setup: Merge multiple setup-apt-repo scripts into one.

This moves the `.asc` files into subdirectories, and writes out the
according `.list` files into them.  It moves from templates to
written-out `.list` files for clarity and ease of
implementation (Debian and Ubuntu need different templates for
`zulip`), and as a way of making explicit which releases are supported
for each list.  For the special-case of the PGroonga signing key, we
source an additional file within the directory.

This simplifies the process for adding another class of `.list` file.

puppet/zulip_ops/manifests/apt_repository_debathena.pp

@@ -1,6 +1,7 @@
 class zulip_ops::apt_repository_debathena {
-  $setup_file = "${::zulip_scripts_path}/lib/setup-apt-repo-debathena"
+  $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo"
   exec { 'setup_apt_repo_debathena':
-    command => "bash -c '${setup_file}'",
+    command => "${setup_apt_repo_file} --list zulip_debathena",
+    unless  => "${setup_apt_repo_file} --list zulip_debathena --verify",
   }
 }

puppet/zulip_ops/manifests/ksplice_uptrack.pp

@@ -14,10 +14,10 @@ class zulip_ops::ksplice_uptrack {
       mode    => '0640',
       content => template('zulip_ops/uptrack/uptrack.conf.erb'),
     }
-    $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo-ksplice"
+    $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo"
     exec{ 'setup-apt-repo-ksplice':
-      command => $setup_apt_repo_file,
-      unless  => "${setup_apt_repo_file} --verify",
+      command => "${setup_apt_repo_file} --list ksplice",
+      unless  => "${setup_apt_repo_file} --list ksplice --verify",
     }
     Package { 'uptrack':
       require => [

scripts/lib/setup-apt-repo

@@ -1,18 +1,34 @@
 #!/usr/bin/env bash
+#
+# This script handles adding custom apt repositories into
+# /etc/apt/sources.list.d/ files.  It bundles the GPG keys which are
+# used to verify the repositories (via `apt-key`), to explicitly pin
+# the trusted signing keys, as opposed to blindly trusting HTTPS.
+#
+# Each /etc/apt/soruces.list.d/foo.list file is created via `--list
+# foo`, where `foo` defaults to `zulip`.  The default `zulip.list` is
+# installed in `scripts/lib/install` / `tools/lib/provision.py`, and
+# other `.list` files may be installed by Puppet.
 set -x
 set -e
 set -u
 set -o pipefail
 
 verify=false
-args="$(getopt -o '' --long verify -- "$@")"
+args="$(getopt -o '' --long verify,list: -- "$@")"
 eval "set -- $args"
+LIST=zulip
 while true; do
     case "$1" in
         --verify)
             verify=true
             shift
             ;;
+        --list)
+            LIST="$2"
+            shift
+            shift
+            ;;
         --)
             shift
             break
@@ -23,12 +39,21 @@ done
 # Ensure the directory for LAST_DEPENDENCIES_HASH exists
 mkdir -p /var/lib/zulip
 
-SOURCES_FILE=/etc/apt/sources.list.d/zulip.list
-STAMP_FILE=/etc/apt/sources.list.d/zulip.list.apt-update-in-progress
+SOURCES_FILE=/etc/apt/sources.list.d/$LIST.list
+STAMP_FILE=/etc/apt/sources.list.d/$LIST.list.apt-update-in-progress
 
-ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")"
-DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0")
-DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state"
+ZULIP_SCRIPTS="$(cd "$(dirname "$(dirname "$0")")" && pwd)"
+LIST_PATH="$ZULIP_SCRIPTS/setup/apt-repos/$LIST"
+if ! [ -d "$LIST_PATH" ]; then
+    echo "Not a valid value for --list: '$LIST'"
+    echo ""
+    echo "Valid values are:"
+    ls -1 "$ZULIP_SCRIPTS/setup/apt-repos/"
+    exit 1
+fi
+
+DEPENDENCIES_HASH=$(sha1sum "$LIST_PATH/"*.asc "$0")
+DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state-$LIST"
 # Ensure that DEPENDENCIES_HASH_FILE exists before hashing it.
 touch "$DEPENDENCIES_HASH_FILE"
 LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")"
@@ -53,66 +78,24 @@ if ! apt-get -dy install "${pre_setup_deps[@]}"; then
 fi
 apt-get -y install "${pre_setup_deps[@]}"
 
