Default variable details
Some of the debops.reprepro default variables have more extensive configuration
than simple strings or lists; here you can find documentation and examples for
them.
reprepro__instances
The reprepro__*_instances variables define the "instances" of APT
repositories managed by reprepro. Each "instance" consists of an APT
repository and corresponding debops.nginx configuration to provide
HTTP/HTTPS access for package retrieval and upload. The debops.nginx
configuration is optional and will be created only when specific configuration
parameters are present.
Examples
Restrict allowed GPG keys for specific APT repositories
Modify the default configuration by adding a new set of uploaders for specific APT repositories. The role configuration will be updated via the Universal Configuration system, so there's no need to copy the entire contents of default variables to modify them through the inventory.
reprepro__instances:

  - name: 'main'
    uploaders:

      - name: 'ci-builders'
        raw: |
          allow * by key 5833EC7492A6E482D742F7FF729ABA78462947AA+

    distributions:

      - name: 'bookworm'
        Uploaders: 'uploaders/ci-builders'

      - name: 'bullseye'
        Uploaders: 'uploaders/ci-builders'

Mirrors of Debian and Ubuntu APT repositories
Create two mirrors of APT repositories for stable Debian and Ubuntu releases, available under the same FQDN address. The repositories are publicly available and new packages can be uploaded to them; this configuration is provided only as an example and a more secure configuration should be used instead.
reprepro__instances:

  # Disable the default instance
  - name: 'main'
    state: 'absent'

  - name: 'mirror'
    fqdn: '{{ ansible_fqdn }}'
    upload_map:
      '/upload': ''
      '/upload-ubuntu': '/var/spool/reprepro/mirror-ubuntu/incoming'
    incoming:

      - name: 'incoming'
        Allow:
          - 'bullseye'
          - 'stable>bullseye'
        Options:
          - 'multiple_distributions'
        Cleanup:
          - 'on_deny'
          - 'on_error'

    distributions:

      - name: 'bullseye'
        Origin: '{{ reprepro__origin }}'
        Codename: 'bullseye'
        Suite: 'stable'
        Architectures: [ 'source', 'amd64', 'i386', 'ppc64el', 's390x',
                         'armel', 'armhf', 'arm64', 'mipsel', 'mips64el' ]
        Components: [ 'main', 'contrib', 'non-free' ]
        Update: 'bullseye'

    updates:

      - name: 'bullseye'
        Method: 'http://deb.debian.org/debian'
        Suite: 'bullseye'
        Components: [ 'main', 'contrib', 'non-free' ]
        Architectures: [ 'source', 'amd64', 'i386', 'ppc64el', 's390x',
                         'armel', 'armhf', 'arm64', 'mipsel', 'mips64el' ]
        VerifyRelease: 'blindtrust'

    uploaders:

      - name: 'anybody'
        raw: |
          allow * by any key

  - name: 'mirror-ubuntu'
    outdir: '{{ reprepro__public_root + "/sites/mirror/public/ubuntu" }}'
    incoming:

      - name: 'incoming'
        Allow:
          - 'focal'
          - 'lts>focal'
        Options:
          - 'multiple_distributions'
        Cleanup:
          - 'on_deny'
          - 'on_error'

    distributions:

      - name: 'focal'
        Origin: '{{ reprepro__origin }}'
        Suite: 'lts'
        Architectures: [ 'source', 'amd64', 'i386' ]
        Components: [ 'main', 'restricted', 'universe', 'multiverse' ]
        Update: 'focal'

    updates:

      - name: 'focal'
        Method: 'http://us.archive.ubuntu.com/ubuntu'
        Suite: 'focal'
        Components: [ 'main', 'restricted', 'universe', 'multiverse' ]
        Architectures: [ 'amd64', 'i386' ]
        VerifyRelease: 'blindtrust'

    uploaders:

      - name: 'anybody'
        raw: |
          allow * by any key

After the role has set up the repositories, log in to the reprepro account,
cd into the repository directory and run reprepro update to download the
archive.
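
A tightened variant of the Debian part of the mirror instance above, as an added example that is not part of the DebOps documentation: uploads are limited by source subnet (allow_upload) and by signing key (Uploaders), and the upstream Release file is verified instead of using blindtrust. The subnet and the VerifyRelease value are placeholders, and the reduced architecture and component lists are an assumption made to keep the example short.

```yaml
# Keys allowed to sign uploads (fingerprint reused from this page's examples)
reprepro__gpg_uploaders_keys:
  - '5833EC7492A6E482D742F7FF729ABA78462947AA'

reprepro__instances:

  # Disable the default instance
  - name: 'main'
    state: 'absent'

  - name: 'mirror'
    fqdn: '{{ ansible_fqdn }}'

    # Only the build network may reach the WebDAV upload endpoint.
    # 192.0.2.0/24 is a constructed documentation range, replace it.
    allow_upload: [ '192.0.2.0/24' ]

    incoming:
      - name: 'incoming'
        Allow:
          - 'bullseye'
          - 'stable>bullseye'
        Cleanup:
          - 'on_deny'
          - 'on_error'

    distributions:
      - name: 'bullseye'
        Origin: '{{ reprepro__origin }}'
        Suite: 'stable'
        Architectures: [ 'source', 'amd64' ]
        Components: [ 'main' ]
        Update: 'bullseye'
        # Without an Uploaders field reprepro applies no upload restrictions
        Uploaders: 'uploaders/ci-builders'

    updates:
      - name: 'bullseye'
        Method: 'https://deb.debian.org/debian'
        Suite: 'bullseye'
        Components: [ 'main' ]
        Architectures: [ 'source', 'amd64' ]
        # Placeholder: key ID of the upstream archive signing key. The key
        # must already be present in the reprepro account's GnuPG keyring.
        VerifyRelease: 'REPLACE_WITH_ARCHIVE_KEY_ID'

    uploaders:
      - name: 'ci-builders'
        raw: |
          allow * by key 5833EC7492A6E482D742F7FF729ABA78462947AA+
```
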
Local APT repositories with restricted access
Create a set of two APT repository instances, each one with its own
authentication using HTTP Basic Auth passwords, which are stored in the
secret/ directory on the Ansible Controller.
# Create access policies with HTTP Basic Auth
nginx_access_policy_auth_basic_map:
  'repo_alpha_access': 'alpha_access'
  'repo_beta_access': 'beta_access'

# Create password files with passwords for specified users
nginx__htpasswd:

  - name: 'alpha_access'
    users: [ 'client1', 'client2', 'client3' ]

  - name: 'beta_access'
    users: [ 'client1', 'client2', 'client3' ]

# Custom variable which holds the "conf/incoming" configuration
incoming_sets:

  - name: 'incoming'
    Allow:
      - 'bullseye'
      - 'stable>bullseye'
    Options:
      - 'multiple_distributions'
    Cleanup:
      - 'on_deny'
      - 'on_error'

# Custom variable which holds the "conf/distributions" configuration
distributions_sets:

  - name: 'bullseye'
    Origin: '{{ reprepro__origin }}'
    Suite: 'stable'
    Architectures: [ 'source', 'amd64' ]
    Components: [ 'main' ]
    SignWith: 'default'
    DebIndices: [ 'Packages', 'Release', '.', '.gz', '.xz' ]
    DscIndices: [ 'Sources', 'Release', '.gz', '.xz' ]
    Uploaders: 'uploaders/anybody'
    Log: |
      packages.bullseye.log
      --type=dsc email-changes.sh

# Custom variable which holds the "conf/uploaders" configuration
uploaders_sets:

  - name: 'anybody'
    raw: |
      allow * by any key

# List of GPG keys which are allowed to upload APT packages
reprepro__gpg_uploaders_keys:

  # Automatic Signing Key <ci-builder@example.org>
  - '5833EC7492A6E482D742F7FF729ABA78462947AA'

# Configuration of repository instances
reprepro__instances:

  # Disable the default configuration provided by the role
  - name: 'main'
    state: 'absent'

  - name: 'alpha'
    fqdn: 'alpha.{{ ansible_domain }}'
    public: False
    access_policy: 'repo_alpha_access'
    incoming: '{{ incoming_sets }}'
    distributions: '{{ distributions_sets }}'
    uploaders: '{{ uploaders_sets }}'

  - name: 'beta'
    fqdn: 'beta.{{ ansible_domain }}'
    public: False
    access_policy: 'repo_beta_access'
    incoming: '{{ incoming_sets }}'
    distributions: '{{ distributions_sets }}'
    uploaders: '{{ uploaders_sets }}'

You can see more configuration examples in the reprepro__default_instances
variable in the role defaults.
Syntax
The variables are defined as a list of YAML dictionaries, each dictionary defines an "instance" using specific parameters:
name
Required. An identifier for a particular APT repository instance. The value is used in the filesystem paths and should be a simple alphanumeric string. Configuration entries with the same name parameters are merged during role execution and can affect each other via Universal Configuration principles.
state
Optional. If not specified or present, a given APT repository instance will be configured on the host. If absent, the repository will not be configured (some configuration like nginx server configuration will be automatically removed). If ignore, a given configuration entry will not be evaluated during role execution.
fqdn
Optional. Fully Qualified Domain Name under which the APT repository will be served over HTTP/HTTPS using nginx webserver, via the debops.nginx Ansible role. Presence of this parameter enables the nginx configuration.
This parameter shouldn't be used when the outdir parameter is specified, to not create a duplicate nginx configuration which can interfere with the other APT repository instances.
public
Optional, boolean. If not present or True, the APT repository will be accessible over HTTP and HTTPS without any specific restrictions (subnet access can still affect this).
If False, HTTP access is disabled entirely. The access_policy parameter can then specify the "access policy" configured in the debops.nginx role which can enforce password authentication for a given APT repository.
allow
Optional. List of IP addresses or CIDR subnets which are allowed to access the APT repository over HTTP or HTTPS. If not specified, any host can connect to the repository.
allow_upload
Optional. List of IP addresses or CIDR subnets which are allowed to upload content to the APT repository using WebDAV. If not specified, any host can upload content to the repository.
access_policy
Optional. Name of the "access policy" defined in the debops.nginx role which should be used for a given APT repository to control access. This can be used to allow or deny access per client using login/password combination or X.509 client certificates (planned). See apt_auth.conf(5) for details about configuring password-based access to the APT repository.
auth_realm
Optional. The string presented to the HTTP clients during authentication. If not specified, the value of the reprepro__auth_realm variable will be used by default.
max_body_size
Optional. Specify the maximum size of the uploaded content, including the suffix. If not specified, the value of the reprepro__max_body_size variable is used, 50M by default.
pki_realm
Optional. Name of the PKI realm managed by the debops.pki Ansible role to use for the HTTPS configuration in the nginx configuration. Normally the debops.nginx role detects the PKI realm to use based on the FQDN and domain of the server; this parameter can be used to override that detection if needed.
outdir
Optional. Override the public directory where reprepro manages the APT repository contents. This can be used to combine multiple APT repository "instances" under one FQDN to, for example, provide Debian and Ubuntu packages under one FQDN. If the parameter is not specified, the role will generate the path automatically based on the instance name and use /debian as the suffix to indicate that the repository is for the Debian distribution.
Repository instances that use the outdir parameter don't need separate nginx configuration (no fqdn parameter), since that can interfere with the configuration of the "parent" instance.
os
Optional. Specify the suffix of the autogenerated output dir, used if the outdir parameter is not set. If not specified, debian will be used by default.
upload_map
Optional. By default the /upload subdirectory of the APT repository URL is used for uploading APT packages to be processed by reprepro. In case of multiple repositories using the same FQDN with the outdir parameter or if the default path should be different, the upload_map parameter can define a YAML dictionary. Each key should be a subdirectory off of the APT repository URL, and the value should be an absolute path to the filesystem directory monitored for new uploads. An empty value ('') can be used to let the role generate the directory path automatically, based on the standardized directory structure maintained by the debops.reprepro role.
mail_name
Optional. Specify the mail sender name used in e-mails generated by email-changes.sh script executed by reprepro on any repository modifications. If not specified, a sensible name will be generated automatically.
mail_from
Optional. Specify the mail sender address used in e-mails generated by email-changes.sh script executed by reprepro on any repository modifications. If not specified, the value from the reprepro__mail_from variable will be used by default.
mail_to
Optional. Specify the mail recipient address used in e-mails generated by email-changes.sh script executed by reprepro on any repository modifications. If not specified, the value from the reprepro__mail_to variable will be used by default.
options
Optional. This parameter defines the contents of the conf/options configuration file in the reprepro repository. The options parameters from configuration entries with the same name parameter are merged together and can affect each other.
The basedir, outdir, waitforlock and verbose options are defined by default but can be modified. See the reprepro(1) manual page for possible options.
The configuration is defined as a list of YAML dictionaries, each dictionary key being the option name and its value being the option value. Alternatively you can use specific parameters to control each option:
    name
    The name of the option.
    value
    The value of the option, can be a number or a string.
    state
    If not specified or present, the option is included in the configuration file. If absent, the option will be removed from the configuration file.
distributions
Optional. This parameter defines the contents of the conf/distributions configuration file in the reprepro repository. The distributions parameters from configuration entries with the same name parameter are merged together and can affect each other. See the reprepro(1) manual page for possible options.
The configuration is defined as a list of YAML dictionaries, each dictionary can define a single distribution. The name parameter is used to define a distribution but can be overridden by the Codename parameter. Other options should be specified as defined in the manual page and will be added to the configuration as-is. There are special parameters ignored by the configuration template, used to manage the configuration entry itself:
    name
    The name of the distribution, can be overridden by the Codename parameter.
    state
    If not specified or present, the distribution is included in the configuration file. If absent, the distribution will be removed from the configuration file.
    comment
    String or YAML text block with a comment added before the distribution.
    raw
    YAML text block with configuration which will be included in the configuration file as-is. Other parameters of a given distribution will not be processed by the role.
incoming
Optional. This parameter defines the contents of the conf/incoming configuration file in the reprepro repository. The incoming parameters from configuration entries with the same name parameter are merged together and can affect each other. See the reprepro(1) manual page for possible options.
The configuration is defined as a list of YAML dictionaries, each dictionary can define a single incoming ruleset. The name parameter is used to define the ruleset name. Other options should be specified as defined in the manual page and will be added to the configuration as-is. There are special parameters ignored by the configuration template, used to manage the configuration entry itself:
    name
    The name of the ruleset, stored as Name in the configuration file.
    state
    If not specified or present, the ruleset is included in the configuration file. If absent, the ruleset will be removed from the configuration file.
    comment
    String or YAML text block with a comment added before the ruleset.
    raw
    YAML text block with configuration which will be included in the configuration file as-is. Other parameters of a given ruleset will not be processed by the role.
uploaders
Optional. This parameter defines the contents of the conf/uploaders/* configuration file in the reprepro repository. The uploaders parameters from configuration entries with the same name parameter are merged together and can affect each other. See the reprepro(1) manual page for possible options.
The configuration is defined as a list of YAML dictionaries, each dictionary can define a single configuration file in the conf/uploaders/ directory. The name parameter is used to define the file name. Other options should be specified as defined in the manual page using the raw parameter and will be added to the configuration as-is. There are special parameters ignored by the configuration template, used to manage the configuration entry itself:
    name
    The name of the ruleset file.
    state
    If not specified or present, the ruleset file is generated by the role. If absent, the ruleset file won't be generated, existing files are not removed.
    comment
    String or YAML text block with a comment added before the ruleset.
    raw
    YAML text block with configuration which will be included in the configuration file as-is.
updates
Optional. This parameter defines the contents of the conf/updates configuration file in the reprepro repository. The updates parameters from configuration entries with the same name parameter are merged together and can affect each other. See the reprepro(1) manual page for possible options.
The configuration is defined as a list of YAML dictionaries, each dictionary can define a single update ruleset. The name parameter is used to define the ruleset name. Other options should be specified as defined in the manual page and will be added to the configuration as-is. There are special parameters ignored by the configuration template, used to manage the configuration entry itself:
    name
    The name of the ruleset, stored as Name in the configuration file.
    state
    If not specified or present, the ruleset is included in the configuration file. If absent, the ruleset will be removed from the configuration file.
    comment
    String or YAML text block with a comment added before the ruleset.
    raw
    YAML text block with configuration which will be included in the configuration file as-is. Other parameters of a given ruleset will not be processed by the role.
pulls
Optional. This parameter defines the contents of the conf/pulls configuration file in the reprepro repository. The pulls parameters from configuration entries with the same name parameter are merged together and can affect each other. See the reprepro(1) manual page for possible options.
The configuration is defined as a list of YAML dictionaries, each dictionary can define a single pull ruleset. The name parameter is used to define the ruleset name. Other options should be specified as defined in the manual page and will be added to the configuration as-is. There are special parameters ignored by the configuration template, used to manage the configuration entry itself:
    name
    The name of the ruleset, stored as Name in the configuration file.
    state
    If not specified or present, the ruleset is included in the configuration file. If absent, the ruleset will be removed from the configuration file.
    comment
    String or YAML text block with a comment added before the ruleset.
    raw
    YAML text block with configuration which will be included in the configuration file as-is. Other parameters of a given ruleset will not be processed by the role.