nixos/piwik: rename to matomo

Florian Jacob 2018-01-16 18:44:27 +01:00
parent d431aed997
commit 48e449ee70
6 changed files with 99 additions and 48 deletions


@ -239,6 +239,40 @@ following incompatible changes:</para>
<link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>. <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The Piwik analytics software was renamed to Matomo:
<itemizedlist>
<listitem>
<para>The package <literal>pkgs.piwik</literal> was renamed to <literal>pkgs.matomo</literal>.</para>
</listitem>
<listitem>
<para>The service <literal>services.piwik</literal> was renamed to <literal>services.matomo</literal>.</para>
</listitem>
<listitem>
<para>
The data directory <filename>/var/lib/piwik</filename> was renamed to <filename>/var/lib/matomo</filename>.
All files will be moved automatically on first startup, but you might need to adjust your backup scripts.
</para>
</listitem>
<listitem>
<para>
The <literal>piwik</literal> user was renamed to <literal>matomo</literal>.
The service will adjust ownership automatically for files in the data directory.
If you use unix socket authentication, remember to give the new <literal>matomo</literal> user
access to the database and to change the <literal>username</literal> to <literal>matomo</literal>
in the <literal>[database]</literal> section of <filename>/var/lib/matomo/config/config.ini.php</filename>.
</para>
</listitem>
<listitem>
<para>
If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean,
but this is neither enforced nor required.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>


@ -637,7 +637,7 @@
./services/web-apps/nixbot.nix ./services/web-apps/nixbot.nix
./services/web-apps/nexus.nix ./services/web-apps/nexus.nix
./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/pgpkeyserver-lite.nix
./services/web-apps/piwik.nix ./services/web-apps/matomo.nix
./services/web-apps/pump.io.nix ./services/web-apps/pump.io.nix
./services/web-apps/restya-board.nix ./services/web-apps/restya-board.nix
./services/web-apps/tt-rss.nix ./services/web-apps/tt-rss.nix


@ -148,6 +148,12 @@ with lib;
# parsoid # parsoid
(mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ]) (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
# piwik was renamed to matomo
(mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ])
(mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ])
(mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ])
(mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ])
# tarsnap # tarsnap
(mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir")


@ -133,7 +133,7 @@ in
''; '';
example = [ example = [
"nextcloud" "nextcloud"
"piwik" "matomo"
]; ];
}; };


@ -2,16 +2,16 @@
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0" version="5.0"
xml:id="module-services-piwik"> xml:id="module-services-matomo">
<title>Piwik</title> <title>Matomo</title>
<para> <para>
Piwik is a real-time web analytics application. Matomo is a real-time web analytics application.
This module configures php-fpm as backend for piwik, optionally configuring an nginx vhost as well. This module configures php-fpm as backend for Matomo, optionally configuring an nginx vhost as well.
</para> </para>
<para> <para>
An automatic setup is not suported by piwik, so you need to configure piwik itself in the browser-based piwik setup. An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup.
</para> </para>
@ -19,7 +19,7 @@
<title>Database Setup</title> <title>Database Setup</title>
<para> <para>
You also need to configure a MariaDB or MySQL database and -user for piwik yourself, You also need to configure a MariaDB or MySQL database and -user for Matomo yourself,
and enter those credentials in your browser. and enter those credentials in your browser.
You can use passwordless database authentication via the UNIX_SOCKET authentication plugin You can use passwordless database authentication via the UNIX_SOCKET authentication plugin
with the following SQL commands: with the following SQL commands:
@ -27,20 +27,20 @@
<programlisting> <programlisting>
# For MariaDB # For MariaDB
INSTALL PLUGIN unix_socket SONAME 'auth_socket'; INSTALL PLUGIN unix_socket SONAME 'auth_socket';
CREATE DATABASE piwik; CREATE DATABASE matomo;
CREATE USER 'piwik'@'localhost' IDENTIFIED WITH unix_socket; CREATE USER 'matomo'@'localhost' IDENTIFIED WITH unix_socket;
GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost'; GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
# For MySQL # For MySQL
INSTALL PLUGIN auth_socket SONAME 'auth_socket.so'; INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
CREATE DATABASE piwik; CREATE DATABASE matomo;
CREATE USER 'piwik'@'localhost' IDENTIFIED WITH auth_socket; CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket;
GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost'; GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
</programlisting> </programlisting>
Then fill in <literal>piwik</literal> as database user and database name, and leave the password field blank. Then fill in <literal>matomo</literal> as database user and database name, and leave the password field blank.
This authentication works by allowing only the <literal>piwik</literal> unix user to authenticate as the This authentication works by allowing only the <literal>matomo</literal> unix user to authenticate as the
<literal>piwik</literal> database user (without needing a password), but no other users. <literal>matomo</literal> database user (without needing a password), but no other users.
For more information on passwordless login, see For more information on passwordless login, see
<link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />. <link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />.
</para> </para>
@ -55,9 +55,9 @@
<title>Backup</title> <title>Backup</title>
<para> <para>
You only need to take backups of your MySQL database and the You only need to take backups of your MySQL database and the
<filename>/var/lib/piwik/config/config.ini.php</filename> file. <filename>/var/lib/matomo/config/config.ini.php</filename> file.
Use a user in the <literal>piwik</literal> group or root to access the file. Use a user in the <literal>matomo</literal> group or root to access the file.
For more information, see <link xlink:href="https://piwik.org/faq/how-to-install/faq_138/" />. For more information, see <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />.
</para> </para>
</section> </section>
@ -67,14 +67,14 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
Piwik's file integrity check will warn you. Matomo's file integrity check will warn you.
This is due to the patches necessary for NixOS, you can safely ignore this. This is due to the patches necessary for NixOS, you can safely ignore this.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Piwik will warn you that the JavaScript tracker is not writable. Matomo will warn you that the JavaScript tracker is not writable.
This is because it's located in the read-only nix store. This is because it's located in the read-only nix store.
You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
</para> </para>
@ -88,7 +88,7 @@
<para> <para>
You can use other web servers by forwarding calls for <filename>index.php</filename> and You can use other web servers by forwarding calls for <filename>index.php</filename> and
<filename>piwik.php</filename> to the <literal>/run/phpfpm-piwik.sock</literal> fastcgi unix socket. <filename>piwik.php</filename> to the <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket.
You can use the nginx configuration in the module code as a reference to what else should be configured. You can use the nginx configuration in the module code as a reference to what else should be configured.
</para> </para>
</section> </section>


