|
|
|
@ -1,10 +1,11 @@ |
|
|
|
|
{ config, lib, pkgs, services, ... }: |
|
|
|
|
with lib; |
|
|
|
|
let |
|
|
|
|
cfg = config.services.piwik; |
|
|
|
|
cfg = config.services.matomo; |
|
|
|
|
|
|
|
|
|
user = "piwik"; |
|
|
|
|
user = "matomo"; |
|
|
|
|
dataDir = "/var/lib/${user}"; |
|
|
|
|
deprecatedDataDir = "/var/lib/piwik"; |
|
|
|
|
|
|
|
|
|
pool = user; |
|
|
|
|
# it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, |
|
|
|
@ -15,15 +16,15 @@ let |
|
|
|
|
|
|
|
|
|
in { |
|
|
|
|
options = { |
|
|
|
|
services.piwik = { |
|
|
|
|
services.matomo = { |
|
|
|
|
# NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 |
|
|
|
|
# piwik issue for automatic piwik setup: https://github.com/piwik/piwik/issues/10257 |
|
|
|
|
# TODO: find a nice way to do this when more NixOS MySQL and / or piwik automatic setup stuff is implemented. |
|
|
|
|
# matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257 |
|
|
|
|
# TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented. |
|
|
|
|
enable = mkOption { |
|
|
|
|
type = types.bool; |
|
|
|
|
default = false; |
|
|
|
|
description = '' |
|
|
|
|
Enable piwik web analytics with php-fpm backend. |
|
|
|
|
Enable matomo web analytics with php-fpm backend. |
|
|
|
|
Either the nginx option or the webServerUser option is mandatory. |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
@ -32,8 +33,9 @@ in { |
|
|
|
|
type = types.nullOr types.str; |
|
|
|
|
default = null; |
|
|
|
|
example = "lighttpd"; |
|
|
|
|
# TODO: piwik.php might get renamed to matomo.php in future releases |
|
|
|
|
description = '' |
|
|
|
|
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx |
|
|
|
|
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx |
|
|
|
|
option is not used. Either this option or the nginx option is mandatory. |
|
|
|
|
If you want to use another webserver than nginx, you need to set this to that server's user |
|
|
|
|
and pass fastcgi requests to `index.php` and `piwik.php` to this socket. |
|
|
|
@ -55,7 +57,7 @@ in { |
|
|
|
|
catch_workers_output = yes |
|
|
|
|
''; |
|
|
|
|
description = '' |
|
|
|
|
Settings for phpfpm's process manager. You might need to change this depending on the load for piwik. |
|
|
|
|
Settings for phpfpm's process manager. You might need to change this depending on the load for matomo. |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
@ -65,7 +67,7 @@ in { |
|
|
|
|
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) |
|
|
|
|
{ |
|
|
|
|
# enable encryption by default, |
|
|
|
|
# as sensitive login and piwik data should not be transmitted in clear text. |
|
|
|
|
# as sensitive login and matomo data should not be transmitted in clear text. |
|
|
|
|
options.forceSSL.default = true; |
|
|
|
|
options.enableACME.default = true; |
|
|
|
|
} |
|
|
|
@ -77,10 +79,10 @@ in { |
|
|
|
|
enableACME = false; |
|
|
|
|
}; |
|
|
|
|
description = '' |
|
|
|
|
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik. |
|
|
|
|
With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo. |
|
|
|
|
Either this option or the webServerUser option is mandatory. |
|
|
|
|
Set this to {} to just enable the virtualHost if you don't need any customization. |
|
|
|
|
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active, |
|
|
|
|
If enabled, then by default, the serverName is ${user}.$\{config.networking.hostName\}, SSL is active, |
|
|
|
|
and certificates are acquired via ACME. |
|
|
|
|
If this is set to null (the default), no nginx virtualHost will be configured. |
|
|
|
|
''; |
|
|
|
@ -90,12 +92,12 @@ in { |
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable { |
|
|
|
|
warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [ |
|
|
|
|
"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed." |
|
|
|
|
"If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed." |
|
|
|
|
]; |
|
|
|
|
|
|
|
|
|
assertions = [ { |
|
|
|
|
assertion = cfg.nginx != null || cfg.webServerUser != null; |
|
|
|
|
message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory"; |
|
|
|
|
message = "Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory"; |
|
|
|
|
}]; |
|
|
|
|
|
|
|
|
|
users.extraUsers.${user} = { |
|
|
|
@ -106,19 +108,20 @@ in { |
|
|
|
|
}; |
|
|
|
|
users.extraGroups.${user} = {}; |
|
|
|
|
|
|
|
|
|
systemd.services.piwik_setup_update = { |
|
|
|
|
# everything needs to set up and up to date before piwik php files are executed |
|
|
|
|
systemd.services.matomo_setup_update = { |
|
|
|
|
# everything needs to set up and up to date before matomo php files are executed |
|
|
|
|
requiredBy = [ "${phpExecutionUnit}.service" ]; |
|
|
|
|
before = [ "${phpExecutionUnit}.service" ]; |
|
|
|
|
# the update part of the script can only work if the database is already up and running |
|
|
|
|
requires = [ databaseService ]; |
|
|
|
|
after = [ databaseService ]; |
|
|
|
|
path = [ pkgs.piwik ]; |
|
|
|
|
path = [ pkgs.matomo ]; |
|
|
|
|
serviceConfig = { |
|
|
|
|
Type = "oneshot"; |
|
|
|
|
User = user; |
|
|
|
|
# hide especially config.ini.php from other |
|
|
|
|
UMask = "0007"; |
|
|
|
|
# TODO: might get renamed to MATOMO_USER_PATH in future versions |
|
|
|
|
Environment = "PIWIK_USER_PATH=${dataDir}"; |
|
|
|
|
# chown + chmod in preStart needs root |
|
|
|
|
PermissionsStartOnly = true; |
|
|
|
@ -127,27 +130,32 @@ in { |
|
|
|
|
# e.g. after restoring from backup or moving from another system. |
|
|
|
|
# Note that ${dataDir}/config/config.ini.php might contain the MySQL password. |
|
|
|
|
preStart = '' |
|
|
|
|
# migrate data from piwik to matomo folder |
|
|
|
|
if [ -d ${deprecatedDataDir} ]; then |
|
|
|
|
echo "Migrating from ${deprecatedDataDir} to ${dataDir}" |
|
|
|
|
mv -T ${deprecatedDataDir} ${dataDir} |
|
|
|
|
fi |
|
|
|
|
chown -R ${user}:${user} ${dataDir} |
|
|
|
|
chmod -R ug+rwX,o-rwx ${dataDir} |
|
|
|
|
''; |
|
|
|
|
script = '' |
|
|
|
|
# Use User-Private Group scheme to protect piwik data, but allow administration / backup via piwik group |
|
|
|
|
# Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group |
|
|
|
|
# Copy config folder |
|
|
|
|
chmod g+s "${dataDir}" |
|
|
|
|
cp -r "${pkgs.piwik}/config" "${dataDir}/" |
|
|
|
|
cp -r "${pkgs.matomo}/config" "${dataDir}/" |
|
|
|
|
chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" |
|
|
|
|
|
|
|
|
|
# check whether user setup has already been done |
|
|
|
|
if test -f "${dataDir}/config/config.ini.php"; then |
|
|
|
|
# then execute possibly pending database upgrade |
|
|
|
|
piwik-console core:update --yes |
|
|
|
|
matomo-console core:update --yes |
|
|
|
|
fi |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
systemd.services.${phpExecutionUnit} = { |
|
|
|
|
# stop phpfpm on package upgrade, do database upgrade via piwik_setup_update, and then restart |
|
|
|
|
restartTriggers = [ pkgs.piwik ]; |
|
|
|
|
# stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart |
|
|
|
|
restartTriggers = [ pkgs.matomo ]; |
|
|
|
|
# stop config.ini.php from getting written with read permission for others |
|
|
|
|
serviceConfig.UMask = "0007"; |
|
|
|
|
}; |
|
|
|
@ -175,14 +183,15 @@ in { |
|
|
|
|
# References: |
|
|
|
|
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html |
|
|
|
|
# https://github.com/perusio/piwik-nginx |
|
|
|
|
# TODO: better default |
|
|
|
|
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx { |
|
|
|
|
# don't allow to override the root easily, as it will almost certainly break piwik. |
|
|
|
|
# don't allow to override the root easily, as it will almost certainly break matomo. |
|
|
|
|
# disadvantage: not shown as default in docs. |
|
|
|
|
root = mkForce "${pkgs.piwik}/share"; |
|
|
|
|
root = mkForce "${pkgs.matomo}/share"; |
|
|
|
|
|
|
|
|
|
# define locations here instead of as the submodule option's default |
|
|
|
|
# so that they can easily be extended with additional locations if required |
|
|
|
|
# without needing to redefine the piwik ones. |
|
|
|
|
# without needing to redefine the matomo ones. |
|
|
|
|
# disadvantage: not shown as default in docs. |
|
|
|
|
locations."/" = { |
|
|
|
|
index = "index.php"; |
|
|
|
@ -191,6 +200,7 @@ in { |
|
|
|
|
locations."= /index.php".extraConfig = '' |
|
|
|
|
fastcgi_pass unix:${phpSocket}; |
|
|
|
|
''; |
|
|
|
|
# TODO: might get renamed to matomo.php in future versions |
|
|
|
|
# allow piwik.php for tracking |
|
|
|
|
locations."= /piwik.php".extraConfig = '' |
|
|
|
|
fastcgi_pass unix:${phpSocket}; |
|
|
|
@ -212,6 +222,7 @@ in { |
|
|
|
|
locations."= /robots.txt".extraConfig = '' |
|
|
|
|
return 200 "User-agent: *\nDisallow: /\n"; |
|
|
|
|
''; |
|
|
|
|
# TODO: might get renamed to matomo.js in future versions |
|
|
|
|
# let browsers cache piwik.js |
|
|
|
|
locations."= /piwik.js".extraConfig = '' |
|
|
|
|
expires 1M; |
|
|
|
@ -221,7 +232,7 @@ in { |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
meta = { |
|
|
|
|
doc = ./piwik-doc.xml; |
|
|
|
|
doc = ./matomo-doc.xml; |
|
|
|
|
maintainers = with stdenv.lib.maintainers; [ florianjacob ]; |
|
|
|
|
}; |
|
|
|
|
} |
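Review bot: Both messages rewritten in the `@ -90,12 +92,12 @@` hunk name an option path that does not exist: the value actually tested is `cfg.webServerUser`, i.e. `services.matomo.webServerUser`, a sibling of `nginx` rather than a child of it, yet the warning reads `"If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed."` and the assertion `"Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory"`. Since the rename touches both strings anyway, this is the moment to correct them to `"If services.matomo.nginx is set, services.matomo.webServerUser is ignored and should be removed."` and `"Either services.matomo.nginx or services.matomo.webServerUser is mandatory"`, otherwise an admin chasing the assertion will look for a non-existent option. The `config = mkIf cfg.enable {` attribute set these lines belong to continues past the end of that hunk. Separately, in the `@ -127,27 +130,32 @@` hunk the migration `mv -T ${deprecatedDataDir} ${dataDir}` fails when `${dataDir}` already exists and is non-empty, which (if the preStart script runs with errexit, as NixOS service scripts normally do) aborts the setup unit and with it the php-fpm unit that `requiredBy` ties to it; this presumably only bites when an old piwik directory is restored after matomo has been initialised, but a guard such as `if [ -d ${deprecatedDataDir} ] && [ ! -d ${dataDir} ]; then` would make the migration explicit about that case instead of failing mid-activation.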