From be905d505a9071085bf49d398608d3253fa0ddce Mon Sep 17 00:00:00 2001 From: Christoph Date: Fri, 29 May 2026 18:44:07 +0200 Subject: [PATCH] Add virusfilter support for Samba homes and update configuration files. --- group_vars/all/main.yml | 3 + roles/common/tasks/samba-install.yml | 137 +++++++++++++++--- .../etc/apparmor.d/local/usr.sbin.clamd.j2 | 11 ++ 3 files changed, 134 insertions(+), 17 deletions(-) create mode 100644 roles/common/templates/etc/apparmor.d/local/usr.sbin.clamd.j2 diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 47b2c12..40e6140 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1776,6 +1776,9 @@ samba_server_min_protocol: {} # samba_allow_insecure_wide_links: !!str no +# include vfs object 'virusfilter' to (private) homes shares +samba_homes_virusfilter: false + samba_groups: [] # samba_user: diff --git a/roles/common/tasks/samba-install.yml b/roles/common/tasks/samba-install.yml index c8ef19c..7a2e5e5 100644 --- a/roles/common/tasks/samba-install.yml +++ b/roles/common/tasks/samba-install.yml @@ -1,5 +1,4 @@ --- - # --- # Samba Server # --- 
@@ -60,13 +59,73 @@ - samba-server - samba-virusfilter -- name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled +- name: (samba-config-server.yml) Check if ClamAV virus databases are present + find: + paths: /var/lib/clamav + patterns: + - "*.cvd" + - "*.cld" + register: clamav_db_files + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download service: - name: "{{ item }}" + name: clamav-freshclam + state: stopped + failed_when: false + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + - clamav_db_files.files | length == 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update + service: + name: clamav-daemon + state: started + enabled: yes + failed_when: false + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam + command: freshclam + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + - clamav_db_files.files | length == 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started + service: + name: 
clamav-daemon + state: started + enabled: yes + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started + service: + name: clamav-freshclam + state: started enabled: yes - loop: - - clamav-daemon - - clamav-freshclam when: - inventory_hostname in groups['samba_server'] - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 
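Review bot: The ClamAV bootstrap and service tasks added in this hunk are gated only on `samba_shares` containing a share with `vfs_object_virusfilter: true`, so a host that sets the new `samba_homes_virusfilter` flag without such a share never downloads databases or starts clamav-daemon, although the homes tasks and the AppArmor template in the next hunk act on that flag. Each of the six repeated `when` entries could become `- (samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0) or (samba_homes_virusfilter | default(false) | bool)`, or better the expression is computed once into a fact and reused, since the same filter chain is now copied into every task; the package-install task above this hunk is outside the view and may need the same gate. The `failed_when: false` on the first clamav-daemon start presumably exists because clamd cannot start before a database is present, but it also hides any other start failure; a comment such as `# first start is best-effort: clamd has no database yet, the freshclam run below provides it` would make the intent visible. Separately, the new task names carry the prefix `(samba-config-server.yml)` while the file is roles/common/tasks/samba-install.yml, and the new template's header comment points to that same path; either rename the file in this commit or keep the `(samba-install.yml)` prefix.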
@@ -91,17 +150,62 @@ - samba-server - samba-virusfilter -- name: (samba-install.yml) Configure AppArmor local profile for clamd (data paths) - blockinfile: - path: /etc/apparmor.d/local/usr.sbin.clamd - create: yes +- name: (samba-config-server.yml) Ensure clamav user is member of all NIS user groups (homes virusfilter) + user: + name: clamav + groups: "{{ item.name }}" + append: yes + loop: "{{ nis_user }}" + loop_control: + label: "{{ item.name }}" + when: + - inventory_hostname in groups['samba_server'] + - samba_homes_virusfilter | default(false) | bool + - nis_user | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Get home directories of samba users (NIS users) via getent (homes virusfilter) + ansible.builtin.getent: + database: passwd + key: "{{ item.name }}" + loop: "{{ nis_user }}" + loop_control: + label: "{{ item.name }}" + register: samba_user_getent + when: + - inventory_hostname in groups['samba_server'] + - samba_homes_virusfilter | default(false) | bool + - nis_user | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter) + file: + path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}" + mode: "0750" + state: directory + loop: "{{ samba_user_getent.results | default([]) }}" + loop_control: + label: "{{ item.item.name }}" + when: + - inventory_hostname in groups['samba_server'] + - samba_homes_virusfilter | default(false) | bool + - item.ansible_facts is defined + tags: + - samba-server + - samba-virusfilter + + +- name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths) + template: + src: etc/apparmor.d/local/usr.sbin.clamd.j2 + dest: /etc/apparmor.d/local/usr.sbin.clamd owner: root group: root mode: "0644" - marker: "# {mark} ANSIBLE MANAGED - smba virusfilter paths" - block: | - /data/** r, - /data/samba/QUARANTINE/** rw, notify: Reload AppArmor 
profile clamd when: - inventory_hostname in groups['samba_server'] @@ -110,8 +214,8 @@ tags: - samba-server - samba-virusfilter - -- name: (samba-install.yml) Ensure AllowAllMatchScan is enabled in clamd.conf + +- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf lineinfile: path: /etc/clamav/clamd.conf regexp: "^#?\\s*AllowAllMatchScan\\s" @@ -126,7 +230,6 @@ - samba-server - samba-virusfilter - # --- # /etc/samba/smb.conf # --- diff --git a/roles/common/templates/etc/apparmor.d/local/usr.sbin.clamd.j2 b/roles/common/templates/etc/apparmor.d/local/usr.sbin.clamd.j2 new file mode 100644 index 0000000..65b68ce --- /dev/null +++ b/roles/common/templates/etc/apparmor.d/local/usr.sbin.clamd.j2 @@ -0,0 +1,11 @@ +# {{ ansible_managed }} +# see: roles/common/tasks/samba-config-server.yml + +/data/** r, +/data/samba/QUARANTINE/** rw, +{% if samba_homes_virusfilter | default(false) | bool %} +{{ nis_base_home }}/** r, +{% if nis_base_home != '/home' %} +/home/** r, +{% endif %} +{% endif %}
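Review bot: The task named "Ensure home directories are group-traversable for clamd" sets each NIS user's home to `mode: "0750"` unconditionally, which grants group read as well as traversal and overwrites whatever mode the user had, loosening a 0700 home and re-applying the change on every run. A symbolic mode adds only the bit the task name promises and leaves the rest alone: `mode: "g+x"`. The `user` task puts clamav into a group named after each user (`groups: "{{ item.name }}"`), so it assumes user-private groups exist under NIS and that each home is owned by that group; if a name has no matching group the task fails, and if the home's group differs the traverse bit does not reach clamd, so a comment stating the assumption is warranted, e.g. `# assumes every NIS user has a private group of the same name that owns its home directory`. The hunk also leaves two consecutive blank lines before the AppArmor template task where the file otherwise separates tasks with one.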
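Review bot: The homes rule in the new template is derived from `nis_base_home` (`{{ nis_base_home }}/** r,`), whereas the task file grants traversal per user from the home path that getent returns, so a user whose home lies outside `nis_base_home` and outside /home is made traversable by the task but still denied to clamd by AppArmor. If such homes cannot occur, a comment stating the assumption is enough, e.g. `# assumes all NIS home directories live under nis_base_home (or /home)`; otherwise the rule list should be generated from the same getent results the task file uses. The `!= '/home'` comparison is an exact string match, so a value with a trailing slash renders both `/home//** r,` and `/home/** r,`; stripping the slash with `nis_base_home | regex_replace('/$', '')` before comparing keeps the profile tidy.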