Debian Repository

Content

Since Buster, the reason for having each custom or ported package in this repository is documented here.

Sid

lxd Packaging of LXD (unsuitable for official Debian upload)

Bullseye

Packages                     Reason
spoolinger                   DC tool, packaging in Debian WIP
xl2tpd                       fixed upstream release
openldap                     backport for N-Way Sync and better cn=config management
python-ldap
python-certbot-dns-rfc2136   certbot DNS plugin with workaround since the CNAME resolution patch is not being merged and no solution in sight
lxd                          Packaging of LXD (unsuitable for official Debian upload), and related backports
lxc
dqlite
criu                         Backport for live migrations with LXD

Buster

Packages                     Reason
ftp-ssl                      missing in Buster
m2crypto                     dependency for srv_cert_tlsa_gen
molly-guard                  backported fix for Debian#914716
usrmerge
phpmyadmin                   phpmyadmin is missing from Buster and previous version was broken (#670), simple backport with a few dependencies
google-recaptcha
phpmyadmin-motranslator
phpmyadmin-shapefile
phpmyadmin-sql-parser
tcpdf
twig-extensions
python-acme                  certbot with CNAME resolution patch
python-certbot
python-certbot-dns-rfc2136
roundcube                    port of the 1.4 series to get important improvements
php-masterminds-html5
spoolinger                   DC tool, packaging in Debian WIP
inspircd                     patched to be able to reload the TLS certificate without restarting (not supported in v2)
xl2tpd                       fixed upstream release
openldap                     backport for N-Way Sync and better cn=config management
python-ldap

Administration

All files are stored in /srv/www/sites/repository.duckcorp.org (config, packages, upload zone…). The user dc-repository has been created to handle all the necessary tasks with only limited rights.

Regular administration is to be done using the adm_dc-repository script as root. This script takes care of the sudo call and passes the local configuration options to reprepro, which avoids messing with the rights.

For example:

# adm_dc-repository list jessie
jessie|dc-net|amd64: libiksemel-dev 1.4-2+dc1
jessie|dc-net|amd64: libiksemel-utils 1.4-2+dc1
jessie|dc-net|amd64: libiksemel3 1.4-2+dc1
jessie|dc-net|amd64: zabbix-agent 1:2.4.6+dfsg-1+dc1
…
jessie|dc-net|i386: zabbix-agent 1:2.4.6+dfsg-1+dc1
…
jessie|dc-net|source: libiksemel 1.4-2+dc1
jessie|dc-net|source: zabbix 1:2.4.6+dfsg-1+dc1

Adding Contributors

The list of uploaders is set up in data/duckcorp/debian_repository/reprepro_conf/dc-incoming-uploaders. Use the playbooks/tenants/duckcorp/debian_repository.yml playbook to deploy it.

Renewing Signing Key

gpg expects to have full control over the tty, so temporarily give the tty's ownership over to the dc-repository user (or document here a better solution).

Key creation:

chown dc-repository "$(tty)"
su - dc-repository
gpg --full-generate-key
# default key is fine
# expiration: 5y
# Real name: DuckCorp Archive Automatic Signing Key
# Email address: admin_at_duckcorp.org
# note the new <key-id>
gpg --armor --export <key-id> >duckcorp_repository.gpg.key
# leave the dc-repository shell: only root can take the tty back
exit
chown root "$(tty)"

Update the <key_id> in host_vars/Toushirou/debian_repository.yml and redeploy the repository configuration:

ansible-playbook --diff playbooks/tenants/duckcorp/debian_repository.yml

Force re-signing with the new key:

adm_dc-repository --export=lookedat export

Then update the APT trusted keys on all hosts:

ansible-playbook --diff -t apt playbooks/common.yml
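
Before the trusted keys are pushed to all hosts, the exported key file can be checked. The following is an added example, not part of the original page or of the repository's own tooling: it reads the colon listing that gpg prints for duckcorp_repository.gpg.key, confirms a single primary key, the expected real name and an expiration date far enough away, then prints the fingerprint to compare with the key id set in host_vars. The helper name check_key_listing, its arguments and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# check_key_listing UID_SUBSTRING NOW_EPOCH MIN_DAYS_LEFT   (hypothetical helper)
#   stdin : output of `gpg --show-keys --with-colons <keyfile>`
#   stdout: primary key fingerprint when every check passes
#   status: 0 on success, 1 otherwise (reason on stderr)
check_key_listing() {
    awk -F: -v want="$1" -v now="$2" -v mindays="$3" '
        function fail(msg) { print "check failed: " msg > "/dev/stderr"; exit 1 }
        $1 == "pub" { npub++; expires = $7 }   # field 7: expiry in epoch seconds
        $1 == "fpr" && npub == 1 && fpr == "" { fpr = $10 }   # first fpr: primary key
        $1 == "uid" && index($10, want) { uid_ok = 1 }
        END {
            if (npub != 1)     fail("expected exactly one primary key")
            if (fpr == "")     fail("no fingerprint record")
            if (!uid_ok)       fail("no uid containing \"" want "\"")
            if (expires == "") fail("key has no expiration date")
            if (expires - now < mindays * 86400) fail("key expires too soon")
            print fpr
        }'
}

# Constructed sample of the colon listing (not a real key): created at
# 1700000000 and expiring five years later, as in the procedure above.
SAMPLE='pub:-:3072:1:0123456789ABCDEF:1700000000:1857680000::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1700000000::0000000000000000000000000000000000000000::DuckCorp Archive Automatic Signing Key <archive@example.org>::::::::::0:
sub:-:3072:1:FEDCBA9876543210:1700000000:1857680000:::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:'

# Real use, as dc-repository right after the export step:
#   gpg --show-keys --with-colons duckcorp_repository.gpg.key |
#       check_key_listing "DuckCorp Archive Automatic Signing Key" "$(date +%s)" 365
printf '%s\n' "$SAMPLE" |
    check_key_listing "DuckCorp Archive Automatic Signing Key" 1700000000 365
```

A key generated without an expiration date is rejected as well, since the procedure asks for 5y.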

Updated by Marc Dequènes about 5 hours ago · 16 revisions