Unofficial Icinga 2 Arch Linux Mirror Server

I only run Arch Linux on my home network. The only problem I have is getting Icinga 2. There are no official packages provided by Arch Linux. Arch Linux has the Arch User Repository (AUR for short) where you can get additional software. The downside of the AUR is that you have to compile it yourself. Doing this on every machine just consumes too much CPU, and you have to install the required libs everywhere, and so on. So this way was not practical. I then developed an Ansible role to compile Icinga 2 for Arch Linux on one machine and then distribute the package to every machine.

This sucks less but is not the best way to distribute packages. I decided to set up my own unofficial Arch Linux mirror server so I can upgrade the package with pacman. You can find it at https://icinga2.mirror.veloc1ty.de. You can use it with https and http. The TLS certificate is provided by Let’s Encrypt.

How to use it

Every package on that mirror is signed with this PGP key:

The key is short because it is an ECC key rather than an RSA one. Save the key, for example, under /root/icinga2.pub. Now you can import it (as root, of course):

pacman-key --add /root/icinga2.pub

Now we have to trust it. Here is how that’s done:

[root@mineralwasser logs]# gpg --homedir /etc/pacman.d/gnupg --edit-key 1BE14C72D90E6C00
gpg: WARNING: unsafe permissions on homedir '/etc/pacman.d/gnupg'

pub ed25519/1BE14C72D90E6C00
 created: 2018-01-23 expires: 2023-01-22 usage: SC
 trust: undefined validity: unknown
[ unknown] (1). Icinga2 Arch Mirror (Signing key for the inofficial icinga2 archlinux packages) <icinga2@veloc1ty.de>

gpg> trust
pub ed25519/1BE14C72D90E6C00
 created: 2018-01-23 expires: 2023-01-22 usage: SC
 trust: undefined validity: unknown
[ unknown] (1). Icinga2 Arch Mirror (Signing key for the inofficial icinga2 archlinux packages) <icinga2@veloc1ty.de>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

 1 = I don't know or won't say
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub ed25519/1BE14C72D90E6C00
 created: 2018-01-23 expires: 2023-01-22 usage: SC
 trust: ultimate validity: unknown
[ unknown] (1). Icinga2 Arch Mirror (Signing key for the inofficial icinga2 archlinux packages) <icinga2@veloc1ty.de>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.

Now you have to add this to /etc/pacman.conf:

[icinga2]
Server = https://icinga2.mirror.veloc1ty.de

That’s it. This has to be done on every server where you want to use the mirror. You can automate this. I’ve written it up on GitHub under "Protip: Distribute the mirror key to other clients": https://github.com/vlcty/ansible-role-arch-mirror
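
The manual steps above as a script, as an added example that is not part of the original post: it refuses to import the saved key file unless it contains exactly the key ID shown in the gpg session, and it adds the repository section only once. It uses pacman-key --lsign-key (local signing) in place of the interactive trust prompt; the function names and the --apply switch are made up for this example.

```sh
#!/bin/sh
# Added example: the manual key import and repo setup from this post, scripted.
# Function names and the --apply switch are hypothetical, chosen for this sketch.
EXPECTED_KEYID="1BE14C72D90E6C00"   # long key ID from the gpg session in the post
REPO_NAME="icinga2"
REPO_URL="https://icinga2.mirror.veloc1ty.de"

# Reads `gpg --with-colons` output on stdin. Succeeds only if it contains
# exactly one primary key ("pub" record) whose long ID (field 5) equals $1.
# A 64-bit key ID is a weaker check than a full fingerprint; the post only
# gives the key ID, so that is what is compared here.
keyid_matches() {
    ids=$(awk -F: '$1 == "pub" { print toupper($5) }')
    [ "$ids" = "$1" ]
}

# Appends the repository section to a pacman.conf unless it is already there.
ensure_repo() {
    conf=$1
    grep -qxF "[$REPO_NAME]" "$conf" 2>/dev/null && return 0
    printf '\n[%s]\nServer = %s\n' "$REPO_NAME" "$REPO_URL" >> "$conf"
}

# Check the key file first, then import, locally sign, and add the repo.
apply() {
    keyfile=$1
    if ! gpg --show-keys --with-colons "$keyfile" | keyid_matches "$EXPECTED_KEYID"; then
        echo "refusing to import: $keyfile is not exactly key $EXPECTED_KEYID" >&2
        return 1
    fi
    pacman-key --add "$keyfile" &&
        pacman-key --lsign-key "$EXPECTED_KEYID" &&
        ensure_repo /etc/pacman.conf
}

# Nothing is changed unless the script is called as: script --apply [keyfile]
if [ "${1:-}" = "--apply" ]; then
    apply "${2:-/root/icinga2.pub}"
fi
```

Run it as root with --apply on each machine; without that argument it only defines the functions.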