kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

nixos/piwik: rename to matomo

Browse Source
wip/yesman
Florian Jacob 6 years ago
parent d431aed997
commit 48e449ee70
6 changed files with 99 additions and 48 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 34
      nixos/doc/manual/release-notes/rl-1803.xml
  2. 2
      nixos/modules/module-list.nix
  3. 6
      nixos/modules/rename.nix
  4. 2
      nixos/modules/services/databases/mysql.nix
  5. 42
      nixos/modules/services/web-apps/matomo-doc.xml
  6. 61
      nixos/modules/services/web-apps/matomo.nix

34
nixos/doc/manual/release-notes/rl-1803.xml
Unescape View File

@ -239,6 +239,40 @@ following incompatible changes:</para>
<link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>.
</para>
</listitem>
<listitem>
<para>
The Piwik analytics software was renamed to Matomo:
<itemizedlist>
<listitem>
<para>The package <literal>pkgs.piwik</literal> was renamed to <literal>pkgs.matomo</literal>.</para>
</listitem>
<listitem>
<para>The service <literal>services.piwik</literal> was renamed to <literal>services.matomo</literal>.</para>
</listitem>
<listitem>
<para>
The data directory <filename>/var/lib/piwik</filename> was renamed to <filename>/var/lib/matomo</filename>.
All files will be moved automatically on first startup, but you might need to adjust your backup scripts.
</para>
</listitem>
<listitem>
<para>
The <literal>piwik</literal> user was renamed to <literal>matomo</literal>.
The service will adjust ownership automatically for files in the data directory.
If you use unix socket authentication, remember to give the new <literal>matomo</literal> user
access to the database and to change the <literal>username</literal> to <literal>matomo</literal>
in the <literal>[database]</literal> section of <filename>/var/lib/matomo/config/config.ini.php</filename>.
</para>
</listitem>
<listitem>
<para>
If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean,
but this is neither enforced nor required.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</itemizedlist>
</section>

2
nixos/modules/module-list.nix
Unescape View File

@ -637,7 +637,7 @@
./services/web-apps/nixbot.nix
./services/web-apps/nexus.nix
./services/web-apps/pgpkeyserver-lite.nix
./services/web-apps/piwik.nix
./services/web-apps/matomo.nix
./services/web-apps/pump.io.nix
./services/web-apps/restya-board.nix
./services/web-apps/tt-rss.nix

6
nixos/modules/rename.nix
Unescape View File

@ -148,6 +148,12 @@ with lib;
# parsoid
(mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
# piwik was renamed to matomo
(mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ])
(mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ])
(mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ])
(mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ])
# tarsnap
(mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir")

2
nixos/modules/services/databases/mysql.nix
Unescape View File

@ -133,7 +133,7 @@ in
'';
example = [
"nextcloud"
"piwik"
"matomo"
];
};

42
nixos/modules/services/web-apps/piwik-doc.xml → nixos/modules/services/web-apps/matomo-doc.xml
Unescape View File

