# repo.zapolski.nyc — maintainer guide

Two package repositories served over HTTP by **nginx** on this host
(`192.168.7.45:80`); TLS for `https://repo.zapolski.nyc` is terminated upstream
by Nginx Proxy Manager.

| Repo | Tool (free software) | Public path                  |
|------|----------------------|------------------------------|
| deb  | `reprepro`           | `https://repo.zapolski.nyc/deb`     |
| rpm  | `createrepo_c` + `rpmsign` | `https://repo.zapolski.nyc/rpm` |

Everything is signed with one GPG key kept in `/srv/repo-keyring`
(root-only). The public key is published at
`https://repo.zapolski.nyc/pubkey.asc` (armored) and `/pubkey.gpg` (binary).

## Layout

```
/srv/repo/                 nginx document root (public)
├── index.html             landing page with client setup
├── README.md              this file
├── pubkey.asc /.gpg       public signing key
├── deb/                   reprepro outdir
│   ├── conf/              distributions config   (blocked in nginx)
│   ├── db/                reprepro state         (blocked in nginx)
│   └── dists/  pool/      the actual apt repo    (served)
└── rpm/
    ├── *.rpm
    └── repodata/          createrepo_c metadata + repomd.xml.asc
/srv/repo-keyring/         private GPG keyring (chmod 700, root)
/usr/local/bin/repo-*      helper commands
```
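
The layout puts `conf/` and `db/` inside the public document root and the private keyring just outside it, so it is worth checking those boundaries after any change. The script below is an added example, not one of the `repo-*` helpers: the function names and the `--run` flag are hypothetical, and accepting 403 or 404 as "blocked" is an assumption about how nginx is configured.

```shell
#!/usr/bin/env bash
# Added example (not part of the repo-* helpers): audits the invariants the
# layout above depends on. Function names and the --run flag are hypothetical.

# The private keyring must be a directory, mode 700, owned by root (uid 0).
keyring_ok() {
    local dir="$1" want_uid="${2:-0}" mode uid
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    mode=$(stat -c '%a' "$dir")   # GNU stat
    uid=$(stat -c '%u' "$dir")
    [ "$mode" = 700 ] || { echo "FAIL: $dir mode is $mode, expected 700"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid"; return 1; }
}

# Nothing under the document root may be secret-key material. The pattern is
# anchored to line start so documentation that quotes the marker is not flagged.
docroot_clean() {
    local root="$1" armored files
    armored=$(grep -rl -e '^-----BEGIN PGP PRIVATE KEY BLOCK-----' "$root" 2>/dev/null || true)
    files=$(find "$root" \( -name 'private-keys-v1.d' -o -name 'secring.gpg' \) 2>/dev/null || true)
    [ -z "$armored$files" ] && return 0
    printf 'FAIL: secret key material under %s:\n%s\n%s\n' "$root" "$armored" "$files"
    return 1
}

# conf/ and db/ sit inside the docroot, so the web server has to refuse them.
blocked_over_http() {
    local base="$1" path code rc=0
    for path in deb/conf/distributions deb/db/; do
        code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$base/$path" || true)
        case "$code" in
            403|404) ;;
            *) echo "FAIL: $base/$path returned HTTP $code"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run on the server as root with the single argument --run.
if [ "${1:-}" = "--run" ]; then
    rc=0
    keyring_ok /srv/repo-keyring || rc=1
    docroot_clean /srv/repo || rc=1
    blocked_over_http https://repo.zapolski.nyc || rc=1
    exit "$rc"
fi
```

Each function prints a `FAIL:` line and returns non-zero on a violation, so the script can be run from cron or after each `repo-add-*` call.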

## Uploading new package versions

Copy the package to the server, then run the matching helper. Both helpers
re-sign metadata automatically; clients only need to refresh.

### From your workstation

```bash
# .deb
scp mytool_1.2.3_amd64.deb root@192.168.7.45:/tmp/
ssh root@192.168.7.45 repo-add-deb /tmp/mytool_1.2.3_amd64.deb

# .rpm
scp mytool-1.2.3-1.x86_64.rpm root@192.168.7.45:/tmp/
ssh root@192.168.7.45 repo-add-rpm /tmp/mytool-1.2.3-1.x86_64.rpm
```

You can pass several files at once: `repo-add-deb a.deb b.deb`.

## Helper commands (on the server)

| Command | What it does |
|---------|--------------|
| `repo-add-deb <pkg.deb...> [--suite stable]` | Add .deb(s); re-signs `Release`. |
| `repo-remove-deb <name...> [--suite stable]` | Remove a .deb by package name. |
| `repo-add-rpm <pkg.rpm...>` | Sign .rpm(s), rebuild + sign `repomd.xml`. |
| `repo-list [deb\|rpm]` | List repository contents. |

Notes:
- A package **name+version+arch** is unique. reprepro refuses to overwrite an
  identical version — bump the version to publish an update.
- `reprepro` only keeps the latest version per name/arch by default; older
  files are pruned from `pool/`.
- The default deb suite is `stable`. To publish to another codename, add a
  block to `/srv/repo/deb/conf/distributions` and pass `--suite <codename>`.

## Building packages (quick reference)

- **.deb**: `dpkg-deb --build <dir>` or `dpkg-buildpackage -b -us -uc`
  (the repo signs the *Release*, so building unsigned with `-us -uc` is fine).
- **.rpm**: `rpmbuild -bb mypkg.spec` — `repo-add-rpm` signs it for you.

## Key management

```bash
export GNUPGHOME=/srv/repo-keyring
gpg --list-keys                       # show the signing key
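gpg --armor --export zapolski@gmail.com > /srv/repo/pubkey.asc   # re-publish (armored)
gpg --export zapolski@gmail.com > /srv/repo/pubkey.gpg           # re-publish (binary), keeps both copies in sync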
```

Back up `/srv/repo-keyring` somewhere safe — losing it means every client must
re-import a new key.
