chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!

ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamav-clamd.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=ClamAV virus scanner
+Documentation=man:clamd(1) man:clamd.conf(5) https://docs.clamav.net/
+ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
+ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=clamav
+Group=clamav
+Type=simple
+ExecStart=/usr/local/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf
+ExecReload=/bin/kill -USR2 $MAINPID
+TimeoutStartSec=300
+RuntimeDirectory=clamav
+RuntimeDirectoryMode=0755
+LogsDirectory=clamav
+LogsDirectoryMode=0750
+
+[Install]
+WantedBy=multi-user.target

ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamav-freshclam.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=ClamAV virus database updater
+Documentation=man:freshclam(1) man:freshclam.conf(5) https://docs.clamav.net/
+ConditionPathExists=!/etc/cron.d/clamav-freshclam
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/freshclam -d --foreground=true --config-file=/etc/clamav/freshclam.conf
+LogsDirectory=clamav
+LogsDirectoryMode=0750
+
+[Install]
+WantedBy=multi-user.target

ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamav-milter.conf.j2

@@ -0,0 +1,298 @@
+##
+## Example config file for clamav-milter
+##
+
+# Comment or remove the line below.
+Example
+
+
+##
+## Main options
+##
+
+# Define the interface through which we communicate with sendmail
+# This option is mandatory! Possible formats are:
+# [[unix|local]:]/path/to/file - to specify a unix domain socket
+# inet:port@[hostname|ip-address] - to specify an ipv4 socket
+# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
+#
+# Default: no default
+#MilterSocket /run/clamav/clamav-milter.sock
+#MilterSocket /tmp/clamav-milter.sock
+#MilterSocket inet:7357
+
+# Define the group ownership for the (unix) milter socket.
+# Default: disabled (the primary group of the user running clamd)
+#MilterSocketGroup virusgroup
+
+# Sets the permissions on the (unix) milter socket to the specified mode.
+# Default: disabled (obey umask)
+#MilterSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+#
+# Default: yes
+#FixStaleSocket yes
+
+# Run as another user (clamav-milter must be started by root for this option
+# to work)
+#
+# Default: unset (don't drop privileges)
+#User clamav
+
+# Waiting for data from clamd will timeout after this time (seconds).
+# Value of 0 disables the timeout.
+#
+# Default: 120
+#ReadTimeout 300
+
+# Don't fork into background.
+#
+# Default: no
+#Foreground yes
+
+# Chroot to the specified directory.
+# Chrooting is performed just after reading the config file and before
+# dropping privileges.
+#
+# Default: unset (don't chroot)
+#Chroot /newroot
+
+# This option allows you to save a process identifier of the listening
+# daemon.
+# This file will be owned by root, as long as clamav-milter was started by
+# root.  It is recommended that the directory where this file is stored is
+# also owned by root to keep other users from tampering with it.
+#
+# Default: disabled
+#PidFile /run/clamav/clamav-milter.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#
+#TemporaryDirectory /var/tmp
+
+##
+## Clamd options
+##
+
+# Define the clamd socket to connect to for scanning.
+# This option is mandatory! Syntax:
+# ClamdSocket unix:path
+# ClamdSocket tcp:host:port
+# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
+#     ClamdSocket unix:/run/clamav/clamd.sock
+# The second syntax specifies a tcp local or remote tcp socket: the
+# host can be a hostname or an ip address; the ":port" field is only required
+# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
+#     ClamdSocket tcp:192.168.0.1
+#
+# This option can be repeated several times with different sockets or even
+# with the same socket: clamd servers will be selected in a round-robin
+# fashion.
+#
+# Default: no default
+#ClamdSocket tcp:scanner.mydomain:7357
+#ClamdSocket unix:/run/clamav/clamd.sock
+
+
+##
+## Exclusions
+##
+
+# Messages originating from these hosts/networks will not be scanned
+# This option takes a host(name)/mask pair in CIRD notation and can be
+# repeated several times. If "/mask" is omitted, a host is assumed.
+# To specify a locally originated, non-smtp, email use the keyword "local"
+#
+# Default: unset (scan everything regardless of the origin)
+#LocalNet local
+#LocalNet 192.168.0.0/24
+#LocalNet 1111:2222:3333::/48
+
+# This option specifies a file which contains a list of basic POSIX regular
+# expressions. Addresses (sent to or from - see below) matching these regexes
+# will not be scanned.  Optionally each line can start with the string "From:"
+# or "To:" (note: no whitespace after the colon) indicating if it is,
+# respectively, the sender or recipient that is to be allowed.
+# If the field is missing, "To:" is assumed.
+# Lines starting with #, : or ! are ignored.
+#
+# Default unset (no exclusion applied)
+#AllowList /etc/allowed_addresses
+
+# Messages from authenticated SMTP users matching this extended POSIX
+# regular expression (egrep-like) will not be scanned.
+# As an alternative, a file containing a plain (not regex) list of names (one
+# per line) can be specified using the prefix "file:".