@ -2,16 +2,16 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="module-services-piwik">
xml:id="module-services-matomo">
<title>Piwik</title>
<title>Matomo</title>
<para>
Piwik is a real-time web analytics application.
This module configures php-fpm as backend for piwik, optionally configuring an nginx vhost as well.
Matomo is a real-time web analytics application.
This module configures php-fpm as backend for Matomo, optionally configuring an nginx vhost as well.
</para>
<para>
An automatic setup is not suported by piwik, so you need to configure piwik itself in the browser-based piwik setup.
An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup.
</para>
@ -19,7 +19,7 @@
<title>Database Setup</title>
<para>
You also need to configure a MariaDB or MySQL database and -user for piwik yourself,
You also need to configure a MariaDB or MySQL database and -user for Matomo yourself,
and enter those credentials in your browser.
You can use passwordless database authentication via the UNIX_SOCKET authentication plugin
with the following SQL commands:
@ -27,20 +27,20 @@
<programlisting>
# For MariaDB
INSTALL PLUGIN unix_socket SONAME 'auth_socket';
CREATE DATABASE piwik;
CREATE USER 'piwik'@'localhost' IDENTIFIED WITH unix_socket;
GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
CREATE DATABASE matomo;
CREATE USER 'matomo'@'localhost' IDENTIFIED WITH unix_socket;
GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
# For MySQL
INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
CREATE DATABASE piwik;
CREATE USER 'piwik'@'localhost' IDENTIFIED WITH auth_socket;
GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
CREATE DATABASE matomo;
CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket;
GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
</programlisting>
Then fill in <literal>piwik</literal> as database user and database name, and leave the password field blank.
This authentication works by allowing only the <literal>piwik</literal> unix user to authenticate as the
<literal>piwik</literal> database user (without needing a password), but no other users.
Then fill in <literal>matomo</literal> as database user and database name, and leave the password field blank.
This authentication works by allowing only the <literal>matomo</literal> unix user to authenticate as the
<literal>matomo</literal> database user (without needing a password), but no other users.
For more information on passwordless login, see
<link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />.
</para>
@ -55,9 +55,9 @@
<title>Backup</title>
<para>
You only need to take backups of your MySQL database and the
<filename>/var/lib/piwik/config/config.ini.php</filename> file.
Use a user in the <literal>piwik</literal> group or root to access the file.
For more information, see <link xlink:href="https://piwik.org/faq/how-to-install/faq_138/" />.
<filename>/var/lib/matomo/config/config.ini.php</filename> file.
Use a user in the <literal>matomo</literal> group or root to access the file.
For more information, see <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />.
</para>
</section>
@ -67,14 +67,14 @@
<itemizedlist>
<listitem>
<para>
Piwik's file integrity check will warn you.
Matomo's file integrity check will warn you.
This is due to the patches necessary for NixOS, you can safely ignore this.
</para>
</listitem>
<listitem>
<para>
Piwik will warn you that the JavaScript tracker is not writable.
Matomo will warn you that the JavaScript tracker is not writable.
This is because it's located in the read-only nix store.
You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
</para>
@ -88,7 +88,7 @@
<para>
You can use other web servers by forwarding calls for <filename>index.php</filename> and
<filename>piwik.php</filename> to the <literal>/run/phpfpm-piwik.sock</literal> fastcgi unix socket.
<filename>piwik.php</filename> to the <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket.
You can use the nginx configuration in the module code as a reference to what else should be configured.
</para>
</section>

61
nixos/modules/services/web-apps/piwik.nix → nixos/modules/services/web-apps/matomo.nix
Unescape View File

