Debian package repository.

• Based upon: the guide for setting up a private debian repository.

$ ./create-image.sh

Now all that needs to be done is to provide the authorized_keys and gpg keys to the config folder structure

The config folder is assumed to be located at ~/reprepro-config

create the folder structures

mkdir -p ~/reprepro-config/home/debian/.ssh/
mkdir -p ~/reprepro-config/home/debian/.gnupg/

The keys are required for adding packages to the system, and should be added to;

$CONFIG_FOLDER/home/debian/.ssh/authorized_keys

Assuming you have generated a ssh key-set on the machine, you can do this by running;

$ export CONFIG_FOLDER=/home/config_here
$ cp ~/.ssh/id_rsa.pub $CONFIG_FOLDER/home/debian/.ssh/authorized_keys

Generating a ssh key-set can be done by running;

$ ssh-keygen

And following the instructions.

The GPG keys are used for signing packages, they can be provided to;

$CONFIG_FOLDER/home/debian/.gnupg/master_pub.gpg
$CONFIG_FOLDER/home/debian/.gnupg/signing_sec.pgp

Generating gpg keys can be done by running;

$ gpg --gen-key

I suggest making a master with a long time to expire, then a signing sub key with a shorter time to expire. Keep the master offline, and backed up. Export the master pub and the signing key Then if your signing key is exposed, you can revoke it, and issue a new one with your safe offline master key.

Right now you can only see the subkey key ids when you are in edit mode: gpg --edit-key

See a good how to here https://www.debuntu.org/how-to-importexport-gpg-key-pair/ But remember to only export the master public key and the sub key private key. Export the master key at a different time to back it up.

The first time, we need to provide some configuration parameters run

./prawnos-repo-first-run.sh

This will give log output for you to ensure everything is correct and create the appropriate files in

$CONFIG_FOLDER/var/
$CONFIG_FOLDER/etc/

Once those are created, you can simply run

./prawnos-repo-run.sh

which will run the docker in the background

place they new keys in

$CONFIG_FOLDER/home/debian/.gnupg/master_pub.gpg
$CONFIG_FOLDER/home/debian/.gnupg/signing_sec.pgp

depending on how your new signing key is configured you may then have to manually import the key

docker exec -it --user debian <container-id> /bin/bash

sudo cp /srv/home/debian/.gnupg/signing_sec.gpg .
gpg --pinentry-mode loopback --import signing_sec.gpg

then update the repo

docker exec -it --user debian <container-id> /bin/bash

reprepro -b /var/www/repos/apt/debian/ export bullseye

you may have to request that your users re-import your public key as well using the instructions on the repos webpage

rm -rf ~/reprepro-config/etc/
rm -rf ~/reprepro-config/var/

inoticoming is used to watch an incoming folder for any new .changes files

https://github.com/SolidHal/reprepro-docker-http

Assuming the configuration is done, you can start the server as;

$ export CONFIG_FOLDER=/home/config_here
$ export WEBSERVER_PORT=8080
$ export SSH_PORT=2222
$ docker run -v $CONFIG_FOLDER:/srv/ -p $WEBSERVER_PORT:80 -p $SSH_PORT:22 -d solidhal/reprepro

There are three ways to configurate the image;

• Interactive
• Environmental
• Manual

Stand-alone (Interactive configuration);

$ export CONFIG_FOLDER=/home/config_here
$ export WEBSERVER_PORT=8080
$ export SSH_PORT=2222
$ docker run -v $CONFIG_FOLDER:/srv/ -p $WEBSERVER_PORT:80 -p $SSH_PORT:22 -it solidhal/reprepro

Stand-alone (Environemental configuration);

$ export CONFIG_FOLDER=/home/config_here
$ export WEBSERVER_PORT=8080
$ export SSH_PORT=2222
$ export HOSTNAME="{{YOUR-DOMAIN-NAME}}"
$ export PROJECT_NAME="{{NAME-OF-APT-REPO}}" 
$ export CODE_NAME="{{CODENAME-OF-OS-RELEASE}}" 
$ docker run -v $CONFIG_FOLDER:/srv/ -p $WEBSERVER_PORT:80 -p $SSH_PORT:22 \
             -e HOSTNAME=$HOSTNAME \
             -e PROJECT_NAME=$PROJECT_NAME -e CODE_NAME=$CODE_NAME \
             -it solidhal/reprepro

Stand-alone (Manual); The same as 'Configuration done'

• $CONFIG_FOLDER: The folder in which the reprepro configuration is stored.
• $WEBSERVER_PORT: The exposed nginx port (where packages are served).
• $SSH_PORT: The exposed openssh-port (which is used for uploading packages).