+# e.g. SkipAuthenticated file:/etc/good_guys
+#
+# Note: this is the AUTH login name!
+#
+# Default: unset (no allowing based on SMTP auth)
+#SkipAuthenticated ^(tom|dick|henry)$
+
+# Messages larger than this value won't be scanned.
+# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
+#
+# Default: 25M
+#MaxFileSize 10M
+
+
+##
+## Actions
+##
+
+# The following group of options controls the delivery process under
+# different circumstances.
+# The following actions are available:
+# - Accept
+#   The message is accepted for delivery
+# - Reject
+#   Immediately refuse delivery (a 5xx error is returned to the peer)
+# - Defer
+#   Return a temporary failure message (4xx) to the peer
+# - Blackhole (not available for OnFail)
+#   Like Accept but the message is sent to oblivion
+# - Quarantine (not available for OnFail)
+#   Like Accept but message is quarantined instead of being delivered
+#
+# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
+# For Postfix this causes the message to be placed on hold
+#
+# Action to be performed on clean messages (mostly useful for testing)
+# Default: Accept
+#OnClean Accept
+
+# Action to be performed on infected messages
+# Default: Quarantine
+#OnInfected Quarantine
+
+# Action to be performed on error conditions (this includes failure to
+# allocate data structures, no scanners available, network timeouts,
+# unknown scanner replies and the like)
+# Default: Defer
+#OnFail Defer
+
+# This option allows to set a specific rejection reason for infected messages
+# and it's therefore only useful together with "OnInfected Reject"
+# The string "%v", if present, will be replaced with the virus name.
+# Default: MTA specific
+#RejectMsg
+
+# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
+# "X-Virus-Status" headers will be attached to each processed message, possibly
+# replacing existing headers.
+# If it is set to Add, the X-Virus headers are added possibly on top of the
+# existing ones.
+# Note that while "Replace" can potentially break DKIM signatures, "Add" may
+# confuse procmail and similar filters.
+# Default: no
+#AddHeader Replace
+
+# When AddHeader is in use, this option allows to arbitrary set the reported
+# hostname. This may be desirable in order to avoid leaking internal names.
+# If unset the real machine name is used.
+# Default: disabled
+#ReportHostname my.mail.server.name
+
+# Execute a command (possibly searching PATH) when an infected message is
+# found.
+# The following parameters are passed to the invoked program in this order:
+# virus name, queue id, sender, destination, subject, message id, message date.
+# Note #1: this requires MTA macroes to be available (see LogInfected below)
+# Note #2: the process is invoked in the context of clamav-milter
+# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
+# avoid unnecessary delays in email delivery
+# Default: disabled
+#VirusAction /usr/local/bin/my_infected_message_handler
+
+##
+## Logging options
+##
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+#
+# Default: disabled
+#LogFile /tmp/clamav-milter.log
+
+# By default the log file is locked for writing - the lock protects against
+# running clamav-milter multiple times.
+# This option disables log file locking.
+#
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+#
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+#
+# Default: no
+#LogTime yes
+
+# Use system logger (can work together with LogFile).
+#
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+#
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+#
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows to tune what is logged when a message is infected.
+# Possible values are Off (the default - nothing is logged),
+# Basic (minimal info logged), Full (verbose info logged)
+# Note:
+# For this to work properly in sendmail, make sure the msg_id, mail_addr,
+# rcpt_addr and i macroes are available in eom. In other words add a line like:
+# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
+# to your .cf file. Alternatively use the macro:
+# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
+# Postfix should be working fine with the default settings.
+#
+# Default: disabled
+#LogInfected Basic
+
+# This option allows to tune what is logged when no threat is found in
+# a scanned message.
+# See LogInfected for possible values and caveats.
+# Useful in debugging but drastically increases the log size.
+# Default: disabled
+#LogClean Basic
+
+# This option affects the behaviour of LogInfected, LogClean and VirusAction
+# when a message with multiple recipients is scanned:
+# If SupportMultipleRecipients is off (the default)
+# then one single log entry is generated for the message and, in case the
+# message is determined to be malicious, the command indicated by VirusAction
+# is executed just once. In both cases only the last recipient is reported.
+# If SupportMultipleRecipients is on:
+# then one line is logged for each recipient and the command indicated
+# by VirusAction is also executed once for each recipient.
+#
+# Note: although it's probably a good idea to enable this option, the default
+# value
+# is currently set to off for legacy reasons.
+# Default: no
+#SupportMultipleRecipients yes

ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamd.conf.j2

@@ -0,0 +1,250 @@
+LogFile /var/log/clamav/clamd.log
+LogFileUnlock no
+LogFileMaxSize 2M
+LogTime yes
+LogClean no
+LogSyslog no
+LogFacility LOG_LOCAL6
+LogVerbose no
+LogRotate no
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+ExtendedDetectionInfo yes
+TemporaryDirectory /tmp
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly no
+#FailIfCvdOlderThan 7
+
+User clamav
+# Default: disabled (must be specified by a user)
+LocalSocket /var/run/clamav/clamd.sock
+#LocalSocket /tmp/clamd.sock
+# Default: disabled (the primary group of the user running clamd)
+LocalSocketGroup clamav
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+#FixStaleSocket yes
+
+# Default: no
+#TCPSocket 3310
+# Default: no
+#TCPAddr localhost
+# Default: 200
+#MaxConnectionQueueLength 30
+# Default: 100M
+#StreamMaxLength 25M
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+# Default: 10
+#MaxThreads 20
+# Default: 120
+#ReadTimeout 300
+CommandReadTimeout 30
+# Default: 500
+#SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by
+# MaxThreads threads).
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out  of file
+# descriptors, the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
+# max is 1024).
+#
+# Default: 100
+#MaxQueue 200
+
+# Default: 30
+#IdleTimeout 60
+# Default: scan all
+ExcludePath ^/proc/
+ExcludePath ^/sys/
+MaxDirectoryRecursion 20
+# Default: no
+#FollowDirectorySymlinks yes
+# Default: no
+#FollowFileSymlinks yes
+CrossFilesystems yes
+SelfCheck 600
+# Default: yes
+#ConcurrentDatabaseReload no
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
+#ExitOnOOM yes
+# Default: no
+#Foreground yes
+# Default: no
+#Debug yes
+# Default: no
+#LeaveTemporaryFiles yes
+# Default: no
+#GenerateMetadataJson yes
+# Default: yes
+#AllowAllMatchScan no
+DetectPUA yes
+# Default: Load all categories (if DetectPUA is activated)
+ExcludePUA Tool
+ForceToDisk no
+# Default: no
+#DisableCache yes
+#CacheSize 65536
+HeuristicAlerts yes
+# Default: no
+#HeuristicScanPrecedence yes
+
+##
+## Heuristic Alerts
+##
+# Default: no
+#AlertBrokenExecutables yes
+# Default: no
+#AlertBrokenMedia yes
+# Default: no
+#AlertEncrypted yes
+# Default: no
+#AlertEncryptedArchive yes
+# Default: no
+#AlertEncryptedDoc yes
+# Default: no
+AlertOLE2Macros yes
+# Default: no
+#AlertPhishingSSLMismatch yes
+# Default: no
+#AlertPhishingCloak yes
+# Default: no
+#AlertPartitionIntersection yes
+
+##
+## Executable files
+##
+# Default: yes
+ScanPE yes
+# Default: no
+#DisableCertCheck yes
+# Default: yes
+ScanELF yes
+
+##
+## Documents
+##
+ScanOLE2 yes
+ScanPDF yes
