libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
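Review bot: avscan.service's result reflects only the last home directory scanned, because the script's exit status is that of the final `clamscan` run by the `for` loop; an infected file found in an earlier user's home leaves the unit successful and is visible only as a journal line, while the same finding in the last home fails the unit. Keeping the worst return code across users (clamscan reports 1 for infected files and 2 for errors) and finishing with `exit $rc` makes a failed unit a consistent signal to alert on, as sketched below. The timer sets no `Persistent`, so a desktop that is powered off at `Mon 13:00` skips that week's scan entirely; `timerConfig.Persistent = true;` runs the missed scan at the next boot instead. Quoting `"$user"` and `"/home/$user"` also keeps the sudo and clamscan arguments intact for any unusual entry in /etc/passwd.

```nix
  avscan = pkgs.writeScript "avscan" ''
    #!${pkgs.bash}/bin/bash

    rc=0
    for user in $(cut -d":" -f1 /etc/passwd); do
      if [ -d "/home/$user" ]; then
        nice -15 ${pkgs.sudo}/bin/sudo -u "$user" ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected "/home/$user"
        status=$?
        # clamscan: 0 clean, 1 infected file(s) reported, 2 error; keep the worst result for the unit status
        [ "$status" -gt "$rc" ] && rc=$status
      fi
    done
    exit $rc
  '';
  # … unchanged: cfg binding, options, config …
```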
@@ -81,6 +82,8 @@ in
 setuid = true;
 };
 
+ services.avscan.enable = true;
+
 services.openssh.enable = true;
 services.openssh.settings.PasswordAuthentication = false;
 services.openssh.extraConfig =