DuckCorp » DuckCorp Infrastructure

h1. Debian Repository

h2. Content

Since Buster we document here the reason for having custom/ported packages in this repository.

h3. Sid

| lxd | Packaging of LXD (unsuitable for official Debian upload) |

h3. Bullseye

|_. Packages |_. Reason |

| spoolinger | DC tool, packaging in Debian WIP |

| xl2tpd | fixed upstream release|

| openldap |/2. backport for N-Way Sync and better cn=config management|

| python-ldap |

| python-certbot-dns-rfc2136 | certbot DNS plugin with workaround since the "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244 is not being merged and no solution in sight |

| lxd |/3. Packaging of LXD (unsuitable for official Debian upload), and related backports |

| lxc |

| dqlite |

| criu | Backport for live migrations with LXD |

| roundcube | back for newer version |

h3. Buster

|_. Packages |_. Reason |

| ftp-ssl | missing in Buster |

| m2crypto|dependency for *srv_cert_tlsa_gen*|

| molly-guard|/2. backported "fix for Debian#914716":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914716 |

| usrmerge|

| phpmyadmin|/7. phpmyadmin is missing from Buster and previous version was broken (#670), simple backport with a few dependencies |

| google-recaptcha|

| phpmyadmin-motranslator|

| phpmyadmin-shapefile|

| phpmyadmin-sql-parser|

| tcpdf|

| twig-extensions|

| python-acme |/3. certbot with "CNAME resolution patch":https://github.com/certbot/certbot/pull/7244 |

| python-certbot |

| python-certbot-dns-rfc2136 |

| roundcube |/2. port of the 1.4 series to get important improvements  |

| php-masterminds-html5 |

| spoolinger | DC tool, packaging in Debian WIP |

| inspircd | patched to be able to reload the TLS certificate without restarting (not supported in v2) |

| xl2tpd | fixed upstream release |

| openldap |/2. backport for N-Way Sync and better cn=config management |

| python-ldap|

| ruby-httpclient | backport to fix #995448

h2. Administration

All files are stored into */srv/www/sites/repository.duckcorp.org* (config, packages, upload zone…). The user *dc-repository* has been created to handle all the necessary tasks with only limited rights.

Regular administration is to be done using the *adm_dc-repository* script as root. This script is able to sudo and pass local configuration options to reprepro, and avoid messing with the rights.

For example:

<pre>

# adm_dc-repository list jessie

jessie|dc-net|amd64: libiksemel-dev 1.4-2+dc1

jessie|dc-net|amd64: libiksemel-utils 1.4-2+dc1

jessie|dc-net|amd64: libiksemel3 1.4-2+dc1

jessie|dc-net|amd64: zabbix-agent 1:2.4.6+dfsg-1+dc1

…

jessie|dc-net|i386: zabbix-agent 1:2.4.6+dfsg-1+dc1

…

jessie|dc-net|source: libiksemel 1.4-2+dc1

jessie|dc-net|source: zabbix 1:2.4.6+dfsg-1+dc1

</pre>

h2. Adding Contributors

The list of uploader is setup into *data/duckcorp/debian_repository/reprepro_conf/dc-incoming-uploaders*. Use the _playbooks/tenants/duckcorp/debian_repository.yml_ playbook to deploy it.

h2. Renewing Signing Key

gpg expects to have full control over the tty, so temporarily give the tty's ownership over to the _dc-repository_ user (or document here a better solution).

Key creation:

<pre>

chown dc-repository $(tty)

su - dc-repository

gpg --full-generate-key

# default key is fine

# expiration: 5y

# Real name: DuckCorp Archive Automatic Signing Key

# Email address: admin_at_duckcorp.org

# note the new <key-id>

gpg --armor --export <key-id> >duckcorp_repository.gpg.key

chown root $(tty)

</pre>

Update the <key_id> in _host_vars/Toushirou/debian_repository.yml_ and redeploy the repository configuration:

    ansible-playbook --diff playbooks/tenants/duckcorp/debian_repository.yml

Force resigning with the new key:

    adm_dc-repository --export=lookedat export

Then update the APT trusted keys on all hosts:

    ansible-playbook --diff -t apt playbooks/common.yml