New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/clamav-unofficial-sigs: init at 7.2 #106453
nixos/clamav-unofficial-sigs: init at 7.2 #106453
Conversation
d906eee
to
c2755e5
Compare
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've left a few thoughts on the module. I'm not familiar with this software (though I do run clamav
on a few systems), so please have patience if my comments are ignorant to the functionality of this software.
let | ||
cfg = config.services.clamav-unofficial-sigs; | ||
in { | ||
options.services.clamav-unofficial-sigs = with types; { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this live under services.clamav
which already exists? I'm not familiar with this software so let me know what you think 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The option could also be moved there, I just thought I'd create a separate module and option because the signatures are not from any official source.
This service can be seen as extension to freshclam. It uses other malware signature sites (possibly paid ones with credentials) and adds the signatures to the clamav database.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok this is a completely different project that just adds on to clamav
- definitely a valid reason to keep the module separate.
Looking at this comment points out why you will need values from the clamav
configuration... After this PR is merged you will be able to access the values you need, in this case via config.services.clamav.daemon.settinsg.PidFile
.
f75d272
to
7603e2c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a chance to look at the upstream project and have the following suggestions. Please let me know if you need a hand with anything, have questions, or disagree, etc... Thanks!
let | ||
cfg = config.services.clamav-unofficial-sigs; | ||
in { | ||
options.services.clamav-unofficial-sigs = with types; { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok this is a completely different project that just adds on to clamav
- definitely a valid reason to keep the module separate.
Looking at this comment points out why you will need values from the clamav
configuration... After this PR is merged you will be able to access the values you need, in this case via config.services.clamav.daemon.settinsg.PidFile
.
startAt = "hourly"; | ||
description = "Update unofficial ClamAV signatures"; | ||
|
||
serviceConfig = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the upstream unit would greatly benefit from your work here. Worst case scenario, call it free review from the upstream project 😄
If you're able to submit a PR and have upstream merge it, you could utilize the upstream unit (via systemd.packages
) and we can stay in sync with upstream. Ideally we have these sorts of changes land upstream instead of every distros downstream service.
echo ' | ||
allow_upgrades="no" | ||
allow_update_checks="no" | ||
clam_user="clamav" | ||
clam_group="clamav" | ||
clamd_pid="/run/clamav/clamd.pid" | ||
clamd_socket="/run/clamav/clamd.ctl" | ||
log_pipe_cmd="systemd-cat -t clamav-unofficial-sigs" | ||
enable_random="no" | ||
user_configuration_complete="yes" | ||
' > $out/etc/clamav-unofficial-sigs/os.conf |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's move this to the module so we can take advantage of this PR, pulling values directly from the clamav
settings file, like this config.services.clamav.daemon.settinsg.PidFile
.
user_configuration_complete="yes" | ||
' > $out/etc/clamav-unofficial-sigs/os.conf | ||
|
||
wrapProgram $out/bin/clamav-unofficial-sigs \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this package need to include perl?
options.services.clamav-unofficial-sigs = with types; { | ||
enable = mkEnableOption "Unofficial ClamAV signatures"; | ||
|
||
extraConfig = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By convention we should call this option settings
, much like I did here.
cp clamav-unofficial-sigs.sh $out/bin/clamav-unofficial-sigs | ||
chmod +x $out/bin/clamav-unofficial-sigs | ||
|
||
cp config/master.conf $out/etc/clamav-unofficial-sigs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to log to stdout
instead of files? That would be the ideal solution.
If there is no way to log to stdout
then we should add LogsDirectory = "clamav-unofficial-sigs";
to the unit as well.
ping @SlothOfAnarchy |
I marked this as stale due to inactivity. → More info |
Closing due to inactivity from author. |
Motivation for this change
Initialize package and module for https://github.com/extremeshok/clamav-unofficial-sigs
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)cc @ajs124