← home · plain text: README.md

repo.zapolski.nyc — maintainer guide

Two package repositories served over HTTP by nginx on this host (192.168.7.45:80); TLS for https://repo.zapolski.nyc is terminated upstream by Nginx Proxy Manager.

Repo	Tool (free software)	Public path
deb	`reprepro`	`https://repo.zapolski.nyc/deb`
rpm	`createrepo_c` + `rpmsign`	`https://repo.zapolski.nyc/rpm`

Everything is signed with one GPG key kept in /srv/repo-keyring (root-only). The public key is published at /pubkey.asc (armored) and /pubkey.gpg (binary).

Layout

/srv/repo/                 nginx document root (public)
├── index.html             landing page with client setup
├── README.md              maintainer guide (text)
├── maintainers.html       maintainer guide (this page)
├── pubkey.asc /.gpg       public signing key
├── deb/                   reprepro outdir
│   ├── conf/              distributions config   (blocked in nginx)
│   ├── db/                reprepro state         (blocked in nginx)
│   ├── dists/  pool/      the actual apt repo    (served)
└── rpm/
    ├── *.rpm
    └── repodata/          createrepo_c metadata + repomd.xml.asc
/srv/repo-keyring/         private GPG keyring (chmod 700, root)
/usr/local/bin/repo-*      helper commands

Uploading new package versions

Copy the package to the server, then run the matching helper. Both helpers re-sign metadata automatically; clients only need to refresh.

# .deb
scp mytool_1.2.3_amd64.deb root@192.168.7.45:/tmp/
ssh root@192.168.7.45 repo-add-deb /tmp/mytool_1.2.3_amd64.deb

# .rpm
scp mytool-1.2.3-1.x86_64.rpm root@192.168.7.45:/tmp/
ssh root@192.168.7.45 repo-add-rpm /tmp/mytool-1.2.3-1.x86_64.rpm

You can pass several files at once: repo-add-deb a.deb b.deb.

Helper commands (on the server)

Command	What it does
`repo-add-deb <pkg.deb...> [--suite stable]`	Add .deb(s); re-signs `Release`.
`repo-remove-deb <name...> [--suite stable]`	Remove a .deb by package name.
`repo-add-rpm <pkg.rpm...>`	Sign .rpm(s), rebuild + sign `repomd.xml`.
`repo-list [deb\|rpm]`	List repository contents.

A package name+version+arch is unique. reprepro refuses to overwrite an identical version — bump the version to publish an update.
reprepro keeps the latest version per name/arch by default; older files are pruned from pool/.
.deb packages must carry a Section: field or reprepro rejects them (normal dpkg-buildpackage output always has one).
The default deb suite is stable. To publish to another codename, add a block to /srv/repo/deb/conf/distributions and pass --suite <codename>.

Building packages (quick reference)

.deb: dpkg-deb --build <dir> or dpkg-buildpackage -b -us -uc (the repo signs the Release, so building unsigned is fine).
.rpm: rpmbuild -bb mypkg.spec — repo-add-rpm signs it for you.

Key management

export GNUPGHOME=/srv/repo-keyring
gpg --list-keys                       # show the signing key
gpg --armor --export zapolski@gmail.com > /srv/repo/pubkey.asc   # re-publish

Back up /srv/repo-keyring somewhere safe — losing it means every client must re-import a new key.