
Getting Started

Get Repod running in 5 minutes and upload your first package.

Prerequisites


Step 1 — Clone and configure

git clone https://github.com/your-org/repod
cd repod
cp backend.env.example backend.env

Open backend.env and set two values:

backend.env
# Generate a secure secret:
# openssl rand -hex 32
JWT_SECRET_KEY=your-secret-here

# Generate the bcrypt hash of your admin password:
# docker run --rm python:3.11-slim python -c \
#   "from passlib.hash import bcrypt; print(bcrypt.hash('YourPassword1!'))"
ADMIN_PASSWORD_HASH=$2b$12$...

One-liner to generate the hash

docker run --rm python:3.11-slim python -c \
  "from passlib.hash import bcrypt; print(bcrypt.hash('MyPassword1!'))"

Step 2 — Start the stack

docker compose up -d

Three containers start:

Container     Role                                Default port
depot-apt     Nginx — serves packages via APT     80
backend-api   FastAPI — API + security pipeline   8000
frontend-ui   React — web interface               3003

Watch the logs:

docker compose logs -f backend-api

Wait for:

INFO:     Application startup complete.


Step 3 — Open the interface

Navigate to http://localhost:3003

Sign in with:

  • Username: admin
  • Password: the password you hashed in Step 1

Change the default password immediately

Go to Account → Change password on first login.


Step 4 — Generate a GPG signing key

Your APT repository needs a GPG key to sign package indexes.

  1. Go to Settings → GPG
  2. Click Generate key
  3. The public key appears — you'll use it in Step 6

Step 5 — Upload your first package

  1. Go to Upload in the sidebar
  2. Drag and drop your .deb file
  3. Select a distribution (e.g. jammy)
  4. Click Upload

The pipeline runs in real time:

✅ Format validation
✅ SHA-256 checksum
✅ ClamAV — clean
✅ Grype — no CVEs found
✅ GPG signature
✅ Dependencies resolved

To upload through the API instead, get a token and post the file:

# Get a token
TOKEN=$(curl -s -X POST http://localhost:8000/auth/token \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"YourPassword1!"}' \
  | jq -r .access_token)

# Upload
curl -X POST http://localhost:8000/upload/ \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@mypackage_1.0.0_amd64.deb" \
  -F "distribution=jammy"

Step 6 — Configure a client machine

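On any machine that should install from your repo, run the install script:

curl -s http://YOUR_REPO_HOST:8000/install | bash

Or configure the client manually, as root. Step 1 must import the public key generated in Step 4; in a standard APT layout, dists/jammy/Release.gpg is the detached signature of the Release file, so check what this URL returns before trusting it:

# 1. Import the GPG public key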
curl -sL http://YOUR_REPO_HOST/repos/dists/jammy/Release.gpg \
  | gpg --dearmor \
  > /etc/apt/trusted.gpg.d/repod.gpg

# 2. Add the source
echo "deb http://YOUR_REPO_HOST/repos jammy main" \
  > /etc/apt/sources.list.d/repod.list

# 3. Update and install
apt update
apt install mypackage
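
The key imported in Step 6 decides which packages apt will accept from this repo, and the commands above fetch it over plain HTTP. The script below is an added example, not part of Repod or its documentation: it checks a downloaded key file against a fingerprint obtained out of band before installing it. The function names, the sample listing and the fingerprint are constructed, and gpg 2.2 or later is assumed for --show-keys.

```shell
#!/bin/sh
# Added example: pin the repo signing key by fingerprint before apt trusts it.

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint. Fails unless the input holds exactly one primary key, so a
# file that bundles an extra key is rejected rather than trusted wholesale.
single_primary_fpr() {
  awk -F: '
    $1 == "pub" { pubs++; want = 1; next }
    $1 == "fpr" && want { fpr = $10; want = 0 }
    END { if (pubs != 1 || fpr == "") exit 1; print fpr }'
}

# Succeed only if the listing on stdin is one key with the expected fingerprint.
fpr_matches() {
  _want=$(normalize_fpr "$1")
  _got=$(single_primary_fpr) || return 1
  [ "$_got" = "$_want" ]
}

# Verify an ASCII-armored key file, then write it out as a binary keyring.
# Usage: install_pinned_key <keyfile> <expected-fingerprint> <dest.gpg>
install_pinned_key() {
  gpg --show-keys --with-fingerprint --with-colons "$1" | fpr_matches "$2" || {
    echo "refusing $1: fingerprint mismatch or not exactly one key" >&2
    return 1
  }
  gpg --dearmor < "$1" > "$3"
}

# Constructed sample of a colon listing (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEFAAAABBBB:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAABBBB:
uid:-::::1700000000::::Repod test key (constructed)::::::::::0:
sub:-:4096:1:765432101111AAAA:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98765432101111AAAA:'

# Demo on the constructed listing: spaces and lower case are accepted.
printf '%s\n' "$SAMPLE_LISTING" \
  | fpr_matches "0123 4567 89ab cdef 0123 4567 89ab cdef aaaa bbbb" \
  && echo "sample key accepted"
```

The subkey fingerprint never satisfies the check; only the primary key's fingerprint identifies the key being trusted.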

You're done! 🎉

In 5 minutes you have:

  • A private APT repository with TLS-ready reverse proxy support
  • An antivirus + CVE scanning pipeline on every upload
  • A signed repository trusted by apt
  • A web UI for operators and security teams