@ -1,10 +1,11 @@
{ config, lib, pkgs, services, ... }: { config, lib, pkgs, services, ... }:
with lib; with lib;
let let
cfg = config.services.piwik; cfg = config.services.matomo;
user = "piwik"; user = "matomo";
dataDir = "/var/lib/${user}"; dataDir = "/var/lib/${user}";
deprecatedDataDir = "/var/lib/piwik";
pool = user; pool = user;
# it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
@ -15,15 +16,15 @@ let
in { in {
options = { options = {
services.piwik = { services.matomo = {
# NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963
# piwik issue for automatic piwik setup: https://github.com/piwik/piwik/issues/10257 # matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257
# TODO: find a nice way to do this when more NixOS MySQL and / or piwik automatic setup stuff is implemented. # TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented.
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''
Enable piwik web analytics with php-fpm backend. Enable matomo web analytics with php-fpm backend.
Either the nginx option or the webServerUser option is mandatory. Either the nginx option or the webServerUser option is mandatory.
''; '';
}; };
@ -32,8 +33,9 @@ in {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
example = "lighttpd"; example = "lighttpd";
# TODO: piwik.php might get renamed to matomo.php in future releases
description = '' description = ''
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx
option is not used. Either this option or the nginx option is mandatory. option is not used. Either this option or the nginx option is mandatory.
If you want to use another webserver than nginx, you need to set this to that server's user If you want to use another webserver than nginx, you need to set this to that server's user
and pass fastcgi requests to `index.php` and `piwik.php` to this socket. and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
@ -55,7 +57,7 @@ in {
catch_workers_output = yes catch_workers_output = yes
''; '';
description = '' description = ''
Settings for phpfpm's process manager. You might need to change this depending on the load for piwik. Settings for phpfpm's process manager. You might need to change this depending on the load for matomo.
''; '';
}; };
@ -65,7 +67,7 @@ in {
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
{ {
# enable encryption by default, # enable encryption by default,
# as sensitive login and piwik data should not be transmitted in clear text. # as sensitive login and matomo data should not be transmitted in clear text.
options.forceSSL.default = true; options.forceSSL.default = true;
options.enableACME.default = true; options.enableACME.default = true;
} }
@ -77,10 +79,10 @@ in {
enableACME = false; enableACME = false;
}; };
description = '' description = ''
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik. With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo.
Either this option or the webServerUser option is mandatory. Either this option or the webServerUser option is mandatory.
Set this to {} to just enable the virtualHost if you don't need any customization. Set this to {} to just enable the virtualHost if you don't need any customization.
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active, If enabled, then by default, the serverName is ${user}.$\{config.networking.hostName\}, SSL is active,
and certificates are acquired via ACME. and certificates are acquired via ACME.
If this is set to null (the default), no nginx virtualHost will be configured. If this is set to null (the default), no nginx virtualHost will be configured.
''; '';
@ -90,12 +92,12 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [ warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed." "If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed."
]; ];
assertions = [ { assertions = [ {
assertion = cfg.nginx != null || cfg.webServerUser != null; assertion = cfg.nginx != null || cfg.webServerUser != null;
message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory"; message = "Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory";
}]; }];
users.extraUsers.${user} = { users.extraUsers.${user} = {
@ -106,19 +108,20 @@ in {
}; };
users.extraGroups.${user} = {}; users.extraGroups.${user} = {};
systemd.services.piwik_setup_update = { systemd.services.matomo_setup_update = {
# everything needs to set up and up to date before piwik php files are executed # everything needs to set up and up to date before matomo php files are executed
requiredBy = [ "${phpExecutionUnit}.service" ]; requiredBy = [ "${phpExecutionUnit}.service" ];
before = [ "${phpExecutionUnit}.service" ]; before = [ "${phpExecutionUnit}.service" ];
# the update part of the script can only work if the database is already up and running # the update part of the script can only work if the database is already up and running
requires = [ databaseService ]; requires = [ databaseService ];
