nixos/pleroma: move migrations to their own systemd unit

Running the migrations in a systemd execStartPre was a mistake. The
migrations can be pretty long to run and easily time-out.

Moving this to a proper oneshot service solves this issue and makes
this fits better the systemd execution model. We can now easily filter
the migrations logs.

1 files changed, 39 insertions, 24 deletions

diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix
index a152b72143dae..b527f4ab329ce 100644
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -1,4 +1,4 @@
-{ config, options, lib, pkgs, stdenv, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.services.pleroma;
 in {
@@ -90,21 +90,33 @@ in {
       import_config "${cfg.secretConfigFile}"
     '';
 
-    systemd.services.pleroma = {
-      description = "Pleroma social network";
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" "postgresql.service" ];
-      wantedBy = [ "multi-user.target" ];
-      restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
-      environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
-      serviceConfig = {
+    systemd.services = let
+      commonSystemdServiceConfig = {
         User = cfg.user;
         Group = cfg.group;
-        Type = "exec";
         WorkingDirectory = "~";
         StateDirectory = "pleroma pleroma/static pleroma/uploads";
         StateDirectoryMode = "700";
+        # Systemd sandboxing directives.
+        # Taken from the upstream contrib systemd service at
+        # pleroma/installation/pleroma.service
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectSystem = "full";
+        PrivateDevices = false;
+        NoNewPrivileges = true;
+        CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+      };
 
+    in {
+    pleroma-migrations = {
+      description = "Pleroma social network migrations";
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" "postgresql.service" ];
+      wantedBy = [ "pleroma.service" ];
+      environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
+      serviceConfig = commonSystemdServiceConfig // {
+        Type = "oneshot";
         # Checking the conf file is there then running the database
         # migration before each service start, just in case there are
         # some pending ones.
@@ -112,8 +124,8 @@ in {
         # It's sub-optimal as we'll always run this, even if pleroma
         # has not been updated. But the no-op process is pretty fast.
         # Better be safe than sorry migration-wise.
-        ExecStartPre =
-          let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
+        ExecStart =
+          let preScript = pkgs.writers.writeBashBin "pleroma-migrations" ''
             if [ ! -f /var/lib/pleroma/.cookie ]
             then
               echo "Creating cookie file"
@@ -121,26 +133,29 @@ in {
             fi
             ${cfg.package}/bin/pleroma_ctl migrate
           '';
-          in "${preScript}/bin/pleromaStartPre";
+          in "${preScript}/bin/pleroma-migrations";
+      };
+      # disksup requires bash
+      path = [ pkgs.bash ];
+    };
 
+    pleroma = {
+      description = "Pleroma social network";
+      wants = [ "pleroma-migrations.service" ];
+      after = [ "pleroma-migrations.service" ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
+      environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
+      serviceConfig = commonSystemdServiceConfig // {
+        Type = "exec";
         ExecStart = "${cfg.package}/bin/pleroma start";
         ExecStop = "${cfg.package}/bin/pleroma stop";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-
-        # Systemd sandboxing directives.
-        # Taken from the upstream contrib systemd service at
-        # pleroma/installation/pleroma.service
-        PrivateTmp = true;
-        ProtectHome = true;
-        ProtectSystem = "full";
-        PrivateDevices = false;
-        NoNewPrivileges = true;
-        CapabilityBoundingSet = "~CAP_SYS_ADMIN";
       };
       # disksup requires bash
       path = [ pkgs.bash ];
     };
-
+    };
   };
   meta.maintainers = with lib.maintainers; [ picnoir ];
   meta.doc = ./pleroma.md;