From f7966d3fee4ba5b8678abe0e3788277a363c6747 Mon Sep 17 00:00:00 2001
From: niten
Date: Sun, 30 Jul 2023 10:55:00 -0700
Subject: [PATCH] Make clamav use a proper user & state dir
---
 lib/fudo/mail/clamav.nix | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/lib/fudo/mail/clamav.nix b/lib/fudo/mail/clamav.nix
index 455548c..a954ade 100644
--- a/lib/fudo/mail/clamav.nix
+++ b/lib/fudo/mail/clamav.nix
@@ -4,22 +4,49 @@ with lib;
 let cfg = config.fudo.mail-server;
 in {
- options.fudo.mail-server.clamav = {
+ options.fudo.mail-server.clamav = with types; {
 enable = mkOption {
 description = "Enable virus scanning with ClamAV.";
- type = types.bool;
+ type = bool;
 default = true;
 };
+
+ state-directory = mkOption {
+ type = str;
+ description = "Path at which to store the ClamAV database.";
+ default = "/var/lib/clamav";
+ };
 };
 config = mkIf (cfg.enable && cfg.clamav.enable) {
+ users = {
+ users.clamav = {
+ isSystemUser = true;
+ group = "clamav";
+ };
+ groups.clamav = { members = [ "clamav" ]; };
+ };
+
+ systemd.tmpfiles.rules =
+ [ "d ${cfg.clamav.state-directory} 0750 clamav clamav - -" ];
+
 services.clamav = {
 daemon = {
 enable = true;
- settings = { PhishingScanURLs = "no"; };
+ settings = {
+ PhishingScanURLs = "no";
+ DatabaseDirectory = cfg.clamav.state-directory;
+ User = "clamav";
+ };
+ };
+ updater = {
+ enable = true;
+ settings = {
+ User = "clamav";
+ DatabaseDirectory = cfg.clamav.state-directory;
+ };
 };
- updater.enable = true;
 };
 };
 }
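Review bot: The new `state-directory` option is typed `str` and interpolated unquoted into the tmpfiles rule `d ${cfg.clamav.state-directory} 0750 clamav clamav - -`, so a relative path or one containing whitespace would yield a malformed or misplaced rule; since `with types;` is already in scope, `type = path;` would at least reject non-absolute values at evaluation time. The `d` rule also sets owner and mode only on the directory itself, not on files already inside it. On a host where signature files were previously written under a different owner, the updater configured here with `User = "clamav"` may be unable to replace them, and the daemon would then keep scanning mail against stale definitions without an obvious failure. I would extend the option's description to say that existing contents must be re-owned to `clamav:clamav` when the path or user changes, and add a short comment above `systemd.tmpfiles.rules` explaining why 0750 is sufficient (presumably the mail filter reaches clamd over its socket rather than reading the database directory; worth confirming).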