I wished to do the same thing, but I chose to use a private repository made using reprepro over PPAs. All my clients are on the same LAN, so it's simpler for me.
I think this is pretty workable irrespective of whether you use PPAs or a private repository.
- Modifying existing configuration files is best handled by using `dpkg` diversions, IMO. config-package-dev is a blessing for this. The Debian Wiki is a good starting point for information on this.
- Adding script files or your own software isn't that difficult by packaging them. There are plenty of packaging guides. Again, the Debian wiki is a great starting point. It's simpler to make binary packages than the intro, which will be the case with scripts and configuration files.
- Adding new software from other repositories can be done by making them dependencies of your packages. Specify an exact version or use `apt` pinning.
- Unattended upgrades for custom repositories are already handled: How to enable silent automatic updates for any repository? I don't know of any way a server can push updates to a client. You might want to consider `puppet` (via `kick`ing) or its ilk. Or you might write a script on the server which uses SSH to run updates on the client. Or have a script which checks for updates when the network comes up.
- Above all, ensure that your package maintenance scripts (`preinst`, `postinst`, `prerm`, `postrm`) are idempotent and that package removal undoes all changes. These scripts can do a lot of things, but do not do anything that affects `apt` or `dpkg` in them. Minimise the work done in these scripts.
In my case, I use a package to configure LDAP and NTP, add a custom global `vimrc` enabling common options, make various configuration changes (like enabling `sudo` for a group, banning shutdown), add an unprivileged local user/group, etc. Another package adds our self-generated CA certificate and repository signing key and marks them trusted in the `postinst` script, and adds an entry in `sources.list.d` for our repository.
I haven't yet converted all the systems to this process, so I can't comment yet about its effectiveness.
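As an added illustration (not code from the answer above), here is the shape of the idempotent install/remove pair that a "site repository" package's `postinst`/`postrm` would call: it drops the repository signing key into a keyring, writes the `sources.list.d` entry with `signed-by` pointing at that keyring, and undoes both on removal. The repository name, URL and key path are assumed placeholders, and the root directory is a parameter so the functions can be exercised against a scratch directory instead of `/`.

```shell
#!/bin/sh
# Added example: idempotent maintainer-script helpers for a site repository package.
# REPO_NAME, the URL in REPO_LINE and the key path are assumed placeholder values.
set -eu

REPO_NAME="${REPO_NAME:-example-site}"
REPO_LINE="${REPO_LINE:-deb [signed-by=/etc/apt/keyrings/${REPO_NAME}.gpg] http://apt.example.internal/debian stable main}"

# Install the signing key and the sources.list.d entry under root "$1" from key file "$2".
# Each step checks the desired state first, so running this twice changes nothing.
site_repo_install() {
    root="$1"
    keysrc="$2"                       # dearmored key shipped inside the package
    keydir="$root/etc/apt/keyrings"
    listdir="$root/etc/apt/sources.list.d"
    mkdir -p "$keydir" "$listdir"
    # copy the key only when missing or different (cmp is non-zero in both cases)
    if ! cmp -s "$keysrc" "$keydir/$REPO_NAME.gpg"; then
        install -m 0644 "$keysrc" "$keydir/$REPO_NAME.gpg"
    fi
    # rewrite the list entry only when its content is not already what we want
    if [ ! -f "$listdir/$REPO_NAME.list" ] || \
       [ "$(cat "$listdir/$REPO_NAME.list")" != "$REPO_LINE" ]; then
        printf '%s\n' "$REPO_LINE" > "$listdir/$REPO_NAME.list"
    fi
}

# Undo everything site_repo_install did; harmless when nothing is installed.
site_repo_remove() {
    root="$1"
    rm -f "$root/etc/apt/keyrings/$REPO_NAME.gpg" \
          "$root/etc/apt/sources.list.d/$REPO_NAME.list"
}

# Exit status 0 when both the key and the list entry exist under root "$1".
site_repo_installed() {
    root="$1"
    [ -f "$root/etc/apt/keyrings/$REPO_NAME.gpg" ] && \
    [ -f "$root/etc/apt/sources.list.d/$REPO_NAME.list" ]
}

# Dispatcher in the style of a dpkg maintainer script: "configure" comes from
# postinst, "remove"/"purge" from postrm; every other action is a deliberate no-op.
site_repo_main() {
    case "${1:-}" in
        configure)    site_repo_install "${SITE_ROOT:-}" "${SITE_KEY_FILE:-/usr/share/$REPO_NAME/archive-key.gpg}" ;;
        remove|purge) site_repo_remove "${SITE_ROOT:-}" ;;
        *)            return 0 ;;
    esac
}

site_repo_main "$@"
```

Because removal is expressed as the exact inverse of installation and both sides are state checks rather than blind appends, `dpkg -i` followed by `dpkg -r` leaves no trace, which is the property the answer asks for.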