movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

Merge pull request #47747 from florianjacob/matomo-archive-processing-service

Browse source 
Matomo archive processing service
This commit is contained in:
Silvan Mosberger 2019-02-14 21:05:16 +01:00 committed by GitHub
commit c84488329b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 110 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

17
nixos/doc/manual/release-notes/rl-1903.xml
View file

@ -412,6 +412,23 @@
<option>services.matomo.package</option> which determines the used <option>services.matomo.package</option> which determines the used
Matomo version. Matomo version.
</para> </para>
<para>
The Matomo module now also comes with the systemd service <literal>matomo-archive-processing.service</literal>
and a timer that automatically triggers archive processing every hour.
This means that you can safely
<link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
disable browser triggers for Matomo archiving
</link> at <literal>Administration > System > General Settings</literal>.
</para>
<para>
Additionally, you can enable to
<link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
delete old visitor logs
</link> at <literal>Administration > System > Privacy</literal>,
but make sure that you run <literal>systemctl start matomo-archive-processing.service</literal>
at least once without errors if you have already collected data before,
so that the reports get archived before the source data gets deleted.
</para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>

32
nixos/modules/services/web-apps/matomo-doc.xml
View file

@ -12,15 +12,15 @@
An automatic setup is not suported by Matomo, so you need to configure Matomo An automatic setup is not suported by Matomo, so you need to configure Matomo
itself in the browser-based Matomo setup. itself in the browser-based Matomo setup.
</para> </para>
<section xml:id="module-services-matomo-database-setup"> <section xml:id="module-services-matomo-database-setup">
<title>Database Setup</title> <title>Database Setup</title>
<para> <para>
You also need to configure a MariaDB or MySQL database and -user for Matomo You also need to configure a MariaDB or MySQL database and -user for Matomo
yourself, and enter those credentials in your browser. You can use yourself, and enter those credentials in your browser. You can use
passwordless database authentication via the UNIX_SOCKET authentication passwordless database authentication via the UNIX_SOCKET authentication
plugin with the following SQL commands: plugin with the following SQL commands:
<programlisting> <programlisting>
# For MariaDB # For MariaDB
INSTALL PLUGIN unix_socket SONAME 'auth_socket'; INSTALL PLUGIN unix_socket SONAME 'auth_socket';
CREATE DATABASE matomo; CREATE DATABASE matomo;
@ -32,7 +32,7 @@
CREATE DATABASE matomo; CREATE DATABASE matomo;
CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket; CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket;
GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
</programlisting> </programlisting>
Then fill in <literal>matomo</literal> as database user and database name, Then fill in <literal>matomo</literal> as database user and database name,
and leave the password field blank. This authentication works by allowing and leave the password field blank. This authentication works by allowing
only the <literal>matomo</literal> unix user to authenticate as the only the <literal>matomo</literal> unix user to authenticate as the
@ -46,9 +46,30 @@
database is not on the same host. database is not on the same host.
</para> </para>
</section> </section>
<section>
<title>Archive Processing</title>
<para>
This module comes with the systemd service <literal>matomo-archive-processing.service</literal>
and a timer that automatically triggers archive processing every hour.
This means that you can safely
<link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
disable browser triggers for Matomo archiving
</link> at <literal>Administration > System > General Settings</literal>.
</para>
<para>
With automatic archive processing, you can now also enable to
<link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
delete old visitor logs
</link> at <literal>Administration > System > Privacy</literal>,
but make sure that you run <literal>systemctl start matomo-archive-processing.service</literal>
at least once without errors if you have already collected data before,
so that the reports get archived before the source data gets deleted.
</para>
</section>
<section xml:id="module-services-matomo-backups"> <section xml:id="module-services-matomo-backups">
<title>Backup</title> <title>Backup</title>
<para> <para>
You only need to take backups of your MySQL database and the You only need to take backups of your MySQL database and the
<filename>/var/lib/matomo/config/config.ini.php</filename> file. Use a user <filename>/var/lib/matomo/config/config.ini.php</filename> file. Use a user
@ -57,9 +78,9 @@
<link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />. <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />.
</para> </para>
</section> </section>
<section xml:id="module-services-matomo-issues"> <section xml:id="module-services-matomo-issues">
<title>Issues</title> <title>Issues</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
@ -76,6 +97,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="module-services-matomo-other-web-servers"> <section xml:id="module-services-matomo-other-web-servers">
<title>Using other Web Servers than nginx</title> <title>Using other Web Servers than nginx</title>

