Unfortunately, nowadays if the remote has a collection ID set (which flathub does),
ostree pull --mirror will do something a bit different than what you want by putting the pulled refs under
refs/mirrors/org.flathub.Stable instead of
refs/heads. What you need to do is set the collection ID of your mirror to match flathub’s. Like so:
ostree --repo=repo init --mode=archive --collection-id=org.flathub.Stable
ostree --repo=repo remote add --set gpg-verify-summary=true --gpg-import /path/to/flathub/gpg/keyring flathub https://dl.flathub.org/repo/
ostree --repo=repo pull --mirror flathub
However, note that you won’t be able to mirror flathub’s summary file in that way and you’ll need to regenerate your own summary after pulling with
flatpak build-update-repo. Then you have 2 options:
Specify your own GPG key to sign your summary with and make sure that your clients have it in their trusted keyring for your mirrored flathub remote.
Leave the summary unsigned and ensure that clients don’t try to verify the summary. Unfortunately, flatpak only has a single --gpg-verify option that would enable or disable verification for both commits and summary. You’d want to continue to verifying the commits with flathub’s GPG key, though. In that case, you have to use ostree’s config handling manually like
ostree config set 'remote "flathub-mirror".gpg-verify-summary' false assuming your clients use a remote name of
For the second option, simply running
flatpak build-update-repo repo is what you want.
ostree also has support for a mirrorlist which you could maybe configure your clients to add your mirror in, but I’ve never used it.