I only run Archlinux on my home network. The only problem I have is getting Icinga 2. There are no official packages provided by Archlinux. Archlinux has the Arch User Repository (short: AUR) where you can get additional software. The downside of the AUR is that you have to compile it yourself. Doing this on every machine just consumes too much CPU, and you have to install the required libs everywhere and so on. So this way was not practical. I then developed an Ansible role to compile Icinga 2 for Archlinux on one machine and then distribute the package to every machine.
This sucks less but is not the best way to distribute packages. I decided to set up my own unofficial Archlinux mirror server so I can upgrade the package with pacman. You can find it under https://icinga2.mirror.veloc1ty.de. You can use it with https and http. The TLS certificate is provided by Let’s Encrypt.
How to use it
Every package on that mirror is signed with this PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEWmeG0BYJKwYBBAHaRw8BAQdAB4Nqjcv6Sl92cKMniAhyNooTP5aguawkM7WY
mj1/wqK0ZUljaW5nYTIgQXJjaCBNaXJyb3IgKFNpZ25pbmcga2V5IGZvciB0aGUg
aW5vZmZpY2lhbCBpY2luZ2EyIGFyY2hsaW51eCBwYWNrYWdlcykgPGljaW5nYTJA
dmVsb2MxdHkuZGU+iJYEExYIAD4WIQTq7bpQImslrsFIA0Ub4Uxy2Q5sAAUCWmeG
0AIbAwUJCWYBgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAb4Uxy2Q5sAMY2
AQDw7ulabkF8fP0DZCNNuIGW0HSRNmBaCNzqhENp533h7AD+PxY9sSHxk8Zt+4gE
HVVQLpy5y1WHtr3vIV30XfDXtgA=
=tobr
-----END PGP PUBLIC KEY BLOCK-----
Yes, it’s short, but it’s not an RSA key but an ECC one. Save the key, for example under /root/icinga2.pub. Now you can import it (as root, of course):
pacman-key --add /root/icinga2.pub
Now we have to trust it. Here is how that’s done:
[root@mineralwasser logs]# gpg --homedir /etc/pacman.d/gnupg --edit-key 1BE14C72D90E6C00
gpg: WARNING: unsafe permissions on homedir '/etc/pacman.d/gnupg'

pub  ed25519/1BE14C72D90E6C00
     created: 2018-01-23  expires: 2023-01-22  usage: SC
     trust: undefined     validity: unknown
[ unknown] (1). Icinga2 Arch Mirror (Signing key for the inofficial icinga2 archlinux packages) <firstname.lastname@example.org>

gpg> trust
pub  ed25519/1BE14C72D90E6C00
     created: 2018-01-23  expires: 2023-01-22  usage: SC
     trust: undefined     validity: unknown
[ unknown] (1). Icinga2 Arch Mirror (Signing key for the inofficial icinga2 archlinux packages) <email@example.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  ed25519/1BE14C72D90E6C00
     created: 2018-01-23  expires: 2023-01-22  usage: SC
     trust: ultimate      validity: unknown
[ unknown] (1). Icinga2 Arch Mirror (Signing key for the inofficial icinga2 archlinux packages) <firstname.lastname@example.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.
Now you have to add this to /etc/pacman.conf:
[icinga2]
Server = https://icinga2.mirror.veloc1ty.de
That’s it. This has to be done on every server where you want to use the mirror. You can automate this. I’ve written it up on GitHub under "Protip: Distribute the mirror key to other clients": https://github.com/vlcty/ansible-role-arch-mirror
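The import, trust and pacman.conf steps above as one non-interactive script. This is an added example, not code from the author's Ansible role. It assumes the key was saved to /root/icinga2.pub, replaces the interactive ultimate-trust dialogue with `pacman-key --lsign-key` (a local signature), and the function names and the `--apply` switch are the script's own.

```shell
#!/bin/sh
# Added example: the import, trust and pacman.conf steps without the interactive dialogue.
KEY_ID="1BE14C72D90E6C00"                  # long key ID from the gpg session in the article
KEY_FILE="/root/icinga2.pub"               # path suggested in the article
REPO_NAME="icinga2"
REPO_URL="https://icinga2.mirror.veloc1ty.de"
PACMAN_CONF="/etc/pacman.conf"

# Reads `gpg --with-colons` output on stdin. Succeeds only if the first "fpr"
# record (fpr:::::::::<40 hex digits>:) ends in the expected 16-digit key ID.
# The article only gives the key ID; compare the full fingerprint instead if
# you have it from a second channel.
fpr_matches_keyid() {
    awk -F: -v id="$1" '
        $1 == "fpr" { found = (length($10) == 40 && substr($10, 25) == id); exit }
        END { exit !found }'
}

# add_repo CONF NAME URL: append the repository section unless it already exists,
# so repeated runs do not duplicate it.
add_repo() {
    if grep -qxF "[$2]" "$1"; then
        return 0
    fi
    printf '\n[%s]\nServer = %s\n' "$2" "$3" >> "$1"
}

setup_mirror() {
    # Inspect the key file before it touches pacman's keyring.
    if ! gpg --show-keys --with-colons "$KEY_FILE" | fpr_matches_keyid "$KEY_ID"; then
        echo "key in $KEY_FILE is not $KEY_ID, refusing to import" >&2
        return 1
    fi
    # Local signature instead of setting ultimate trust by hand.
    pacman-key --add "$KEY_FILE" &&
        pacman-key --lsign-key "$KEY_ID" &&
        add_repo "$PACMAN_CONF" "$REPO_NAME" "$REPO_URL"
}

# Only act when called with --apply (as root); otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
    setup_mirror
fi
```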