Make clamav use a proper user & state dir

2023-07-30 10:55:00 -07:00 · 2023-07-30 10:55:00 -07:00 · f7966d3fee
commit f7966d3fee
parent cb039ceabd
1 changed files with 31 additions and 4 deletions
--- a/lib/fudo/mail/clamav.nix
+++ b/lib/fudo/mail/clamav.nix
@ -4,22 +4,49 @@ with lib;
 let cfg = config.fudo.mail-server;

 in {
-  options.fudo.mail-server.clamav = {
+  options.fudo.mail-server.clamav = with types; {
    enable = mkOption {
      description = "Enable virus scanning with ClamAV.";
-      type = types.bool;
+      type = bool;
      default = true;
    };
+
+    state-directory = mkOption {
+      type = str;
+      description = "Path at which to store the ClamAV database.";
+      default = "/var/lib/clamav";
+    };
  };

  config = mkIf (cfg.enable && cfg.clamav.enable) {

+    users = {
+      users.clamav = {
+        isSystemUser = true;
+        group = "clamav";
+      };
+      groups.clamav = { members = [ "clamav" ]; };
+    };
+
+    systemd.tmpfiles.rules =
+      [ "d ${cfg.clamav.state-directory} 0750 clamav clamav - -" ];
+
    services.clamav = {
      daemon = {
        enable = true;
-        settings = { PhishingScanURLs = "no"; };
+        settings = {
+          PhishingScanURLs = "no";
+          DatabaseDirectory = cfg.clamav.state-directory;
+          User = "clamav";
+        };
+      };
+      updater = {
+        enable = true;
+        settings = {
+          User = "clamav";
+          DatabaseDirectory = cfg.clamav.state-directory;
+        };
      };
-      updater.enable = true;
    };
  };
 }