commit 1f66a9c087f3cdb1acbbd5d30602e9b34973a99a
Author: ytshih
Date: Mon Jul 28 07:00:43 2025 +0800
Init: bootstrap package
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
new file mode 100644
index 0000000..6b909f7
--- /dev/null
+++ b/.gitea/workflows/build.yml
@@ -0,0 +1,15 @@
+name: Build package
+on: [push]
+
+jobs:
+ build-package:
+ runs-on: pkgbuilder
+ env:
+ steps:
+ - name: Build and push package
+ uses: https://gitea.konchin.com/action/archbuild@main
+ with:
+ minio-accesskey: ${{ secrets.MINIO_ACCESSKEY }}
+ minio-secretkey: ${{ secrets.MINIO_SECRETKEY }}
+ gpg-password: ${{ secrets.GPG_PASSWORD }}
+ gpg-keygrip: ${{ secrets.GPG_KEYGRIP }}
diff --git a/60-sssd.conf b/60-sssd.conf
new file mode 100644
index 0000000..79d5ff9
--- /dev/null
+++ b/60-sssd.conf
@@ -0,0 +1,29 @@
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = LDAP
+
+[nss]
+entry_negative_timeout = 20
+
+[pam]
+offline_credentials_expiration = 3
+
+[domain/LDAP]
+cache_credentials = true
+enumerate = true
+
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldaps://ldap.konchin.com
+ldap_search_base = dc=konchin,dc=com
+ldap_sudo_search_base = ou=SUDOers,dc=konchin,dc=com
+entry_cache_timeout = 3600
+entry_cache_netgroup_timeout = 0
+entry_cache_user_timeout = 600
+entry_cache_group_timeout = 3600
+ldap_search_timeout = 50
+ldap_network_timeout = 60
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d33fd98
--- /dev/null
+++ b/LICENSE
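Review bot: `env:` under `build-package` has no entries, which YAML parses as a null value; the runner may reject or silently ignore it, so it should either be removed or given the variables it was meant to hold. The `uses:` line pins the action to the mutable `@main` ref while handing it the MinIO and GPG secrets; pinning to a tag or commit SHA (for example `uses: https://gitea.konchin.com/action/archbuild@<commit-sha>`) keeps a later change to that branch from silently receiving them. Indentation in the hunk appears collapsed by the page, so I cannot confirm the nesting of the `with:` keys from what is visible.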
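Review bot: `enumerate = true` in `[domain/LDAP]` makes sssd periodically download every user and group in the directory; sssd.conf(5) discourages it except for small directories, and nothing visible here needs it, so consider dropping the line. `ldap_uri = ldaps://ldap.konchin.com` relies on the default `ldap_tls_reqcert = hard`, which is the right choice, but it assumes the issuing CA is in the system bundle; if a private CA signs the server certificate, an explicit `ldap_tls_cacert = <path to CA bundle>` line makes that dependency visible. `entry_cache_netgroup_timeout = 0` disables netgroup caching while the other cache timeouts are 600 or 3600; if that is deliberate, a one-line comment saying why would help the next reader.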
@@ -0,0 +1,14 @@
+BSD Zero Clause License
+
+Copyright (c) 2025 Yi-Ting Shih
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..e412f58
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,44 @@
+# Maintainer: Yi-Ting Shih
+pkgname=hl-ldap-env
+pkgver=0.0.1
+pkgrel=1
+pkgdesc="Base environment for konchin.com homelab"
+arch=(any)
+url="https://gitea.konchin.com/package/hl-ldap-env"
+license=('0BSD')
+depends=(
+ 'openldap'
+ 'sssd'
+ 'nfs-utils'
+ 'sudo'
+ 'pam'
+)
+install="$pkgname.install"
+source=(
+ 'ldap.conf'
+ 'net-home.mount'
+ 'pam-su'
+ 'pam-su-l'
+ 'pam-sudo'
+ 'pam-system-auth'
+ '60-sssd.conf'
+)
+
+package() {
+ cd "$srcdir"
+
+ install -Dm644 ldap.conf "$pkgdir/etc/openldap/ldap.conf"
+ install -Dm644 net-home.mount "$pkgdir/etc/systemd/system/net-home.mount"
+ install -Dm644 pam-su "$pkgdir/etc/pam.d/su"
+ install -Dm644 pam-su-l "$pkgdir/etc/pam.d/su-l"
+ install -Dm644 pam-sudo "$pkgdir/etc/pam.d/sudo"
+ install -Dm644 pam-system-auth "$pkgdir/etc/pam.d/system-auth"
+ install -Dm644 60-sssd.conf "$pkgdir/etc/sssd/60-sssd.conf"
+}
+sha256sums=('62c71fb39d4163e813b1fbbb7594d388d8de20476e69d0822ffd7c3d537b22a5'
+ '1c4a92b809339137fd478c628e4753b849f26059761b1e20377e24c2fb06a555'
+ 'c54ddb4dda93149811ccd8c29446ed9e3d75bb01a0e5ca3532b4b6bd1a6099fe'
+ '4dc73ef7fd1640345f0b84191c18bf161f2a79b11c7309ac2f73952b22ddf737'
+ 'f664afd3c165da6ce355329021a81ceac562a02a853465188ba9fab919315b71'
+ '6fba778754a1e73eb038481e1e436bbdaa81d7cf4ed26d6763c1f9d2a3122f3a'
+ 'f239447e5107f6be09b709b5a33ad23b680bcaafe60162cea11a72e4fe20516d')
diff --git a/hl-ldap-env.install b/hl-ldap-env.install
new file mode 100644
index 0000000..4a60aa1
--- /dev/null
+++ b/hl-ldap-env.install
@@ -0,0 +1,3 @@
+pre_install() {
+
+}
diff --git a/ldap.conf b/ldap.conf
new file mode 100644
index 0000000..1f6e6c6
--- /dev/null
+++ b/ldap.conf
@@ -0,0 +1,5 @@
+BASE ou=people,dc=konchin,dc=com
+URI ldaps://ldap
+sudoers_base ou=SUDOers,dc=konchin,dc=com
+
+TLS_REQCERT allow
diff --git a/net-home.mount b/net-home.mount
new file mode 100644
index 0000000..10d4acd
--- /dev/null
+++ b/net-home.mount
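Review bot: `package()` installs into `/etc/pam.d/su`, `/etc/pam.d/su-l`, `/etc/pam.d/sudo`, `/etc/pam.d/system-auth` and `/etc/openldap/ldap.conf`, paths that on Arch are already owned by util-linux, sudo, pambase and the OpenLDAP client package, so pacman will refuse the install with a file-conflict error unless forced; if the intent is to replace those files, one option is to ship them under `/usr/share/$pkgname/` and copy them into place from the `.install` script after saving the originals. `install -Dm644 60-sssd.conf "$pkgdir/etc/sssd/60-sssd.conf"` has two further problems: sssd reads `/etc/sssd/sssd.conf` and the drop-ins under `/etc/sssd/conf.d/`, not a bare file in `/etc/sssd/`, and as far as I recall it refuses configuration files that are group- or world-readable, so the line should become `install -Dm600 60-sssd.conf "$pkgdir/etc/sssd/conf.d/60-sssd.conf"`. Every file here lives under `/etc`, so a `backup=()` array listing them would stop later upgrades from clobbering local edits.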
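Review bot: `pre_install()` has an empty body, which bash rejects as a syntax error (`syntax error near unexpected token '}'`), so pacman will fail when it sources the script and the install aborts. Either give the function a no-op body, `pre_install() { :; }`, or drop the file together with the `install="$pkgname.install"` line in PKGBUILD until there is something for it to do.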
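Review bot: `TLS_REQCERT allow` tells libldap to proceed even when the server presents no certificate or one that fails verification, which removes the server-authentication half of the `ldaps://` in `URI ldaps://ldap`; any host that can answer for the name `ldap` on the local network can then serve the directory, and the `sudoers_base` lookups sudo performs through this file would trust what it returns. The usual fix is the default `TLS_REQCERT demand` together with `TLS_CACERT <path to the CA bundle>` so the chain actually verifies. `URI ldaps://ldap` uses a bare short name while 60-sssd.conf dials `ldaps://ldap.konchin.com`; the certificate must carry whichever name is used, and `allow` currently hides any mismatch, so aligning the two is worth doing at the same time.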
@@ -0,0 +1,11 @@
+[Unit]
+Description=Mount /net/home
+
+[Mount]
+What=nfs.konchin.com:/srv/nfs/home
+Where=/net/home
+Type=nfs
+TimeoutSec=30
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pam-su b/pam-su
new file mode 100644
index 0000000..a43dc28
--- /dev/null
+++ b/pam-su
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+
+auth sufficient pam_sss.so forward_pass
+auth required pam_unix.so
+
+account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
+account required pam_unix.so
+
+-session required pam_mkhomedir.so skel=/etc/skel umask=0077
+session required pam_unix.so
+session optional pam_sss.so
+
+password include system-auth
diff --git a/pam-su-l b/pam-su-l
new file mode 100644
index 0000000..aeb01df
--- /dev/null
+++ b/pam-su-l
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+-auth sufficient pam_ldap.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth required pam_wheel.so use_uid
+-auth required pam_unix.so use_first_pass
+-account sufficient pam_ldap.so
+account required pam_unix.so
+-session required pam_mkhomedir.so skel=/etc/skel umask=0077
+-session sufficient pam_ldap.so
+session required pam_unix.so
+password include system-auth
diff --git a/pam-sudo b/pam-sudo
new file mode 100644
index 0000000..55c5b2f
--- /dev/null
+++ b/pam-sudo
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_sss.so
+auth required pam_unix.so try_first_pass
+auth required pam_nologin.so
diff --git a/pam-system-auth b/pam-system-auth
new file mode 100644
index 0000000..97166a2
--- /dev/null
+++ b/pam-system-auth
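Review bot: the `[Mount]` section has no `Options=` line, so `/net/home` is mounted with the NFS client defaults, which let setuid binaries and device nodes stored on the server take effect on the client; for a shared home directory `Options=nosuid,nodev` is the customary hardening and costs nothing for ordinary user files. `WantedBy=multi-user.target` works, but `remote-fs.target` is the target systemd uses to group network mounts, so `WantedBy=remote-fs.target` would be the conventional choice. Whether a `sec=` option is needed depends on how the server exports the share, which this commit does not show.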
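Review bot: `auth required pam_unix.so` follows `auth sufficient pam_sss.so forward_pass` without `try_first_pass` or `use_first_pass`, so when pam_sss fails (a local account, or the directory unreachable) pam_unix prompts for the password a second time instead of consuming the one already forwarded; the other stacks in this commit (pam-sudo, pam-system-auth) pass `try_first_pass`, so `auth required pam_unix.so try_first_pass` would make su consistent with them. The file also places no restriction on who may su to root; whether `pam_wheel.so` belongs here is a policy choice, but a one-line comment stating the choice would help, since the su-l variant keeps the commented-out pam_wheel lines and this one does not.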
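Review bot: su-l authenticates through `pam_ldap.so` (`-auth sufficient pam_ldap.so`, `-account sufficient pam_ldap.so`, `-session sufficient pam_ldap.so`) while every other stack in this commit uses `pam_sss.so`, and pam_ldap is not among the PKGBUILD depends; the leading `-` makes PAM skip the missing module silently, so as far as I can tell `su -l <directory user>` from a non-root shell falls through to `pam_unix.so` alone and fails for directory accounts without any module-load error being logged. Replacing the three lines with `auth sufficient pam_sss.so forward_pass`, `account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so` and `session optional pam_sss.so` would match pam-su. The `-` prefix on `-auth required pam_unix.so use_first_pass` is also surprising: if pam_unix were ever absent the auth stack would contain only pam_rootok, so that line is better left unprefixed.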
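Review bot: pam-sudo carries only an `auth` stack; there is no `account` or `session` line, so the account checks that pam-system-auth performs (`pam_sss.so` account status, `pam_time.so`, `pam_unix.so` expiry) are never run for sudo, and as far as I can tell a directory account that has been disabled or expired but still holds a valid password could keep using sudo until the sssd cache expires. Adding `account include system-auth` and `session include system-auth` after the auth lines closes that gap and also brings `pam_limits.so` into sudo sessions.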
@@ -0,0 +1,21 @@
+#%PAM-1.0
+
+auth sufficient pam_sss.so forward_pass
+auth required pam_unix.so try_first_pass nullok
+auth optional pam_permit.so
+auth required pam_env.so
+
+account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password sufficient pam_sss.so
+password required pam_unix.so try_first_pass nullok sha512 shadow
+password optional pam_permit.so
+
+session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_permit.so
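Review bot: `nullok` on `auth required pam_unix.so try_first_pass nullok` and again on the `password` line lets any local account with an empty password field authenticate and keep an empty password; on a host that also accepts directory logins that is a wider exposure than it looks, so unless empty local passwords are an intended state both `nullok` tokens should go. The stack also has no `pam_faillock.so` entries, so repeated wrong passwords against local accounts are never throttled on the client; if lockout is wanted, the usual shape is a `preauth` line before pam_unix, an `authfail` line after it and an `authsucc` line at the end of the auth stack. `skel=/etc/skel/` here and `skel=/etc/skel` in pam-su name the same directory; harmonising the spelling is cosmetic but makes the two files easier to diff.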