
johannesst/rebuilderd-setup-tutorial

How to set up your own rebuilderd on Debian Trixie

This repository contains sample config files and documentation on how to set up your own instance of rebuilderd. The end result will be something similar to reproduce.debian.net or reproduce.algiz.nu, but only for Debian Trixie and your architecture. It was tested with three Debian Trixie VMs (one main/control node, two workers) under ProxmoxVE 9.0, but should also work for Debian Forky and Unstable on any virtualization or cloud platform.

If you wonder what's the point of this I will quote reproduce.debian.net:

We want more and independent rebuilders Do you have hardware idling? Because, for sure, Debian rebuilding Debian is superb and it's something we've been working on for years! Yet we still want more: we also want independent rebuilders, and we want them in a diverse variety of setups and settings...! And then we'll want anyone to be able to act on this data too... Oh, and in case you are wondering why we are doing this, then hopefully the Reproducible Builds website will explain why this is useful.

The config files were mainly taken from Debian's GitLab instance, which holds the configuration used for reproduce.debian.net:
(https://salsa.debian.org/qa/jenkins.debian.net/-/tree/master/hosts/osuosl5-amd64/etc/rebuilderd?ref_type=heads )
Since it uses a lot of different nodes and workers to build for different architectures and Debian releases, that setup is not really suitable for a homelab or home user who just wants to reproduce their own release. So I "stole" from the GitLab for my own setup, tweaked it for my needs and replicate it here ;) The result is a rebuilderd instance that targets Debian Trixie packages of the main suite for the architectures amd64 and all.

Contact me ( @johannesst ) if you have any questions, or join the #debian-reproducible IRC channel on OFTC.

Hardware Requirements / Node planning

Before I started I asked in the #debian-reproducible IRC channel for recommendations. They were as follows:

  • If you want to have everything on one node, have at least 2-4 CPU cores, 16 GB RAM (64 GB recommended) and 1 TB of disc storage
  • If you want to split across different nodes, something like 16 GB RAM and 150-200 GB disc space per node should do
  • Real-world examples:
    • reproduce.debian.net eight workers plus rebuilderd 64 GB RAM
    • The Arch Linux instance runs with 4 GB RAM and one vCPU

VM setup

We will create three VMs from the latest cloud-init image debian-13-generic-amd64.qcow2 from cloud.debian.org. Configure cloud-init to your preference; you will at least need to configure your login data (user, password, SSH keys). The default image results in a quite small root disc (around 3 GB); resize it to 15 GB to have some headroom. Also add the following virtual hardware:

  • One 5 GB disc as storage for rebuilderd's data dir /srv/rebuilderd (REBUILDERD_DATA_DISK). Can be reduced to 1 GB or omitted on worker nodes
  • One 120 GB disc for the rebuilderd worker cache (REBUILDERD_CACHE_DISK). Can be omitted on the main node if you don't want to run a worker on it
  • One 100 GB disc as swap storage (SWAP_DISK)

The benefit of this approach is that you can tell your virtualization platform that you only need a backup of your root disc and the rebuilderd database storage. Since the swap disc and the cache storage are on separate virtual discs, they can be omitted from the backup job (there is no point in backing up temporary data) to save backup space. We will also set up a 100 GB RAM disc (tmpfs) as storage for temporary files. Most builds will then just keep their temporary data in RAM; only the larger builds will spill over into swap space.

Setup of all nodes

  • Boot your vm, do everything else as root user or with sudo
  • If you use KVM as hypervisor (ProxmoxVE, virt-manager, vserver) install the qemu guest tools:
    apt install qemu-guest-agent
  • Install the dependencies and the build toolchain
    apt install pkg-config liblzma-dev libsqlite3-dev libzstd-dev cargo make scdoc sqlite3 devscripts sbuild mmdebstrap uidmap diffoscope-minimal
  • Create system user for the rebuilderd services:
    # Create rebuilderd system user and group
    adduser --system  --group   --home /var/lib/rebuilderd --uid 212  rebuilderd
    # Create subuids and subgids, otherwise sbuild (and thus rebuilderd) won't work:
    usermod --add-subuids 100000-165535 --add-subgids 100000-165535 rebuilderd
    
  • Create swap partition and filesystems:
    mkfs.ext4 /dev/REBUILDERD_DATA_DISK
    mkfs.ext4 /dev/REBUILDERD_CACHE_DISK
    mkswap /dev/SWAP_DISK
    
  • Edit /etc/fstab to contain the following entries. The UUIDs are the ones printed by the mkfs.ext4 and mkswap commands; alternatively you can query them with blkid /dev/device.
    UUID=UUID_REBUILDERD_DATA_DISK /srv/rebuilderd ext4 defaults 0  2
    UUID=UUID_REBUILDERD_CACHE_DISK /srv/rebuilderd/cache ext4 defaults,discard 0 2
    UUID=UUID_SWAP_DISK swap swap defaults,discard 0 0
    tmpfs /srv/rebuilderd/tmp tmpfs defaults,uid=212,gid=212,mode=1777,size=100g,nr_inodes=1m 0 0
    
  • Run systemctl daemon-reload so systemd can reload the fstab
  • Activate swap:
     swapon -a
     swapon -s
     Filename				Type		Size		Used		Priority
     /dev/sdb                                partition	104857596	23508 -2
    
  • Mount rebuilderd data disc, create directories for the cache storage and tmp-files-ramdisc:
    mount /srv/rebuilderd
    # Create mount points
    mkdir /srv/rebuilderd/tmp /srv/rebuilderd/cache
    # Change owner to the system user we will use later
    chown -R rebuilderd:rebuilderd /srv/rebuilderd
    # Mount everything and check that it is now available
    mount -a
    # Note that the numbers might be different, depending on your setup
    df -h|grep /srv/rebuilderd
    /dev/sdd        4.9G   8K   4.9G    0% /srv/rebuilderd
    tmpfs           100G   8K   100G    0% /srv/rebuilderd/tmp
    /dev/sda        118G   8K   118G    0% /srv/rebuilderd/cache
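
A lint for the fstab entries from this section, as an added example that is not part of the original tutorial. It catches copy-paste slips such as one UUID used for two mount points or a placeholder left in place; the function name and the constructed sample UUIDs are made up, while the mount points and uid/gid 212 are the ones used above.

```shell
#!/bin/sh
# Added example: lint the rebuilderd entries of an fstab file before running mount -a.
# Assumptions: mount points and uid/gid 212 exactly as used in this tutorial.

check_rebuilderd_fstab() {
    awk -v id=212 '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { dev[$2] = $1; type[$2] = $3; opts[$2] = "," $4 ","; pos[$2] = NR }
        function bad(msg) { print "fstab: " msg; rc = 1 }
        END {
            d = "/srv/rebuilderd"; c = d "/cache"; t = d "/tmp"
            if (!(d in dev)) bad("no entry for " d)
            if (!(c in dev)) bad("no entry for " c)
            if (!(t in dev)) bad("no entry for " t)
            # Same source on two mount points: the cache would land on the data disc.
            if ((d in dev) && (c in dev) && dev[d] == dev[c])
                bad(d " and " c " share the source " dev[d])
            # mount -a works top to bottom, so the parent must be listed first.
            if ((d in dev) && (c in dev) && pos[c] < pos[d]) bad(c " is listed before " d)
            if ((d in dev) && (t in dev) && pos[t] < pos[d]) bad(t " is listed before " d)
            for (m in dev)
                if (dev[m] ~ /^UUID=UUID_/) bad(m ": placeholder UUID not replaced")
            if (t in dev) {
                if (type[t] != "tmpfs") bad(t " is not a tmpfs")
                if (index(opts[t], ",uid=" id ",") == 0 || index(opts[t], ",gid=" id ",") == 0)
                    bad(t " is not owned by uid/gid " id)
            }
            exit rc
        }' "$1"
}

# Constructed sample with made-up UUIDs, laid out like the entries above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
UUID=11111111-aaaa-4aaa-8aaa-111111111111 /srv/rebuilderd ext4 defaults 0 2
UUID=22222222-bbbb-4bbb-8bbb-222222222222 /srv/rebuilderd/cache ext4 defaults,discard 0 2
tmpfs /srv/rebuilderd/tmp tmpfs defaults,uid=212,gid=212,mode=1777,size=100g,nr_inodes=1m 0 0
EOF
if check_rebuilderd_fstab "$sample"; then echo "fstab layout OK"; fi
```

On a node, call check_rebuilderd_fstab /etc/fstab after editing the file and before mount -a.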

Optional: Add a zramswap disc to reduce swap usage

zramswap allows using part of your memory as compressed swap. It can be used beside your regular swap, but will be preferred as long as enough memory is available. The result is that /srv/rebuilderd/tmp will normally live in your regular RAM; if this is not sufficient, the compressed RAM disc will be used. Your regular swap device will then only be used as a last resort. The effect is that in most cases the build will happen completely in your RAM, at the cost of additional CPU load for compression:

apt install zram-tools
# If you want to use more than 50% of your system memory
$EDITOR /etc/default/zramswap
systemctl reload zramswap
sudo zramswap status
NAME       ALGORITHM DISKSIZE   DATA  COMPR  TOTAL STREAMS MOUNTPOINT
/dev/zram0 lz4             7G 267.4M 169.5M 176.3M       6 [SWAP]
sudo swapon -s
Filename				Type		Size		Used		Priority
/dev/sdb                                partition	104857596	22256		-2
/dev/zram0                              partition	7295028		274208		100

Read (https://wiki.debian.org/ZRam#zram-tools) and (https://wiki.archlinux.org/title/Zram) for more information

Build and install rebuilderd

  • Read the official README at github
  • # Checkout current source to your homedir as non-root-user
    git clone https://github.com/kpcyrd/rebuilderd/
    cd rebuilderd
    # change to latest release tag e.g. v0.25.0
    git checkout v0.25.0
    # build and install to /opt/rebuilderd
    make
    sudo make DESTDIR=/opt/rebuilderd install
    

Configure rebuilderd nodes

The setup consists of multiple steps:

  • Configuring rebuilderd systemd services
  • Configuring nginx as reverse proxy for https access
  • Starting the services

The needed config files are in the etc directory in this repo.

Configuring system services

  • Copy the files from etc/systemd/system to /etc/systemd/system on your vms
  • Copy the files from etc/rebuilderd to /etc/rebuilderd on your vms
  • The workers need a "signup_secret" to connect to the main service:
    # pwgen is not part of the packages installed earlier
    apt install pwgen
    SIGNUP_SECRET=$(pwgen -1s 32)
    echo "$SIGNUP_SECRET" # Note this down for the worker nodes
    sed -i 's/#signup_secret = "INSECURE"/signup_secret = "'"$SIGNUP_SECRET"'"/' /etc/rebuilderd/rebuilderd.conf  /etc/rebuilderd/rebuilderd-worker.conf
    sed -i 's/REBUILDERD-MAIN-NODE.YOUR.DOMAIN/YOUR_ACTUAL_MAIN_NODE_FQDN/g'  /etc/rebuilderd/rebuilderd-worker.conf
    
  • The sample config files assume a working reverse proxy config, edit /etc/rebuilderd/rebuilderd.conf and /etc/rebuilderd/rebuilderd-worker.conf if you want to change your setup to a http- or localhost-only setup
  • Copy the resulting config files to all your worker nodes
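
A pre-deployment audit of the signup_secret handling described in this section, as an added example that is not part of the original tutorial or of rebuilderd. The function names, the 32-character minimum and the suggested mode 640 are assumptions made here; the line format and the placeholder strings are the ones used by the sed commands above, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: pre-deployment audit of signup_secret in rebuilderd config files.
# Assumption: the line format signup_secret = "..." used by the sed commands above.

# 128 bits from the kernel CSPRNG as 32 hex characters (works without pwgen).
gen_signup_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the active (uncommented) signup_secret value of a config file, if any.
get_signup_secret() {
    sed -n 's/^[[:space:]]*signup_secret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if the file is fit to deploy; otherwise print each finding and return 1.
check_conf() {
    conf=$1; rc=0
    secret=$(get_signup_secret "$conf")
    if [ -z "$secret" ]; then
        echo "$conf: signup_secret is unset or still commented out"; rc=1
    elif [ "$secret" = "INSECURE" ]; then
        echo "$conf: signup_secret is still the sample value"; rc=1
    elif [ "${#secret}" -lt 32 ]; then
        echo "$conf: signup_secret is shorter than 32 characters"; rc=1
    fi
    # Anyone who can read the secret can register a worker: no world read bit.
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "$conf: world-readable, tighten the mode (for example chmod 640)"; rc=1
    fi
    if grep -qF 'REBUILDERD-MAIN-NODE.YOUR.DOMAIN' "$conf"; then
        echo "$conf: placeholder host name was not replaced"; rc=1
    fi
    return "$rc"
}

# A worker can only sign up if its secret equals the one on the main node.
secrets_match() {
    [ "$(get_signup_secret "$1")" = "$(get_signup_secret "$2")" ]
}

# Constructed sample files: an untouched sample line and a configured one.
demo_dir=$(mktemp -d)
printf '#signup_secret = "INSECURE"\n' > "$demo_dir/sample.conf"
printf 'signup_secret = "%s"\n' "$(gen_signup_secret)" > "$demo_dir/fixed.conf"
chmod 640 "$demo_dir/fixed.conf"
check_conf "$demo_dir/sample.conf" || echo "sample.conf: rejected"
if check_conf "$demo_dir/fixed.conf"; then echo "fixed.conf: accepted"; fi
```

Run check_conf against /etc/rebuilderd/rebuilderd.conf and /etc/rebuilderd/rebuilderd-worker.conf before copying them to the workers, and secrets_match on the pair.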

Configuring nginx as reverse proxy for https access

We will use nginx as a reverse proxy for rebuilderd and also to serve the statistics pages. For the TLS certificates we use Let's Encrypt with acme.sh.

Install and setup acme.sh

# Install nginx (otherwise we will get an error at the install-cert step)
apt install nginx

# Add acme.sh system user
sudo adduser --system  --group   --home /opt/acme   acme
# Copy etc/sudoers.d/80-acme-reload-nginx to /etc/sudoers.d/80-acme-reload-nginx on the main node, afterwards ensure that permissions and owner are ok 
chown root:root /etc/sudoers.d/80-acme-reload-nginx
chmod 600 /etc/sudoers.d/80-acme-reload-nginx
visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/80-acme-reload-nginx: parsed OK
/etc/sudoers.d/90-cloud-init-users: parsed OK
/etc/sudoers.d/README: parsed OK
# Install a cron daemon (needed by acme.sh) of your choice
apt install systemd-cron # or cron cronie
# Switch to acme user 
sudo su - acme -s /bin/bash -l
# If you trust scripts from the internet
curl https://get.acme.sh | sh -s email=my@example.com 
# or if you are more paranoid :)
git clone https://github.com/acmesh-official/acme.sh.git
# Review acme.sh/acme.sh in your editor
# then install acme.sh
cd ./acme.sh
./acme.sh --install -m my@example.com
# Optional: Enable auto upgrade 
~/.acme.sh/acme.sh --upgrade --auto-upgrade
# Deploy certificates, I use INWX with DNS challenge and letsencrypt for this:
export INWX_User="<yourusername>"
export INWX_Password="<password>"
~/.acme.sh/acme.sh --issue --dns dns_inwx -d REBUILDERD-MAIN-NODE.YOUR.DOMAIN  -d $(hostname -f) --server letsencrypt # Add and remove -d options as you need them
mkdir -p /opt/acme/certs/$(hostname -f)
/opt/acme/.acme.sh/acme.sh --install-cert  -d $(hostname -f) -d REBUILDERD-MAIN-NODE.YOUR.DOMAIN  --key-file /opt/acme/certs/$(hostname -f)/key.pem  --fullchain-file /opt/acme/certs/$(hostname -f)/cert.pem --reloadcmd "/usr/bin/sudo /usr/bin/systemctl reload nginx.service"

Configure nginx as reverse proxy

  • Copy the files etc/nginx/sites-available/proxy, etc/nginx/snippets/acme.conf and etc/nginx/snippets/ssl_param.conf to the corresponding paths on your main node

  • Remove the default sites installed by the nginx package and enable our proxy config instead:

    rm -rvf /etc/nginx/sites-enabled/*
    ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/proxy
    
  • Edit /etc/nginx/snippets/acme.conf to change the path to the certs generated by acme.sh:

    ssl_certificate /opt/acme/certs/REBUILDERD-MAIN-NODE-FQDN/cert.pem ;
    ssl_certificate_key /opt/acme/certs/REBUILDERD-MAIN-NODE-FQDN/key.pem ;
    
  • Create Diffie-Hellman-Parameters

    sudo mkdir -p /etc/nginx/dhparams
    openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 4096
    
  • Restart nginx: systemctl restart nginx

  • Note: Depending on how you want to set up acme.sh, you might need to change the nginx configuration before or after the acme.sh setup

Launch rebuilderd services on main node

systemctl enable --now rebuilderd.service
systemctl enable --now rebuilderd-worker@main.service  # The name after @ can be freely chosen
systemctl enable --now rebuilderd-cache-cleanup.timer
systemctl enable --now rebuilderd-pkgsync.timer
# Start one manual sync, any sync after this one will be launched by the timer
systemctl start rebuilderd-pkgsync.service
# After the first sync, randomize the queue, see https://github.com/kpcyrd/rebuilderd/issues/152

echo "update queue set priority = ABS(RANDOM()) % 10000;" |sqlite3 /srv/rebuilderd/rebuilderd.db

Note/Fixme: My current setup only contains the packages for main and the amd64/all architectures. I welcome suggestions on how to also include other suites (security/updates/nonfree/nonfree-firmware etc.)

Launch rebuilderd services on worker nodes

First copy your config and systemd files from your main node to the worker nodes, afterwards launch the services:

systemctl enable --now rebuilderd-worker@node1.service # The name after @ can be freely chosen
systemctl enable --now rebuilderd-cache-cleanup.timer

Statistics Webpages

  • Note: This part is still not finished, since I basically just "borrowed" the official page from reproduce.debian.net and @Nihlus rebuilderd instance
  • For replicating reproduce.debian.net page:
    • Copy var/www/html/rdn.html to /var/www/html/rdn.html on your main node
    • Replace YOUR_MAIN_FQDN in /var/www/html/rdn.html with the actual FQDN of your rebuilderd main node
  • For using Nihlus statistic site:
    git clone https://github.com/Nihlus/rebuilderd-website-ts/
    apt install npm node-typescript
    cd rebuilderd-website-ts
    sed -i 's/bookworm/trixie/g' src/App.tsx
    sed -i 's/reproduce.algiz.nu/YOUR_MAIN_FQDN/g' src/config/config.json
    npm install
    npm audit fix
    npm install vite
    npx vite build
    cd dist
    sudo cp -rv * /var/www/html/

Trixie packages versus upstream

Trixie ships rebuilderd, so if you just want to test rebuilding Trixie you don't actually need to build from source. The Trixie package uses /var/lib/ instead of /srv as its data directory though, so not all parts of this tutorial are directly applicable.
For testing or unstable, using the upstream repository by kpcyrd is probably still the best way to go. I myself used the upstream repo to set up my Trixie rebuilderd main and worker nodes. It was simply less work to build and set up from scratch instead of figuring out where I would have to change Debian's default configuration.

Author

This tutorial was written by Johannes Starosta and last changed on 2025-10-27 11:08 UTC +01:00

About

Tutorial and examples how to setup rebuilderd under Debian Trixie
