Add virusfilter support to Samba shares and configure ClamAV database checks

Adds handlers to reload AppArmor and restart ClamAV
Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.
2026-05-26 14:18:36 +02:00 · 2026-05-26 14:16:45 +02:00
3 changed files with 56 additions and 0 deletions
@@ -661,6 +661,7 @@ samba_shares:
    group_write_list: a-jur
    file_create_mask: !!str 664
    dir_create_mask: !!str 2775
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -672,6 +673,7 @@ samba_shares:
    group_write_list: kanzlei
    file_create_mask: !!str 664
    dir_create_mask: !!str 2775
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -692,6 +694,7 @@ samba_shares:
    group_write_list: wildvang
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -703,6 +706,7 @@ samba_shares:
 #    group_write_list: aulmann
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
 #    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'
 #    vfs_object_recycle_is_visible: true
@@ -714,6 +718,7 @@ samba_shares:
 #    group_write_list: howe
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
 #    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'
 #    vfs_object_recycle_is_visible: true
@@ -725,6 +730,7 @@ samba_shares:
    group_write_list: stahmann
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -736,6 +742,7 @@ samba_shares:
    group_write_list: traine
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -747,6 +754,7 @@ samba_shares:
    group_write_list: public
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -758,6 +766,7 @@ samba_shares:
    group_write_list: advoware
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -769,6 +778,7 @@ samba_shares:
    group_write_list: intern
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: false
@@ -780,6 +790,7 @@ samba_shares:
    group_write_list: alle
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -791,6 +802,7 @@ samba_shares:
 #    group_write_list: web
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
 #    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'
@@ -112,3 +112,10 @@
    daemon_reload: yes
    state: restarted
 - name: Reload AppArmor profile clamd
  command: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
 - name: Restart clamav-daemon
  service:
    name: clamav-daemon
    state: restarted
@@ -58,6 +58,43 @@
    - samba-server
    - samba-virusfilter
 - name: (samba-install.yml) Check if ClamAV virus databases are present
  find:
    paths: /var/lib/clamav
    patterns:
      - "*.cvd"
      - "*.cld"
  register: clamav_db_files
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-install.yml) Stop clamav-freshclam service before initial database download
  service:
    name: clamav-freshclam
    state: stopped
  failed_when: false
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
    - clamav_db_files.files | length == 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-install.yml) Download initial ClamAV virus databases via freshclam
  command: freshclam
  when:
    - inventory_hostname in groups['samba_server']
    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
    - clamav_db_files.files | length == 0
  tags:
    - samba-server
    - samba-virusfilter
 - name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled
  service:
    name: "{{ item }}"
Author	SHA1	Message	Date
chris	56a2c8464f	Add virusfilter support to Samba shares and configure ClamAV database checks	2026-05-26 14:18:36 +02:00
chris	1f78326503	Adds handlers to reload AppArmor and restart ClamAV Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.	2026-05-26 14:16:45 +02:00