Update to 2021-12-01 19:13

roles/clamav/defaults/main.yml

@@ -0,0 +1,16 @@
+---
+clam_mirror: database.clamav.net
+clam_user: clamav
+clam_group: clamav
+clam_enable_clamd: False
+clam_custom_db_url: []
+clam_safebrowsing: True
+clam_listen_port: 3310
+clam_ports: "{{ [clam_listen_port] + [clam_stream_port_min + ':' + clam_stream_port_max] }}"
+clam_listen_ip: 127.0.0.1
+clam_src_ip: []
+# Max stream size, in MB
+clam_stream_max_size: 50
+clam_stream_port_min: 30000
+clam_stream_port_max: 32000
+

roles/clamav/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+
+- include: ../common/handlers/main.yml
+
+- name: restart freshclam
+  service: name=freshclam state=restarted
+
+- name: restart clamd
+  service: name=clamd state={{ clam_enable_clamd | ternary('restarted','stopped') }}

roles/clamav/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+
+- name: Install packages
+  yum:
+    name:
+      - clamav
+      - clamav-data-empty
+      - clamav-server-systemd
+      - clamav-update
+
+- name: Create clamav user account
+  user:
+    name: clamav
+    system: True
+    shell: /sbin/nologin
+    comment: "ClamAV antivirus user account"
+
+- name: Set SELinux
+  seboolean: name={{ item }} state=True persistent=True
+  with_items:
+    - clamd_use_jit
+    - antivirus_can_scan_system
+  when: ansible_selinux.status == 'enabled'
+
+- name: Deploy freshclam configuration
+  template: src=freshclam.conf.j2 dest=/etc/freshclam.conf mode=644
+  notify: restart freshclam
+
+- name: Deploy clamd configuration
+  template: src=clamd.conf.j2 dest=/etc/clamd.conf
+  notify: restart clamd
+
+- name: Deploy systemd units
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  with_items:
+    - freshclam.service
+    - clamd.service
+  notify:
+    - restart freshclam
+    - restart clamd
+  register: clamav_units
+
+- name: Deploy tmpfiles.d fragment
+  copy:
+    content: 'd /run/clamav 755 {{ clam_user }} {{ clam_group }}'
+    dest: /etc/tmpfiles.d/clamav.conf
+  notify: systemd-tmpfiles
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: clamav_units.changed
+
+- name: Start and enable freshclam
+  service: name=freshclam state=started enabled=True
+
+- name: Handle clamd service
+  service: name=clamd state={{ clam_enable_clamd | ternary('started','stopped') }} enabled={{ clam_enable_clamd }}

roles/clamav/templates/clamd.conf.j2

@@ -0,0 +1,12 @@
+LogSyslog yes
+LogVerbose yes
+ExtendedDetectionInfo yes
+LocalSocket /var/run/clamav/clamd.sock
+LocalSocketMode 666
+TCPSocket {{ clam_listen_port }}
+TCPAddr {{ clam_listen_ip }}
+StreamMinPort {{ clam_stream_port_min }}
+StreamMaxPort {{ clam_stream_port_max }}
+StreamMaxLength {{ clam_stream_max_size }}M
+ExitOnOOM yes
+Foreground yes

roles/clamav/templates/clamd.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=ClamAV antivirus daemon
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/clamd -c /etc/clamd.conf
+User={{ clam_user }}
+Group={{ clam_group }}
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

roles/clamav/templates/freshclam.conf.j2

@@ -0,0 +1,12 @@
+DatabaseDirectory /var/lib/clamav
+LogVerbose yes
+LogSyslog yes
+Checks {{ clam_safebrowsing | ternary('48','12') }}
+DatabaseOwner clamupdate
+DatabaseMirror {{ clam_mirror }}
+{% for custom in clam_custom_db_url %}
+DatabaseCustomURL={{ custom }}
+{% endfor %}
+NotifyClamd /etc/clamd.conf
+Foreground yes
+SafeBrowsing {{ clam_safebrowsing | ternary('yes','no') }}

roles/clamav/templates/freshclam.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=ClamAV signature updater
+After=network.target
+
+[Service]
+Type=simple
+User=clamupdate
+Group=clamupdate
+ExecStart=/usr/bin/freshclam --stdout --daemon
+Restart=on-failure
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+