diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index aeb5f3a..b4279fe 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -3160,6 +3160,12 @@ apt_install_server_samba: - samba - nscd +apt_install_server_samba_virusfilter: + - clamav + - clamav-daemon + - clamav-freshclam + - samba-vfs-modules + # samba_workgroup # # example: diff --git a/roles/common/tasks/samba-config-server.yml b/roles/common/tasks/samba-config-server.yml index e51abb6..d05164b 100644 --- a/roles/common/tasks/samba-config-server.yml +++ b/roles/common/tasks/samba-config-server.yml @@ -4,16 +4,29 @@ # Samba Server # --- - - name: (samba-install.yml) Ensure samba packages server are installed. package: pkg: '{{ apt_install_server_samba }}' state: present when: - - "groups['samba_server']|string is search(inventory_hostname)" + - inventory_hostname in groups['samba_server'] tags: - samba-server +- name: (samba-install.yml) Ensure quarantine directory exists + file: + path: /data/samba/QUARANTINE + owner: root + group: root + mode: '0750' + state: directory + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + - name: (samba-config-server.yml) Ensure samba share directories exists file: path: "{{ item.path }}" 
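Review bot: The quarantine directory is created `root:root` with mode `0750`, but as far as I know the move into quarantine is performed by smbd inside the connection that detected the file — i.e. as the connected share user, not as clamd or root — so with this ownership the rename fails and the infected file stays where it was (what happens next depends on the module's error handling, which this task cannot see). Give the directory a group that all share users belong to and a mode they can write but not list, for example `group: '{{ samba_virusfilter_quarantine_group }}'` / `mode: '1770'`, and verify with a test file before relying on it. The path `/data/samba/QUARANTINE` is hard-coded here, in the AppArmor rule and in the smb.conf template; a single `samba_virusfilter_quarantine_dir` variable in group_vars would keep them in sync, and the directory must sit outside every exported share path or quarantined malware stays downloadable. Minor: the task name says `(samba-install.yml)` although it lives in samba-config-server.yml.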
@@ -26,10 +39,91 @@ loop_control: label: '{{ item.name }}' when: - - "groups['samba_server']|string is search(inventory_hostname)" + - inventory_hostname in groups['samba_server'] tags: - samba-shares +# --- +# Virusfilter (ClamAV) - only when at least one share has vfs_object_virusfilter: true +# --- + +- name: (samba-install.yml) Ensure virusfilter (ClamAV) packages are installed + package: + pkg: '{{ apt_install_server_samba_virusfilter }}' + state: present + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled + service: + name: "{{ item }}" + enabled: yes + loop: + - clamav-daemon + - clamav-freshclam + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-install.yml) Ensure clamav user is member of all Samba groups + user: + name: clamav + groups: "{{ item.name }}" + append: yes + loop: "{{ samba_groups }}" + loop_control: + label: "{{ item.name }}" + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | + selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + - samba_groups | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-install.yml) Configure AppArmor local profile for clamd (data paths) + blockinfile: + path: /etc/apparmor.d/local/usr.sbin.clamd + create: yes + owner: root + group: root + mode: "0644" + marker: "# {mark} ANSIBLE MANAGED - smba virusfilter paths" + block: | + /data/** r, + /data/samba/QUARANTINE/** rw, + notify: Reload AppArmor profile 
clamd + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | + selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + +- name: (samba-install.yml) Ensure AllowAllMatchScan is enabled in clamd.conf + lineinfile: + path: /etc/clamav/clamd.conf + regexp: "^#?\\s*AllowAllMatchScan\\s" + line: "AllowAllMatchScan true" + state: present + notify: Restart clamav-daemon + when: + - inventory_hostname in groups['samba_server'] + - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | + selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0 + tags: + - samba-server + - samba-virusfilter + # --- # /etc/samba/smb.conf @@ -40,19 +134,18 @@ path: /etc/samba/smb.conf.ORIG register: smb_conf_exists when: - - "groups['samba_server']|string is search(inventory_hostname)" + - inventory_hostname in groups['samba_server'] tags: - samba-server - name: (samba-config-server.yml) Backup existing file /etc/samba/smb.conf command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG when: - - "groups['samba_server']|string is search(inventory_hostname)" + - inventory_hostname in groups['samba_server'] - smb_conf_exists.stat.exists == False tags: - samba-server - - name: (samba-config-server.yml) /etc/samba/smb.conf template: dest: /etc/samba/smb.conf @@ -61,16 +154,13 @@ group: root mode: 0644 when: - - "groups['samba_server']|string is search(inventory_hostname)" - - samba_user is defined and samba_user|length > 0 - - samba_shares is defined and samba_shares|length > 0 + - inventory_hostname in groups['samba_server'] notify: - Restart smbd - Restart nmbd tags: - samba-server - - name: (samba-config-server.yml) Ensure file /etc/samba/users.map exists copy: src: "{{ role_path + '/files/etc/samba/users.map' }}" 
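Review bot: The `clamav-daemon`/`clamav-freshclam` task only sets `enabled: yes`, so on a fresh host neither daemon runs until a reboot and the socket the module expects at /var/run/clamav/clamd.ctl does not exist when smbd is restarted; add `state: started` (and write the boolean as `true`, the form yamllint/ansible-lint accept) so the scanner is up before the share goes live. The blockinfile marker has a typo, `smba virusfilter paths`; fix it now, because changing a marker later leaves the old block in the profile next to the new one. The `/data/samba/QUARANTINE/** rw,` rule grants clamd write access it should not need if, as I understand the module, smbd performs the quarantine move and clamd only reads the path it is handed — `r` would suffice; confirm with a test scan under `aa-complain`. Adding the clamav user to every Samba group is a broad grant to a daemon that parses attacker-controlled file contents; it is the documented way to let clamd read share files, but deserves a comment stating that intent, e.g. `# clamd scans by path, so it needs read access to every share; keep its AppArmor profile in enforce mode`. The six copies of the `selectattr(...)` condition would be easier to maintain as one `set_fact: samba_virusfilter_enabled` at the top of the file.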
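Review bot: Dropping `samba_shares is defined and samba_shares|length > 0` from the smb.conf template task removes what appears to be the only guard for a `samba_server` host with no shares defined, and the new virusfilter `when:` clauses earlier in this file also evaluate `samba_shares | selectattr(...)` unconditionally, so an undefined variable now aborts the play instead of skipping the host. Either keep the guard here or make the conditions tolerant, e.g. `- (samba_shares | default([])) | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0`. Whether the template renders something usable for an empty share list is outside this hunk.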
@@ -79,14 +169,13 @@ group: root mode: 0644 when: - - "groups['samba_server']|string is search(inventory_hostname)" + - inventory_hostname in groups['samba_server'] notify: - Restart smbd - Restart nmbd tags: - samba-server - # --- # Cronjob for cleaning up samba trash dirs # --- @@ -97,21 +186,21 @@ register: clean_samba_trash_exists when: - inventory_hostname in groups['samba_server'] - tags: [samba-server, samba-cron] - + tags: + - samba-server + - samba-cron - name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh' template: dest: /root/bin/samba/conf/clean_samba_trash.conf src: root/bin/samba/conf/clean_samba_trash.conf.j2 when: - - "groups['samba_server']|string is search(inventory_hostname)" + - inventory_hostname in groups['samba_server'] - clean_samba_trash_exists.stat.exists|bool tags: - samba-server - samba-cron - - name: (samba-config-server.yml) Check if cleaning up trash dirs is configured ansible.builtin.lineinfile: path: /root/bin/samba/conf/clean_samba_trash.conf @@ -124,7 +213,6 @@ - inventory_hostname in groups['samba_server'] tags: [samba-server, samba-cron] - - name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs ansible.builtin.cron: name: "{{ samba_cronjob_trash_dirs.name }}" @@ -141,7 +229,6 @@ - (clean_samba_trash_dirs.found | int) > 0 tags: [samba-server, samba-cron] - # --- # Cronjob for setting permissions on samba shares # --- @@ -154,7 +241,6 @@ - inventory_hostname in groups['samba_server'] tags: [samba-server, samba-cron] - - name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh' ansible.builtin.template: dest: /root/bin/samba/conf/set_permissions_samba_shares.conf 
@@ -164,7 +250,6 @@ - set_permissions_on_samba_shares_exists.stat.exists | bool tags: [samba-server, samba-cron] - - name: (samba-config-server.yml) Creates a cron job for setting permissions to samba dirs ansible.builtin.cron: name: "{{ samba_cronjob_permissions.name }}" diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 index f5f7aa1..28bd117 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2 +++ b/roles/common/templates/etc/samba/smb.conf.j2 @@ -412,10 +412,19 @@ # wide links = yes {% endif %} +{%- set vfs_objects_parts = [] %} +{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined and item.recycle_path|length > 0 %} +{%- set _ = vfs_objects_parts.append('recycle') %} +{% endif %} +{% if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %} +{%- set _ = vfs_objects_parts.append('virusfilter') %} +{% endif %} +{% if vfs_objects_parts | length > 0 %} + + vfs objects = {{ vfs_objects_parts | join(' ') }} +{% endif %} {% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %} {% if item.recycle_path is defined and item.recycle_path|length > 0 %} - - vfs objects = recycle recycle:keeptree = yes # touch access time from this file # note: this is not the modified time, which is 
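Review bot: The template enables the module with `item.vfs_object_virusfilter|bool`, which accepts `"yes"`, `"true"` or `1`, while the tasks in samba-config-server.yml gate the package install, quarantine directory and AppArmor rule on `selectattr('vfs_object_virusfilter', 'equalto', true)`, which matches only a real YAML boolean. A share declared with `vfs_object_virusfilter: "yes"` therefore gets `vfs objects = virusfilter` in smb.conf with no samba-vfs-modules, no clamd, no quarantine directory and no AppArmor rule, and connections to that share will presumably fail at VFS init. Use the same test on both sides — for example on the task side `samba_shares | selectattr('vfs_object_virusfilter', 'defined') | map(attribute='vfs_object_virusfilter') | map('bool') | select | list | length > 0` — or document in group_vars that the key must be an unquoted boolean. The `{% for %}` loop this block sits in starts and ends outside the hunk.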
@@ -449,11 +458,42 @@ veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/ {% endif %} delete veto files = yes -{% else %} - {% endif %} -{% else %} +{% endif %} +{% if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %} + # --- Virusfilter-Einstellungen --- + + # Scanner auswählen + virusfilter:scanner = clamav + + # Socket-Pfad (Debian-Standard) + virusfilter:socket path = /var/run/clamav/clamd.ctl + + # Verhalten bei Fund + virusfilter:infected file action = quarantine + virusfilter:quarantine directory = /data/samba/QUARANTINE + + # Performance-Tuning: Ergebnis-Cache + #virusfilter:cache entry limit = 500 + #virusfilter:cache time limit = 30 + + # Cache großzügig einstellen + virusfilter:cache entry limit = 1000 + virusfilter:cache time limit = 60 + + # Dateigröße: Was wird gescannt? + #virusfilter:max file size = 52428800 # 50 MB max + virusfilter:max file size = 26214400 # 25 MB max + virusfilter:min file size = 10 # unter 10 Byte ignorieren + + # Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen + virusfilter:scan on open = yes + virusfilter:scan on close = no + + # Timeouts (Millisekunden) + virusfilter:connect timeout = 30000 + virusfilter:io timeout = 60000 {% endif %} {% endfor %}
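Review bot: None of the new `virusfilter:` options sets `virusfilter:block access on error`, and as far as I recall the module's default is to let the open succeed when the scanner is unreachable, times out or cannot read the file, so every clamd outage, AppArmor denial or permission mismatch degrades silently to unscanned access; add `virusfilter:block access on error = yes` (and consider `virusfilter:scan error action`) and alert on the corresponding smbd log lines. The 25 MB `max file size` and `scan on close = no` are two further documented bypasses that deserve an explicit comment: anything larger is served unscanned, and an uploaded file is only checked when it is next opened. smb.conf has no end-of-line comments, so `26214400 # 25 MB max` and `10 # unter 10 Byte ignorieren` become part of the parameter value — it likely works only because the integer parser stops at the first non-digit; move those comments onto their own lines and run `testparm` on the rendered file. The new comments are in German while the rest of the template is commented in English.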