@ -1,10 +1,11 @@
{ config, lib, pkgs, services, ... }:
with lib;
let
cfg = config.services.piwik;
cfg = config.services.matomo;
user = "piwik";
user = "matomo";
dataDir = "/var/lib/${user}";
deprecatedDataDir = "/var/lib/piwik";
pool = user;
# it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
@ -15,15 +16,15 @@ let
in {
options = {
services.piwik = {
services.matomo = {
# NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963
# piwik issue for automatic piwik setup: https://github.com/piwik/piwik/issues/10257
# TODO: find a nice way to do this when more NixOS MySQL and / or piwik automatic setup stuff is implemented.
# matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257
# TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented.
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable piwik web analytics with php-fpm backend.
Enable matomo web analytics with php-fpm backend.
Either the nginx option or the webServerUser option is mandatory.
'';
};
@ -32,8 +33,9 @@ in {
type = types.nullOr types.str;
default = null;
example = "lighttpd";
# TODO: piwik.php might get renamed to matomo.php in future releases
description = ''
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx
option is not used. Either this option or the nginx option is mandatory.
If you want to use another webserver than nginx, you need to set this to that server's user
and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
@ -55,7 +57,7 @@ in {
catch_workers_output = yes
'';
description = ''
Settings for phpfpm's process manager. You might need to change this depending on the load for piwik.
Settings for phpfpm's process manager. You might need to change this depending on the load for matomo.
'';
};
@ -65,7 +67,7 @@ in {
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
{
# enable encryption by default,
# as sensitive login and piwik data should not be transmitted in clear text.
# as sensitive login and matomo data should not be transmitted in clear text.
options.forceSSL.default = true;
options.enableACME.default = true;
}
@ -77,10 +79,10 @@ in {
enableACME = false;
};
description = ''
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo.
Either this option or the webServerUser option is mandatory.
Set this to {} to just enable the virtualHost if you don't need any customization.
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
If enabled, then by default, the serverName is ${user}.$\{config.networking.hostName\}, SSL is active,
and certificates are acquired via ACME.
If this is set to null (the default), no nginx virtualHost will be configured.
'';
@ -90,12 +92,12 @@ in {
config = mkIf cfg.enable {
warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."
"If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed."
];
assertions = [ {
assertion = cfg.nginx != null || cfg.webServerUser != null;
message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";
message = "Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory";
}];
users.extraUsers.${user} = {
@ -106,19 +108,20 @@ in {
};
users.extraGroups.${user} = {};
systemd.services.piwik_setup_update = {
# everything needs to set up and up to date before piwik php files are executed
systemd.services.matomo_setup_update = {
# everything needs to set up and up to date before matomo php files are executed
requiredBy = [ "${phpExecutionUnit}.service" ];
before = [ "${phpExecutionUnit}.service" ];
# the update part of the script can only work if the database is already up and running
requires = [ databaseService ];
after = [ databaseService ];
path = [ pkgs.piwik ];
path = [ pkgs.matomo ];
serviceConfig = {
Type = "oneshot";
User = user;
# hide especially config.ini.php from other
UMask = "0007";
# TODO: might get renamed to MATOMO_USER_PATH in future versions
Environment = "PIWIK_USER_PATH=${dataDir}";
# chown + chmod in preStart needs root
PermissionsStartOnly = true;
@ -127,27 +130,32 @@ in {
# e.g. after restoring from backup or moving from another system.
# Note that ${dataDir}/config/config.ini.php might contain the MySQL password.
preStart = ''
# migrate data from piwik to matomo folder
if [ -d ${deprecatedDataDir} ]; then
echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
mv -T ${deprecatedDataDir} ${dataDir}
fi
chown -R ${user}:${user} ${dataDir}
chmod -R ug+rwX,o-rwx ${dataDir}
'';
script = ''
# Use User-Private Group scheme to protect piwik data, but allow administration / backup via piwik group
# Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group
# Copy config folder
chmod g+s "${dataDir}"
cp -r "${pkgs.piwik}/config" "${dataDir}/"
cp -r "${pkgs.matomo}/config" "${dataDir}/"
chmod -R u+rwX,g+rwX,o-rwx "${dataDir}"
# check whether user setup has already been done
if test -f "${dataDir}/config/config.ini.php"; then
# then execute possibly pending database upgrade
piwik-console core:update --yes
matomo-console core:update --yes
fi
'';
};
systemd.services.${phpExecutionUnit} = {
# stop phpfpm on package upgrade, do database upgrade via piwik_setup_update, and then restart
restartTriggers = [ pkgs.piwik ];
# stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart
restartTriggers = [ pkgs.matomo ];
# stop config.ini.php from getting written with read permission for others
serviceConfig.UMask = "0007";
};
@ -175,14 +183,15 @@ in {
# References:
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
# https://github.com/perusio/piwik-nginx
# TODO: better default
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
# don't allow to override the root easily, as it will almost certainly break piwik.
# don't allow to override the root easily, as it will almost certainly break matomo.
# disadvantage: not shown as default in docs.
root = mkForce "${pkgs.piwik}/share";
root = mkForce "${pkgs.matomo}/share";
# define locations here instead of as the submodule option's default
# so that they can easily be extended with additional locations if required
# without needing to redefine the piwik ones.
# without needing to redefine the matomo ones.
# disadvantage: not shown as default in docs.
locations."/" = {
index = "index.php";
@ -191,6 +200,7 @@ in {
locations."= /index.php".extraConfig = ''
fastcgi_pass unix:${phpSocket};
'';
# TODO: might get renamed to matomo.php in future versions
# allow piwik.php for tracking
locations."= /piwik.php".extraConfig = ''
fastcgi_pass unix:${phpSocket};
@ -212,6 +222,7 @@ in {
locations."= /robots.txt".extraConfig = ''
return 200 "User-agent: *\nDisallow: /\n";
'';
# TODO: might get renamed to matomo.js in future versions
# let browsers cache piwik.js
locations."= /piwik.js".extraConfig = ''
expires 1M;
@ -221,7 +232,7 @@ in {
};
meta = {
doc = ./piwik-doc.xml;
doc = ./matomo-doc.xml;
maintainers = with stdenv.lib.maintainers; [ florianjacob ];
};
}
Write Preview
Loading…
Cancel
Save