Add virusfilter support to Samba shares and configure ClamAV database checks

Adds handlers to reload AppArmor and restart ClamAV
Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.
2026-05-26 14:18:36 +02:00 · 2026-05-26 14:16:45 +02:00
3 changed files with 56 additions and 0 deletions
@@ -661,6 +661,7 @@ samba_shares:
    group_write_list: a-jur
    file_create_mask: !!str 664
    dir_create_mask: !!str 2775
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -672,6 +673,7 @@ samba_shares:
    group_write_list: kanzlei
    file_create_mask: !!str 664
    dir_create_mask: !!str 2775
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -692,6 +694,7 @@ samba_shares:
    group_write_list: wildvang
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -703,6 +706,7 @@ samba_shares:
 #    group_write_list: aulmann
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
+#    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'
 #    vfs_object_recycle_is_visible: true
@@ -714,6 +718,7 @@ samba_shares:
 #    group_write_list: howe
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
+#    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'
 #    vfs_object_recycle_is_visible: true
@@ -725,6 +730,7 @@ samba_shares:
    group_write_list: stahmann
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -736,6 +742,7 @@ samba_shares:
    group_write_list: traine
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -747,6 +754,7 @@ samba_shares:
    group_write_list: public
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -758,6 +766,7 @@ samba_shares:
    group_write_list: advoware
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -769,6 +778,7 @@ samba_shares:
    group_write_list: intern
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: false
@@ -780,6 +790,7 @@ samba_shares:
    group_write_list: alle
    file_create_mask: !!str 660
    dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
    vfs_object_recycle: true
    recycle_path: '@Recycle'
    vfs_object_recycle_is_visible: true
@@ -791,6 +802,7 @@ samba_shares:
 #    group_write_list: web
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
+#    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'

@@ -112,3 +112,10 @@
    daemon_reload: yes
    state: restarted

+- name: Reload AppArmor profile clamd
+  command: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
+
+- name: Restart clamav-daemon
+  service:
+    name: clamav-daemon
+    state: restarted
@@ -58,6 +58,43 @@
    - samba-server
    - samba-virusfilter

+- name: (samba-install.yml) Check if ClamAV virus databases are present
+  find:
+    paths: /var/lib/clamav
+    patterns:
+      - "*.cvd"
+      - "*.cld"
+  register: clamav_db_files
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-install.yml) Stop clamav-freshclam service before initial database download
+  service:
+    name: clamav-freshclam
+    state: stopped
+  failed_when: false
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+    - clamav_db_files.files | length == 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-install.yml) Download initial ClamAV virus databases via freshclam
+  command: freshclam
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+    - clamav_db_files.files | length == 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
 - name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled
  service:
    name: "{{ item }}"
Author	SHA1	Message	Date
chris	56a2c8464f	Add virusfilter support to Samba shares and configure ClamAV database checks	2026-05-26 14:18:36 +02:00
chris	1f78326503	Adds handlers to reload AppArmor and restart ClamAV Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.	2026-05-26 14:16:45 +02:00