Added periodic clamAV scan. Added mail alert on virus detection.

2026-03-01 13:18:35 +01:00
parent bbe269bfcd
commit 3bfaf5fa6f
3 changed files with 118 additions and 1 deletions
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.numbus.services.clamav;
+  clamav_notifier = pkgs.writeScript "clamav-notify.sh" ''
+    #!${pkgs.bash}/bin/bash
+
+    # Check if triggered by Real-time event (file exists)
+    if [ -f /var/lib/clamav/virus_event.env ]; then
+      source /var/lib/clamav/virus_event.env
+      rm /var/lib/clamav/virus_event.env
+    fi
+
+    ADMIN_EMAIL="${config.numbus.mail.adminAddress}"
+    USER_EMAIL="${config.numbus.mail.userAddress}"
+    OWNER_NAME="${config.numbus.owner}"
+
+    if [ -n "$CLAM_VIRUSEVENT_VIRUSNAME" ]; then
+      # --- Real-time / VirusEvent Mode ---
+      SUBJECT="Numbus Server Alert: Virus Detected (Real-time)"
+      
+      TECH_BODY="
+      ClamAV Real-time Alert:
+      Server owner: $OWNER_NAME
+      
+      Virus detected: $CLAM_VIRUSEVENT_VIRUSNAME
+      File: $CLAM_VIRUSEVENT_FILENAME
+      
+      Action taken: Access blocked (OnAccessPrevention).
+      Please investigate manually.
+      "
+      
+      FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+      L'antivirus de votre serveur a détecté et bloqué une menace en temps réel.
+      Fichier : $CLAM_VIRUSEVENT_FILENAME
+      
+      Votre administrateur a été notifié.
+      "
+    else
+      # --- Scheduled Scan Summary Mode ---
+      SUBJECT="Numbus Server Alert: Virus Detected during Scheduled Scan"
+      
+      # Retrieve logs (clamdscan prints FOUND when a virus is detected)
+      LOGS=$(journalctl -u clamav-periodic-scan.service -n 100 --no-pager | grep "FOUND")
+      
+      TECH_BODY="
+      ClamAV Scan Alert:
+      Server owner: $OWNER_NAME
+
+      Viruses detected:
+      $LOGS
+
+      Action taken: Detection only.
+      Please investigate manually.
+      "
+      
+      FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+      L'antivirus de votre serveur a détecté une menace potentielle lors de l'analyse périodique.
+      Votre administrateur a été notifié avec les détails techniques.
+      Nous vous conseillons d'être prudent avec vos fichiers récents.
+      "
+    fi
+
+    printf "Subject: [ADMIN] $SUBJECT\n\n$TECH_BODY" | /run/wrappers/bin/sendmail -t "$ADMIN_EMAIL"
+    printf "Subject: [Alerte] Menace détectée sur votre serveur Numbus\n\n$FRIENDLY_BODY\n\nMerci de votre confiance,\nL'équipe de support,\nNumbus-Server." | /run/wrappers/bin/sendmail -t "$USER_EMAIL"
+  '';
+in
+
+{ 
+  config = mkIf cfg.enable {
+    systemd.services.clamav-virus-notify = {
+      description = "Email notification for ClamAV virus detection";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${clamav_notifier}";
+      };
+    };
+  };
+}
@@ -17,6 +17,14 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.clamav pkgs.curl ];

+    security.sudo.extraRules = [{
+      users = [ "clamav" ];
+      commands = [{
+        command = "/run/current-system/sw/bin/systemctl start clamav-virus-notify.service";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+
    services.clamav = {
      updater.enable = true;
      clamonacc.enable = true;
@@ -38,8 +46,34 @@ in
        settings = {
          OnAccessPrevention = true;
          OnAccessIncludePath = onAccessPaths;
+          VirusEvent = "echo 'CLAM_VIRUSEVENT_VIRUSNAME=\"%v\"\nCLAM_VIRUSEVENT_FILENAME=\"%f\"' > /var/lib/clamav/virus_event.env && /run/wrappers/bin/sudo /run/current-system/sw/bin/systemctl start clamav-virus-notify.service";
        };
      };
    };
+
+    systemd.services.clamav-periodic-scan = mkIf (onAccessPaths != []) {
+      description = "ClamAV periodic scan of service data directories";
+      after = [ "clamav-daemon.service" ];
+      requires = [ "clamav-daemon.service" ];
+      onFailure = [ "clamav-virus-notify.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.clamav}/bin/clamdscan --fdpass --multiscan ${lib.escapeShellArgs onAccessPaths}";
+        User = "clamav";
+        Group = "clamav";
+        SupplementaryGroups = [ "users" ];
+        TimeoutStartSec = "infinity";
+      };
+    };
+
+    systemd.timers.clamav-periodic-scan = mkIf (onAccessPaths != []) {
+      description = "Timer for ClamAV periodic scan";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-1/2-01 04:00:00";
+        Persistent = true;
+        Unit = "clamav-periodic-scan.service";
+      };
+    };
  };
 }
@@ -241,7 +241,7 @@ helper.mkPodmanService {
        sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ maintenance:repair --include-expensive

        INSTALL_APPS_LIST=( "calendar" "contacts" "mail" "notes" "onlyoffice" "cookbook" "whiteboard" )
-        REMOVE_APPS_LIST=( "activity" "app_api" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" )
+        REMOVE_APPS_LIST=( "activity" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" )
        CURRENT_APPS_SIGNATURE="$(echo "''${INSTALL_APPS_LIST[@]}" "''${REMOVE_APPS_LIST[@]}")"
        APPS_SIGNATURE_FILE="/var/lib/numbus-server/${name}/installed_apps.signature"