Let’s set up a local repository that will host our custom Debian packages using reprepro. We can configure multiple release trees if we want to support multiple distributions. These will be specified in the following file:
Origin: edi.leuxner.net
Label: Edi-Builds
Suite: edi-bookworm
Codename: bookworm
Architectures: amd64
Components: main
Description: Apt repository edi.leuxner.net
SignWith: 5BAFE291B480790324E60B1E58C127953C5EB05E
Please note that reprepro does not support multiple versions per distribution as of now.
Our packages will be signed using a GPG key, which will be password protected. We may want to use a dedicated archive key or a sub-key for this purpose so it can be revoked or replaced conveniently.
verbose
basedir /var/www/leuxner.net/apt/debian
ask-passphrase
Now is a good time to add some variables to our shell. Not only will this simplify calling reprepro, GPG_TTY is also a hard requirement for gpg2, which will not show its passphrase prompt without it.
export REPREPRO_BASE_DIR='/var/www/leuxner.net/apt/debian'
export GPG_TTY=$(tty)
Nginx restrictions
We will deny listing the contents of the reprepro internals and discard logging.
location ~ /debian/(db|conf)/ {
    autoindex off;
    #access_log off;
    deny all;
}

location ~ /debian/dists/(bookworm|sid)/InRelease {
    log_not_found off;
    access_log off;
}
Add archive key
As we are building the packages ourselves we will use our key to sign them and add it to our repository.
gpg --list-keys
gpg --armor --output archive.key --export 5BAFE291B480790324E60B1E58C127953C5EB05E
We will publish our key by storing it on our web host as debian/archive.key. This way it can be downloaded and added to a specific source definition.
curl https://apt.dev.leuxner.net/debian/archive.key | gpg --dearmor > /usr/share/keyrings/apt-dev-leuxner-net.gpg
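As an added example (not part of the original post), the download step can refuse a key whose fingerprint differs from the one in SignWith before writing it to the keyring. The function names are hypothetical; the URL and paths are the ones used above.

```shell
#!/bin/sh
# Added example: verify the archive key's fingerprint before trusting it.
# Expected fingerprint: the SignWith value from the distributions file above.
EXPECTED_FPR='5BAFE291B480790324E60B1E58C127953C5EB05E'

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key. The "fpr" record directly after a "pub" record belongs to the
# primary key; "sub" resets the state so sub-key fingerprints are ignored.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key and it equals $1.
listing_matches() {
    fprs=$(primary_fingerprints)
    [ -n "$1" ] && [ "$fprs" = "$1" ]
}

# Download to a temporary file, verify, and only then install the keyring.
install_archive_key() {
    tmp=$(mktemp) || return 1
    if curl -fsS https://apt.dev.leuxner.net/debian/archive.key -o "$tmp" &&
       gpg --show-keys --with-colons "$tmp" | listing_matches "$EXPECTED_FPR"
    then
        gpg --dearmor < "$tmp" > /usr/share/keyrings/apt-dev-leuxner-net.gpg
        rc=$?
    else
        echo "archive.key missing or fingerprint mismatch, not installing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run `install_archive_key` as root; the expected fingerprint should be obtained over a channel other than the web host that serves the key.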
Let’s create a source for our new repository. By referencing the downloaded key in this source definition only, we keep it from being trusted globally, so it cannot be used to validate other repositories.
Types: deb
URIs: https://apt.dev.leuxner.net/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/apt-dev-leuxner-net.gpg
We’ll also pin our repository to make sure its packages override other repos.
Package: postfix
Pin: release a=edi-bookworm
Pin-Priority: 1001
Add packages
We add packages using the following one-liner. This will recursively add our packages to release bookworm:
find /home/builds/postfix -name '*3.5.9*' | xargs reprepro includedeb bookworm
List packages
reprepro listmatched bookworm 'postfix*'
reprepro listfilter bookworm 'Version (% *9.16.8*)'
reprepro --list-format '${package}\n' listfilter bookworm 'Version (% *9.16.8*)'