indico: slightly better socket/unit config

Signed-off-by: Jeltz <jeltz@federez.net>
2025-02-28 11:07:01 +01:00 · 2025-02-28 11:07:01 +01:00 · b1039a6859
commit b1039a6859
parent e47358876e
1 changed files with 28 additions and 18 deletions
--- a/modules/indico.nix
+++ b/modules/indico.nix
@ -18,7 +18,7 @@ let
  ++ lib.optionals (cfg.ldap != null)
    indico.optional-dependencies.ldap);
  redisSocket = config.services.redis.servers.${cfg.redis.name}.unixSocket;
-  indicoSocket = "/run/indico/indico.sock";
+  indicoSocket = "${cfg.stateDir}/indico.sock";
  baseDir = "${pythonEnv}/${pythonEnv.sitePackages}/indico";
  loggingFile = yamlFmt.generate "logging.yaml" {
    version = 1;
@ -403,7 +403,7 @@ in {
    };

    systemd.tmpfiles.rules = [
-      "d '${cfg.stateDir}'       0750 ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.stateDir}'       0755 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.stateDir}/cache' 0750 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.stateDir}/tmp'   0750 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.storageDir}'     0750 ${cfg.user} ${cfg.group} - -"
@ -415,15 +415,12 @@ in {
          CREATE EXTENSION IF NOT EXISTS unaccent;
          CREATE EXTENSION IF NOT EXISTS pg_trgm;
        '';
-        # TODO StateDirectory, CacheDirectory?
        common = {
          environment.INDICO_CONFIG = configFile;
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
            Group = cfg.group;
            User = cfg.user;
-            # Restart = "on-failure";
-            RuntimeDirectory = "indico";
          };
        };
      in
@ -432,13 +429,13 @@ in {
          description = "Indico database preparation and upgrade";
          after = [ "postgresql.service" ];
          serviceConfig.Type = "oneshot";
-          # Source: pretalx module ; passer par un service oneshot
+          # Source: pretalx module
          script = ''
            versionFile="${cfg.stateDir}/version"
            if [[ ! -f "$versionFile" ]]; then
              ${lib.getExe' config.services.postgresql.package "psql"} \
-                -d "${cfg.database}" \
-                -c "${psqlExtensionsCommands}"
+                -d ${lib.escapeShellArg cfg.database} \
+                -c ${lib.escapeShellArg psqlExtensionsCommands}
              ${lib.getExe' pythonEnv "indico"} db prepare
              echo "${indico.version}" > "$versionFile"
            fi
@ -473,20 +470,33 @@ in {
            "indico-worker.service"
            "indico-db.service"
          ];
-          # TODO bind on a TCP socket when cfg.nginx.enable == false?
-          serviceConfig.ExecStart = ''
-            ${lib.getExe' pythonEnv "gunicorn"} \
-              --bind unix:${indicoSocket} \
-              --name=indico \
-              indico.web.wsgi
-          '';
+          # TODO bind TCP si pas nginx
+          serviceConfig = {
+            Type = "notify";
+            NotifyAccess = "main";
+            ExecStart = ''
+              ${lib.getExe' pythonEnv "gunicorn"} \
+                --name=indico indico.web.wsgi
+            '';
+            ExecReload = "/bin/kill -s HUP $MAINPID";
+            KillMode = "mixed";
+            PrivateTmp = "true";
+          };
        };
      };

    systemd.sockets = lib.mkIf cfg.nginx.enable {
-      indico-web.socketConfig = {
-        ListenStream = indicoSocket;
-        SocketUser = config.services.nginx.user;
+      indico-web = {
+        description = "Indico socket";
+        wantedBy = [ "sockets.target" ];
+        partOf = [ "indico-web.service" ];
+        before = [ "nginx.service" ];
+        socketConfig = {
+          ListenStream = indicoSocket;
+          SocketUser = cfg.user;
+          SocketGroup = cfg.group;
+          SocketMode = "0660";
+        };
      };
    };