82
nixos/modules/services/web-apps/matomo.nix
View file

@ -23,20 +23,24 @@ in {
options = { options = {
services.matomo = { services.matomo = {
# NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963
# matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257 # Matomo issue for automatic Matomo setup: https://github.com/matomo-org/matomo/issues/10257
# TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented. # TODO: find a nice way to do this when more NixOS MySQL and / or Matomo automatic setup stuff is implemented.
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''
Enable matomo web analytics with php-fpm backend. Enable Matomo web analytics with php-fpm backend.
Either the nginx option or the webServerUser option is mandatory. Either the nginx option or the webServerUser option is mandatory.
''; '';
}; };
package = mkOption { package = mkOption {
type = types.package; type = types.package;
description = "Matomo package to use"; description = ''
Matomo package for the service to use.
This can be used to point to newer releases from nixos-unstable,
as they don't get backported if they are not security-relevant.
'';
default = pkgs.matomo; default = pkgs.matomo;
defaultText = "pkgs.matomo"; defaultText = "pkgs.matomo";
}; };
@ -47,13 +51,27 @@ in {
example = "lighttpd"; example = "lighttpd";
# TODO: piwik.php might get renamed to matomo.php in future releases # TODO: piwik.php might get renamed to matomo.php in future releases
description = '' description = ''
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for Matomo if the nginx
option is not used. Either this option or the nginx option is mandatory. option is not used. Either this option or the nginx option is mandatory.
If you want to use another webserver than nginx, you need to set this to that server's user If you want to use another webserver than nginx, you need to set this to that server's user
and pass fastcgi requests to `index.php` and `piwik.php` to this socket. and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
''; '';
}; };
periodicArchiveProcessing = mkOption {
type = types.bool;
default = true;
description = ''
Enable periodic archive processing, which generates aggregated reports from the visits.
This means that you can safely disable browser triggers for Matomo archiving,
and safely enable to delete old visitor logs.
Before deleting visitor logs,
make sure though that you run <literal>systemctl start matomo-archive-processing.service</literal>
at least once without errors if you have already collected data before.
'';
};
phpfpmProcessManagerConfig = mkOption { phpfpmProcessManagerConfig = mkOption {
type = types.str; type = types.str;
default = '' default = ''
@ -69,7 +87,7 @@ in {
catch_workers_output = yes catch_workers_output = yes
''; '';
description = '' description = ''
Settings for phpfpm's process manager. You might need to change this depending on the load for matomo. Settings for phpfpm's process manager. You might need to change this depending on the load for Matomo.
''; '';
}; };
@ -79,7 +97,7 @@ in {
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
{ {
# enable encryption by default, # enable encryption by default,
# as sensitive login and matomo data should not be transmitted in clear text. # as sensitive login and Matomo data should not be transmitted in clear text.
options.forceSSL.default = true; options.forceSSL.default = true;
options.enableACME.default = true; options.enableACME.default = true;
} }
@ -94,7 +112,7 @@ in {
enableACME = false; enableACME = false;
}; };
description = '' description = ''
With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo. With this option, you can customize an nginx virtualHost which already has sensible defaults for Matomo.
Either this option or the webServerUser option is mandatory. Either this option or the webServerUser option is mandatory.
Set this to {} to just enable the virtualHost if you don't need any customization. Set this to {} to just enable the virtualHost if you don't need any customization.
If enabled, then by default, the <option>serverName</option> is If enabled, then by default, the <option>serverName</option> is
@ -124,29 +142,30 @@ in {
}; };
users.groups.${user} = {}; users.groups.${user} = {};
systemd.services.matomo_setup_update = { systemd.services.matomo-setup-update = {
# everything needs to set up and up to date before matomo php files are executed # everything needs to set up and up to date before Matomo php files are executed
requiredBy = [ "${phpExecutionUnit}.service" ]; requiredBy = [ "${phpExecutionUnit}.service" ];
before = [ "${phpExecutionUnit}.service" ]; before = [ "${phpExecutionUnit}.service" ];
