@ -1,19 +1,59 @@
|
|
|
|
|
#!/bin/bash
|
|
|
|
|
set -e
|
|
|
|
|
|
|
|
|
|
# Configuration
|
|
|
|
|
GPG_KEY_NAME="example"
|
|
|
|
|
KEY_PUBLIC="/workspace/apt-repo/pgp-key.public"
|
|
|
|
|
# ============================================================
|
|
|
|
|
# CONFIGURATION — modifiez ces variables selon vos besoins
|
|
|
|
|
# ============================================================
|
|
|
|
|
DOMAIN="deb.legaragenumerique.fr" # adresse du dépôt
|
|
|
|
|
GPG_KEY_NAME="gn-depot"
|
|
|
|
|
EMAIL="admin@lgn.dev"
|
|
|
|
|
|
|
|
|
|
DIST_NAME="stable" # Nom de la distribution : stable, focal, bookworm, etc.
|
|
|
|
|
COMPONENT="main" # Composante : main, contrib, non-free, etc.
|
|
|
|
|
ARCH="amd64" # Architecture : amd64, arm64, all, etc.
|
|
|
|
|
|
|
|
|
|
REPO_ORIGIN="GN-depot" # Nom affiché dans le fichier Release
|
|
|
|
|
REPO_LABEL="GN-depot" # Label affiché dans le fichier Release
|
|
|
|
|
REPO_DESCRIPTION="Dépôt du garage numérique"
|
|
|
|
|
|
|
|
|
|
# Priorité du dépôt recommandée pour les clients (générée dans le fichier .pref)
|
|
|
|
|
# < 0 : jamais installé
|
|
|
|
|
# 100 : installé seulement si absent ailleurs
|
|
|
|
|
# 500 : priorité normale (dépôts standards)
|
|
|
|
|
# 990 : priorité élevée
|
|
|
|
|
# >1000 : installe même en régression de version
|
|
|
|
|
REPO_PRIORITY=500
|
|
|
|
|
|
|
|
|
|
# ============================================================
|
|
|
|
|
# CHEMINS (ne pas modifier sauf besoin spécifique)
|
|
|
|
|
# ============================================================
|
|
|
|
|
KEY_PUBLIC="./depot/pgp-key.public"
|
|
|
|
|
KEY_PRIVATE="/workspace/secret/pgp-key.private"
|
|
|
|
|
EMAIL="test@exemple.com"
|
|
|
|
|
|
|
|
|
|
POOL_DIR="./apt-repo/pool/$COMPONENT/binary-$ARCH"
|
|
|
|
|
DISTS_DIR="./apt-repo/dists/$DIST_NAME/$COMPONENT/binary-$ARCH"
|
|
|
|
|
|
|
|
|
|
# ============================================================
|
|
|
|
|
|
|
|
|
|
echo "📦 Création du dépôt APT"
|
|
|
|
|
mkdir -p ./apt-repo/pool/main/binary-amd64
|
|
|
|
|
mkdir -p ./apt-repo/dists/stable/main/binary-amd64
|
|
|
|
|
echo " Distribution : $DIST_NAME"
|
|
|
|
|
echo " Composante : $COMPONENT"
|
|
|
|
|
echo " Architecture : $ARCH"
|
|
|
|
|
echo " Priorité : $REPO_PRIORITY"
|
|
|
|
|
|
|
|
|
|
# Génération des clés seulement si elles n'existent pas
|
|
|
|
|
mkdir -p "$POOL_DIR"
|
|
|
|
|
mkdir -p "$DISTS_DIR"
|
|
|
|
|
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
# Génération des clés GPG (seulement si absentes)
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
make_keys() {
|
|
|
|
|
echo "🔐 Génération des clés GPG"
|
|
|
|
|
|
|
|
|
|
# S'assurer que le dossier destination existe
|
|
|
|
|
mkdir -p "$(dirname "$KEY_PUBLIC")"
|
|
|
|
|
mkdir -p "$(dirname "$KEY_PRIVATE")"
|
|
|
|
|
|
|
|
|
|
cat > example-pgp-key.batch <<EOF
|
|
|
|
|
Key-Type: RSA
|
|
|
|
|
Key-Length: 4096
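Review bot: `KEY_PUBLIC="./depot/pgp-key.public"` moves the exported public key into ./depot/, the same directory whose whole contents the last hunk copies into the pool with `cp ./depot/* "$POOL_DIR/"`, so the key file ends up among the .deb files; keeping the key outside the package drop directory (for example `KEY_PUBLIC="./apt-repo/pgp-key.public"`, which is where make_keys copies it anyway) avoids that. The header still only sets `set -e`; `set -euo pipefail` would make the `md5sum … | cut` pipelines in generate_release (next hunk) fail instead of silently yielding empty checksums, and `-u` would catch the typo-prone duplicate assignments in this block. GPG_KEY_NAME, KEY_PUBLIC and EMAIL each appear twice with different values in this rendering; whether that is the old line next to its replacement or two surviving assignments cannot be told from the page, so confirm the new file keeps exactly one of each. make_keys and its key-generation heredoc continue into the next hunk.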
|
|
|
|
|
@ -28,26 +68,165 @@ EOF
|
|
|
|
|
gpg --batch --gen-key example-pgp-key.batch
|
|
|
|
|
gpg --armor --export "$GPG_KEY_NAME" > "$KEY_PUBLIC"
|
|
|
|
|
gpg --armor --export-secret-keys "$GPG_KEY_NAME" > "$KEY_PRIVATE"
|
|
|
|
|
chmod 600 $KEY_PRIVATE
|
|
|
|
|
cp "$KEY_PUBLIC" ./apt-repo/pgp-key.public
|
|
|
|
|
chmod 600 "$KEY_PRIVATE"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sign_packages() {
|
|
|
|
|
cd ./apt-repo
|
|
|
|
|
dpkg-scanpackages --arch amd64 pool/ > dists/stable/main/binary-amd64/Packages
|
|
|
|
|
gzip -9 < dists/stable/main/binary-amd64/Packages > dists/stable/main/binary-amd64/Packages.gz
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
# Génération du fichier Release
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
generate_release() {
|
|
|
|
|
local base="$1" # = chemin vers ./apt-repo
|
|
|
|
|
local dist_path="$base/dists/$DIST_NAME"
|
|
|
|
|
local packages_file="$COMPONENT/binary-$ARCH/Packages"
|
|
|
|
|
local packages_gz="$COMPONENT/binary-$ARCH/Packages.gz"
|
|
|
|
|
|
|
|
|
|
# Les checksums sont calculés depuis dist_path
|
|
|
|
|
MD5_PKG=$(md5sum "$dist_path/$packages_file" | cut -d' ' -f1)
|
|
|
|
|
SHA1_PKG=$(sha1sum "$dist_path/$packages_file" | cut -d' ' -f1)
|
|
|
|
|
SHA256_PKG=$(sha256sum "$dist_path/$packages_file" | cut -d' ' -f1)
|
|
|
|
|
SIZE_PKG=$(wc -c < "$dist_path/$packages_file")
|
|
|
|
|
|
|
|
|
|
MD5_GZ=$(md5sum "$dist_path/$packages_gz" | cut -d' ' -f1)
|
|
|
|
|
SHA1_GZ=$(sha1sum "$dist_path/$packages_gz" | cut -d' ' -f1)
|
|
|
|
|
SHA256_GZ=$(sha256sum "$dist_path/$packages_gz" | cut -d' ' -f1)
|
|
|
|
|
SIZE_GZ=$(wc -c < "$dist_path/$packages_gz")
|
|
|
|
|
|
|
|
|
|
cat <<EOF
|
|
|
|
|
Origin: $REPO_ORIGIN
|
|
|
|
|
Label: $REPO_LABEL
|
|
|
|
|
Suite: $DIST_NAME
|
|
|
|
|
Codename: $DIST_NAME
|
|
|
|
|
Architectures: $ARCH
|
|
|
|
|
Components: $COMPONENT
|
|
|
|
|
Description: $REPO_DESCRIPTION
|
|
|
|
|
Date: $(date -Ru)
|
|
|
|
|
MD5Sum:
|
|
|
|
|
$MD5_PKG $SIZE_PKG $packages_file
|
|
|
|
|
$MD5_GZ $SIZE_GZ $packages_gz
|
|
|
|
|
SHA1:
|
|
|
|
|
$SHA1_PKG $SIZE_PKG $packages_file
|
|
|
|
|
$SHA1_GZ $SIZE_GZ $packages_gz
|
|
|
|
|
SHA256:
|
|
|
|
|
$SHA256_PKG $SIZE_PKG $packages_file
|
|
|
|
|
$SHA256_GZ $SIZE_GZ $packages_gz
|
|
|
|
|
EOF
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
# Scan, compression et signature des paquets
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
sign_packages() {
|
|
|
|
|
# Sauvegarder le répertoire de départ
|
|
|
|
|
local WORKDIR
|
|
|
|
|
WORKDIR=$(pwd)
|
|
|
|
|
|
|
|
|
|
cd ./apt-repo
|
|
|
|
|
|
|
|
|
|
echo "📋 Scan des paquets"
|
|
|
|
|
dpkg-scanpackages --arch "$ARCH" pool/ > "dists/$DIST_NAME/$COMPONENT/binary-$ARCH/Packages"
|
|
|
|
|
gzip -9 < "dists/$DIST_NAME/$COMPONENT/binary-$ARCH/Packages" \
|
|
|
|
|
> "dists/$DIST_NAME/$COMPONENT/binary-$ARCH/Packages.gz"
|
|
|
|
|
|
|
|
|
|
cd dists/stable
|
|
|
|
|
gpg --import /workspace/secret/pgp-key.private
|
|
|
|
|
|
|
|
|
|
echo "⚙️ Génération de Release"
|
|
|
|
|
/workspace/generate-release.sh > Release
|
|
|
|
|
echo "⚙️ Génération de Release"
|
|
|
|
|
generate_release "$(pwd)" > "dists/$DIST_NAME/Release"
|
|
|
|
|
|
|
|
|
|
echo "🔏 Signature du Release"
|
|
|
|
|
gpg --default-key "$GPG_KEY_NAME" -abs < Release > Release.gpg
|
|
|
|
|
gpg --default-key "$GPG_KEY_NAME" --clearsign < Release > InRelease
|
|
|
|
|
gpg --default-key "$GPG_KEY_NAME" -abs \
|
|
|
|
|
< "dists/$DIST_NAME/Release" \
|
|
|
|
|
> "dists/$DIST_NAME/Release.gpg"
|
|
|
|
|
|
|
|
|
|
gpg --default-key "$GPG_KEY_NAME" --clearsign \
|
|
|
|
|
< "dists/$DIST_NAME/Release" \
|
|
|
|
|
> "dists/$DIST_NAME/InRelease"
|
|
|
|
|
|
|
|
|
|
cd "$WORKDIR"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
# Génération du fichier de priorité pour les clients
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
generate_client_pref() {
|
|
|
|
|
local pref_file="./apt-repo/gn-depot.pref"
|
|
|
|
|
cat > "$pref_file" <<EOF
|
|
|
|
|
# Copiez ce fichier dans /etc/apt/preferences.d/ sur vos machines clientes
|
|
|
|
|
# pour définir la priorité de ce dépôt.
|
|
|
|
|
#
|
|
|
|
|
# Valeurs utiles :
|
|
|
|
|
# < 0 → jamais installé
|
|
|
|
|
# 100 → seulement si absent ailleurs
|
|
|
|
|
# 500 → priorité normale (équivalent dépôts standards)
|
|
|
|
|
# 990 → priorité élevée (favorisé sur les autres dépôts)
|
|
|
|
|
# >1000 → installe même en cas de régression de version
|
|
|
|
|
|
|
|
|
|
Package: *
|
|
|
|
|
Pin: origin $DOMAIN
|
|
|
|
|
Pin-Priority: $REPO_PRIORITY
|
|
|
|
|
EOF
|
|
|
|
|
echo "📄 Fichier de priorité client généré : $pref_file"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
# Génération du sources.list pour les clients
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
generate_client_sources() {
|
|
|
|
|
local sources_file="./apt-repo/gn-depot.list"
|
|
|
|
|
|
|
|
|
|
cat > "$sources_file" <<EOF
|
|
|
|
|
# Copiez ce fichier dans /etc/apt/sources.list.d/ sur vos machines clientes
|
|
|
|
|
deb [arch=$ARCH signed-by=/usr/share/keyrings/gn-depot.gpg] https://$DOMAIN $DIST_NAME $COMPONENT
|
|
|
|
|
EOF
|
|
|
|
|
echo "📄 Fichier sources.list client généré : $sources_file"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
# Génération du script d'installation du dépôt pour les clients
|
|
|
|
|
# ------------------------------------------------------------
|
|
|
|
|
generate_install_script() {
|
|
|
|
|
|
|
|
|
|
cat > ./apt-repo/install-repo.sh <<EOF
|
|
|
|
|
#!/bin/bash
|
|
|
|
|
set -e
|
|
|
|
|
|
|
|
|
|
DOMAIN="$DOMAIN"
|
|
|
|
|
DIST="$DIST_NAME"
|
|
|
|
|
COMPONENT="$COMPONENT"
|
|
|
|
|
ARCH="$ARCH"
|
|
|
|
|
PRIORITY="$REPO_PRIORITY"
|
|
|
|
|
LABEL="$REPO_LABEL"
|
|
|
|
|
|
|
|
|
|
echo "🔑 Ajout de la clé GPG..."
|
|
|
|
|
wget -qO /etc/apt/trusted.gpg.d/gn-depot.asc "https://\$DOMAIN/pgp-key.public"
|
|
|
|
|
|
|
|
|
|
echo "📋 Ajout du dépôt..."
|
|
|
|
|
echo "deb [arch=\$ARCH signed-by=/etc/apt/trusted.gpg.d/gn-depot.asc] https://\$DOMAIN \$DIST \$COMPONENT" \
|
|
|
|
|
> /etc/apt/sources.list.d/gn-depot.list
|
|
|
|
|
|
|
|
|
|
echo "⚙️ Définition de la priorité (\$PRIORITY)..."
|
|
|
|
|
cat > /etc/apt/preferences.d/gn-depot.pref <<PREF
|
|
|
|
|
Package: *
|
|
|
|
|
Pin: release l=\$LABEL
|
|
|
|
|
Pin-Priority: \$PRIORITY
|
|
|
|
|
PREF
|
|
|
|
|
|
|
|
|
|
echo "🔄 Mise à jour des dépôts..."
|
|
|
|
|
apt update
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
|
echo "✅ Dépôt installé avec succès !"
|
|
|
|
|
echo " Priorité : \$PRIORITY"
|
|
|
|
|
echo " Utilisez : sudo apt install <paquet>"
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
chmod +x ./apt-repo/install-repo.sh
|
|
|
|
|
echo "📄 Script d'installation client généré : install-repo.sh"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ============================================================
|
|
|
|
|
# MAIN
|
|
|
|
|
# ============================================================
|
|
|
|
|
|
|
|
|
|
if [ ! -f "$KEY_PUBLIC" ]; then
|
|
|
|
|
make_keys
|
|
|
|
|
else
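Review bot: The generated install-repo.sh fetches the repository key with `wget -qO /etc/apt/trusted.gpg.d/gn-depot.asc …`, and anything in /etc/apt/trusted.gpg.d/ is trusted by apt for every configured repository, which defeats the `signed-by=` scoping on the following line; writing the key to `/etc/apt/keyrings/gn-depot.asc` and pointing `signed-by=` at that path keeps it limited to this repository. The two other client artefacts are inconsistent with it and with each other: gn-depot.list advertises `signed-by=/usr/share/keyrings/gn-depot.gpg`, a file nothing in this script creates, and gn-depot.pref pins on `Pin: origin $DOMAIN` while install-repo.sh pins on `Pin: release l=$LABEL`, so the same priority can apply to different package sets depending on which file the client used. In generate_release the checksum assignments such as `MD5_PKG=$(md5sum "$dist_path/$packages_file" | cut -d' ' -f1)` report cut's exit status, so under plain `set -e` a missing or empty Packages file produces blank hash lines that are then signed; a guard like `[[ -s "$dist_path/$packages_file" ]] || return 1` before the pipelines prevents that, and the uppercase result variables should be `local`. The rendering does not show which of the duplicated sign_packages, `cd dists/stable`, `gpg --import /workspace/secret/pgp-key.private` and `gpg --default-key … < Release` lines survive on the new side, so if the `--import` of the on-disk secret key is still there, note that it re-imports the key on every run and that `--default-key` by name rather than fingerprint is ambiguous once a second key with that uid exists. The if/else around make_keys that ends this hunk continues into the next one.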
|
|
|
|
|
@ -55,14 +234,21 @@ else
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "🚚 Copie des paquets"
|
|
|
|
|
cp ./depot/* ./apt-repo/pool/main/binary-amd64/ || true
|
|
|
|
|
cp ./depot/* "$POOL_DIR/" 2>/dev/null || true
|
|
|
|
|
|
|
|
|
|
sign_packages
|
|
|
|
|
generate_client_pref
|
|
|
|
|
generate_client_sources
|
|
|
|
|
generate_install_script
|
|
|
|
|
|
|
|
|
|
# Lancement serveur
|
|
|
|
|
echo "🚀 Lancement du serveur Gunicorn"
|
|
|
|
|
cd /workspace
|
|
|
|
|
cp index.html logo.png apt-repo/
|
|
|
|
|
gunicorn -b 0.0.0.0:8000 server:app
|
|
|
|
|
echo "📡 Dépôt APT disponible sur https://votre-domaine.tld"
|
|
|
|
|
echo "🔑 Clé publique disponible sur https://votre-domaine.tld/pgp-key.public"
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
|
echo "✅ Dépôt APT disponible"
|
|
|
|
|
echo " 📡 URL : https://${DOMAIN}"
|
|
|
|
|
echo " 🔑 Clé pub : https://${DOMAIN}/pgp-key.public"
|
|
|
|
|
echo " 📋 Sources : https://${DOMAIN}/gn-depot.list"
|
|
|
|
|
echo " ⚙️ Priorité : https://${DOMAIN}/gn-depot.pref"
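Review bot: `gunicorn -b 0.0.0.0:8000 server:app` runs in the foreground, so the six echo lines after it (from `echo ""` to `echo " ⚙️ Priorité : …"`) only run after the server exits and the "✅ Dépôt APT disponible" summary is never shown while the repository is actually being served; print the summary before starting the server and make the last line `exec gunicorn -b 0.0.0.0:8000 server:app` so the process receives signals directly when this script is the container entrypoint. `cp ./depot/* "$POOL_DIR/" 2>/dev/null || true` also discards every copy error and copies whatever is in ./depot/, including the public key the new KEY_PUBLIC path places there; a nullglob loop over `./depot/*.deb` that reports failures is safer. The three old/new `cp` and echo pairs in this hunk suggest the old lines were kept in the rendering rather than in the file, but that is not recoverable here.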
|