-SCRIPTS_PATH="$(cd "$(dirname "$(dirname "$0")")" && pwd)"
-
 release=$(lsb_release -sc)
-if [[ "$release" =~ ^(bionic|cosmic|disco|eoan|focal|groovy)$ ]]; then
-    distribution=ubuntu
-    apt-key add "$SCRIPTS_PATH"/setup/pgdg.asc
-    apt-key add "$SCRIPTS_PATH"/setup/pgroonga-ppa.asc
-    cat >$SOURCES_FILE <<EOF
-deb http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
-deb-src http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
-
-deb http://ppa.launchpad.net/groonga/ppa/ubuntu $release main
-deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu $release main
-EOF
-elif [[ "$release" =~ ^(buster|bullseye)$ ]]; then
-    distribution=debian
-    apt-key add "$SCRIPTS_PATH"/setup/pgdg.asc
-    cat >$SOURCES_FILE <<EOF
-deb http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
-deb-src http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
-EOF
+if [ -f "$LIST_PATH/$release.list" ]; then
+    apt-key add "$LIST_PATH/"*.asc
+    cp "$LIST_PATH/$release.list" "$SOURCES_FILE"
 else
-    echo "Unsupported release $release."
+    cat <<EOF
+Unsupported release $release for sources.list file $LIST.  To add a
+new release, make a $LIST_PATH/$release.list file based on existing
+.list files in that directory.
+
+EOF
     exit 1
 fi
 
-if [[ ! -e /usr/share/doc/groonga-apt-source/copyright ]]; then
-    remove_pgroonga_apt_tmp_dir() {
-        rm -rf "$pgroonga_apt_tmp_dir"
-    }
-    pgroonga_apt_tmp_dir=$(mktemp --directory)
-    trap remove_pgroonga_apt_tmp_dir EXIT
-    pushd "$pgroonga_apt_tmp_dir"
-    tmp_gpg_home=.gnupg
-    pgroonga_apt_sign_key="$SCRIPTS_PATH"/setup/pgroonga-packages.groonga.org.asc
-    gpg --homedir="$tmp_gpg_home" --import "$pgroonga_apt_sign_key"
-    # Find fingerprint of the first key.
-    pgroonga_apt_sign_key_fingerprint=$(
-        gpg --homedir="$tmp_gpg_home" --with-colons --list-keys \
-            | grep '^fpr:' \
-            | cut --delimiter=: --fields=10 \
-            | head --lines=1
-    )
-    groonga_apt_source_deb="groonga-apt-source-latest-$release.deb"
-    groonga_apt_source_deb_sign="$groonga_apt_source_deb.asc.$pgroonga_apt_sign_key_fingerprint"
-    wget "https://packages.groonga.org/$distribution/$groonga_apt_source_deb"
-    wget "https://packages.groonga.org/$distribution/$groonga_apt_source_deb_sign"
-    gpg \
-        --homedir="$tmp_gpg_home" \
-        --verify \
-        "$groonga_apt_source_deb_sign" \
-        "$groonga_apt_source_deb"
-    # To suppress the following warning by "apt-get install":
-    #   N: Download is performed unsandboxed as root as file
-    #   '.../groonga-apt-source-latest-$release.deb' couldn't be
-    #   accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
-    chown _apt .
-    apt-get -y install "./$groonga_apt_source_deb"
-    popd
-    touch "$STAMP_FILE"
+if [ -e "$LIST_PATH/custom.sh" ]; then
+    export LIST_PATH
+    export STAMP_FILE
+    bash "$LIST_PATH/custom.sh"
 fi
 
 if [ "$zulip_source_hash" = "$(sha1sum "$SOURCES_FILE")" ] && ! [ -e "$STAMP_FILE" ]; then