Note: Running in interactive configuration mode will prompth the user for this information.

Note: For manual configuration see the bottom of this file.

• Gpg key information lower down

• $HOSTNAME: The hostname of the server (i.e. the url on which it's reached).

• $PROJECT_NAME: The name of the apt repository (can be anything).

• $CODE_NAME: The code-name of the os release for which packages will be served (wheezy/jessie/ect).

While most of the configuration can be done inside the container.

The authorized_keys file (for uploading packages) must be supplied from outside the container.

The keys are required for adding packages to the system, and should be added to;

$CONFIG_FOLDER/home/debian/.ssh/authorized_keys

Assuming you have generated a ssh key-set on the machine, you can do this by running;

$ export CONFIG_FOLDER=/home/config_here
$ cp ~/.ssh/id_rsa.pub $CONFIG_FOLDER/home/debian/.ssh/authorized_keys

Generating a ssh key-set can be done by running;

$ ssh-keygen

And following the instructions.

Note: The image is able to run without authorized_keys being in place, however uploading packages will not be an option then.

The below assumes that you are in the folder of your .deb package.

The example is based upon uploading kicad*.deb (multiple packages).

$ export SSH_PORT=2222
$ export HOSTNAME="{{YOUR-DOMAIN-NAME}}"
$ export CODE_NAME="{{CODENAME-OF-OS-RELEASE}}"
$ scp -P SSH_PORT kicad*.deb debian@$HOSTNAME:
$ ssh -p SSH_PORT debian@$HOSTNAME "sudo chmod -R 777 /var/www/repos/"
$ ssh -p SSH_PORT debian@$HOSTNAME "reprepro -b /var/www/repos/apt/debian includedeb $CODE_NAME *.deb"

Once the repository is up and running, clients will need to be configured to use it.

The nginx webserver (which hosts the repository) has an index page with configuration information.

Assuming your hostname is $HOSTNAME head over to http://$HOSTNAME/, and these two commands will be shown;

$ wget -O - http://$HOSTNAME/$HOSTNAME.gpg.key | apt-key add - 

$ echo "deb http://$HOSTNAME/ $CODE_NAME main" > /etc/apt/sources.list.d/$HOSTNAME.list 

At this point the repository is added, and you can run;

$ apt-get update
$ apt-get install $PACKAGE_NAME

To install $PACKAGE_NAME from your own repository to the client system.

Note: The repository is non-functional until the first package has been added.

Instead of using the interactive or environmental configuration, you can simply provide your own configuration files inside $CONFIG_FOLDER, alike how it was done with the authorized_keys file.

See the section above.

The GPG keys are used for signing packages, they can be provided to;

$CONFIG_FOLDER/home/debian/.gnupg/master_pub.gpg
$CONFIG_FOLDER/home/debian/.gnupg/signing_sec.pgp

Generating gpg keys can be done by running;

$ gpg --gen-key

I suggest making a master with a long time to expire, then a signing sub key with a shorter time to expire. Keep the master offline, and backed up. Export the master pub and the signing key Then if your signing key is exposed, you can revoke it, and issue a new one with your safe offline master key.

Right now you can only see the subkey key ids when you are in edit mode: gpg --edit-key

See a good how to here https://www.debuntu.org/how-to-importexport-gpg-key-pair/ But remember to only export the master public key and the sub key private key. Export the master key at a different time to back it up.

The nginx sites-enabled file can be provided as:

$CONFIG_FOLDER/etc/nginx/sites-enabled/reprepro-repository

The reprepro configuration file can be provided as;

$CONFIG_FOLDER/var/www/repos/apt/debian/conf/options