# Architecture

## System Overview
```
Subscriber
    │
    ▼
Traefik (TLS termination, forwardAuth, routing)
    │
    ├── /rpm/ → nginx (RPM repodata + packages)
    ├── /deb/ → nginx → Aptly (signed DEB snapshots)
    ├── /oci/ → Zot (OCI registry, cosign signatures)
    ├── /gpg/ → nginx (public keys — unauthenticated)
    └── /api/ → auth service (admin API, internal :8088)
    │
    └── auth service (forwardAuth + key management)
          │
          └── SQLite (subscription key store)
```

Promotion pipeline (GitHub Actions):

```
RustFS (staging) → sign → publish → rpm/deb/zot
```
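To make the forwardAuth hop concrete, here is an added example (not the project's own `auth/` code) of the handler contract Traefik relies on: the middleware forwards each subscriber request to the auth service, a 2xx response lets it through to nginx or Zot, anything else is returned to the subscriber. The in-memory map stands in for the SQLite key store, and the `Authorization: Bearer <key>` transport, the hashed storage and the listening port are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"log"
	"net/http"
	"strings"
)

// KeyStore is what the forwardAuth handler needs from the subscription key
// store. The project uses SQLite; this example uses an in-memory map instead.
type KeyStore interface {
	LookupHash(hash string) bool // true if the digest belongs to an active key
}

type memStore map[string]bool
func (m memStore) LookupHash(h string) bool { return m[h] }

// hashKey: only a SHA-256 digest is stored, so a copied DB does not leak raw keys.
func hashKey(key string) string {
	sum := sha256.Sum256([]byte(key))
	return hex.EncodeToString(sum[:])
}

// forwardAuthHandler implements the Traefik forwardAuth contract: any 2xx lets
// the original request through, anything else is returned to the subscriber.
// Key transport as "Authorization: Bearer <key>" is an assumption of this example.
func forwardAuthHandler(store KeyStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="repo"`)
			http.Error(w, "missing subscription key", http.StatusUnauthorized)
			return
		}
		key := strings.TrimSpace(strings.TrimPrefix(auth, prefix))
		if key == "" || !store.LookupHash(hashKey(key)) {
			http.Error(w, "invalid subscription key", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK) // Traefik now forwards the request upstream
	})
}

func main() { // constructed sample key; listening port is an assumption
	store := memStore{hashKey("sub-key-123"): true}
	log.Fatal(http.ListenAndServe(":8080", forwardAuthHandler(store)))
}
```

The `/gpg/` route is the one path that must not carry this middleware, since subscribers need the public keys before they can verify anything.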
## Services

| Service | Image | Role |
|---|---|---|
| traefik | traefik:3.6.12 | TLS, routing, forwardAuth middleware |
| auth | built from ./auth | Subscription key validation, admin API, Prometheus metrics |
| rpm | built from ./rpm | nginx serving signed RPM repos |
| deb | nginx:alpine | nginx serving Aptly-published DEB repos |
| zot | ghcr.io/project-zot/zot-linux-amd64:v2.1.2 | OCI registry with cosign signatures |
| aptly | ghcr.io/no42-org/packyard-aptly:1.6.2 | DEB repo management and signing (multi-arch: amd64 + arm64) |
| rustfs | rustfs/rustfs:latest | S3-compatible staging storage for promotion pipeline |
| static | nginx:alpine | Public GPG/cosign key hosting |
| backup | keinos/sqlite3:latest | Daily SQLite backup of the key store |
## Repository Layout

```
auth/               Go service — subscription key auth + admin API
aptly/              Aptly configuration and DEB repo scripts
deb/                nginx configuration for DEB serving
rpm/                nginx + createrepo_c for RPM serving
zot/                Zot OCI registry configuration
traefik/            Traefik static and dynamic configuration
rustfs/             RustFS staging storage configuration
static/             Public static files (GPG/cosign keys)
scripts/            Operator scripts (backup, stage-artifact, health-check)
docs/ops/           Operational runbooks
tests/e2e/          End-to-end subscriber tests (RPM, DEB, OCI, observability)
tests/load/         k6 load tests for NFR validation
.github/workflows/  Promotion pipeline (RPM, DEB, OCI)
```