How to set up a private APT repository
A private APT repository lets you control exactly which Debian and Ubuntu packages reach your servers — with signing, versioning, and (optionally) CVE screening built in. This guide covers your options and shows you the fastest path to a production-ready setup.
Why you need a private APT repository
The default apt-get install fetches packages directly from public Debian or Ubuntu mirrors.
This is convenient, but it creates several problems for infrastructure teams:
- No version control. A package that worked in staging may differ from what ships to production tomorrow. Public mirrors update continuously.
- No vulnerability gate. A package with a critical CVE is served the same way as a clean one. There is no mechanism to block vulnerable versions.
- No audit trail. You cannot prove what was installed, on which server, at what time. This is a hard requirement for NIS2 Article 21 and ISO 27001.
- Air-gap incompatibility. Servers in isolated networks cannot reach public mirrors. A private repository solves this without per-package workarounds.
Your options compared
Best for: Security-focused teams, NIS2 compliance
- +Built-in CVE scanning + EPSS + CISA KEV
- +CISO approval workflow
- +Single Docker Compose deploy
- +GPG auto-signing
- +Full audit trail
- +NIS2 compliance mode
- −DEB, RPM & APK only — no Maven/npm
Best for: Multi-format repos (Maven, npm, APT…)
- +Universal format support
- +Large ecosystem
- +LDAP integration
- −No built-in CVE scanning
- −Heavy JVM deployment
- −No NIS2 mode
Best for: Simple mirroring, no UI needed
- +Lightweight, no dependencies
- +Scriptable
- +Battle-tested
- −CLI only, no web UI
- −No CVE scanning
- −No access control
- −Manual key management
Best for: Snapshot-based workflows
- +Snapshot model for immutable releases
- +CLI-driven
- +Good mirroring
- −Maintenance mode since 2023
- −No CVE scanning
- −No web UI
- −No audit trail
Quick start with RepoD
RepoD Community Edition is the fastest path to a production-grade private APT repository with GPG signing and CVE scanning. You need Docker and Docker Compose — nothing else.
# 1. Get the code and create the configuration files
git clone https://github.com/getautoflow/repod.git
cd repod
cp .env.example .env
cp backend.env.example backend.env
# Edit backend.env: set JWT_SECRET_KEY and ADMIN_PASSWORD_HASH

# 2. Start the stack
docker compose up -d
# Wait ~30 seconds for ClamAV to initialise
# Web UI:   http://localhost:3103
# APT repo: http://localhost:8180
# API:      http://localhost:8100

# 3. On each client: import the repository signing key into a dedicated keyring
curl -fsSL http://your-repod-host/repos/depot.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/repod.gpg

# 4. Register the repository (apt sources entries must be a single line; no backslash continuation)
# /etc/apt/sources.list.d/repod.list
deb [arch=amd64 signed-by=/usr/share/keyrings/repod.gpg] http://your-repod-host/repos jammy main

# 5. Upload a package via the API
curl -X POST http://localhost:8100/upload/ \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@./mypackage_1.0_amd64.deb" \
  -F "distribution=jammy"
# Or drag & drop in the web UI
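The client steps above fetch the signing key from the repository host and trust whatever comes back. The script below is an added example (not part of RepoD or this guide) that pins the key to a fingerprint obtained out of band, refuses to write the keyring if it does not match, and renders the single-line sources entry with signed-by bound to that keyring. The URL layout (/repos/depot.gpg, suite jammy, component main) follows the quick start; the PINNED_FINGERPRINT value, the use of HTTPS and the helper names are assumptions.

```python
"""Client-side trust bootstrap for a signed APT repository.

Added example, not RepoD's code. Assumes the quick-start layout (signing key
served at /repos/depot.gpg, suite "jammy", component "main") and an
operator-supplied pinned fingerprint; gpg and apt behaviour is standard.
"""
import re
import subprocess
import sys
import urllib.request
from pathlib import Path

# Constructed placeholder: replace with the fingerprint you obtained out of
# band (e.g. read from the RepoD web UI over HTTPS, or from whoever created
# the key). A key fetched over plain HTTP is only trustworthy once it is
# checked against a value that did not travel over the same channel.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"


def parse_fingerprints(colons_output: str) -> list[str]:
    """Extract primary-key fingerprints from `gpg --with-colons` output.

    An 'fpr' record that directly follows a 'pub' record is the primary key;
    'fpr' records after 'sub' belong to subkeys and are deliberately ignored,
    so a pin on the primary fingerprint cannot be satisfied by a subkey.
    """
    fprs: list[str] = []
    last = None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub":
            fprs.append(fields[9].upper())   # field 10 carries the fingerprint
            last = None
    return fprs


def key_is_pinned(colons_output: str, expected: str) -> bool:
    """True if the expected fingerprint (spaces allowed) is a primary key."""
    expected = re.sub(r"\s+", "", expected).upper()
    return expected in parse_fingerprints(colons_output)


def sources_entry(host: str, suite: str, components: list[str],
                  keyring: str, arch: str = "amd64",
                  scheme: str = "https") -> str:
    """Render a one-line apt sources entry bound to a specific keyring."""
    return (f"deb [arch={arch} signed-by={keyring}] "
            f"{scheme}://{host}/repos {suite} {' '.join(components)}")


def fetch_and_verify(url: str, keyring: Path) -> None:
    """Download the key, dearmor it, check the pin, then write the keyring."""
    raw = urllib.request.urlopen(url, timeout=30).read()
    # gpg --dearmor accepts armored or binary input and emits a binary keyring
    dearmored = subprocess.run(["gpg", "--dearmor"], input=raw,
                               capture_output=True, check=True).stdout
    shown = subprocess.run(["gpg", "--with-colons", "--show-keys"],
                           input=dearmored, capture_output=True,
                           check=True).stdout.decode()
    if not key_is_pinned(shown, PINNED_FINGERPRINT):
        sys.exit(f"refusing to trust key: primary fingerprints "
                 f"{parse_fingerprints(shown)} do not match pinned "
                 f"{PINNED_FINGERPRINT}")
    keyring.write_bytes(dearmored)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "your-repod-host"
    keyring = Path("/usr/share/keyrings/repod.gpg")
    fetch_and_verify(f"https://{host}/repos/depot.gpg", keyring)
    Path("/etc/apt/sources.list.d/repod.list").write_text(
        sources_entry(host, "jammy", ["main"], str(keyring)) + "\n")
```

Run it as root on a client (`python3 bootstrap.py your-repod-host`) after replacing PINNED_FINGERPRINT. Keeping the key in its own keyring under /usr/share/keyrings and referencing it with signed-by means this key can only authenticate this repository, not every source on the machine.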
Supported distributions
RepoD supports four APT distributions out of the box:
- jammy
- noble
- focal
- bookworm
Need custom distributions? Edit the reprepro configuration; see the documentation.
Security features
Every package uploaded to RepoD passes through an automatic security pipeline before it can be installed by any client:
1. ClamAV scans the binary for malware
2. Grype checks all package contents against the NVD CVE database
3. EPSS scores are fetched from FIRST.org (probability of exploitation in 30 days)
4. CISA KEV catalogue is cross-referenced to flag actively exploited vulnerabilities
5. Enterprise: CISO must approve before the package is promoted to a distribution
6. GPG signature is applied automatically using the repository key
7. All events are logged to an immutable audit trail
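To make the gating step concrete, here is an added example (constructed, not RepoD's code) of a promotion policy that combines the three signals the pipeline above describes: Grype findings, EPSS probabilities and CISA KEV membership. It parses the shape of a Grype JSON report, looks each CVE up in an EPSS table and a KEV set, and returns block, needs-approval or allow with the reasons. The sample report, the CVE identifiers (CVE-EXAMPLE-…), the EPSS values and the thresholds are all made up for illustration; an operator would tune the thresholds to their own risk appetite.

```python
"""Promotion gate over scan results: block / needs-approval / allow.

Added example modelled on the pipeline in this guide; not RepoD's code.
The Grype report shape (matches[].vulnerability.id/severity/fix.versions,
matches[].artifact.name) matches Grype's JSON output; all values below are
constructed, and the thresholds are assumptions.
"""
import json
from dataclasses import dataclass, field

RANK = {"allow": 0, "needs-approval": 1, "block": 2}
EPSS_BLOCK = 0.5    # assumed: >= 50% chance of exploitation in 30 days blocks
EPSS_REVIEW = 0.1   # assumed: >= 10% forces human (CISO) approval


@dataclass
class Finding:
    cve: str
    package: str
    severity: str        # Grype severities: Negligible/Low/Medium/High/Critical
    fix_available: bool


@dataclass
class Decision:
    verdict: str = "allow"
    reasons: list = field(default_factory=list)

    def escalate(self, verdict: str, reason: str) -> None:
        """Raise the verdict monotonically; never downgrade a prior finding."""
        if RANK[verdict] > RANK[self.verdict]:
            self.verdict = verdict
        self.reasons.append(reason)


def parse_grype(report: str) -> list:
    """Flatten a Grype JSON report into Finding records."""
    findings = []
    for m in json.loads(report).get("matches", []):
        v = m["vulnerability"]
        findings.append(Finding(
            cve=v["id"],
            package=m["artifact"]["name"],
            severity=v.get("severity", "Unknown"),
            fix_available=bool(v.get("fix", {}).get("versions")),
        ))
    return findings


def evaluate(findings: list, epss: dict, kev: set,
             malware_detected: bool = False) -> Decision:
    """Apply the policy: malware and KEV always block; Critical or very
    likely-to-be-exploited CVEs block; High or moderately likely CVEs need
    approval; everything else is allowed (but still recorded as a reason)."""
    d = Decision()
    if malware_detected:
        d.escalate("block", "ClamAV reported malware in the package binary")
        return d
    for f in findings:
        p = epss.get(f.cve, 0.0)
        tag = f"{f.cve} in {f.package} ({f.severity}, EPSS {p:.2f}, " \
              f"fix {'available' if f.fix_available else 'unavailable'})"
        if f.cve in kev:
            d.escalate("block", f"{tag}: listed in CISA KEV")
        elif f.severity == "Critical" or p >= EPSS_BLOCK:
            d.escalate("block", f"{tag}: critical or likely exploited")
        elif f.severity == "High" or p >= EPSS_REVIEW:
            d.escalate("needs-approval", f"{tag}: requires CISO approval")
        else:
            d.reasons.append(f"{tag}: below thresholds")
    return d


# Constructed sample inputs (not real scan output)
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High",
                       "fix": {"versions": ["1.2.3-1"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.2-1"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.2-1"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                       "fix": {"versions": ["0.9-2"], "state": "fixed"}},
     "artifact": {"name": "exampletool", "version": "0.9-1"}},
]})
SAMPLE_EPSS = {"CVE-EXAMPLE-0001": 0.04, "CVE-EXAMPLE-0002": 0.02,
               "CVE-EXAMPLE-0003": 0.01}
SAMPLE_KEV = {"CVE-EXAMPLE-0003"}   # a Low-severity CVE that is actively exploited

if __name__ == "__main__":
    decision = evaluate(parse_grype(SAMPLE_REPORT), SAMPLE_EPSS, SAMPLE_KEV)
    print(decision.verdict)
    for r in decision.reasons:
        print(" -", r)
```

The point the sample makes is that severity alone is not the gate: CVE-EXAMPLE-0003 is only Low, yet KEV membership blocks the package, while the High finding on its own would merely route it to approval.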