Let’s set up a local repository that will host our custom Debian packages using reprepro. We can configure multiple release trees in
reprepro does not support multiple versions per distribution as of now.
    Origin: edi.leuxner.net
    Label: Edi-Builds
    Suite: edi-bookworm
    Codename: bookworm
    Architectures: amd64
    Components: main
    Description: Apt repository edi.leuxner.net
    SignWith: 5BAFE291B480790324E60B1E58C127953C5EB05E
The packages will be signed using a GPG key which will be password protected. The file
We may want to use a dedicated archive key or a sub-key for this purpose so it can be revoked or replaced conveniently.
    verbose
    basedir /var/www/leuxner.net/apt/debian
    ask-passphrase
Now is a good time to add some variables to our shell. Not only will it simplify calling reprepro, it is also a hard requirement for gpg2, which will not fire its password prompt without it.
    export REPREPRO_BASE_DIR='/var/www/leuxner.net/apt/debian'
    export GPG_TTY=$(tty)
Nginx restrictions
We will deny listing the contents of the reprepro internals and discard logging.
    location ~ /debian/(db|conf)/ {
        autoindex off;
        #access_log off;
        deny all;
    }

    location ~ /debian/dists/(bookworm|sid)/InRelease {
        log_not_found off;
        access_log off;
    }
Add archive key
As we are building the packages ourselves we will use our key to sign them and add it to our repository.
    gpg --list-keys
    gpg --armor --output archive.key --export 5BAFE291B480790324E60B1E58C127953C5EB05E
We will publish our key by storing it on our web host as debian/archive.key. This way it can be downloaded and added to a specific source definition.
curl https://apt.dev.leuxner.net/debian/archive.key | gpg --dearmor > /usr/share/keyrings/apt-dev-leuxner-net.gpg
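The one-liner above installs whatever the web host returns. The following added example (not part of the original post) compares the downloaded key with the fingerprint used for SignWith before writing the keyring; the helper names key_matches and install_archive_key are hypothetical, and it assumes a GnuPG version that supports --show-keys.

```sh
#!/bin/sh
# Added example: check the archive key's fingerprint before trusting it.
EXPECTED_FPR='5BAFE291B480790324E60B1E58C127953C5EB05E'  # SignWith value from this page
KEY_URL='https://apt.dev.leuxner.net/debian/archive.key'
KEYRING='/usr/share/keyrings/apt-dev-leuxner-net.gpg'

# key_matches FPR (hypothetical helper)
# Reads `gpg --with-colons` output on stdin. Succeeds only if it lists exactly
# one primary key ("pub" record) and FPR appears in an "fpr" record, so a
# sub-key fingerprint works too. Field 10 of an fpr record is the fingerprint.
key_matches() {
    awk -F: -v want="$1" '
        $1 == "pub"                { pubs++ }
        $1 == "fpr" && $10 == want { hit = 1 }
        END { exit !(pubs == 1 && hit) }'
}

# install_archive_key (hypothetical helper, run as root)
# Downloads the key to a temp dir, verifies it, then installs the keyring.
install_archive_key() {
    tmp=$(mktemp -d) || return 1
    rc=1
    if curl -fsSL "$KEY_URL" -o "$tmp/archive.key" &&
       gpg --show-keys --with-colons "$tmp/archive.key" | key_matches "$EXPECTED_FPR"
    then
        gpg --dearmor < "$tmp/archive.key" > "$tmp/keyring.gpg" &&
            install -m 0644 "$tmp/keyring.gpg" "$KEYRING" && rc=0
    else
        echo "archive key missing or fingerprint mismatch; nothing installed" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (as root): install_archive_key
```

Requiring exactly one primary key means a file that bundles an additional key is rejected even when the expected fingerprint is also present.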
Let’s create a source for our new repository and call it
    Types: deb
    URIs: https://apt.dev.leuxner.net/debian
    Suites: bookworm
    Components: main
    Signed-By: /usr/share/keyrings/apt-dev-leuxner-net.gpg
We’ll also pin our repository using
    Package: postfix
    Pin: release a=edi-bookworm
    Pin-Priority: 1001
Add packages
We add packages using the following one-liner. This will recursively add our packages to release bookworm:
find /home/builds/postfix -name '*3.5.9*' | xargs reprepro includedeb bookworm
List packages
    reprepro listmatched bookworm 'postfix*'
    reprepro listfilter bookworm 'Version (% *9.16.8*)'
    reprepro --list-format '${package}\n' listfilter bookworm 'Version (% *9.16.8*)'