

setup clamav antivirus + opnix credentials

+185 -1
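--- a/flake.lock
+++ b/flake.lock
@@ -57,6 +57,24 @@
 "type": "github"
 }
 },
+"flake-utils": {
+"inputs": {
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1731533236,
+"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -184,6 +202,27 @@
 "type": "github"
 }
 },
+"opnix": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1761503988,
+"narHash": "sha256-MlMZXCTtPeXq/cDtJcL2XM8wCN33XOT9V2dB3PLV6f0=",
+"owner": "brizzbuzz",
+"repo": "opnix",
+"rev": "48fdb078b5a1cd0b20b501fccf6be2d1279d6fe6",
+"type": "github"
+},
+"original": {
+"owner": "brizzbuzz",
+"repo": "opnix",
+"type": "github"
+}
+},
 "root": {
 "inputs": {
 "betterfox": "betterfox",
@@ -194,7 +233,23 @@
 "nixpkgs-graalvm-ce-21": "nixpkgs-graalvm-ce-21",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "nur": "nur",
+"opnix": "opnix",
 "zen-browser": "zen-browser"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
 }
 },
 "zen-browser": {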
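--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+opnix = {
+url = "github:brizzbuzz/opnix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+
 zen-browser = {
 url = "github:0xc000022070/zen-browser-flake";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -39,6 +44,7 @@
 home-manager,
 disko,
 nur,
+opnix,
 ...
 }@inputs:
 let
@@ -127,7 +133,11 @@
 inherit fonts;
 };
 
-modules = [ ./nixos/modules ] ++ modules;
+modules = [
+./nixos/modules
+opnix.nixosModules.default
+]
+++ modules;
 };
 
 mkHomeManagerConfiguration =
@@ -144,6 +154,7 @@
 modules = [
 ./home-manager/common.nix
 ./home-manager/modules
+opnix.homeManagerModules.default
 ]
 ++ modules;
 };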
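Review bot: The new `opnix` input at line 25 is fetched from `github:brizzbuzz/opnix` with no ref, so it floats on that repository's default branch and every `nix flake update` pulls whatever is there — and this module ends up in the system closure with access to the 1Password service token, which makes it the most sensitive third-party code in this flake. Pin it to a release tag or rev, `url = "github:brizzbuzz/opnix/<tag>";`, and diff the module source when bumping; the lock file fixes a commit today but says nothing about where the next update lands. It also pulls in `flake-utils` and `systems` as transitive inputs, which is harmless but should be on the supply-chain review list. `opnix.homeManagerModules.default` (line 157) is wired in even though this commit only declares NixOS-level secrets; if nothing in home-manager consumes it, leaving it out keeps the surface smaller — I can't tell from here whether a later commit relies on it.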
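--- a/nixos/clever-cloud/default.nix
+++ b/nixos/clever-cloud/default.nix
@@ -31,6 +31,7 @@
 };
 
 services = {
+clamav.enable = true;
 # power management
 thermald.enable = true;
 tlp.enable = true;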
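--- a/nixos/desktop/default.nix
+++ b/nixos/desktop/default.nix
@@ -36,6 +36,7 @@
 };
 
 services = {
+clamav.enable = true;
 printing.enable = true;
 mptcpd.enable = true;
 };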
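--- a/nixos/laptop/default.nix
+++ b/nixos/laptop/default.nix
@@ -31,6 +31,7 @@
 };
 
 services = {
+clamav.enable = true;
 fprintd.enable = true;
 
 # power management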
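--- a/nixos/modules/_1password.nix
+++ b/nixos/modules/_1password.nix
@@ -23,5 +23,24 @@
 mode = "0755";
 };
 };
+
+services.onepassword-secrets = {
+enable = true;
+# 0640 root:onepassword-secrets
+tokenFile = "/etc/opnix-token";
+
+secrets = {
+clamavNotificationApiCredential = {
+reference = "op://OpNix/ClamAV notification API/credential";
+owner = "clamav";
+group = "clamav";
+};
+clamavNotificationApiUrl = {
+reference = "op://OpNix/ClamAV notification API/url";
+owner = "clamav";
+group = "clamav";
+};
+};
+};
 };
 }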
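Review bot: `/etc/opnix-token` (line 30) is a long-lived 1Password service-account credential, and the comment `# 0640 root:onepassword-secrets` only records the expected ownership — nothing in this hunk provisions the file or checks its mode, so a token dropped there with the wrong permissions is readable by every local user without any evaluation-time warning. I'd make the comment say what the reader actually needs: `# Provisioned out-of-band; must be 0640 root:onepassword-secrets. Use a dedicated service account with read-only access to the OpNix vault only, so a leak cannot reach other vaults.` The two secrets set `owner`/`group` to `clamav` but no `mode`; unless opnix's default is already owner-only, `mode = "0400";` on each keeps the credential readable by the clamd VirusEvent script and nobody else — confirm against the module's option docs. The enclosing attribute set starts before line 23, outside this hunk.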
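--- /dev/null
+++ b/nixos/modules/clamav.nix
@@ -0,0 +1,96 @@
+{
+config,
+pkgs,
+lib,
+user,
+...
+}:
+
+let
+cfg = config.services.clamav;
+
+clamavNotificationApiCredentialFile =
+config.services.onepassword-secrets.secretPaths."clamavNotificationApiCredential";
+clamavNotificationApiUrlFile =
+config.services.onepassword-secrets.secretPaths."clamavNotificationApiUrl";
+
+clamavNotify = pkgs.writeShellScript "clamav-notify-cc.sh" ''
+function check_variables () {
+if [[ -z "''${CLAM_VIRUSEVENT_FILENAME}" || -z "''${CLAM_VIRUSEVENT_VIRUSNAME}" ]]; then
+echo "Unexpected input"
+exit 1
+fi
+}
+
+function do_notify () {
+local virus_name="''${CLAM_VIRUSEVENT_VIRUSNAME}"
+local filename="''${CLAM_VIRUSEVENT_FILENAME}"
+local user="$(${pkgs.coreutils}/bin/whoami)"
+local fqdn="$(${pkgs.hostname}/bin/hostname -f)"
+echo "Virus detection notification sent at: $(${pkgs.coreutils}/bin/date)"
+${pkgs.curl}/bin/curl "$(${pkgs.coreutils}/bin/cat ${clamavNotificationApiUrlFile})" \
+--user "$(${pkgs.coreutils}/bin/cat ${clamavNotificationApiCredentialFile})" \
+--json "{\"virus\":\"''${virus_name}\",\"file\":\"''$(unknown)\",\"user\":\"''${user}\",\"host\":\"''${fqdn}\"}"
+}
+
+function main () {
+check_variables
+do_notify
+}
+
+main
+'';
+in
+{
+options.services.clamav = {
+enable = lib.mkEnableOption "clamav";
+};
+
+config = lib.mkIf cfg.enable {
+services.clamav = {
+daemon = {
+enable = true;
+settings = {
+OnAccessExcludeUname = "clamav";
+OnAccessIncludePath = "${user.homeDirectory}/Downloads";
+VirusEvent = "${clamavNotify}";
+};
+};
+updater.enable = true;
+};
+
+systemd.services.clamav-freshclam.wants = [ "network-online.target" ];
+
+systemd.services.clamav-daemon = {
+serviceConfig = pkgs.lib.mkForce {
+ExecStart = "${cfg.package}/bin/clamd";
+ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
+User = "clamav";
+Group = "clamav";
+StateDirectory = "clamav";
+RuntimeDirectory = "clamav";
+PrivateNetwork = "no";
+};
+};
+
+systemd.services.clamav-clamonacc = {
+unitConfig = {
+Description = "ClamAV daemon for on-access scanning";
+Wants = "network-online.target";
+After = "network-online.target syslog.target";
+Requires = "clamav-daemon.service";
+};
+serviceConfig = {
+Type = "simple";
+ExecStartPre = [
+"${pkgs.bash}/bin/bash -c 'while [ ! -S /run/clamav/clamd.ctl ]; do ${pkgs.coreutils}/bin/sleep 1; done'"
+"${pkgs.coreutils}/bin/mkdir -p /var/lib/clamav/quarantine"
+];
+ExecStart = "${cfg.package}/bin/clamonacc --foreground --stream --move=/var/lib/clamav/quarantine";
+Restart = "on-failure";
+};
+wantedBy = [ "multi-user.target" ];
+};
+
+};
+}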
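Review bot: The JSON body at line 33 is assembled by interpolating `CLAM_VIRUSEVENT_VIRUSNAME` straight into a string, and its `file` field is `$(unknown)` — as rendered here that is a command substitution of a command that does not exist, so the filename is never sent (`filename` from line 27 is unused) and the script logs a "command not found" on every detection; since anyone who can place a file in `~/Downloads` picks its name, a `"` or `\` in it would also corrupt or inject into the payload, so build the body with `jq --arg` instead of string concatenation. The credential is passed via `--user` on argv (line 32), which every local user can read through `/proc/<pid>/cmdline`; feed it and the URL to curl through `--config -` on stdin (curl config values are double-quoted, so a `"` or `\` inside the stored credential must be backslash-escaped — confirm the value's format in the vault). Separately, the quarantine directory at line 87 is created by root with `mkdir -p`, i.e. 0755 under the default umask, leaving quarantined malware world-readable; `"${pkgs.coreutils}/bin/install -d -m 0700 /var/lib/clamav/quarantine"` is the one-line fix. `PrivateNetwork = "no"` at line 72 is what lets the VirusEvent curl out, but because the whole `serviceConfig` is `mkForce`d, any hardening upstream adds to the clamd unit later is silently dropped — a comment above line 65 saying so would save the next reader a surprise.
```nix
function do_notify () {
  local virus_name="''${CLAM_VIRUSEVENT_VIRUSNAME}"
  local filename="''${CLAM_VIRUSEVENT_FILENAME}"
  local user="$(${pkgs.coreutils}/bin/whoami)"
  local fqdn="$(${pkgs.hostname}/bin/hostname -f)"
  # jq escapes the untrusted filename/virus name; never interpolate them into JSON by hand.
  local body
  body="$(${pkgs.jq}/bin/jq -cn \
    --arg virus "''${virus_name}" --arg file "''${filename}" \
    --arg user "''${user}" --arg host "''${fqdn}" \
    '{virus: $virus, file: $file, user: $user, host: $host}')"
  echo "Virus detection notification sent at: $(${pkgs.coreutils}/bin/date)"
  # URL and credential go in via a curl config on stdin, not argv (argv is world-readable in /proc).
  ${pkgs.curl}/bin/curl --config - --json "''${body}" <<EOF
url = "$(${pkgs.coreutils}/bin/cat ${clamavNotificationApiUrlFile})"
user = "$(${pkgs.coreutils}/bin/cat ${clamavNotificationApiCredentialFile})"
EOF
}
# … unchanged: check_variables, main, module options and systemd units …
```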