Add virusfilter support for Samba homes and update configuration files.

2026-05-29 18:44:07 +02:00
parent 63344a4a29
commit be905d505a
3 changed files with 134 additions and 17 deletions
@@ -1776,6 +1776,9 @@ samba_server_min_protocol: {}
 #
 samba_allow_insecure_wide_links: !!str no
 # include vfs object 'virusfilter' to (private) homes shares
 samba_homes_virusfilter: false
 samba_groups: []
 # samba_user:
@@ -1,5 +1,4 @@
 ---
 # ---
 # Samba Server
 # ---
@@ -60,13 +59,73 @@
    - samba-server
    - samba-virusfilter
- name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled
+- name: (samba-config-server.yml) Check if ClamAV virus databases are present
  find:
    paths: /var/lib/clamav
    patterns:
      - "*.cvd"
      - "*.cld"
  register: clamav_db_files
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download
  service:
-    name: "{{ item }}"
+    name: clamav-freshclam
    state: stopped
  failed_when: false
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
    - clamav_db_files.files | length == 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update
  service:
    name: clamav-daemon
    state: started
    enabled: yes
  failed_when: false
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam
  command: freshclam
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
    - clamav_db_files.files | length == 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started
  service:
    name: clamav-daemon
    state: started
    enabled: yes
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started
  service:
    name: clamav-freshclam
    state: started
    enabled: yes
  loop:
    - clamav-daemon
    - clamav-freshclam
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
@@ -91,17 +150,62 @@
    - samba-server
    - samba-virusfilter
- name: (samba-install.yml) Configure AppArmor local profile for clamd (data paths)
+- name: (samba-config-server.yml) Ensure clamav user is member of all NIS user groups (homes virusfilter)
-  blockinfile:
+  user:
-    path: /etc/apparmor.d/local/usr.sbin.clamd
+    name: clamav
-    create: yes
+    groups: "{{ item.name }}"
    append: yes
  loop: "{{ nis_user }}"
  loop_control:
    label: "{{ item.name }}"
  when:
    - inventory_hostname in groups['samba_server']
    - samba_homes_virusfilter | default(false) | bool
    - nis_user | length > 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Get home directories of samba users (NIS users) via getent (homes virusfilter)
  ansible.builtin.getent:
    database: passwd
    key: "{{ item.name }}"
  loop: "{{ nis_user }}"
  loop_control:
    label: "{{ item.name }}"
  register: samba_user_getent
  when:
    - inventory_hostname in groups['samba_server']
    - samba_homes_virusfilter | default(false) | bool
    - nis_user | length > 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter)
  file:
    path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}"
    mode: "0750"
    state: directory
  loop: "{{ samba_user_getent.results | default([]) }}"
  loop_control:
    label: "{{ item.item.name }}"
  when:
    - inventory_hostname in groups['samba_server']
    - samba_homes_virusfilter | default(false) | bool
    - item.ansible_facts is defined
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths)
  template:
    src: etc/apparmor.d/local/usr.sbin.clamd.j2
    dest: /etc/apparmor.d/local/usr.sbin.clamd
    owner: root
    group: root
    mode: "0644"
    marker: "# {mark} ANSIBLE MANAGED - smba virusfilter paths"
    block: |
      /data/** r,
      /data/samba/QUARANTINE/** rw,
  notify: Reload AppArmor profile clamd
  when:
    - inventory_hostname in groups['samba_server']
@@ -111,7 +215,7 @@
    - samba-server
    - samba-virusfilter
- name: (samba-install.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
+- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
  lineinfile:
    path: /etc/clamav/clamd.conf
    regexp: "^#?\\s*AllowAllMatchScan\\s"
@@ -126,7 +230,6 @@
    - samba-server
    - samba-virusfilter
 # ---
 # /etc/samba/smb.conf
 # ---
@@ -0,0 +1,11 @@
 # {{ ansible_managed }}
 # see: roles/common/tasks/samba-config-server.yml
 /data/** r,
 /data/samba/QUARANTINE/** rw,
 {% if samba_homes_virusfilter | default(false) | bool %}
 {{ nis_base_home }}/** r,
 {% if nis_base_home != '/home' %}
 /home/** r,
 {% endif %}
 {% endif %}