forked from M-Labs/it-infra
add clamav scan
parent
c89551c610
commit
454130650f
|
@ -0,0 +1,45 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
avscan = pkgs.writeScript "avscan" ''
|
||||
#!${pkgs.bash}/bin/bash
|
||||
|
||||
for user in $(cut -d":" -f1 /etc/passwd); do
|
||||
if [ -d "/home/$user" ]; then
|
||||
nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
|
||||
fi
|
||||
done
|
||||
'';
|
||||
cfg = config.services.avscan;
|
||||
in
|
||||
{
|
||||
options.services.avscan = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable antivirus scan";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.clamav.updater.enable = true;
|
||||
services.clamav.updater.interval = "daily";
|
||||
services.clamav.updater.frequency = 1;
|
||||
|
||||
systemd.services.avscan = {
|
||||
description = "Antivirus scan";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
Group = "root";
|
||||
ExecStart = "${avscan}";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.avscan = {
|
||||
description = "Antivirus scan";
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "Mon 13:00";
|
||||
};
|
||||
};
|
||||
}
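Review bot: The loop in the `avscan` script discards every `clamscan` exit status, so the oneshot unit's result depends only on the last `/etc/passwd` entry. A detection (exit 1) or scanner error (exit 2) for any other user leaves the unit successful, and the finding shows up only as a journal line. Set `status=0` before the loop, append `|| status=$?` to the `clamscan` line, and end the script with `exit "$status"`, so that a failed unit can drive monitoring or an `OnFailure=` hook. On that same line the `sudo -u` and path arguments are unquoted; write `-u "$user"` and `"/home/$user"`. The timer also lacks `timerConfig.Persistent = true;`, so a host that is powered off on Monday at 13:00 skips that week's scan.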
|
|
@ -13,6 +13,7 @@ in
|
|||
imports =
|
||||
[
|
||||
(./. + "/${host}-hardware-configuration.nix")
|
||||
./avscan-module.nix
|
||||
];
|
||||
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
||||
libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
|
||||
|
@ -81,6 +82,8 @@ in
|
|||
setuid = true;
|
||||
};
|
||||
|
||||
services.avscan.enable = true;
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings.PasswordAuthentication = false;
|
||||
services.openssh.extraConfig =
|
||||
|
|