scripts/lib/setup-apt-repo-debathena

@@ -1,57 +0,0 @@
-#!/usr/bin/env bash
-set -x
-set -e
-
-# Ensure the directory for LAST_DEPENDENCIES_HASH exists
-mkdir -p /var/lib/zulip
-
-SOURCES_FILE=/etc/apt/sources.list.d/zulip_debathena.list
-STAMP_FILE=/etc/apt/sources.list.d/zulip_debathena.list.apt-update-in-progress
-
-ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")"
-DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0")
-DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state-debathena"
-# Ensure that DEPENDENCIES_HASH_FILE exists before hashing it.
-touch "$DEPENDENCIES_HASH_FILE"
-LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")"
-
-# First, we only do anything in setup-apt-repo if any of its inputs
-# (apt keys, code, etc.)  changed.
-if [ "$DEPENDENCIES_HASH" = "$LAST_DEPENDENCIES_HASH" ]; then
-    exit 0
-fi
-
-# Ensure that the sources file exists
-touch "$SOURCES_FILE"
-
-# Hash it to check if the sources file is changed by the script later.
-zulip_source_hash=$(sha1sum "$SOURCES_FILE")
-
-apt-get install -y lsb-release apt-transport-https gnupg
-
-SCRIPTS_PATH="$(dirname "$(dirname "$0")")"
-
-release=$(lsb_release -sc)
-if [ "$release" = "bionic" ]; then
-    apt-key add "$SCRIPTS_PATH"/setup/debathena-archive.asc
-    cat >$SOURCES_FILE <<EOF
-    deb http://debathena.mit.edu/apt $release debathena debathena-config
-    deb-src http://debathena.mit.edu/apt $release debathena debathena-config
-EOF
-else
-    echo "Unsupported release $release."
-    exit 1
-fi
-
-# Copied blindly from scripts/lib/setup-apt-repo
-if [ "$zulip_source_hash" = "$(sha1sum "$SOURCES_FILE")" ] && ! [ -e "$STAMP_FILE" ]; then
-    echo "zulip.list file did not change; skipping apt-get update"
-else
-    # We create this stamp file to ensure `apt-get update` will be run
-    # the next time this script is invoked, and each time after, until
-    # `apt-get update` finishes successfully.
-    touch "$STAMP_FILE"
-    apt-get update && rm -f "$STAMP_FILE"
-fi
-
-echo "$DEPENDENCIES_HASH" >"$DEPENDENCIES_HASH_FILE"

scripts/lib/setup-apt-repo-ksplice

@@ -1,80 +0,0 @@
-#!/usr/bin/env bash
-set -x
-set -e
-set -u
-set -o pipefail
-
-verify=false
-args="$(getopt -o '' --long verify -- "$@")"
-eval "set -- $args"
-while true; do
-    case "$1" in
-        --verify)
-            verify=true
-            shift
-            ;;
-        --)
-            shift
-            break
-            ;;
-    esac
-done
-
-# Ensure the directory for LAST_DEPENDENCIES_HASH exists
-mkdir -p /var/lib/zulip
-
-SOURCES_FILE=/etc/apt/sources.list.d/ksplice.list
-STAMP_FILE=/etc/apt/sources.list.d/ksplice.list.apt-update-in-progress
-
-ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")"
-DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0")
-DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state-ksplice"
-# Ensure that DEPENDENCIES_HASH_FILE exists before hashing it.
-touch "$DEPENDENCIES_HASH_FILE"
-LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")"
-
-# First, we only do anything in setup-apt-repo if any of its inputs
-# (apt keys, code, etc.)  changed.
-if [ "$DEPENDENCIES_HASH" = "$LAST_DEPENDENCIES_HASH" ]; then
-    exit 0
-elif [ "$verify" == true ]; then
-    exit 1
-fi
-
-# Ensure that the sources file exists
-touch "$SOURCES_FILE"
-
-# Hash it to check if the sources file is changed by the script later.
-zulip_source_hash=$(sha1sum "$SOURCES_FILE")
-
-pre_setup_deps=(lsb-release apt-transport-https ca-certificates gnupg wget)
-if ! apt-get -dy install "${pre_setup_deps[@]}"; then
-    apt-get update
-fi
-apt-get -y install "${pre_setup_deps[@]}"
-
-SCRIPTS_PATH="$(cd "$(dirname "$(dirname "$0")")" && pwd)"
-
-release=$(lsb_release -sc)
-if [[ "$release" =~ ^(buster|bullseye|bionic|cosmic|disco|eoan|focal|groovy)$ ]]; then
-    apt-key add "$SCRIPTS_PATH"/setup/ksplice.asc
-    cat >$SOURCES_FILE <<EOF
-deb http://www.ksplice.com/apt $release ksplice
-deb-src http://www.ksplice.com/apt $release ksplice
-EOF
-else
-    echo "Unsupported release $release."
-    exit 1
-fi
-
-if [ "$zulip_source_hash" = "$(sha1sum "$SOURCES_FILE")" ] && ! [ -e "$STAMP_FILE" ]; then
-    echo "zulip.list file did not change; skipping apt-get update"
-else
-    # We create this stamp file to ensure `apt-get update` will be run
-    # the next time this script is invoked, and each time after, until
-    # `apt-get update` finishes successfully.
-    touch "$STAMP_FILE"
-    apt-get update && rm -f "$STAMP_FILE"
-fi
-
-echo "$DEPENDENCIES_HASH" >"$DEPENDENCIES_HASH_FILE"

scripts/setup/apt-repos/ksplice/bionic.list

@@ -0,0 +1,2 @@
+deb http://www.ksplice.com/apt bionic ksplice
+deb-src http://www.ksplice.com/apt bionic ksplice

