Automates community builds of Himmelblau and publishes distro repositories (apt/dnf/zypper) to a web root you host (e.g., Nginx).
This repo wraps a few containerized helpers (notably apt-ftparchive) and a Python driver that builds, signs (if configured), and (re)indexes repos.
-
Install prerequisites
- Host packages:
podman,python3, a web server (e.g. nginx),git - Rust toolchain: via https://rustup.rs/
- Host packages:
-
Clone & build helper containers
git clone https://github.com/himmelblau-idm/build-host cd build-host make -
Choose a publish directory for repos, e.g.
/srv/repos/himmelblau. -
Use a large disk for BOTH containers and the Himmelblau source tree. Build artifact caching lives inside the Himmelblau checkout (e.g.,
target/); container layers are also large. Put container storage and the Himmelblau repo on your big disk (see “Recommended storage layout”). -
Clone Himmelblau somewhere on that large disk:
cd /mnt-build/src git clone https://github.com/himmelblau-idm/himmelblau.git -
Add the cron job (edit paths/groups as needed):
0 */6 * * * sg nginx -c "PATH=$PATH:/home/<you>/.cargo/bin TMPDIR=/mnt/tmp BUILDAH_TMPDIR=/mnt/tmp /usr/bin/python3 /path/to/build-host/himmelblau-auto-build.py --publish-dir=/srv/repos/himmelblau >> /var/log/himmelblau-build.log 2>&1"
- Replace
nginxwith the group your web server uses for write access.
- Replace
-
Serve the publish directory from your web server.
Every six hours the job rebuilds and refreshes repository metadata.
The driver writes distro-specific trees into --publish-dir and generates the appropriate metadata (e.g., containerized apt-ftparchive for Debian/Ubuntu). You can serve or rsync the directory as-is.
If you have a larger, separate disk (e.g., mounted at /mnt-build), move both container storage and your Himmelblau checkout there so all heavy caches land on the big disk.
Container storage — ~/.config/containers/storage.conf:
runroot = "/mnt-build/containers-run/<user>"
graphroot = "/mnt-build/containers/<user>"Himmelblau checkout + build artifacts:
mkdir -p /mnt-build/src /mnt-build/tmp
cd /mnt-build/src
git clone https://github.com/himmelblau-idm/himmelblau.gitTemp dirs for speed/space:
export TMPDIR=/mnt-build/tmp
export BUILDAH_TMPDIR=/mnt-build/tmpWhy both? Container layers are large, and so are Rust build artifacts (target/, incremental). Keeping containers + repo checkout on the big disk prevents your root FS from filling and keeps builds fast.
Give your web server read access to --publish-dir, and your cron user write access (often by sharing a group).
server {
listen 80;
server_name your.host.name;
# Serve /srv/repos/himmelblau at /repos/himmelblau/
location /repos/himmelblau/ {
alias /srv/repos/himmelblau/;
autoindex on; # optional, handy for browsing
add_header Access-Control-Allow-Origin *;
}
}Ensure files created by the cron job land with the right group (via sg <group> in cron, ACLs, or umask).
-
himmelblau-auto-build.py— main driver. Typical run:TMPDIR=/mnt-build/tmp BUILDAH_TMPDIR=/mnt-build/tmp \ python3 himmelblau-auto-build.py --publish-dir=/srv/repos/himmelblau
-
Dockerfile.apt-ftparchive— tiny container so we can runapt-ftparchiveeven on distros that don’t package it. -
Makefile— builds helper containers/one-time prerequisites. Re-run when helper images change. -
crontab— example schedule to copy/paste. -
bin/apt-ftparchive,re-release.sh,key.sh— supporting utilities (read script headers for details).
Builds are very fast (often minutes per distro) because we aggressively cache:
- Container layers, and
- Rust artifacts in the Himmelblau repo (
target/, incremental builds)
Plan ~50 GB per active release branch, plus ~50 GB each time you change base containers. Tracking multiple branches and tweaking containers will grow usage quickly.
Cleanup (when needed):
podman image prune -a
podman container prune
podman volume prune # optional, only if you know what’s unusedCleanup will slow the next build until caches repopulate.
Example (every 6 hours):
0 */6 * * * sg <web-group> -c "PATH=$PATH:/home/<you>/.cargo/bin TMPDIR=/mnt-build/tmp BUILDAH_TMPDIR=/mnt-build/tmp /usr/bin/python3 /path/to/build-host/himmelblau-auto-build.py --publish-dir=/srv/repos/himmelblau >> /var/log/himmelblau-build.log 2>&1"sg <web-group>: ensures files land with a group your web server can read.- Make sure
PATHincludes~/.cargo/bin. - Use big
TMPDIR/BUILDAH_TMPDIRfor speed. - Log stdout/stderr and rotate the log.
Prefer systemd timers? Mirror the env/command in a
*.service+*.timer.
Permission denied writing to publish dir
-
Ensure the cron user can write. Use a shared group and
sg <group>, or set ACLs:setfacl -Rm g:<web-group>:rwx /srv/repos/himmelblau setfacl -Rm d:g:<web-group>:rwx /srv/repos/himmelblau
apt-ftparchive missing / wrong version
- Re-run
maketo (re)build the helper image; the driver calls it viapodman.
Works manually, fails in cron
- Cron has a minimal environment. Export
PATH,TMPDIR, andBUILDAH_TMPDIRexplicitly in the job line (see above).
Disk fills unexpectedly
- Move containers & the Himmelblau repo to the big disk (see “Recommended storage layout”) and prune unused images/containers.
Can I use Apache or another web server? Yes—anything that serves static files is fine.
How often should the job run? Every 6–12 hours is typical for community builds. Tune to your update cadence.
Do I need GPG signing? Optional for community testing. If you enable it, serve the public key and ensure the build user can access the private key.
Kick a one-off build using the big disk:
PATH=$PATH:$HOME/.cargo/bin \
TMPDIR=/mnt-build/tmp BUILDAH_TMPDIR=/mnt-build/tmp \
python3 /path/to/build-host/himmelblau-auto-build.py \
--publish-dir=/srv/repos/himmelblauOne-time workspace setup on the big disk:
sudo mkdir -p /mnt-build/{containers,containers-run,src,tmp}
sudo chown -R "$USER":"$USER" /mnt-build
# Update container storage (edit ~/.config/containers/storage.conf):
# runroot = "/mnt-build/containers-run/<user>"
# graphroot = "/mnt-build/containers/<user>"
cd /mnt-build/src
git clone https://github.com/himmelblau-idm/himmelblau.git