1 files changed, 18 insertions, 7 deletions

diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 8a3499e..a403f21 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -148,6 +148,8 @@
                    (default "https://auth.genenetwork.org"))
   (gn2-server-url gn-uploader-configuration-gn2-server-url
                   (default "https://genenetwork.org"))
+  (sessions-dir gn-uploader-sessions-dir
+                (default "/var/genenetwork/sessions/gn-uploader"))
   (log-level gn-uploader-configuration-log-level
              (default 'warning)
              (sanitize sanitize-log-level)))
@@ -682,14 +684,18 @@ a @code{<genenetwork-configuration>} record."
 
 (define (gn-uploader-activation config)
   (match-record config <gn-uploader-configuration>
-    (secrets data-directory)
+    (secrets data-directory sessions-dir)
     (with-imported-modules '((guix build utils))
       #~(begin
           (use-modules (guix build utils))
           ;; Let service user own their own secrets files.
-          (chown #$secrets
-                 (passwd:uid (getpw "gunicorn-gn-uploader"))
-                 (passwd:gid (getpw "gunicorn-gn-uploader")))
+          (for-each (lambda (file)
+                      (chown file
+                             (passwd:uid (getpw "gunicorn-gn-uploader"))
+                             (passwd:gid (getpw "gunicorn-gn-uploader"))))
+                    (append (list #$secrets)
+                            (find-files #$sessions-dir
+                                        #:directories? #t)))
           ;; Set owner-only permissions on secrets files.
           (for-each (lambda (file)
                       (chmod file #o600))
@@ -705,7 +711,7 @@ a @code{<genenetwork-configuration>} record."
 
 (define (gn-uploader-gunicorn-app config)
   (match-record config <gn-uploader-configuration>
-    (gn-uploader sql-uri port data-directory secrets log-level auth-server-url gn2-server-url)
+    (gn-uploader sql-uri port data-directory secrets log-level auth-server-url gn2-server-url sessions-dir)
     ;; If we mapped only the mysqld.sock socket file, it would break
     ;; when the external mysqld server is restarted.
     (let* ((database-mapping (file-system-mapping
@@ -719,7 +725,8 @@ a @code{<genenetwork-configuration>} record."
                                                ("UPLOAD_FOLDER" ,(string-append data-directory
                                                                                 "/uploads"))
                                                ("AUTH_SERVER_URL" ,auth-server-url)
-                                               ("GN2_SERVER_URL" ,gn2-server-url)))))
+                                               ("GN2_SERVER_URL" ,gn2-server-url)
+                                               ("SESSION_FILESYSTEM_CACHE_PATH" ,sessions-dir)))))
            (gn-uploader-profile (profile
                                  (content (package->development-manifest gn-uploader))
                                  (allow-collisions? #t)))
@@ -760,7 +767,11 @@ a @code{<genenetwork-configuration>} record."
                               (target source))
                              (file-system-mapping
                               (source gn-uploader-ca-bundle)
-                              (target source))))
+                              (target source))
+                             (file-system-mapping
+                              (source sessions-dir)
+                              (target source)
+                              (writable? #t))))
              (extra-cli-arguments
               (list "--log-level"
                     (string-upcase (symbol->string log-level)))))))))