scripts/setup/apt-repos/ksplice/focal.list

@@ -0,0 +1,2 @@
+deb http://www.ksplice.com/apt focal ksplice
+deb-src http://www.ksplice.com/apt focal ksplice

scripts/setup/apt-repos/zulip/bionic.list

@@ -0,0 +1,5 @@
+deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main
+
+deb http://ppa.launchpad.net/groonga/ppa/ubuntu bionic main
+deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu bionic main

scripts/setup/apt-repos/zulip/bullseye.list

@@ -0,0 +1,2 @@
+deb http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main

scripts/setup/apt-repos/zulip/buster.list

@@ -0,0 +1,2 @@
+deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main

scripts/setup/apt-repos/zulip/cosmic.list

@@ -0,0 +1,5 @@
+deb http://apt.postgresql.org/pub/repos/apt/ cosmic-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ cosmic-pgdg main
+
+deb http://ppa.launchpad.net/groonga/ppa/ubuntu cosmic main
+deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu cosmic main

scripts/setup/apt-repos/zulip/custom.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+if [[ ! -e /usr/share/doc/groonga-apt-source/copyright ]]; then
+    remove_pgroonga_apt_tmp_dir() {
+        rm -rf "$pgroonga_apt_tmp_dir"
+    }
+    pgroonga_apt_tmp_dir=$(mktemp --directory)
+    trap remove_pgroonga_apt_tmp_dir EXIT
+
+    {
+        cd "$pgroonga_apt_tmp_dir" || exit 1
+        tmp_gpg_home=.gnupg
+        pgroonga_apt_sign_key="$LIST_PATH/pgroonga-packages.groonga.org.asc"
+        gpg --homedir="$tmp_gpg_home" --import "$pgroonga_apt_sign_key"
+        # Find fingerprint of the first key.
+        pgroonga_apt_sign_key_fingerprint=$(
+            gpg --homedir="$tmp_gpg_home" --with-colons --list-keys \
+                | grep '^fpr:' \
+                | cut --delimiter=: --fields=10 \
+                | head --lines=1
+        )
+        release=$(lsb_release -sc)
+        distribution=$(lsb_release -si | tr '[:upper:]' '[:lower:]')
+        groonga_apt_source_deb="groonga-apt-source-latest-$release.deb"
+        groonga_apt_source_deb_sign="$groonga_apt_source_deb.asc.$pgroonga_apt_sign_key_fingerprint"
+        wget "https://packages.groonga.org/$distribution/$groonga_apt_source_deb"
+        wget "https://packages.groonga.org/$distribution/$groonga_apt_source_deb_sign"
+        gpg \
+            --homedir="$tmp_gpg_home" \
+            --verify \
+            "$groonga_apt_source_deb_sign" \
+            "$groonga_apt_source_deb"
+        # To suppress the following warning by "apt-get install":
+        #   N: Download is performed unsandboxed as root as file
+        #   '.../groonga-apt-source-latest-$release.deb' couldn't be
+        #   accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
+        chown _apt .
+        apt-get -y install "./$groonga_apt_source_deb"
+    }
+    touch "$STAMP_FILE"
+fi

scripts/setup/apt-repos/zulip/disco.list

@@ -0,0 +1,5 @@
+deb http://apt.postgresql.org/pub/repos/apt/ disco-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ disco-pgdg main
+
+deb http://ppa.launchpad.net/groonga/ppa/ubuntu disco main
+deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu disco main

scripts/setup/apt-repos/zulip/eoan.list

@@ -0,0 +1,5 @@
+deb http://apt.postgresql.org/pub/repos/apt/ eoan-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ eoan-pgdg main
+
+deb http://ppa.launchpad.net/groonga/ppa/ubuntu eoan main
+deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu eoan main

scripts/setup/apt-repos/zulip/focal.list

@@ -0,0 +1,5 @@
+deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main
+
+deb http://ppa.launchpad.net/groonga/ppa/ubuntu focal main
+deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu focal main

scripts/setup/apt-repos/zulip/groovy.list

@@ -0,0 +1,5 @@
+deb http://apt.postgresql.org/pub/repos/apt/ groovy-pgdg main
+deb-src http://apt.postgresql.org/pub/repos/apt/ groovy-pgdg main
+
+deb http://ppa.launchpad.net/groonga/ppa/ubuntu groovy main
+deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu groovy main

scripts/setup/apt-repos/zulip_debathena/bionic.list

@@ -0,0 +1,2 @@
+deb http://debathena.mit.edu/apt bionic debathena debathena-config
+deb-src http://debathena.mit.edu/apt bionic debathena debathena-config