commited current state (new functions, may not work by now)

roles/deploy-clamd/defaults/main.yml

@@ -0,0 +1 @@
+clamd_version: 1.4.2

roles/deploy-clamd/handlers/main.yml

@@ -0,0 +1,16 @@
+- name: "Reload Systemd Daemon"
+  systemd_service:
+    daemon_reload: true
+
+- name: "Start Clamd Service"
+  systemd_service:
+    name: clamd
+    state: started
+    enabled: true
+
+- name: "Start Freshclam Service"
+  systemd_service:
+    name: freshclam
+    state: started
+    enabled: true
+    

roles/deploy-clamd/tasks/compile-clamav.yml

@@ -0,0 +1,75 @@
+- name: "Download latest ClamAV Version to Control Node"
+  get_url:
+    url: https://www.clamav.net/downloads/production/clamav-{{ clamd_version }}.tar.gz
+    dest: "/tmp/clamav-{{ clamd_version }}.tar.gz"
+  delegate_to: localhost
+  
+- name: Copy ClamAV Tar from Control Node to Ansible Host
+  copy:
+    src: "/tmp/clamav-{{ clamd_version }}.tar.gz"
+    dest: "/usr/local/src/clamav-{{ clamd_version }}.tar.gz"
+
+- name: "Extract ClamAV Tar on Ansible Host"
+  unarchive:
+    src: "/usr/local/src/clamav-{{ clamd_version }}.tar.gz"
+    dest: "/usr/local/src/"
+    remote_src: true
+    
+- name: "Create Build Folder in ClamAV Dir"
+  file:
+    path: "/usr/local/src/clamav-{{ clamd_version }}/build"
+    state: directory
+
+- name: "Pin Cargo Regex Syntax Version"
+  args:
+    chdir: "/usr/local/src/clamav-{{ clamd_version }}/build"
+  shell: |
+    cargo update -p regex-syntax --precise 0.8.3
+
+- name: "Cmake ClamAV"
+  args:
+    chdir: "/usr/local/src/clamav-{{ clamd_version }}/build"
+  shell: |
+    cmake .. -D CMAKE_INSTALL_PREFIX=/usr -D CMAKE_INSTALL_LIBDIR=lib -D APP_CONFIG_DIRECTORY=/etc/clamav -D DATABASE_DIRECTORY=/var/lib/clamav -D ENABLE_JSON_SHARED=OFF
+
+- name: "Compile ClamAV"
+  args:
+    chdir: "/usr/local/src/clamav-{{ clamd_version }}/build"
+  shell: |
+      cmake --build .
+
+- name: "Test Compiled ClamAV"
+  args:
+    chdir: "/usr/local/src/clamav-{{ clamd_version }}/build"
+  shell: |
+    ctest .
+
+- name: "Install compiled ClamAV"
+  args:
+    chdir: "/usr/local/src/clamav-{{ clamd_version }}/build"
+  shell: |
+    cmake --build . --target install
+
+- name: "Create Freshclam Log File"
+  file:
+    path: "/var/log/freshclam.log"
+    state: touch
+    owner: clamav
+    group: clamav
+    mode: '600'
+
+- name: "Create ClamAV Log File"
+  file:
+    path: "/var/log/clamav.log"
+    state: touch
+    owner: clamav
+    group: clamav
+    mode: '600'
+
+- name: "Set ClamAV Signature Database Permission"
+  file:
+    path: "/var/lib/clamav"
+    state: directory
+    owner: clamav
+    group: clamav
+    recurse: yes

roles/deploy-clamd/tasks/configure-clamav.yml

@@ -0,0 +1,27 @@
+- name: Deploy ClamAV Systemd Service
+  template:
+    src: templates/systemd-clamav-service.j2
+    dest: /etc/systemd/system/clamd.service
+  notify:
+    - Reload Systemd Daemon
+
+- name: Deploy ClamAV Freshclam Service
+  template:
+    src: templates/systemd-freshclam-service.j2
+    dest: /etc/systemd/system/freshclam.service
+  notify: 
+    - Reload Systemd Daemon
+  
+- name: Deploy Freshclam Config File
+  template:
+    src: templates/freshclam-config.j2
+    dest: /etc/clamav/freshclam.conf
+  notify:
+    - Start Freshclam Service
+
+- name: Deploy ClamAV Config File
+  template:
+    src: templates/clamav-config.j2
+    dest: /etc/clamav/clamd.conf
+  notify: 
+    - Start Clamd Service

roles/deploy-clamd/tasks/install-dependencies.yml

@@ -0,0 +1,41 @@
+- name: "Install ClamAV Compilation Dependencies"
+  ansible.builtin.apt:
+    pkg:
+      - curl
+      - gcc
+      - make
+      - pkg-config
+      - python3
+      - python3-pip
+      - python3-pytest
+      - valgrind
+      - cmake
+      - check
+      - libbz2-dev
+      - libcurl4-openssl-dev
+      - libjson-c-dev
+      - libmilter-dev
+      - libncurses5-dev
+      - libpcre2-dev
+      - libssl-dev
+      - libxml2-dev
+      - zlib1g-dev
+      - sudo
+    state: present
+  
+- name: Check if cargo is installed already
+  shell: command -v cargo
+  register: cargo_exists
+  ignore_errors: true
+
+- name: "Install rusttoolchain for Compilation"
+  become: true
+  shell: |
+      curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y
+  when: cargo_exists.rc != 0
+
+- name: Ensure Cargo is set in Path
+  shell: |
+    source $HOME/.cargo/env
+  args:
+    executable: /bin/bash

