add clamav scan

nixops/avscan-module.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  avscan = pkgs.writeScript "avscan" ''
+    #!${pkgs.bash}/bin/bash
+
+    for user in $(cut -d":" -f1 /etc/passwd); do
+      if [ -d "/home/$user" ]; then
+          nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
+      fi
+    done
+  '';
+  cfg = config.services.avscan;
+in
+{
+  options.services.avscan = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable antivirus scan";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.clamav.updater.enable = true;
+    services.clamav.updater.interval = "daily";
+    services.clamav.updater.frequency = 1;
+
+    systemd.services.avscan = {
+      description = "Antivirus scan";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        ExecStart = "${avscan}";
+      };
+    };
+
+    systemd.timers.avscan = {
+      description = "Antivirus scan";
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "Mon 13:00";
+    };
+  };
+}

nixops/desktop.nix

@@ -13,6 +13,7 @@ in
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
+      ./avscan-module.nix
     ];
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
@@ -81,6 +82,8 @@ in
     setuid = true;
   };
 
+  services.avscan.enable = true;
+
   services.openssh.enable = true;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.extraConfig =