Getting started

Overview of APT repository instances

The debops.reprepro role sets up and manages APT repositories in one or multiple "instances". A single GPnuG keyring is used to manage GPG keys of uploaders and the key used to sign the repository. Public contents of the APT repositories are published using the debops.nginx role. Each repository is configured with an upload queue using WebDAV which allows package maintainers to upload signed .deb packages using the dput command.

Each instance consists of the repository data files located in /var/local/reprepro/repositories/<instance>/ directory, an incoming queue in /var/spool/reprepro/<instance>/incoming/ directory and public contents of the APT repository stored in /srv/www/reprepro/sites/<instance>/public/ directory. The root paths for these directories can be changed using default variables, if necessary.

By default APT repositories are accessible publicly. Each instance can be configured to disable public access and require HTTP Basic Authentication to access the repository contents; this can be utilized to provide controlled access to the software packages.

Important configuration variables

reprepro__gpg_uploaders_keys
The default configuration sets up a simple APT repository for recent Debian releases, including the next Testing release. To allow developers to upload packages to it, their GPG keys need to be added to the repository keyring. You can specify them using the reprepro__gpg_uploaders_keys list. The keys are managed using the debops.keyring role, and can be stored either on a keyserver network, or in the local ansible/keyring/ directory on the Ansible Controller. See the role documentation for more details.
reprepro__origin
This variable is used to create the GPG key used to sign the APT repositories, and is added to the repository metadata in the Origin: field which can be used by apt_preferences(5) to control package policy. It's derived by default from the debops.machine role configuration, or lacking that, from the DNS domain of the host.

Reprepro maintenance, SSH access

Some operations on the APT repositories require manual access to them to execute reprepro commands. The role configures the UNIX account to allow SSH access by administrators. List of the SSH keys added to the account is defined in the reprepro__admin_sshkeys variable and by default will include the SSH keys of the person executing the role.

Package uploading using dput

You can use the dput(1) command to upload the build .deb packages to the repository over HTTPS. An example ~/.dput.cf configuration file:

[repo]
fqdn = repo.example.org
incoming = /upload
method = https
allow_unsigned_uploads = 0
progress_indicator = 2
allowed_distributions = .*

Example inventory

To install and configure reprepro on a given host, it should be included in a specific Ansible inventory group:

[debops_all_hosts]
hostname

[debops_service_reprepro]
hostname

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.reprepro role:

---

- name: Manage reprepro repositories
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_reprepro' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  pre_tasks:

    - name: Prepare reprepro environment
      import_role:
        name: 'reprepro'
        tasks_from: 'main_env'
      tags: [ 'role::reprepro', 'role::nginx' ]

  roles:

    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx', 'role::reprepro' ]
      keyring__dependent_apt_keys:
        - '{{ nginx__keyring__dependent_apt_keys }}'
      keyring__dependent_gpg_user: '{{ reprepro__keyring__dependent_gpg_user }}'
      keyring__dependent_gpg_keys:
        - '{{ reprepro__keyring__dependent_gpg_keys }}'

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ nginx__apt_preferences__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ nginx__ferm__dependent_rules }}'

    - role: python
      tags: [ 'role::python', 'skip::python' ]
      python__dependent_packages3:
        - '{{ nginx__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ nginx__python__dependent_packages2 }}'

    - role: nginx
      tags: [ 'role::nginx', 'skip::nginx' ]
      nginx__dependent_servers:
        - '{{ reprepro__nginx__dependent_servers }}'

    - role: reprepro
      tags: [ 'role::reprepro', 'skip::reprepro' ]

Ansible tags

You can use Ansible --tags or --skip-tags parameters to limit what tasks are performed during Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::reprepro
Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

Other resources

List of other useful resources related to the debops.reprepro Ansible role: