deb-simple (get it? dead simple.. deb simple…)

A lightweight, bare-bones apt repository server.

Purpose

This project came from a need I had to be able to serve up already created deb packages without a lot of fuss. Most of the existing solutions I found were either geared at mirroring existing “official” repos or for providing your packages to the public. My need was just something that I could use internally to install already built deb packages via apt-get. I didn’t care about change files, signed packages, etc. Since this was to be used in a CI pipeline it had to support remote uploads and be able to update the package list after each upload.

What it does:

  • Supports multiple versions of packages
  • Supports multi-arch repos (i386, amd64, custom, etc)
  • Supports uploading via HTTP/HTTPS POST requests
  • Supports removing packages via HTTP/HTTPS DELETE requests
  • Does NOT require a changes file
  • Supports uploads from various locations without corrupting the repo
  • Supports API keys to protect who can upload/delete packages
  • Supports signing package release files

What it doesn’t do:

  • Create actual packages
  • Mirror existing repos

General Usage:

This project now uses the native Go vendoring feature, so you will need to build with Go >1.7 or, if using 1.5/1.6, make sure GO15VENDOREXPERIMENT is set to 1.

If you do not want to build from source you can just download a pre-built binary from the Releases section.

Fill out the conf.json file with the values you want (it should be pretty self-explanatory), then fire it up!

Once it is running, POST a file to the /upload endpoint:

curl -XPOST 'http://localhost:9090/upload?arch=amd64&distro=stable&section=main' -F "file=@myapp.deb"

Or delete an existing file:

curl -XDELETE 'http://localhost:9090/delete' -d '{"filename":"myapp.deb","distroName":"stable","arch":"amd64", "section":"main"}'

To use your new repo you will have to add a line like this to your sources.list file:

deb http://my-hostname:listenPort/ stable main

my-hostname should be the actual hostname/IP where you are running deb-simple and listenPort will be whatever you set in the config. By default deb-simple puts everything into the stable distro and main section but these can be changed in the config. If you have enabled SSL you will want to swap http for https.

Package Signing

deb-simple can sign the package release file for you, which will stop apt-get from complaining about insecure sources when you update. To do this you need to enable it in the config file by setting enableSigning to true, and privateKey to the path to your GPG signing key.

If you don’t have an existing key deb-simple can help generate one for you. Run:

./deb-simple -k -kn "My Name" -ke "my.email@provider.com"

This will produce two files in the current directory: public.key and private.key. I suggest putting public.key in the repository root somewhere so it can be downloaded by clients that need it, and putting private.key somewhere relatively secure on the file system.

To add your new key on a client run the following command:

wget -qO - http://my-hostname:listenPort/public.key | sudo apt-key add -

This uses Go’s native openpgp library, so key support is cross platform, and doesn’t require or interact with any existing keyring on the system.

Using API keys:

deb-simple supports the idea of an API key to limit who can upload and delete packages. To use the API keys feature you first need to enable it in the config file by setting enableAPIKeys to true. Once that is done you’ll need to generate at least one API key. To do that just run deb-simpled -g and an API key will be printed to stdout.

Now that you have a key you’ll need to include it in your POST and DELETE requests by simply adding on the key URL parameter. An example for an upload might look like:

curl -XPOST 'http://localhost:9090/upload?arch=amd64&distro=stable&section=main&key=MY_BIG_API_KEY' -F "file=@myapp.deb"

A delete would look like:

curl -XDELETE 'http://localhost:9090/delete?key=MY_BIG_API_KEY' -d '{"filename":"myapp.deb","distroName":"stable","arch":"amd64", "section":"main"}'

If you want an automatable service which builds your packages, either manually or via CI/CD, check out debpkg, which makes it very easy to create complex packages with almost no work.

If you want to continuously deliver created packages to a deb-simple server, it is not recommended to place the key somewhere others could find it. You can use deb-simple-cd-helper, which allows you to place a plaintext file with the API key somewhere on your build server without the need to expose it.
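Because the API key travels as the key URL parameter, it tends to end up in shell history, CI job output and HTTP access logs. The Go code below is an added example, not part of deb-simple or deb-simple-cd-helper: it reads the key from a file that only its owner can access, builds the /upload URL with every value query-escaped, and masks the key before the URL is logged. The function names and the key file location are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// loadAPIKey reads the key from a file, refusing one that group or others can access.
func loadAPIKey(path string) (string, error) {
	info, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("%s has mode %04o, want 0600", path, perm)
	}
	raw, err := os.ReadFile(path)
	return strings.TrimSpace(string(raw)), err
}

// uploadURL builds the README's /upload URL with every value query-escaped.
func uploadURL(base, arch, distro, section, key string) string {
	q := url.Values{"arch": {arch}, "distro": {distro}, "section": {section}, "key": {key}}
	return strings.TrimRight(base, "/") + "/upload?" + q.Encode()
}

// redactKey masks the key parameter so the URL can be written to CI logs.
func redactKey(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable URL>"
	}
	q := u.Query()
	if q.Has("key") {
		q.Set("key", "REDACTED")
	}
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	path := os.TempDir() + "/deb-simple.key" // constructed sample key file (hypothetical location)
	_ = os.WriteFile(path, []byte("MY_BIG_API_KEY\n"), 0o600) // a failed write surfaces in err below
	defer os.Remove(path)
	key, err := loadAPIKey(path)
	fmt.Println(redactKey(uploadURL("http://localhost:9090", "amd64", "stable", "main", key)), "err:", err)
}
```

Pass the unredacted URL only to the HTTP client; anything printed or logged should go through redactKey first.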

Do you use this?

If you use deb-simple somewhere I’d love to hear about it! Make a PR to add your company/group/cult :)

License:

MIT so go crazy