# This is an example PKGBUILD file. Use this as a start to creating your own,
# and remove these comments. For more information, see 'man PKGBUILD'.
# NOTE: Please fill out the license field for your package! If it is unknown,
# then please put 'unknown'.

# Maintainer: Future Linux Team <future_linux@163.com>
pkgname=linux-pam-base
pkgver=20240314
pkgrel=1
pkgdesc="Base PAM configuration for services"
arch=('x86_64')
url="https://futurelinux.github.io"
license=('GPL-3.0-or-later')
backup=(etc/pam.d/system-account
	etc/pam.d/system-auth
	etc/pam.d/system-session
	etc/pam.d/system-password
	etc/pam.d/other)

package() {

	install -vdm755 ${pkgdir}/etc/pam.d

	cat > ${pkgdir}/etc/pam.d/system-account << "EOF"
# Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account
EOF

	cat > ${pkgdir}/etc/pam.d/system-auth << "EOF"
# Begin /etc/pam.d/system-auth

auth      required    pam_unix.so
auth      optional    pam_cap.so

# End /etc/pam.d/system-auth
EOF

	cat > ${pkgdir}/etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session   required    pam_unix.so
session   required    pam_loginuid.so
session   optional    pam_systemd.so

session   required    pam_loginuid.so
session   optional    pam_systemd.so

# End /etc/pam.d/system-session
EOF

	cat > ${pkgdir}/etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_pwquality)
password  required    pam_pwquality.so   authtok_type=UNIX retry=1 difok=1 \
                                         minlen=8 dcredit=0 ucredit=0      \
                                         lcredit=0 ocredit=0 minclass=1    \
                                         maxrepeat=0 maxsequence=0         \
                                         maxclassrepeat=0 gecoscheck=0     \
                                         dictcheck=1 usercheck=1           \
                                         enforcing=1 badwords=""           \
                                         dictpath=/usr/share/cracklib/pw_dict

# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password  required    pam_unix.so       yescrypt shadow try_first_pass

# End /etc/pam.d/system-password
EOF

	cat > ${pkgdir}/etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so

# End /etc/pam.d/other
EOF
}