#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

log "ClamAV (clamav-daemon) installieren/konfigurieren …"

# Flags laden
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"

# Pakete
if ! dpkg -s clamav-daemon >/dev/null 2>&1; then
  apt-get update -qq
  apt-get install -y clamav clamav-daemon
fi

# Signaturen aktualisieren (erst Freshclam starten)
systemctl stop clamav-freshclam 2>/dev/null || true
freshclam || true
systemctl start clamav-freshclam || true

# clamd LocalSocket setzen
sed -i 's|^#\?LocalSocket .*|LocalSocket /run/clamav/clamd.ctl|' /etc/clamav/clamd.conf || true
install -d -m 0755 /run/clamav
chown clamav:clamav /run/clamav

# Dienst nach Flag
if [[ "$CLAMAV_ENABLE" = "1" ]]; then
  systemctl enable --now clamav-daemon
else
  systemctl disable --now clamav-daemon || true
fi

# Rspamd-Integration (nur wenn aktiv)
AV_CONF="/etc/rspamd/local.d/antivirus.conf"
if [[ "$CLAMAV_ENABLE" = "1" ]]; then
  cat >"$AV_CONF" <<'EOF'
clamav {
  symbol = "CLAM_VIRUS";
  type = "clamav";
  servers = "/run/clamav/clamd.ctl";
  scan_mime_parts = true;
  scan_text_mime = true;
  max_size = 50mb;
  log_clean = false;
  action = "reject";
}
EOF
  chown root:_rspamd "$AV_CONF" || true
  chmod 0640 "$AV_CONF" || true
  systemctl reload rspamd || systemctl restart rspamd
else
  rm -f "$AV_CONF" || true
  systemctl reload rspamd || true
fi

log "[✓] ClamAV (ENABLE=${CLAMAV_ENABLE}) konfiguriert."