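{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.numbus.services.clamav;

  # Data directories of every enabled numbus service that declares a
  # non-null, non-false `dataDir`.  They become the on-access watch list and
  # the target set of the periodic scan below.
  onAccessPaths = lib.mapAttrsToList (_: v: v.dataDir) (lib.filterAttrs
    (_: v: v ? enable && v.enable && v ? dataDir && v.dataDir != null && v.dataDir != false)
    config.numbus.services);

  # Run by clamd on each detection (VirusEvent).  It records the event in an
  # env-style file consumed by clamav-virus-notify.service and starts that unit.
  #
  # CLAM_VIRUSEVENT_FILENAME is the path of the offending file, i.e. a value
  # chosen by whoever created that file, so it is untrusted input.  Backslash
  # and double quote are escaped so the value stays one quoted assignment
  # whether the file is sourced by bash or read as a systemd EnvironmentFile
  # (both honour backslash escapes inside double quotes).  The file is built
  # under a per-process name and renamed into place so two concurrent events
  # cannot leave a half-written or interleaved file behind.
  # NOTE(review): an embedded newline is written verbatim; confirm the consumer's
  # parser accepts a quoted multi-line value (systemd's EnvironmentFile may not).
  clamonacc_virus_notifier = pkgs.writeScript "clamonacc_virus_notifier.sh" ''
    #!${pkgs.bash}/bin/bash
    set -euo pipefail

    # Escape the two characters that would terminate or corrupt a
    # double-quoted assignment.
    esc() {
      local v=$1
      v=''${v//\\/\\\\}
      v=''${v//\"/\\\"}
      printf '%s' "$v"
    }

    env_file=/var/lib/clamav/virus_event.env
    tmp="$env_file.$$"
    {
      printf 'CLAM_VIRUSEVENT_VIRUSNAME="%s"\n' "$(esc "''${CLAM_VIRUSEVENT_VIRUSNAME-}")"
      printf 'CLAM_VIRUSEVENT_FILENAME="%s"\n' "$(esc "''${CLAM_VIRUSEVENT_FILENAME-}")"
    } > "$tmp"
    # Same filesystem, so the rename is atomic: readers see the old or the new file.
    ${pkgs.coreutils}/bin/mv -f "$tmp" "$env_file"

    /run/wrappers/bin/sudo /run/current-system/sw/bin/systemctl start clamav-virus-notify.service
  '';
in
{
  options.numbus.services.clamav = {
    enable = mkEnableOption "ClamAV open-source anti-virus software";
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.clamav pkgs.curl ];

    # Destination of `clamdscan --move`.  Mode 440 on a directory carries no
    # traverse bit, so only root (the periodic-scan unit sets no User= and
    # therefore runs as root) can enter it and move files in; the clamav owner
    # can list names but not open anything inside.
    # NOTE(review): moved files keep their original owner and mode, so the
    # missing traverse bit is the only thing keeping them unreadable — confirm
    # this is the intended containment model.
    system.activationScripts.clamav-quarantine = ''
      mkdir -p /quarantine
      chown clamav:clamav /quarantine
      chmod 440 /quarantine
    '';

    # The notifier script runs as the clamd user and only ever needs to start
    # one unit, so the rule is pinned to that exact command line.
    security.sudo.extraRules = [{
      users = [ "clamav" ];
      commands = [{
        command = "/run/current-system/sw/bin/systemctl start clamav-virus-notify.service";
        options = [ "NOPASSWD" ];
      }];
    }];

    services.clamav = {
      updater.enable = true;
      clamonacc.enable = true;
      scanner = {
        enable = true;
        interval = "*-*-* 04:00:00"; # Everyday at 4am
        scanDirectories = [ "/etc" "/home" "/var/lib" "/var/tmp" "/tmp" ];
      };
      daemon = {
        enable = true;
        settings = {
          # Block access to a file until it has been scanned.
          OnAccessPrevention = true;
          OnAccessIncludePath = onAccessPaths;
          VirusEvent = "${clamonacc_virus_notifier}";
        };
      };
    };

    # Only defined when at least one service contributes a data directory;
    # otherwise clamdscan would be started with an empty path list.
    systemd.services.clamav-periodic-scan = mkIf (onAccessPaths != []) {
      description = "Periodic ClamAV virus scan";
      after = [ "clamav-daemon.service" "clamav-freshclam.service" ];
      requires = [ "clamav-daemon.service" ];
      wants = [ "clamav-freshclam.service" ];
      # A scan that fails (including a non-zero exit on infected files) is
      # surfaced through the same notification unit as on-access hits.
      onFailure = [ "clamav-virus-notify.service" ];
      serviceConfig = {
        Type = "oneshot";
        # --fdpass lets the root-run client hand open descriptors to clamd;
        # paths are shell-escaped since they originate from per-service config.
        ExecStart = "${pkgs.clamav}/bin/clamdscan --multiscan --fdpass --infected --allmatch --move=/quarantine ${lib.escapeShellArgs onAccessPaths}";
        Slice = "system-clamav.slice";
      };
    };

    # First day of every third month at 4am; on those days it coincides with
    # the daily scanner run configured above.
    systemd.timers.clamav-periodic-scan = mkIf (onAccessPaths != []) {
      description = "Timer for ClamAV periodic scan";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*-1/3-01 04:00:00";
        Persistent = true;
        Unit = "clamav-periodic-scan.service";
      };
    };
  };
}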