diff --git a/modules/mail/clamav.nix b/modules/mail/clamav.nix
new file mode 100644
index 0000000..548d1d8
--- /dev/null
+++ b/modules/mail/clamav.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.numbus.services.clamav;
+ clamav_notifier = pkgs.writeScript "clamav-notify.sh" ''
+ #!${pkgs.bash}/bin/bash
+
+ # Check if triggered by Real-time event (file exists)
+ if [ -f /var/lib/clamav/virus_event.env ]; then
+ source /var/lib/clamav/virus_event.env
+ rm /var/lib/clamav/virus_event.env
+ fi
+
+ ADMIN_EMAIL="${config.numbus.mail.adminAddress}"
+ USER_EMAIL="${config.numbus.mail.userAddress}"
+ OWNER_NAME="${config.numbus.owner}"
+
+ if [ -n "$CLAM_VIRUSEVENT_VIRUSNAME" ]; then
+ # --- Real-time / VirusEvent Mode ---
+ SUBJECT="Numbus Server Alert: Virus Detected (Real-time)"
+
+ TECH_BODY="
+ ClamAV Real-time Alert:
+ Server owner: $OWNER_NAME
+
+ Virus detected: $CLAM_VIRUSEVENT_VIRUSNAME
+ File: $CLAM_VIRUSEVENT_FILENAME
+
+ Action taken: Access blocked (OnAccessPrevention).
+ Please investigate manually.
+ "
+
+ FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+ L'antivirus de votre serveur a détecté et bloqué une menace en temps réel.
+ Fichier : $CLAM_VIRUSEVENT_FILENAME
+
+ Votre administrateur a été notifié.
+ "
+ else
+ # --- Scheduled Scan Summary Mode ---
+ SUBJECT="Numbus Server Alert: Virus Detected during Scheduled Scan"
+
+ # Retrieve logs (clamdscan prints FOUND when a virus is detected)
+ LOGS=$(journalctl -u clamav-periodic-scan.service -n 100 --no-pager | grep "FOUND")
+
+ TECH_BODY="
+ ClamAV Scan Alert:
+ Server owner: $OWNER_NAME
+
+ Viruses detected:
+ $LOGS
+
+ Action taken: Detection only.
+ Please investigate manually.
+ "
+
+ FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+ L'antivirus de votre serveur a détecté une menace potentielle lors de l'analyse périodique.
+ Votre administrateur a été notifié avec les détails techniques.
+ Nous vous conseillons d'être prudent avec vos fichiers récents.
+ "
+ fi
+
+ printf "Subject: [ADMIN] $SUBJECT\n\n$TECH_BODY" | /run/wrappers/bin/sendmail -t "$ADMIN_EMAIL"
+ printf "Subject: [Alerte] Menace détectée sur votre serveur Numbus\n\n$FRIENDLY_BODY\n\nMerci de votre confiance,\nL'équipe de support,\nNumbus-Server." | /run/wrappers/bin/sendmail -t "$USER_EMAIL"
+ '';
+in
+
+{
+ config = mkIf cfg.enable {
+ systemd.services.clamav-virus-notify = {
+ description = "Email notification for ClamAV virus detection";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${clamav_notifier}";
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/services/clamav.nix b/modules/services/clamav.nix
index b98778a..457afbc 100644
--- a/modules/services/clamav.nix
+++ b/modules/services/clamav.nix
@@ -17,6 +17,14 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.clamav pkgs.curl ]; + security.sudo.extraRules = [{ + users = [ "clamav" ]; + commands = [{ + command = "/run/current-system/sw/bin/systemctl start clamav-virus-notify.service"; + options = [ "NOPASSWD" ]; + }]; + }]; + services.clamav = { updater.enable = true; clamonacc.enable = true;
@@ -38,8 +46,34 @@ in settings = { OnAccessPrevention = true; OnAccessIncludePath = onAccessPaths; + VirusEvent = "echo 'CLAM_VIRUSEVENT_VIRUSNAME=\"%v\"\nCLAM_VIRUSEVENT_FILENAME=\"%f\"' > /var/lib/clamav/virus_event.env && /run/wrappers/bin/sudo /run/current-system/sw/bin/systemctl start clamav-virus-notify.service"; }; }; }; + + systemd.services.clamav-periodic-scan = mkIf (onAccessPaths != []) { + description = "ClamAV periodic scan of service data directories"; + after = [ "clamav-daemon.service" ]; + requires = [ "clamav-daemon.service" ]; + onFailure = [ "clamav-virus-notify.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.clamav}/bin/clamdscan --fdpass --multiscan ${lib.escapeShellArgs onAccessPaths}"; + User = "clamav"; + Group = "clamav"; + SupplementaryGroups = [ "users" ]; + TimeoutStartSec = "infinity"; + }; + }; + + systemd.timers.clamav-periodic-scan = mkIf (onAccessPaths != []) { + description = "Timer for ClamAV periodic scan"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "*-1/2-01 04:00:00"; + Persistent = true; + Unit = "clamav-periodic-scan.service"; + }; + }; }; }
\ No newline at end of file
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index 0edec8b..5384a42 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
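Review bot: The `VirusEvent` value substitutes `%f` and `%v` textually into a shell string that clamd, as far as I can tell from ClamAV's implementation, hands to `sh -c`, and `%f` sits inside a single-quoted `echo` argument, so a detected file whose name contains `'` breaks out of the quoting and runs arbitrary commands as clamav, while a `"` in the name corrupts the generated assignment that a root unit later sources. Use the variables clamd exports to the VirusEvent process instead of substitution and avoid writing a shell file at all, e.g. `VirusEvent = "${pkgs.bash}/bin/bash ${notifyScript}";` with the script reading `$CLAM_VIRUSEVENT_FILENAME` and `$CLAM_VIRUSEVENT_VIRUSNAME` directly. Even as written, `echo '…\n…'` only produces two lines if `/bin/sh`'s echo interprets `\n` — bash in sh mode does not by default, and NixOS points `/bin/sh` at bash — so on this system the file is most likely a single line and `CLAM_VIRUSEVENT_FILENAME` ends up empty; `printf '%s\n' …` is the portable form if the file is kept. In `clamav-periodic-scan`, `onFailure` fires on any non-zero exit while clamdscan exits 1 for a detection but 2 for an error (daemon unreachable, unreadable path), so a failed scan is reported as "Virus Detected" with an empty log; have an `ExecStart` wrapper map exit 2 to a distinct scan-error notification, and annotate the timer with `# every second month, on the 1st at 04:00` since `*-1/2-01` is easy to misread as twice a month.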
@@ -241,7 +241,7 @@ helper.mkPodmanService { sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ maintenance:repair --include-expensive INSTALL_APPS_LIST=( "calendar" "contacts" "mail" "notes" "onlyoffice" "cookbook" "whiteboard" ) - REMOVE_APPS_LIST=( "activity" "app_api" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" ) + REMOVE_APPS_LIST=( "activity" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" ) CURRENT_APPS_SIGNATURE="$(echo "''${INSTALL_APPS_LIST[@]}" "''${REMOVE_APPS_LIST[@]}")" APPS_SIGNATURE_FILE="/var/lib/numbus-server/${name}/installed_apps.signature"