Add ClamAV virusfilter support for Samba configuration and installation

2026-05-25 19:41:23 +02:00
parent 7c35a51a9b
commit 723b686c84
3 changed files with 84 additions and 7 deletions
@@ -13,6 +13,37 @@
  tags:
    - samba-server

+
+# ---
+# Virusfilter (ClamAV) — only when at least one share has vfs_object_virusfilter: true
+# ---
+
+- name: (samba-install.yml) Ensure virusfilter (ClamAV) packages are installed
+  package:
+    pkg: '{{ apt_install_server_samba_virusfilter }}'
+    state: present
+  when:
+    - "groups['samba_server']|string is search(inventory_hostname)"
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-install.yml) Ensure quarantine directory exists
+  file:
+    path: /data/samba/QUARANTINE
+    owner: root
+    group: root
+    mode: '0750'
+    state: directory
+  when:
+    - "groups['samba_server']|string is search(inventory_hostname)"
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+
 - name: (samba-install.yml) Ensure samba share directories exists
  file:
    path: "{{ item.path }}"
@@ -412,10 +412,19 @@
   #
   wide links = yes
 {%    endif %}
+{%-  set vfs_objects_parts = [] %}
+{%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined and item.recycle_path|length > 0 %}
+{%-    set _ = vfs_objects_parts.append('recycle') %}
+{%   endif %}
+{%   if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
+{%-    set _ = vfs_objects_parts.append('virusfilter') %}
+{%   endif %}
+{%   if vfs_objects_parts | length > 0 %}
+
+   vfs objects = {{ vfs_objects_parts | join(' ') }}
+{%   endif %}
 {%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {%      if item.recycle_path is defined and item.recycle_path|length > 0  %}
-
-   vfs objects = recycle
   recycle:keeptree = yes
   # touch access time from this file
   # note: this is not the modified time, which is
@@ -438,8 +447,8 @@
   recycle:excludedir = /tmp,/temp,/cache,.Trash
   recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}

-   # - This is a list of files and directories that are neither visible nor accessible. 
-   # - Each entry in the list must be separated by a '/', which allows spaces to be 
+   # - This is a list of files and directories that are neither visible nor accessible.
+   # - Each entry in the list must be separated by a '/', which allows spaces to be
   # - included in the entry. '*' and '?' can be used to  specify multiple files or
   # - directories as in DOS wildcards.
   # -
@@ -449,11 +458,42 @@
   veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/
 {%         endif %}
   delete veto files = yes
-{%      else %}
-
 {%      endif %}
-{%   else %}
+{%   endif %}
+{%   if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}

+   # --- Virusfilter-Einstellungen ---
+
+   # Scanner auswählen
+   virusfilter:scanner = clamav
+
+   # Socket-Pfad (Debian-Standard)
+   virusfilter:socket path = /var/run/clamav/clamd.ctl
+
+   # Verhalten bei Fund
+   virusfilter:infected file action = quarantine
+   virusfilter:quarantine directory = /data/samba/QUARANTINE
+
+   # Performance-Tuning: Ergebnis-Cache
+   #virusfilter:cache entry limit = 500
+   #virusfilter:cache time limit = 30
+
+   # Cache großzügig einstellen
+   virusfilter:cache entry limit = 1000
+   virusfilter:cache time limit = 60
+
+   # Dateigröße: Was wird gescannt?
+   #virusfilter:max file size = 52428800   # 50 MB max
+   virusfilter:max file size = 26214400   # 25 MB max
+   virusfilter:min file size = 10         # unter 10 Byte ignorieren
+
+   # Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
+   virusfilter:scan on open = yes
+   virusfilter:scan on close = no
+
+   # Timeouts (Millisekunden)
+   virusfilter:connect timeout = 30000
+   virusfilter:io timeout = 60000
 {%   endif %}

 {% endfor %}