From 723b686c84d5fb7676cad3a066fb488c18484d65 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 25 May 2026 19:41:23 +0200
Subject: [PATCH] Add ClamAV virusfilter support for Samba configuration and installation
---
group_vars/all/main.yml | 6 +++
roles/common/tasks/samba-install.yml | 31 +++++++++++
roles/common/templates/etc/samba/smb.conf.j2 | 54 +++++++++++++++++---
3 files changed, 84 insertions(+), 7 deletions(-)
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 799b89a..47b2c12 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1747,6 +1747,12 @@ apt_install_client_samba:
   - samba-client
   - samba-common
+apt_install_server_samba_virusfilter:
+  - clamav
+  - clamav-daemon
+  - clamav-freshclam
+  - samba-vfs-modules
+
 # samba_workgroup
 #
diff --git a/roles/common/tasks/samba-install.yml b/roles/common/tasks/samba-install.yml
index 66e738a..cc08f4a 100644
--- a/roles/common/tasks/samba-install.yml
+++ b/roles/common/tasks/samba-install.yml
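Review bot: The new `apt_install_server_samba_virusfilter` list carries no comment saying when it is installed or why `samba-vfs-modules` belongs to it, while the neighbouring variables in this file appear to use a `# name` header comment (see the `# samba_workgroup` context line right below the addition). Add a header in that style, e.g. `# apt_install_server_samba_virusfilter — installed on samba_server hosts only when at least one share sets vfs_object_virusfilter: true; samba-vfs-modules is presumably the package that ships vfs_virusfilter on Debian/Ubuntu, confirm for the target release`. Without it the next reader has to open samba-install.yml to learn why a Samba server suddenly pulls in ClamAV.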
@@ -13,6 +13,37 @@
   tags:
     - samba-server
+
+# ---
+# Virusfilter (ClamAV) — only when at least one share has vfs_object_virusfilter: true
+# ---
+
+- name: (samba-install.yml) Ensure virusfilter (ClamAV) packages are installed
+  package:
+    pkg: '{{ apt_install_server_samba_virusfilter }}'
+    state: present
+  when:
+    - "groups['samba_server']|string is search(inventory_hostname)"
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-install.yml) Ensure quarantine directory exists
+  file:
+    path: /data/samba/QUARANTINE
+    owner: root
+    group: root
+    mode: '0750'
+    state: directory
+  when:
+    - "groups['samba_server']|string is search(inventory_hostname)"
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+
 - name: (samba-install.yml) Ensure samba share directories exists
   file:
     path: "{{ item.path }}"
diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2
index f5f7aa1..ae805f4 100644
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
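Review bot: The ClamAV packages get installed, but nothing in this hunk enables or starts `clamav-daemon` and `clamav-freshclam`, so on a freshly provisioned host the `/var/run/clamav/clamd.ctl` socket that smb.conf.j2 points at may not exist until someone starts the units by hand; unless a handler elsewhere in the role covers this, add a `service` task under the same `when` (freshclam first, since clamd typically refuses to start until a signature database has been fetched). The quarantine path `/data/samba/QUARANTINE` is hard-coded here and a second time in the template; define it once in group_vars (e.g. `samba_virusfilter_quarantine_dir`) and reference it from both places so the directory task and the `virusfilter:quarantine directory` option cannot drift, and be aware that it lives under `/data/samba`, so any share exporting that parent makes the quarantined files reachable over SMB. `mode: '0750'` with `owner: root` is only sufficient if smbd performs the quarantine rename with root privileges; if the module moves the file under the connecting user's credentials the rename fails with EACCES and what happens next is decided by the scanner's error-handling settings — confirm which it is and state it in a comment on the task. The host test `groups['samba_server']|string is search(inventory_hostname)` is a substring match on the stringified list (host `nas1` also matches `nas10`); it is presumably copied from the existing tasks, but new code should use `inventory_hostname in groups['samba_server']`.

```yaml
# … unchanged: package install and quarantine directory tasks …

- name: (samba-install.yml) Ensure ClamAV signature updater and daemon are enabled and running
  service:
    name: '{{ item }}'
    enabled: true
    state: started
  loop:
    - clamav-freshclam
    - clamav-daemon
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
  tags:
    - samba-server
    - samba-virusfilter
```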
@@ -412,10 +412,19 @@
   # wide links = yes
 {% endif %}
+{%- set vfs_objects_parts = [] %}
+{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined and item.recycle_path|length > 0 %}
+{%- set _ = vfs_objects_parts.append('recycle') %}
+{% endif %}
+{% if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
+{%- set _ = vfs_objects_parts.append('virusfilter') %}
+{% endif %}
+{% if vfs_objects_parts | length > 0 %}
+
+  vfs objects = {{ vfs_objects_parts | join(' ') }}
+{% endif %}
 {% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {% if item.recycle_path is defined and item.recycle_path|length > 0 %}
-
-  vfs objects = recycle
   recycle:keeptree = yes
   # touch access time from this file
   # note: this is not the modified time, which is
@@ -438,8 +447,8 @@
   recycle:excludedir = /tmp,/temp,/cache,.Trash
   recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
-  # - This is a list of files and directories that are neither visible nor accessible.
-  # - Each entry in the list must be separated by a '/', which allows spaces to be
+  # - This is a list of files and directories that are neither visible nor accessible.
+  # - Each entry in the list must be separated by a '/', which allows spaces to be
   # - included in the entry. '*' and '?' can be used to specify multiple files or
   # - directories as in DOS wildcards.
   # -
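Review bot: The recycle and virusfilter enable conditions are now evaluated twice in this share block — once while building `vfs_objects_parts`, and again a few lines lower in the `{% if item.vfs_object_recycle ... %}` / `{% if item.recycle_path ... %}` guards around the `recycle:*` options (the `virusfilter:*` block further down repeats its guard the same way) — so a future edit to one copy silently desynchronises the `vfs objects` line from the options the module needs. Compute each flag once at the top of the share, `{% set recycle_enabled = item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined and item.recycle_path|length > 0 %}` and `{% set virusfilter_enabled = item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}`, and use those names both for the list and for the option guards. Since Samba applies stacked modules in the order listed, a one-line comment above `vfs objects = ...` stating that `recycle` before `virusfilter` is deliberate would spare the next reader from working out whether the order matters. The enclosing `{% for %}` over the shares starts before this hunk, and the recycle option block opened here continues past it.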
@@ -449,11 +458,42 @@
   veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/
 {% endif %}
   delete veto files = yes
-{% else %}
-
 {% endif %}
-{% else %}
+{% endif %}
+{% if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
+  # --- Virusfilter-Einstellungen ---
+
+  # Scanner auswählen
+  virusfilter:scanner = clamav
+
+  # Socket-Pfad (Debian-Standard)
+  virusfilter:socket path = /var/run/clamav/clamd.ctl
+
+  # Verhalten bei Fund
+  virusfilter:infected file action = quarantine
+  virusfilter:quarantine directory = /data/samba/QUARANTINE
+
+  # Performance-Tuning: Ergebnis-Cache
+  #virusfilter:cache entry limit = 500
+  #virusfilter:cache time limit = 30
+
+  # Cache großzügig einstellen
+  virusfilter:cache entry limit = 1000
+  virusfilter:cache time limit = 60
+
+  # Dateigröße: Was wird gescannt?
+  #virusfilter:max file size = 52428800 # 50 MB max
+  virusfilter:max file size = 26214400 # 25 MB max
+  virusfilter:min file size = 10 # unter 10 Byte ignorieren
+
+  # Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
+  virusfilter:scan on open = yes
+  virusfilter:scan on close = no
+
+  # Timeouts (Millisekunden)
+  virusfilter:connect timeout = 30000
+  virusfilter:io timeout = 60000
 {% endif %}
 {% endfor %}
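Review bot: The new virusfilter block never sets `virusfilter:block access on error`, and vfs_virusfilter's default for it is to let the open through when the scanner cannot be reached or reports an error, so a stopped clamd, a connect that hits the 30 s timeout configured here, or a file clamd cannot read quietly turns the filter off; add `virusfilter:block access on error = yes` next to `virusfilter:infected file action = quarantine` if the intent is fail-closed, accepting that the shares become unreadable while clamd is down. As far as I recall the clamav backend hands clamd a path to scan rather than streaming the content, so on Debian the unprivileged `clamav` daemon user needs filesystem read access to every share file — with group-private share permissions every scan errors out and, with the default above, every open is allowed; confirm the permission model on the share directories and note the requirement in a comment. Files larger than `virusfilter:max file size = 26214400` bypass scanning entirely, which the comment should say outright (`# files above 25 MB are served unscanned`) instead of `25 MB max`. smb.conf has no inline comments, so `# 25 MB max` and `# unter 10 Byte ignorieren` become part of the parameter value; the number presumably still parses because the integer conversion stops at the first non-digit, but `testparm` will display the trailing text and the comments belong on their own lines, in English like the rest of this template.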