# the update part of the script can only work if the database is already up and running # the update part of the script can only work if the database is already up and running
requires = [ databaseService ]; requires = [ databaseService ];
after = [ databaseService ]; after = [ databaseService ];
path = [ cfg.package ]; path = [ cfg.package ];
environment.PIWIK_USER_PATH = dataDir;
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = user; User = user;
# hide especially config.ini.php from other # hide especially config.ini.php from other
UMask = "0007"; UMask = "0007";
# TODO: might get renamed to MATOMO_USER_PATH in future versions # TODO: might get renamed to MATOMO_USER_PATH in future versions
Environment = "PIWIK_USER_PATH=${dataDir}";
# chown + chmod in preStart needs root # chown + chmod in preStart needs root
PermissionsStartOnly = true; PermissionsStartOnly = true;
}; };
# correct ownership and permissions in case they're not correct anymore, # correct ownership and permissions in case they're not correct anymore,
# e.g. after restoring from backup or moving from another system. # e.g. after restoring from backup or moving from another system.
# Note that ${dataDir}/config/config.ini.php might contain the MySQL password. # Note that ${dataDir}/config/config.ini.php might contain the MySQL password.
preStart = '' preStart = ''
# migrate data from piwik to matomo folder # migrate data from piwik to Matomo folder
if [ -d ${deprecatedDataDir} ]; then if [ -d ${deprecatedDataDir} ]; then
echo "Migrating from ${deprecatedDataDir} to ${dataDir}" echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
mv -T ${deprecatedDataDir} ${dataDir} mv -T ${deprecatedDataDir} ${dataDir}
@ -155,7 +174,7 @@ in {
chmod -R ug+rwX,o-rwx ${dataDir} chmod -R ug+rwX,o-rwx ${dataDir}
''; '';
script = '' script = ''
# Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group # Use User-Private Group scheme to protect Matomo data, but allow administration / backup via 'matomo' group
# Copy config folder # Copy config folder
chmod g+s "${dataDir}" chmod g+s "${dataDir}"
cp -r "${cfg.package}/config" "${dataDir}/" cp -r "${cfg.package}/config" "${dataDir}/"
@ -169,8 +188,39 @@ in {
''; '';
}; };
# If this is run regularly via the timer,
# 'Browser trigger archiving' can be disabled in Matomo UI > Settings > General Settings.
systemd.services.matomo-archive-processing = {
description = "Archive Matomo reports";
# the archiving can only work if the database is already up and running
requires = [ databaseService ];
after = [ databaseService ];
# TODO: might get renamed to MATOMO_USER_PATH in future versions
environment.PIWIK_USER_PATH = dataDir;
serviceConfig = {
Type = "oneshot";
User = user;
UMask = "0007";
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
ExecStart = "${cfg.package}/bin/matomo-console core:archive --url=https://${user}.${fqdn}";
};
};
systemd.timers.matomo-archive-processing = mkIf cfg.periodicArchiveProcessing {
description = "Automatically archive Matomo reports every hour";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "hourly";
Persistent = "yes";
AccuracySec = "10m";
};
};
systemd.services.${phpExecutionUnit} = { systemd.services.${phpExecutionUnit} = {
# stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart # stop phpfpm on package upgrade, do database upgrade via matomo-setup-update, and then restart
restartTriggers = [ cfg.package ]; restartTriggers = [ cfg.package ];
# stop config.ini.php from getting written with read permission for others # stop config.ini.php from getting written with read permission for others
serviceConfig.UMask = "0007"; serviceConfig.UMask = "0007";
@ -200,13 +250,13 @@ in {
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
# https://github.com/perusio/piwik-nginx # https://github.com/perusio/piwik-nginx
"${user}.${fqdn}" = mkMerge [ cfg.nginx { "${user}.${fqdn}" = mkMerge [ cfg.nginx {
# don't allow to override the root easily, as it will almost certainly break matomo. # don't allow to override the root easily, as it will almost certainly break Matomo.
# disadvantage: not shown as default in docs. # disadvantage: not shown as default in docs.
root = mkForce "${cfg.package}/share"; root = mkForce "${cfg.package}/share";
# define locations here instead of as the submodule option's default # define locations here instead of as the submodule option's default
# so that they can easily be extended with additional locations if required # so that they can easily be extended with additional locations if required
# without needing to redefine the matomo ones. # without needing to redefine the Matomo ones.
# disadvantage: not shown as default in docs. # disadvantage: not shown as default in docs.
locations."/" = { locations."/" = {
index = "index.php"; index = "index.php";