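#!/bin/bash
# One-shot installer for ClamAV with on-access scanning (clamonacc).
#
# Run as a regular user from the directory that holds the payload files;
# individual commands use sudo where root is required.
# Requires in the current directory:
#   ./clamav-sudoer  ./clamd.conf  ./virus-event.bash  ./clamav-clamonacc.service
#
# NOTE: the script ends by rebooting the machine.

# Stop at the first failing step. Without this, a failed copy or signature
# download would still be followed by the reboot at the end, leaving the host
# with a partially deployed (and possibly non-starting) scanner.
set -euo pipefail

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Pre-flight: the payload paths are relative, so verify they exist before
# anything on the system is modified.
for payload in ./clamav-sudoer ./clamd.conf ./virus-event.bash \
  ./clamav-clamonacc.service; do
  [[ -f "$payload" ]] || die "missing $payload (run from the installer directory)"
done

# Install the clamav package (provides clamd, clamonacc, freshclam, clamdscan).
sudo pacman -S clamav

# Deploy the sudoers drop-in. According to the original author's note it lets
# the clamav user run a command without a password; review ./clamav-sudoer and
# keep the rule limited to the exact binary that is needed.
# The file is syntax-checked first: a malformed drop-in in /etc/sudoers.d can
# make sudo refuse to run at all. It is then installed root-owned with mode
# 0440 instead of inheriting whatever mode the working copy happens to have.
sudo visudo -c -f ./clamav-sudoer
sudo install -o root -g root -m 0440 ./clamav-sudoer /etc/sudoers.d/clamav

# Deploy the custom daemon config (see clamd.conf in this directory for details
# on on-access mount path, scan settings, and VirusEvent hook).
sudo install -o root -g root -m 0644 ./clamd.conf /etc/clamav/clamd.conf

# Deploy the virus-event script that clamd calls when a threat is detected.
# clamd executes this file, so it is installed root-owned and writable by root
# only; a hook that an unprivileged user can edit would let that user run code
# as whatever account clamd runs under.
sudo install -o root -g root -m 0755 ./virus-event.bash /etc/clamav/virus-event.bash

# Deploy the custom systemd unit for clamonacc (the on-access daemon).
# It goes to /etc/systemd/system/, the administrator-owned location: units
# there take precedence over the packaged copy in /usr/lib/systemd/system/ and
# are not replaced when pacman upgrades or reinstalls clamav. Writing to
# /usr/lib/systemd/system/ would silently lose the customisation on the next
# package upgrade.
sudo install -o root -g root -m 0644 ./clamav-clamonacc.service \
  /etc/systemd/system/clamav-clamonacc.service
sudo systemctl daemon-reload

# aa-complain clamd
# (AppArmor complain-mode left commented out. Complain mode logs denials
# without enforcing them, i.e. it removes the confinement of clamd; if AppArmor
# is active and blocks clamonacc, prefer extending the profile and use
# complain mode only while diagnosing.)

# Enable the four related units at boot:
#   clamav-clamonacc            : on-access real-time scanner (needs clamd)
#   clamav-daemon               : the clamd background scan service
#   clamav-freshclam            : signature update service
#   clamav-freshclam-once.timer : timer-driven single freshclam run
# NOTE(review): the freshclam service and the -once timer both update
# signatures; confirm that enabling both is intended.
sudo systemctl enable \
  clamav-clamonacc.service \
  clamav-daemon.service \
  clamav-freshclam.service \
  clamav-freshclam-once.timer

# Perform an initial signature database download. Without signatures clamd
# will not start. The database directory is not writable by a regular user, so
# freshclam has to be started through sudo.
sudo freshclam

# Reboot so that every enabled unit comes up in normal boot order.
# NOTE(review): the original author states a reboot is required for on-access
# scanning to take full effect; starting the units by hand may be sufficient.
sudo reboot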