Setting Up An APT Repository With reprepro And nginx On Debian Wheezy

This tutorial explains how to set up an apt repository with the tool reprepro and a Debian Wheezy system. The repository will be served by an nginx server.

 

1 Preliminary Note

In this tutorial I want to set up a small apt repository for the nginx packages that I built in the tutorial Using ngx_pagespeed With nginx On Debian Jessie/testing. Therefore my repository will be for Debian testing, not stable, so you have to adjust this tutorial where appropriate.

 

2 Generating A Key For Signing Packages

We will have to create a key for signing packages. This key can be generated with gnupg which we install as follows:

apt-get install gnupg

On servers, when generating a key, you might see this common error:

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

To avoid this, we install rng-tools:

apt-get install rng-tools  

Open /etc/default/rng-tools...

vi /etc/default/rng-tools

... and make sure you have the following line in it:

[...]
HRNGDEVICE=/dev/urandom
[...]

Then start rng-tools...

/etc/init.d/rng-tools start

... and generate your key:

gpg --gen-key

 

3 Configuring Your Repository

Install reprepro:

apt-get install reprepro

Let's use the directory /var/packages as the root directory for our repository. Create the directory /var/packages/debian/conf:

mkdir -p /var/packages/debian/conf

Let's look up the key we created in chapter 2:

gpg --list-keys

[email protected]:~# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/434433F2 2014-02-05
uid                  Falko Timme (Falko Timme) <[email protected]>
sub   2048R/C7C1365D 2014-02-05

[email protected]:~#

The ID of our key is C7C1365D. We have to use this from now on.

Create the file /var/packages/debian/conf/distributions as follows:

vi /var/packages/debian/conf/distributions

The address of our apt repository will be apt.example.com, so we use this in the Origin and Label lines. In the SignWith line, we add the ID of our key (C7C1365D):

Origin: apt.example.com
Label: apt.example.com
Codename: testing
Architectures: amd64
Components: main
Description: Example APT Repository
SignWith: C7C1365D
DebOverride: override.testing
DscOverride: override.testing

Create the (empty) file /var/packages/debian/conf/override.testing:

touch /var/packages/debian/conf/override.testing

Then create the file /var/packages/debian/conf/options:

vi /var/packages/debian/conf/options

verbose
ask-passphrase
basedir /var/packages/debian

To sign our deb packages with our key, we need the package dpkg-sig:

apt-get install dpkg-sig

My nginx deb packages that I want to import into the apt repository are located in the /usr/src/pagespeed directory. Let's sign those packages as follows (again, make sure you use the correct key ID):

dpkg-sig -k C7C1365D --sign builder /usr/src/pagespeed/*.deb

Now we import the deb packages into our apt repository:

cd /var/packages/debian
reprepro includedeb testing /usr/src/pagespeed/*.deb

 

4 Configuring nginx

We need a webserver to serve our apt repository. In this example I'm using an nginx webserver.

apt-get install nginx

Configure a vhost for apt.example.com:

vi /etc/nginx/sites-available/apt.example.com.vhost

server {
  listen 80;
  server_name apt.example.com;

  access_log /var/log/nginx/packages-access.log;
  error_log /var/log/nginx/packages-error.log;

  location / {
    root /var/packages;
    index index.html;
    autoindex on;
  }

  location ~ /(.*)/conf {
    deny all;
  }

  location ~ /(.*)/db {
    deny all;
  }
}

Enable the vhost and reload nginx:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/apt.example.com.vhost .
/etc/init.d/nginx reload
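
The two regex locations in the vhost above are unanchored, so they also match package paths under pool/ whose directory names begin with conf or db. The following added example (not part of the original tutorial) emulates both patterns with grep -E against constructed URIs and compares them with an assumed, tighter pattern; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial. grep -E stands in for nginx's PCRE
# engine; for these simple patterns both match the same strings.

# denied URI PATTERN... -> exit 0 if any pattern matches (nginx would "deny all")
denied() {
    uri=$1; shift
    for pat in "$@"; do
        printf '%s\n' "$uri" | grep -Eq -- "$pat" && return 0
    done
    return 1
}

# The two location patterns exactly as written in the vhost.
page_rules() { denied "$1" '/(.*)/conf' '/(.*)/db'; }

# Assumed tighter pattern (hypothetical): anchored at the start, matching only
# a whole path segment named conf or db directly below the repository directory.
strict_rules() { denied "$1" '^/[^/]+/(conf|db)(/|$)'; }

# Constructed sample URIs following the reprepro layout under /var/packages.
SAMPLE_URIS='/debian/conf/distributions
/debian/db/packages.db
/debian/dists/testing/Release
/debian/pool/main/n/nginx/nginx_1.0_amd64.deb
/debian/pool/main/d/dbus/dbus_1.0_amd64.deb
/debian/pool/main/c/configure-debian/configure-debian_1.0_all.deb'

# Print one verdict per URI for each rule set.
report() {
    printf '%s\n' "$SAMPLE_URIS" | while read -r u; do
        if page_rules "$u"; then p=deny; else p=allow; fi
        if strict_rules "$u"; then s=deny; else s=allow; fi
        printf 'page=%-5s strict=%-5s %s\n' "$p" "$s" "$u"
    done
}

report
```

With only the nginx packages from this tutorial in the repository the original patterns block nothing they should not; the difference shows up once a package such as dbus is imported.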

Let's export the repository's public GPG key to a file that clients can download:

gpg --armor --output /var/packages/apt.example.com.gpg.key --export C7C1365D

 

5 Using The Repository

To use the repository, place the following line in your /etc/apt/sources.list:

vi /etc/apt/sources.list

[...]
deb http://apt.example.com/debian/ testing main
[...]

If you want this repository to always have precedence over other repositories, you should have this line right at the beginning of your /etc/apt/sources.list and add the following entry to /etc/apt/preferences (check out our A Short Introduction To Apt-Pinning tutorial):

vi /etc/apt/preferences

Package: *
Pin: origin apt.example.com
Pin-Priority: 1001

Before we can use the repository, we must import its key:

wget -O - -q http://apt.example.com/apt.example.com.gpg.key | apt-key add - 

Then update your package database:

apt-get update

Now you can start using the repository and install packages from it, e.g. like this:

apt-get install nginx
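
The import step above fetches the key over plain HTTP and hands it straight to apt-key, so nothing ties it to the key generated in chapter 2. As an added example (not part of the original tutorial), the functions below compare the downloaded key's full fingerprint with one obtained out of band before importing it; the function names, the file path in the usage comment and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify a downloaded repository key
# by its full fingerprint before passing it to apt-key.

# fpr_of: read "gpg --with-colons --with-fingerprint" output on stdin and
# print the fingerprint from the first "fpr" record (field 10).
fpr_of() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# same_fpr EXPECTED ACTUAL -> exit 0 only if EXPECTED is 40 hex digits and
# equals ACTUAL, ignoring spaces and letter case. Short 8-digit key IDs as
# printed by "gpg --list-keys" are rejected: they are not collision resistant.
same_fpr() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $a in *[!0-9A-F]*|'') return 1 ;; esac
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# import_if_trusted KEYFILE EXPECTED_FPR -> imports only on a fingerprint match.
import_if_trusted() {
    actual=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null | fpr_of)
    same_fpr "$2" "$actual" || { echo "fingerprint mismatch: $actual" >&2; return 1; }
    apt-key add "$1"
}

# Constructed colon listing (not a real key) to show what fpr_of parses.
SAMPLE_LISTING='pub:-:2048:1:0123456789ABCDEF:2014-02-05:::-:Constructed Key <repo@example.invalid>:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
sub:-:2048:1:1111222233334444:2014-02-05::::::e:'

printf '%s\n' "$SAMPLE_LISTING" | fpr_of

# Usage on a client (path and fingerprint are placeholders):
#   wget -q -O /tmp/repo.key http://apt.example.com/apt.example.com.gpg.key
#   import_if_trusted /tmp/repo.key '<fingerprint from gpg --fingerprint on the server>'
```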

 


Comments

By: KBDCALLS

I tried this with Debian Jessie. reprepro only worked as root and on the text console. From KDE nothing could be done. Even an su - did not help. The debs were copied to where they belonged, but the signing failed. Not even the dialog asking for the passphrase appeared. The other problem was that, despite having an AMD64 system, I use some i386 packages. For that reason I had to enter i386 amd64 as architectures. Otherwise aptitude complained about an i386 Packages file that could not be found. As a result, a malformed entry in the sources.list was complained about. Which was definitely wrong. Then one more remark about nginx. Since Apache is usually already installed, nginx does not really make sense. It can be installed, but then it does not run, since both want port 80. And since Apache is started first, nginx loses out. Since Apache was too much effort for me to set up, I simply switched to proftp.

By:

You could use this instead (in Debian/Ubuntu) server IP: 192.168.1.102.

 apt-get install apt-cacher-ng

Then just tell your clients to use this APT configuration in /etc/apt/apt.conf.d/

 Ubuntu based conf /etc/apt/apt.conf.d/01proxy

 Acquire::http::Proxy "http://192.168.1.102:3142";

 Debian uses this instead /etc/apt/apt.conf.d/90httpproxy

 Acquire::http { Proxy "http://[10.0.1.102]:3142"; };

By: oj88

Great guide. Please keep it, but it needs an update now that Debian and Ubuntu have stricter rules for keys. See:

https://wiki.ubuntu.com/SecurityTeam/GPGMigration

If you follow this guide without the above link, you will get a SHA1 key which will give a warning on "apt-get update" or the new "apt update" that the key is weak.