nixos/clamav: add ClamAV on-access scanner support

          '';

        };

      };

      clamonacc = {

        enable = lib.mkOption {

          default = false;

          example = true;

          description = ''

            Whether to enable ClamAV on-access scanner.

            The settings for ClamAV's on-access scanner is configured in `clamd.conf` via `services.clamav.daemon.settings`.

            Refer to <https://docs.clamav.net/manual/OnAccess.html> on how to configure it.

            Example to scan `/home/foo/Downloads` (and block access until scanning is completed) would be:

            ```

            services.clamav = {

              daemon.enable = true;

              clamonacc.enable = true;

              daemon.settings = {

                OnAccessPrevention = true;

                OnAccessIncludePath = "/home/foo/Downloads";

              };

            };

            ```

          '';

          type = lib.types.bool;

        };

      };

      updater = {

        enable = lib.mkEnableOption "ClamAV freshclam updater";

        assertion = cfg.scanner.enable -> cfg.daemon.enable;

        message = "ClamAV scanner requires ClamAV daemon to operate";

      }

      {

        assertion = cfg.clamonacc.enable -> cfg.daemon.enable;

        message = "ClamAV on-access scanner requires ClamAV daemon to operate";

      }

    ];

    environment.systemPackages = [ cfg.package ];

      PidFile = "/run/clamav/clamd.pid";

      User = clamavUser;

      Foreground = true;

      # Prevent infinite recursion in scanning

      OnAccessExcludeUname = clamavUser;

    };

    services.clamav.updater.settings = {

      };

    };

    systemd.services.clamav-clamonacc = lib.mkIf cfg.clamonacc.enable {

      description = "ClamAV on-access scanner (clamonacc)";

      after = [ "clamav-daemon.socket" ];

      requires = [ "clamav-daemon.socket" ];

      wantedBy = [ "multi-user.target" ];

      restartTriggers = [ clamdConfigFile ];

      # This unit must start as root to be able to use fanotify.

      serviceConfig = {

        ExecStart = "${cfg.package}/bin/clamonacc -F --fdpass";

        Slice = "system-clamav.slice";

      };

    };

    systemd.timers.clamav-freshclam = lib.mkIf cfg.updater.enable {

      description = "Timer for ClamAV virus database updater (freshclam)";

      wantedBy = [ "timers.target" ];