Init: bootstrap package

.gitea/workflows/build.yml

@@ -0,0 +1,15 @@
+name: Build package
+on: [push]
+
+jobs:
+  build-package:
+    runs-on: pkgbuilder
+    env:
+    steps:
+      - name: Build and push package
+        uses: https://gitea.konchin.com/action/archbuild@main
+        with:
+          minio-accesskey: ${{ secrets.MINIO_ACCESSKEY }}
+          minio-secretkey: ${{ secrets.MINIO_SECRETKEY }}
+          gpg-password: ${{ secrets.GPG_PASSWORD }}
+          gpg-keygrip: ${{ secrets.GPG_KEYGRIP }}

60-sssd.conf

@@ -0,0 +1,29 @@
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = LDAP
+
+[nss]
+entry_negative_timeout = 20
+
+[pam]
+offline_credentials_expiration = 3
+
+[domain/LDAP]
+cache_credentials = true
+enumerate = true
+
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldaps://ldap.konchin.com
+ldap_search_base = dc=konchin,dc=com
+ldap_sudo_search_base = ou=SUDOers,dc=konchin,dc=com
+entry_cache_timeout = 3600
+entry_cache_netgroup_timeout = 0
+entry_cache_user_timeout = 600
+entry_cache_group_timeout = 3600
+ldap_search_timeout = 50
+ldap_network_timeout = 60

LICENSE

@@ -0,0 +1,14 @@
+BSD Zero Clause License
+
+Copyright (c) 2025 Yi-Ting Shih
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

PKGBUILD

@@ -0,0 +1,44 @@
+# Maintainer: Yi-Ting Shih <ytshih@konchin.com>
+pkgname=hl-ldap-env
+pkgver=0.0.1
+pkgrel=1
+pkgdesc="Base environment for konchin.com homelab"
+arch=(any)
+url="https://gitea.konchin.com/package/hl-ldap-env"
+license=('0BSD')
+depends=(
+  'openldap'
+  'sssd'
+  'nfs-utils'
+  'sudo'
+  'pam'
+)
+install="$pkgname.install"
+source=(
+  'ldap.conf'
+  'net-home.mount'
+  'pam-su'
+  'pam-su-l'
+  'pam-sudo'
+  'pam-system-auth'
+  '60-sssd.conf'
+)
+
+package() {
+  cd "$srcdir"
+
+  install -Dm644 ldap.conf "$pkgdir/etc/openldap/ldap.conf"
+  install -Dm644 net-home.mount "$pkgdir/etc/systemd/system/net-home.mount"
+  install -Dm644 pam-su "$pkgdir/etc/pam.d/su"
+  install -Dm644 pam-su-l "$pkgdir/etc/pam.d/su-l"
+  install -Dm644 pam-sudo "$pkgdir/etc/pam.d/sudo"
+  install -Dm644 pam-system-auth "$pkgdir/etc/pam.d/system-auth"
+  install -Dm644 60-sssd.conf "$pkgdir/etc/sssd/60-sssd.conf"
+}
+sha256sums=('62c71fb39d4163e813b1fbbb7594d388d8de20476e69d0822ffd7c3d537b22a5'
+            '1c4a92b809339137fd478c628e4753b849f26059761b1e20377e24c2fb06a555'
+            'c54ddb4dda93149811ccd8c29446ed9e3d75bb01a0e5ca3532b4b6bd1a6099fe'
+            '4dc73ef7fd1640345f0b84191c18bf161f2a79b11c7309ac2f73952b22ddf737'
+            'f664afd3c165da6ce355329021a81ceac562a02a853465188ba9fab919315b71'
+            '6fba778754a1e73eb038481e1e436bbdaa81d7cf4ed26d6763c1f9d2a3122f3a'
+            'f239447e5107f6be09b709b5a33ad23b680bcaafe60162cea11a72e4fe20516d')

hl-ldap-env.install

@@ -0,0 +1,3 @@
+pre_install() {
+
+}

ldap.conf

@@ -0,0 +1,5 @@
+BASE          ou=people,dc=konchin,dc=com
+URI           ldaps://ldap
+sudoers_base  ou=SUDOers,dc=konchin,dc=com
+
+TLS_REQCERT   allow

net-home.mount

@@ -0,0 +1,11 @@
+[Unit]
+Description=Mount /net/home
+
+[Mount]
+What=nfs.konchin.com:/srv/nfs/home
+Where=/net/home
+Type=nfs
+TimeoutSec=30
+
+[Install]
+WantedBy=multi-user.target

pam-su

@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth            sufficient        pam_rootok.so
+
+auth sufficient   pam_sss.so      forward_pass
+auth            required        pam_unix.so
+
+account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
+account         required        pam_unix.so
+
+-session         required        pam_mkhomedir.so skel=/etc/skel umask=0077
+session         required        pam_unix.so
+session optional pam_sss.so
+
+password         include        system-auth

pam-su-l

@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+-auth            sufficient      pam_ldap.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+-auth            required        pam_unix.so use_first_pass
+-account         sufficient      pam_ldap.so
+account         required        pam_unix.so
+-session         required        pam_mkhomedir.so skel=/etc/skel umask=0077
+-session         sufficient      pam_ldap.so
+session         required        pam_unix.so
+password        include         system-auth

pam-sudo

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_sss.so
+auth            required        pam_unix.so try_first_pass
+auth            required        pam_nologin.so

pam-system-auth

@@ -0,0 +1,21 @@
+#%PAM-1.0
+
+auth sufficient pam_sss.so forward_pass
+auth required pam_unix.so try_first_pass nullok
+auth optional pam_permit.so
+auth required pam_env.so
+
+account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password sufficient pam_sss.so
+password required pam_unix.so try_first_pass nullok sha512 shadow
+password optional pam_permit.so
+
+session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_permit.so