puppet: Generalize install-wal-g to be arbitrary tarballs.

puppet/zulip/lib/puppet/parser/functions/keys.rb

@@ -0,0 +1,27 @@
+# Taken from https://github.com/puppetlabs/puppetlabs-stdlib/blob/19cdf29f27c3e5005ee441d1ec46d7da27a0f777/lib/puppet/parser/functions/keys.rb
+#
+# keys.rb
+#
+module Puppet::Parser::Functions
+  newfunction(:keys, :type => :rvalue, :doc => <<-DOC
+    Returns the keys of a hash as an array.
+    Note: from Puppet 5.5.0, the compatible function with the same name in Puppet core
+    will be used instead of this function.
+    DOC
+             ) do |arguments|
+
+    raise(Puppet::ParseError, "keys(): Wrong number of arguments given (#{arguments.size} for 1)") if arguments.empty?
+
+    hash = arguments[0]
+
+    unless hash.is_a?(Hash)
+      raise(Puppet::ParseError, 'keys(): Requires hash to work with')
+    end
+
+    result = hash.keys
+
+    return result
+  end
+end
+
+# vim: set ts=2 sw=2 et :

puppet/zulip/manifests/postgres_backups.pp

@@ -1,11 +1,15 @@
+# @summary Use wal-g to take daily backups of PostgreSQL
+#
 class zulip::postgres_backups {
   include zulip::postgres_common
 
   $wal_g_version = '0.2.15'
-  $wal_g_hash = 'ea33c2341d7bfb203c6948590c29834c013ab06a28c7a2b236a73d906f785c84'
-  exec {'install-wal-g':
-    command => "${::zulip_scripts_path}/setup/install-wal-g.sh ${wal_g_version} ${wal_g_hash}",
-    creates => "/usr/local/bin/wal-g-${wal_g_version}",
+  zulip::sha256_tarball_to { 'wal-g':
+    url     => "https://github.com/wal-g/wal-g/releases/download/v${wal_g_version}/wal-g.linux-amd64.tar.gz",
+    sha256  => 'ea33c2341d7bfb203c6948590c29834c013ab06a28c7a2b236a73d906f785c84',
+    install => {
+      'wal-g' => "/usr/local/bin/wal-g-${wal_g_version}",
+    },
   }
   file { '/usr/local/bin/wal-g':
     ensure => 'link',

puppet/zulip/manifests/sha256_tarball_to.pp

@@ -0,0 +1,15 @@
+# @summary Downloads, verifies hash, and copies files out.
+#
+define zulip::sha256_tarball_to(
+  String $sha256,
+  String $url,
+  Hash[String, String] $install,
+) {
+  $install_expanded = $install.convert_to(Array).join(' ')
+  # Puppet does not support `creates => [...]`, so we have to pick one
+  $a_file = $install[keys($install)[0]]
+  exec { $url:
+    command => "${::zulip_scripts_path}/setup/sha256-tarball-to ${sha256} ${url} ${install_expanded}",
+    creates => $a_file,
+  }
+}

scripts/setup/install-wal-g.sh

@@ -1,20 +0,0 @@
-#!/bin/sh
-
-set -e
-set -x
-
-VERSION="$1"
-HASH="$2"
-
-cd /tmp
-wget -qO "wal-g-$VERSION.tar.gz" \
-     "https://github.com/wal-g/wal-g/releases/download/v$VERSION/wal-g.linux-amd64.tar.gz"
-
-# Check not against the arbitrary provided sha256 on Github, but
-# against the (same) sha256 that we hardcode as "known good".
-echo "$HASH  wal-g-$VERSION.tar.gz" > "wal-g-$VERSION.tar.gz.sha256"
-sha256sum -c "wal-g-$VERSION.tar.gz.sha256"
-
-tar xzf "wal-g-$VERSION.tar.gz"
-mv wal-g "/usr/local/bin/wal-g-$VERSION"
-rm "wal-g-$VERSION.tar.gz" "wal-g-$VERSION.tar.gz.sha256"

scripts/setup/sha256-tarball-to

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+if [ "$#" -lt 4 ]; then
+    echo "Usage:"
+    echo "  sha256-tarball-to SHA256 http://FETCH/FROM.tar.gz SRC1 DST1 [SRC2 DST2 [...]]"
+    echo
+    echo "SHA256 is the sha256sum of the tarball fetched; each SRC (which may be a"
+    echo "directory) is expected to be a relative path into the unpacked tarball,"
+    echo "and each DST is the absolute path it should be moved to."
+    exit 1
+fi
+
+set -e
+set -x
+
+SHA256="$1"
+URL="$2"
+shift
+shift
+
+# Work in a tmpdir which we clean up at the end
+tmpdir="$(mktemp -d)"
+trap 'rm -r "$tmpdir"' EXIT
+cd "$tmpdir"
+
+# Fetch to a predictable name, not whatever curl guesses from the URL
+LOCALFILE="archive.tar.gz"
+wget -qO "$LOCALFILE" "$URL"
+
+# Check the hash against what was passed in
+echo "$SHA256  $LOCALFILE" > "$LOCALFILE.sha256"
+sha256sum -c "$LOCALFILE.sha256"
+
+tar xzf "$LOCALFILE"
+
+# Take the rest of the arguments two-at-a-time, as source and
+# destination to move out of the unpacked tarball.
+while [ "$#" -gt 0 ]; do
+    mv "$1" "$2"
+    shift
+    shift
+done