roles/deploy-clamd/tasks/main.yml

@@ -0,0 +1,12 @@
+- name: Install ClamAV Dependencies
+  import_tasks: install-dependencies.yml
+  when: ansible_facts['os_family']|lower == 'debian'
+
+- name: Setup ClamAV Service User/Group
+  import_tasks: setup-clamav-user-group.yml
+
+- name: Compile ClamAV
+  import_tasks: compile-clamav.yml
+
+- name: Configure ClamAV
+  import_tasks: configure-clamav.yml

roles/deploy-clamd/tasks/setup-clamav-user-group.yml

@@ -0,0 +1,13 @@
+- name: "Setup ClamAV Service Group"
+  group:
+    name: clamav
+    state: present
+
+- name: "Setup ClamAV Service User"
+  user:
+    name: clamav
+    comment: ClamAV Service Account
+    shell: /bin/false
+    group: clamav
+    
+

roles/deploy-clamd/templates/clamav-config.j2

@@ -0,0 +1,81 @@
+TCPSocket 3310
+TCPAddr {{ ansible_default_ipv6.address }}
+
+User clamav
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 24
+MaxConnectionQueueLength 30
+LogSyslog true
+LogRotate true
+LogFacility LOG_LOCAL6
+LogClean false
+LogVerbose false
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+SelfCheck 3600
+Foreground false
+Debug false
+ScanPE true
+MaxEmbeddedPE 10M
+ScanOLE2 true
+ScanPDF true
+ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
+ExitOnOOM false
+LeaveTemporaryFiles false
+AlgorithmicDetection true
+ScanELF true
+IdleTimeout 30
+CrossFilesystems true
+PhishingSignatures true
+PhishingScanURLs true
+PhishingAlwaysBlockSSLMismatch false
+PhishingAlwaysBlockCloak false
+PartitionIntersection false
+DetectPUA true
+ScanPartialMessages false
+HeuristicScanPrecedence false
+StructuredDataDetection false
+CommandReadTimeout 30
+SendBufTimeout 200
+MaxQueue 100
+ExtendedDetectionInfo true
+OLE2BlockMacros false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanTime 120000
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
+StreamMaxLength 25M
+LogFile /var/log/clamav.log
+LogTime true
+LogFileUnlock false
+LogFileMaxSize 250M
+Bytecode true
+BytecodeSecurity TrustSigned
+BytecodeTimeout 60000
+OnAccessMaxFileSize 5M

roles/deploy-clamd/templates/freshclam-config.j2

@@ -0,0 +1,38 @@
+DatabaseOwner clamav
+UpdateLogFile /var/log/freshclam.log
+LogVerbose false
+LogSyslog false
+LogFacility LOG_LOCAL6
+LogFileMaxSize 0
+LogRotate true
+LogTime true
+Foreground false
+Debug false
+MaxAttempts 5
+DatabaseDirectory /var/lib/clamav
+DNSDatabaseInfo current.cvd.clamav.net
+ConnectTimeout 30
+ReceiveTimeout 0
+TestDatabases yes
+ScriptedUpdates yes
+CompressLocalDatabase no
+Bytecode true
+NotifyClamd /etc/clamav/clamd.conf
+# Check for new database 24 times a day
+Checks 24
+DatabaseMirror db.local.clamav.net
+DatabaseMirror database.clamav.net
+
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfo.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfo.ign2
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/javascript.ndb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/spam_marketing.ndb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfohtml.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfoascii.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfoandroid.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfoold.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfopdf.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfo0hour.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfo.mdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfo.yara
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/a7ef4fbe00e1d0f06492174e93ca2ae8906316d6759eb755c2afd26c5967503d548a5c9502ae78f7903aa618985a55d1284df9b7757128530d523e712bc42ce5/securiteinfo.pdb

roles/deploy-clamd/templates/systemd-clamav-service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=ClamAV Daemon (clamd)
+Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
+After=network.target
+ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
+ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
+
+[Service]
+User=clamav
+Group=clamav
+ExecStart=/usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf
+ExecReload=/bin/kill -USR2 $MAINPID
+Restart=on-failure
+TimeoutStartSec=420
+ProtectSystem=full
+PrivateTmp=true
+RuntimeDirectory=clamav
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target

roles/deploy-clamd/templates/systemd-freshclam-service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=ClamAV Signatur-Updater (freshclam)
+Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents/
+Wants=network-online.target
+After=network-online.target
+ConditionPathExists=!/etc/cron.d/clamav-freshclam
+
+[Service]
+User=clamav
+Group=clamav
+ExecStart=/usr/bin/freshclam -d --foreground=true --config-file /etc/clamav/freshclam.conf
+Restart=on-failure
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target