+ScanSWF yes
+ScanXMLDOCS yes
+ScanHWP3 yes
+
+##
+## Mail files
+##
+ScanMail yes
+# Default: no
+#ScanPartialMessages yes
+PhishingSignatures yes
+PhishingScanURLs yes
+
+##
+## Data Loss Prevention (DLP)
+##
+# Default: No
+#StructuredDataDetection yes
+# Default: 3
+StructuredMinCreditCardCount 5
+# Default: no
+#StructuredCCOnly yes
+# Default: 3
+StructuredMinSSNCount 5
+StructuredSSNFormatNormal yes
+StructuredSSNFormatStripped yes
+
+##
+## HTML
+##
+ScanHTML yes
+
+##
+## Archives
+##
+ScanArchive yes
+
+##
+## Limits
+##
+# Default: 120000
+#MaxScanTime 300000
+# Default: 400M
+MaxScanSize 500M
+# Default: 100M
+MaxFileSize 400M
+# Default: 17
+#MaxRecursion 10
+# Default: 10000
+#MaxFiles 15000
+# Default: 40M
+MaxEmbeddedPE 80M
+# Default: 40M
+#MaxHTMLNormalize 100M
+# Default: 8M
+#MaxHTMLNoTags 16M
+# Default: 20M
+#MaxScriptNormalize 50M
+# Default: 1M
+#MaxZipTypeRcg 1M
+# Default: 50
+#MaxPartitions 128
+# Default: 100
+#MaxIconsPE 200
+# Default: 16
+#MaxRecHWP3 16
+# Default: 100000
+#PCREMatchLimit 20000
+# Default: 2000
+#PCRERecMatchLimit 10000
+# Default: 100M
+#PCREMaxFileSize 400M
+# Default: no
+AlertExceedsMax yes
+
+##
+## On-access Scan Settings
+##
+# Default: 5M
+#OnAccessMaxFileSize 10M
+# Default: 5
+#OnAccessMaxThreads 10
+# Default: 5000 (5 seconds)
+# OnAccessCurlTimeout 10000
+# Default: no
+#OnAccessDisableDDD yes
+# Default: disabled
+#OnAccessIncludePath /home
+#OnAccessIncludePath /students
+# Default: disabled
+#OnAccessExcludePath /home/user
+# Default: no
+OnAccessPrevention yes
+# Default: no
+#OnAccessDenyOnError yes
+# Default: no
+#OnAccessExtraScanning yes
+# Default: disabled
+#OnAccessMountPath /
+#OnAccessMountPath /home/user
+# Default: no
+#OnAccessExcludeRootUID no
+# Default: disabled
+#OnAccessExcludeUID -1
+# Default: disabled
+OnAccessExcludeUname clamav
+# Default: 0
+#OnAccessRetryAttempts 3
+
+##
+## Bytecode
+##
+Bytecode yes
+BytecodeSecurity TrustSigned
+BytecodeUnsigned no
+# Default: 10000
+# BytecodeTimeout 1000

ansible_collections/nullified/infrastructure/roles/security/templates/clamav/freshclam.conf.j2

@@ -0,0 +1,23 @@
+DatabaseOwner clamav
+UpdateLogFile /var/log/clamav/freshclam.log
+LogVerbose false
+LogSyslog false
+LogFacility LOG_LOCAL6
+LogFileMaxSize 0
+LogRotate true
+LogTime true
+Foreground false
+Debug false
+MaxAttempts 5
+DatabaseDirectory /var/lib/clamav
+DNSDatabaseInfo current.cvd.clamav.net
+ConnectTimeout 30
+ReceiveTimeout 0
+TestDatabases yes
+ScriptedUpdates yes
+CompressLocalDatabase no
+Bytecode true
+NotifyClamd /etc/clamav/clamd.conf
+Checks 24
+DatabaseMirror db.local.clamav.net
+DatabaseMirror database.clamav.net