How to Setup a Private Composer Satis Package Server

Assumptions

This how-to assumes that you are using Ubuntu 14.04

Contents

User Setup

You will need to enter passwords for both of these users.

adduser admin_user_name_of_your_choice
adduser composer
visudo

Add the following lines to visudo:

admin_user_name_of_your_choice ALL=(ALL:ALL) ALL

SSH

Create an authorized keys file then move it to the ~/.ssh/ directory.

Set Permissions SSH Directory

chown -R example_user:example_user ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
service ssh restart

Set Permissions SSH Directory

chown -R example_user:example_user ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
service ssh restart

Change sshd_config

  1. Open /etc/ssh/sshd_config in your favorite text editor
  2. Change the following lines to these values:
PermitRootLogin no
PasswordAuthentication no
Port 20000

You can change the port number to whatever you would like to use.

Installations

Note: you will need root permissions in order to perform these installations. You will need to either prepend sudo to these commands or sudo su.

apt-get update
apt-get upgrade

Apache and PHP

 apt-get install apache2
 apt-get install apache2-utils # needed for htpasswd
 apt-get install php5 libapache2-mod-php5 php5-mcrypt php5-cli php5-cgi

Firewall

apt-get install ufw # should be there already

Git

 add-apt-repository ppa:git-core/ppa
 apt-get update
 apt-get install git

Composer

curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer

Configure Apache

Enable Site

a2dissite 000-default.conf
cd /etc/apache2/sites-available
cp default-ssl.conf default-ssl.conf.back
a2ensite default-ssl.conf

SSL

Install and Enable SSL

apt-get install openssl
mkdir /etc/ssl/localcerts
a2enmod ssl
service apache2 restart

Create SSL Key

openssl req -new -x509 -sha256 -days 30000 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
chmod 600 /etc/ssl/localcerts/apache*

Make Password File

The password file is used when client is downloading the packages.

htpasswd -c /etc/apache2/passwords username

Change Apache SSL Conf

Make appropriate changes or additions. File was created via cp of /var/etc/sites-available/default-ssl.conf


ServerAdmin me@example.com
ServerName example.com
DocumentRoot /var/www

SSLCertificateFile     /etc/ssl/localcerts/apache.pem
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key

DocumentRoot /var/www/
<Directory "/var/www/">
        SSLOptions +StdEnvVars
        AuthType Basic
        AuthName "Restricted Files"
        # (Following line optional)
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwords
        Require valid-user
        Options Indexes FollowSymLinks
</Directory>

SFTP Jail

Modify /etc/ssh/sshd_config

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Set Permissions on Composer User Directory

addgroup --system filetransfer
usermod -G filetransfer composer
chown root:root /home/composer
chmod 755 /home/composer
chmod 600 /home/composer/.ssh/authorized_keys
chmod 700 /home/composer/.ssh

Writeable Directory

cd /home/composer
mkdir packages
chown -R composer:filetransfer /home/composer

Setup Satis

Install Satis


cd /home/composer
composer create-project composer/satis --stability=dev --keep-vcs

Create statis.json


cd /home/composer
nano satis.json

statis.json Content


{
    "name": "Private Repos",
    "homepage": "https://username:password@example.com",
    "repositories": [
        { "type": "vcs", "url": "git@bitbucket.org:username/repo.git"
        }
    ],
    "require-all": true,
    "archive": {
        "directory": "dist",
        "skip-dev": true,
        "prefix-url": "https://username:password@example.com"
    },
    "require-dependencies": true,
    "require-dev-dependencies": true
}

Run Satis Build


php /home/composer/satis/bin/satis build /home/composer/satis.json /home/composer/
chown -R composer:filetransfer /home/composer/*

Files have to have the filetransfer group applied to them. May need to also set perms via chmod.

Must be done after the satis build!


ln -s /home/composer/dist/ /var/www/dist

FireWall


ufw default deny incoming
ufw default allow outgoing
ufw allow 20000/tcp
ufw allow https

ufw enable
ufw status verbose

Set Hostname

Set to your desired hostname


nano /etc/hostname

SSH keys for private repos

Put them in /root/.ssh and set the appropriate permissions.



Written on January 28, 2015