Self-hosted package distribution for the LTS releases you ship.
Packyard serves RPM, DEB, and OCI artefacts behind subscription-key auth. One docker-compose stack — Traefik, a Go forward-auth service, nginx, Zot, Aptly, RustFS — with a GitHub Actions promotion pipeline that signs and publishes from CI.
quick start
stand up the stack on a docker compose host

    git clone https://github.com/no42-org/packyard.git
    cd packyard
    docker compose \
      -f compose.yml \
      -f compose.override.ci.yml \
      up -d
    curl -X POST http://localhost:8080/api/v1/keys \
      -H 'Content-Type: application/json' \
      -d '{"component":"core","label":"dev-key"}'

what's in the box
six pillars
One server, three repository formats. dnf, apt, and docker pull all hit the same Traefik front door with subscription-key auth.
Per-subscriber keys scoped per-component. Traefik forwardAuth middleware calls the Go auth service before every request — no client cert dance.
GPG signs RPM and DEB indices; cosign signs OCI manifests. Public keys served unauthenticated at /gpg for client-side verification.
GitHub Actions stage artefacts to RustFS (S3-compatible), sign them, then publish to the rpm / deb / oci backends in one workflow.
Prometheus metrics on the auth service, structured admin API with Code + Message error responses, daily SQLite backup of the key store.
docker compose v2 stack — Traefik, auth, nginx, Zot, Aptly, RustFS. No SaaS dependency, no per-subscriber licensing meter.
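The per-component key check behind Traefik forwardAuth, sketched as an added example; this is not Packyard's auth service code. Assumptions: the subscription key arrives as the HTTP Basic password, URLs follow /<format>/<component>/..., and the names keyStore, hashKey, componentOf and authorize are hypothetical. X-Forwarded-Uri is the header Traefik's forwardAuth sets to the original request URI.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// keyStore maps hex(SHA-256(key)) to the single component that key may read.
type keyStore map[string]string

func hashKey(k string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(k))) }

// componentOf reads <component> from /<format>/<component>/<file...> (assumed layout).
// Decoding and cleaning first stops "../" or "%2e%2e" from hiding the real target.
func componentOf(forwardedURI string) string {
	u, err := url.ParseRequestURI(forwardedURI)
	if err != nil {
		return ""
	}
	if parts := strings.Split(path.Clean(u.Path), "/"); len(parts) >= 4 {
		return parts[2] // parts[0] is the empty string before the leading slash
	}
	return ""
}

// authorize returns the status Traefik acts on: 2xx lets the original request
// through to the backend, any other status is sent back to the client.
func (ks keyStore) authorize(r *http.Request) int {
	_, key, ok := r.BasicAuth() // assumption: key travels as the Basic-auth password
	scope, known := ks[hashKey(key)]
	if !ok || !known {
		return http.StatusUnauthorized
	}
	if c := componentOf(r.Header.Get("X-Forwarded-Uri")); c == "" || c != scope {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	ks := keyStore{hashKey("constructed-dev-key"): "core"} // constructed sample key
	r, _ := http.NewRequest("GET", "http://auth.internal/verify", nil)
	r.SetBasicAuth("subscriber", "constructed-dev-key")
	r.Header.Set("X-Forwarded-Uri", "/rpm/core/%2e%2e/extras/repodata/repomd.xml")
	fmt.Println(ks.authorize(r)) // traversal into another component is refused
}
```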
documentation map
jump in
Stand up the stack locally and run your first authenticated request.
Deploy in production, promote releases, restore the keystore, plan manual tests.
Architecture, admin API, configuration, subscriber integration, promotion pipeline.
Run your own authenticated package mirror.
GPL-3.0. No SaaS, no per-subscriber meter. A docker-compose stack and a CI workflow you read end-to-end in an afternoon.