Enterprise Features¶
Stout includes features designed for enterprise environments.
Private Index Hosting¶
Host your own package index for internal packages or to control available software.
Setup¶
- Fork the stout-index repository
- Add your formulas
Add formula JSON files to the index.
- Sign the index
Generate a signing key and sign the index:
# Generate key pair
openssl genpkey -algorithm ED25519 -out signing-key.pem
# Sign the index
./scripts/sign-index.py --key signing-key.pem
- Host the index
Options:
- GitHub (public or private repository)
- S3 bucket
- Any static file server (nginx, Apache)
- Internal package registry
- Configure clients
[index]
base_url = "https://packages.internal.company.com/stout-index"
[security]
trusted_keys = ["your-public-key-base64"]
Self-Signed Index¶
For internal use, you can generate and trust your own signing keys:
# Generate key pair
openssl genpkey -algorithm ED25519 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem
# Get the base64-encoded public key for the client config (GNU coreutils base64; -w0 disables line wrapping)
base64 -w0 < public.pem
Add to client configuration:
Multi-Prefix Environments¶
Isolate package installations per project or team.
Create a Prefix¶
Install to Prefix¶
stout --prefix=~/projects/webapp/.stout install node@20 [email protected]
Set Default Prefix¶
List Prefixes¶
Environment Variable¶
You can also set the default prefix via environment variable:
Use Cases¶
- Project isolation: Each project has its own dependencies
- Team environments: Shared dependencies for a team
- Version testing: Test different versions side-by-side
- Reproducible builds: Lock down exact package versions
Air-Gapped Deployments¶
Run Stout in environments without internet access.
Create a Mirror¶
On a connected machine:
stout mirror create ./mirror jq curl wget git [email protected] node@20
This downloads:
- Package index
- All specified packages and their dependencies
- Checksums and signatures
Transfer to Air-Gapped Environment¶
Copy the mirror directory to the isolated environment:
Serve Locally¶
On the air-gapped machine:
Configure Clients¶
Or use file:// URLs:
Verify Mirror Integrity¶
CI/CD Integration¶
Lock Files¶
Create reproducible builds with lock files:
Lock files include:
- Exact package versions
- SHA256 checksums
- Dependency tree
Brewfile Support¶
Use existing Brewfiles:
CI Configuration Examples¶
GitHub Actions:
- name: Install dependencies
  run: |
    curl -fsSL https://raw.githubusercontent.com/neul-labs/stout/main/install.sh | bash
    stout bundle install
GitLab CI:
before_script:
  - curl -fsSL https://raw.githubusercontent.com/neul-labs/stout/main/install.sh | bash
  - stout bundle install
Caching¶
Cache the stout directory for faster CI:
# GitHub Actions
- uses: actions/cache@v3
  with:
    path: ~/.stout/cache
    key: stout-${{ hashFiles('Brewfile.lock') }}
Quiet Mode for CI¶
Or in configuration:
Audit Logging¶
Track package operations for compliance.
Enable Audit Logging¶
Log Format¶
{
  "timestamp": "2024-01-15T10:30:00Z",
  "action": "install",
  "package": "jq",
  "version": "1.7.1",
  "user": "developer",
  "success": true
}
Integration with SIEM¶
Forward logs to your security information and event management system:
Approved Package Lists¶
Restrict which packages can be installed.
Configuration¶
[policy]
# Only allow these packages
allowed_packages = [
  "git",
  "node@20",
  "[email protected]",
  "jq",
]

# Or block specific packages
blocked_packages = [
  "dangerous-package",
]
Enforcement¶
Attempts to install non-approved packages fail:
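The audit log format above and the [policy] allow/block lists can be checked against each other off the client, for example by a SIEM rule: any successful install of a non-approved package in the audit log means a client was not enforcing the policy. The script below is an added example, not part of Stout or its documentation; the policy dict and the audit lines are constructed to mirror the formats shown on this page, and the field names are assumed to match the log format above.

```python
import json

# Constructed policy, mirroring the [policy] table; in a deployment this comes from the client config.
POLICY = {
    "allowed_packages": ["git", "node@20", "jq"],
    "blocked_packages": ["dangerous-package"],
}

# Constructed audit entries in the page's log format, one JSON object per line (JSON Lines).
AUDIT_LOG = """\
{"timestamp": "2024-01-15T10:30:00Z", "action": "install", "package": "jq", "version": "1.7.1", "user": "developer", "success": true}
{"timestamp": "2024-01-15T10:31:00Z", "action": "install", "package": "dangerous-package", "version": "0.1.0", "user": "developer", "success": false}
{"timestamp": "2024-01-15T10:32:00Z", "action": "install", "package": "leftpad", "version": "1.0.0", "user": "ci-bot", "success": true}
{"timestamp": "2024-01-15T10:33:00Z", "action": "uninstall", "package": "git", "version": "2.43.0", "user": "developer", "success": true}
"""


def package_allowed(name, allowed, blocked):
    """Block list wins over allow list; an empty allow list permits anything not blocked."""
    if name in blocked:
        return False
    return not allowed or name in allowed


def find_violations(log_text, policy):
    """Return install attempts that policy should have rejected.

    success=false means the client enforced the policy (informational);
    success=true means enforcement was bypassed, e.g. a client without the
    [policy] config, which is the high-severity finding to alert on.
    """
    allowed = set(policy.get("allowed_packages", []))
    blocked = set(policy.get("blocked_packages", []))
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["action"] != "install" or package_allowed(entry["package"], allowed, blocked):
            continue
        reason = "blocked package" if entry["package"] in blocked else "not in allow list"
        severity = "high" if entry["success"] else "info"
        findings.append({"timestamp": entry["timestamp"], "user": entry["user"],
                         "package": entry["package"], "reason": reason, "severity": severity})
    return findings


if __name__ == "__main__":
    # Emit findings as JSON Lines, the shape most SIEM forwarders ingest directly.
    for finding in find_violations(AUDIT_LOG, POLICY):
        print(json.dumps(finding))
```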
Deployment Strategies¶
Centralized Management¶
- Host private index
- Distribute configuration via configuration management (Ansible, Puppet, Chef)
- Use approved package lists
- Enable audit logging
Decentralized with Standards¶
- Provide base configuration template
- Allow project-specific prefixes
- Require lock files for production
- Audit via CI/CD pipelines
Support¶
For enterprise support inquiries:
- Email: [email protected]
- Documentation: https://docs.neullabs.com/stout/enterprise