Getting started
Overview of APT repository instances
The debops.reprepro role sets up and manages APT repositories in one or
multiple "instances". A single GPnuG keyring is used to manage GPG keys of
uploaders and the key used to sign the repository. Public contents of the APT
repositories are published using the debops.nginx role. Each repository
is configured with an upload queue using WebDAV which allows package
maintainers to upload signed .deb
packages using the dput
command.
Each instance consists of the repository data files
located in /var/local/reprepro/repositories/<instance>/
directory, an
incoming queue in /var/spool/reprepro/<instance>/incoming/
directory
and public contents of the APT repository stored in
/srv/www/reprepro/sites/<instance>/public/
directory. The root paths
for these directories can be changed using default variables, if necessary.
By default APT repositories are accessible publicly. Each instance can be configured to disable public access and require HTTP Basic Authentication to access the repository contents; this can be utilized to provide controlled access to the software packages.
Important configuration variables
reprepro__gpg_uploaders_keys
The default configuration sets up a simple APT repository for recent Debian releases, including the next Testing release. To allow developers to upload packages to it, their GPG keys need to be added to the repository keyring. You can specify them using the
reprepro__gpg_uploaders_keys
list. The keys are managed using the debops.keyring role, and can be stored either on a keyserver network, or in the localansible/keyring/
directory on the Ansible Controller. See the role documentation for more details.reprepro__origin
This variable is used to create the GPG key used to sign the APT repositories, and is added to the repository metadata in the
Origin:
field which can be used by apt_preferences(5) to control package policy. It's derived by default from the debops.machine role configuration, or lacking that, from the DNS domain of the host.
Reprepro maintenance, SSH access
Some operations on the APT repositories require manual access to them to
execute reprepro commands. The role configures the UNIX account to
allow SSH access by administrators. List of the SSH keys added to the account
is defined in the reprepro__admin_sshkeys
variable and by default
will include the SSH keys of the person executing the role.
Package uploading using dput
You can use the dput(1) command to upload the build .deb
packages to
the repository over HTTPS. An example ~/.dput.cf
configuration file:
[repo]
fqdn = repo.example.org
incoming = /upload
method = https
allow_unsigned_uploads = 0
progress_indicator = 2
allowed_distributions = .*
Example inventory
To install and configure reprepro
on a given host, it should be included in
a specific Ansible inventory group:
[debops_all_hosts]
hostname
[debops_service_reprepro]
hostname
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.reprepro
role:
---
- name: Manage reprepro repositories
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_service_reprepro' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
pre_tasks:
- name: Prepare reprepro environment
ansible.builtin.import_role:
name: 'reprepro'
tasks_from: 'main_env'
tags: [ 'role::reprepro', 'role::nginx' ]
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::nginx', 'role::reprepro' ]
keyring__dependent_apt_keys:
- '{{ nginx__keyring__dependent_apt_keys }}'
keyring__dependent_gpg_user: '{{ reprepro__keyring__dependent_gpg_user }}'
keyring__dependent_gpg_keys:
- '{{ reprepro__keyring__dependent_gpg_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ nginx__apt_preferences__dependent_list }}'
- role: ferm
tags: [ 'role::ferm', 'skip::ferm' ]
ferm__dependent_rules:
- '{{ nginx__ferm__dependent_rules }}'
- role: python
tags: [ 'role::python', 'skip::python' ]
python__dependent_packages3:
- '{{ nginx__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ nginx__python__dependent_packages2 }}'
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]
nginx__dependent_servers:
- '{{ reprepro__nginx__dependent_servers }}'
- role: reprepro
tags: [ 'role::reprepro', 'skip::reprepro' ]
Other resources
List of other useful resources related to the debops.reprepro
Ansible role:
Manual pages: reprepro(1), sources.list(5), apt_auth.conf(5), dput(1), dput.cf(5)
Creating an APT repository with reprepro on Debian Wiki
Example of creation and maintenance of an APT repository mirror