#!/usr/bin/env bash # # This script handles adding custom apt repositories into # /etc/apt/sources.list.d/ files. It bundles the GPG keys which are # used to verify the repositories (via `apt-key`), to explicitly pin # the trusted signing keys, as opposed to blindly trusting HTTPS. # # Each /etc/apt/sources.list.d/foo.list file is created via `--list # foo`, where `foo` defaults to `zulip`. The default `zulip.list` is # installed in `scripts/lib/install` / `tools/lib/provision.py`, and # other `.list` files may be installed by Puppet. set -x set -e set -u set -o pipefail shopt -s extglob verify=false args="$(getopt -o '' --long verify,list: -- "$@")" eval "set -- $args" LIST=zulip while true; do case "$1" in --verify) verify=true shift ;; --list) LIST="$2" shift shift ;; --) shift break ;; esac done # Ensure the directory for LAST_DEPENDENCIES_HASH exists mkdir -p /var/lib/zulip SOURCES_FILE=/etc/apt/sources.list.d/$LIST.list PREF_FILE=/etc/apt/preferences.d/$LIST.pref STAMP_FILE=/etc/apt/sources.list.d/$LIST.list.apt-update-in-progress # All paths, for purposes of hashing, should be relative to the deploy # root. cd "$(dirname "$0")/../.." LIST_PATH="scripts/setup/apt-repos/$LIST" if ! [ -d "$LIST_PATH" ]; then echo "Not a valid value for --list: '$LIST'" echo "" echo "Valid values are:" ls -1 "scripts/setup/apt-repos/" exit 1 fi release="$(. /etc/os-release && printf '%s' "$VERSION_CODENAME")" if [ ! -f "$LIST_PATH/$release.list" ]; then cat </dev/null || true) pre_setup_deps=(apt-transport-https ca-certificates gnupg curl) if ! apt-get -dy install "${pre_setup_deps[@]}"; then apt-get update fi apt-get -y install "${pre_setup_deps[@]}" apt-key add "$LIST_PATH/"*.asc cp "$LIST_PATH/$release.list" "$SOURCES_FILE" if [ -e "$LIST_PATH/$LIST.pref" ]; then cp "$LIST_PATH/$LIST.pref" "$PREF_FILE" else rm -f "$PREF_FILE" fi if [ -e "$LIST_PATH/custom.sh" ]; then export LIST_PATH export STAMP_FILE bash "$LIST_PATH/custom.sh" fi if [ "$hashes" = "$(sha256sum "$SOURCES_FILE" "$PREF_FILE" 2>/dev/null || true)" ] && ! [ -e "$STAMP_FILE" ]; then echo "APT configuration did not change; skipping apt-get update" else # We create this stamp file to ensure `apt-get update` will be run # the next time this script is invoked, and each time after, until # `apt-get update` finishes successfully. touch "$STAMP_FILE" apt-get update && rm -f "$STAMP_FILE" fi echo "$DEPENDENCIES_HASH" >"$DEPENDENCIES_HASH_FILE"