Private Composer repository with Satis – Part 1

Everyone in PHP world knows what Packagist is. Whenever you need to pull some PHP library with composer, you’ll probably pull it from Packagist. But, what to do with your code that shouldn’t be publicly available? Something reusable, private, and self-hosted? You can pay for private Packagist, but if you already have your own infrastructure, maybe a lightweight free solution is good enough for your needs. That’s where Satis comes in.

Yes, there is a documentation page and there are some guides on the Internet about how you can setup Satis, but when it comes to actually installing, configuring and using it – there are a couple of more steps which you’ll need to do than those written in the guide. This article will hopefully guide you through the whole process – from installing prerequisites to using it in your projects. The guide will be based on the following system:

We’ll assume that you already have these installed and configured and focus on what Satis needs.

Installing prerequisites

You can skip reading about prerequisites which you already have.

PHP extensions

Satis needs ext-dom PHP extension, but you probably have this one installed already. However, if you don’t have it, then you need to install it.

To check if the ext-dom is installed, you can use the following command:

yum list | grep php71w-xml

If it’s not installed, you’ll need to:

sudo yum -y install php71w-xml

Git and Composer

The next two prerequisites are Git and Composer. To install Git, simply use:

sudo yum install git

Composer has several installation methods and you can take a look at them here: https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx. We’ll use this one:

sudo curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer

Installing Satis

Set up Apache virtual host

We will install Satis on a subdomain (satis.yoursite.com).

First, create directories for Satis Apache logs and document root.

sudo mkdir -p /var/www/satis/html
sudo mkdir -p /var/www/satis/logs

After, you need to create virtual host configuration file for satis.yoursite.com

sudo vim /etc/httpd/conf.d/satis.conf
ServerName satis.yoursite.com
DocumentRoot /var/www/satis/html
ErrorLog /var/www/satis/logs/error.log
CustomLog /var/www/satis/logs/access.log combined

Close the text editor and restart httpd service

sudo systemctl restart httpd

Install Satis

To install Satis, simply pull the project witll Composer. To keep everything related to Satis in one place, we’ll install Satis in /var/www/satis/app directory:

mkdir /var/www/satis/app
cd /var/www/satis/app
composer create-project composer/satis --stability=dev --keep-vcs

Secure document root with Apache password authentication

If you are using publicly available subdomain, you’ll need to secure your document root. After Satis runs and picks up your Git repositories, as a result it will be accessible through a web browser. You can see all your repositories and download zip archives of each of their versions directly from the web interface. So, let’s protect it with htpasswd.

Open your Satis Apache configuration file and add configuration for htpasswd authentication. Your virtual host configuration file for Satis should look like this:

sudo vim /etc/httpd/conf.d/satis.conf
<VirtualHost *:80>
ServerName satis.yoursite.com
DocumentRoot /var/www/satis/html
ErrorLog /var/www/satis/logs/error.log
CustomLog /var/www/satis/logs/access.log combined
    <Directory "/var/www/satis/html>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile "/var/www/satis/html/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>

Don’t restart Apache just yet. We’ll need to create .htpasswd file first and add the first user to it.

sudo htpasswd -c /var/www/satis/html/.htpasswd your_first_user

You will be asked to supply a password for your_first_user. The -c flag is for creating a new file. If you want to add more users later, you can use the same command but without -c flag.

You can now restart Apache to apply the changes:

sudo systemctl restart httpd

Add htpasswd authentication to Composer

Since your Satis server will use Composer to distribute packages, Composer on the server needs to be configured to be able to use your password protected site. Composer stores authentiucation credentials in ~/.composer/auth.json file which you’ll need to edit and add htpasswd credentials:

vim ~/.composer/auth.json
{
    "http-basic": {
        "satis.yoursite.com": {
        "username": "your_first_user",
        "password": "your_first_users_password"
        }
    }
}

Add https – Let’s Encrypt with certbot

If you don’t already have a wildcard SSL certificate for your domain, it would be a good idea to secure communication with your Satis server by enabling https. Fortunatelly, that’s easy and free by using Let’s Encrypt (https://letsencrypt.org/).

First, let’s install prerequisites. We will be using certbot (https://certbot.eff.org/) to generate and apply Let’s encrypt certificate. Certbot is available in the EPEL repository. In order to use SSL certificates, we will also need mod_ssl.

sudo yum -y install epel-release mod_ssl
sudo yum install python-certbot-apache

The next thing to do is to check whether default HTTPS port is open in firewalld:

sudo firewall-cmd --zone=public --permanent --list-services

If https is not listed in your public services, you’ll need to:

sudo firewall-cmd --zone=public --permanent --add-service=https

Aa an alternative, you can lookup and open HTTPS port (instead of a service):

sudo firewall-cmd --zone=public --permanent --list-ports
sudo firewall-cmd --zone=public --permanent --add-port=443/tcp

Now we can use certbot to install our SSL certificate and enable it on satis.yoursite.com

cd ~
certbot --apache -d satis.yoursite.com
sudo systemctl restart httpd

Certbot will ask a series of questions during the setup, but they are all pretty much self-explanatory. The only advice is to always enable HTTPS and disable HTTP entirely when certbot asks you about it.

The last step is to make sure that the certificate is auto-renewed:

sudo su
crontab -e

Furthermore, you’ll need to add the following entry in crontab:

0 0 * * 1 /usr/bin/certbot renew >> /var/log/lets_encrypt_renew.log

Conclusion

If you have followed this guide properly, you should now have the following:

However, we still haven’t added any repositories which Satis should monitor. Since this article is long enough, we’ll cover adding repositeories and day-to-day use of Satis in Part 2 of the article.