after = [ databaseService ]; after = [ databaseService ];
path = [ pkgs.piwik ]; path = [ pkgs.matomo ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = user; User = user;
# hide especially config.ini.php from other # hide especially config.ini.php from other
UMask = "0007"; UMask = "0007";
# TODO: might get renamed to MATOMO_USER_PATH in future versions
Environment = "PIWIK_USER_PATH=${dataDir}"; Environment = "PIWIK_USER_PATH=${dataDir}";
# chown + chmod in preStart needs root # chown + chmod in preStart needs root
PermissionsStartOnly = true; PermissionsStartOnly = true;
@ -127,27 +130,32 @@ in {
# e.g. after restoring from backup or moving from another system. # e.g. after restoring from backup or moving from another system.
# Note that ${dataDir}/config/config.ini.php might contain the MySQL password. # Note that ${dataDir}/config/config.ini.php might contain the MySQL password.
preStart = '' preStart = ''
# migrate data from piwik to matomo folder
if [ -d ${deprecatedDataDir} ]; then
echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
mv -T ${deprecatedDataDir} ${dataDir}
fi
chown -R ${user}:${user} ${dataDir} chown -R ${user}:${user} ${dataDir}
chmod -R ug+rwX,o-rwx ${dataDir} chmod -R ug+rwX,o-rwx ${dataDir}
''; '';
script = '' script = ''
# Use User-Private Group scheme to protect piwik data, but allow administration / backup via piwik group # Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group
# Copy config folder # Copy config folder
chmod g+s "${dataDir}" chmod g+s "${dataDir}"
cp -r "${pkgs.piwik}/config" "${dataDir}/" cp -r "${pkgs.matomo}/config" "${dataDir}/"
chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" chmod -R u+rwX,g+rwX,o-rwx "${dataDir}"
# check whether user setup has already been done # check whether user setup has already been done
if test -f "${dataDir}/config/config.ini.php"; then if test -f "${dataDir}/config/config.ini.php"; then
# then execute possibly pending database upgrade # then execute possibly pending database upgrade
piwik-console core:update --yes matomo-console core:update --yes
fi fi
''; '';
}; };
systemd.services.${phpExecutionUnit} = { systemd.services.${phpExecutionUnit} = {
# stop phpfpm on package upgrade, do database upgrade via piwik_setup_update, and then restart # stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart
restartTriggers = [ pkgs.piwik ]; restartTriggers = [ pkgs.matomo ];
# stop config.ini.php from getting written with read permission for others # stop config.ini.php from getting written with read permission for others
serviceConfig.UMask = "0007"; serviceConfig.UMask = "0007";
}; };
@ -175,14 +183,15 @@ in {
# References: # References:
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
# https://github.com/perusio/piwik-nginx # https://github.com/perusio/piwik-nginx
# TODO: better default
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx { "${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
# don't allow to override the root easily, as it will almost certainly break piwik. # don't allow to override the root easily, as it will almost certainly break matomo.
# disadvantage: not shown as default in docs. # disadvantage: not shown as default in docs.
root = mkForce "${pkgs.piwik}/share"; root = mkForce "${pkgs.matomo}/share";
# define locations here instead of as the submodule option's default # define locations here instead of as the submodule option's default
# so that they can easily be extended with additional locations if required # so that they can easily be extended with additional locations if required
# without needing to redefine the piwik ones. # without needing to redefine the matomo ones.
# disadvantage: not shown as default in docs. # disadvantage: not shown as default in docs.
locations."/" = { locations."/" = {
index = "index.php"; index = "index.php";
@ -191,6 +200,7 @@ in {
locations."= /index.php".extraConfig = '' locations."= /index.php".extraConfig = ''
fastcgi_pass unix:${phpSocket}; fastcgi_pass unix:${phpSocket};
''; '';
# TODO: might get renamed to matomo.php in future versions
# allow piwik.php for tracking # allow piwik.php for tracking
locations."= /piwik.php".extraConfig = '' locations."= /piwik.php".extraConfig = ''
fastcgi_pass unix:${phpSocket}; fastcgi_pass unix:${phpSocket};
@ -212,6 +222,7 @@ in {
locations."= /robots.txt".extraConfig = '' locations."= /robots.txt".extraConfig = ''
return 200 "User-agent: *\nDisallow: /\n"; return 200 "User-agent: *\nDisallow: /\n";
''; '';
# TODO: might get renamed to matomo.js in future versions
# let browsers cache piwik.js # let browsers cache piwik.js
locations."= /piwik.js".extraConfig = '' locations."= /piwik.js".extraConfig = ''
expires 1M; expires 1M;
@ -221,7 +232,7 @@ in {
}; };
meta = { meta = {
doc = ./piwik-doc.xml; doc = ./matomo-doc.xml;
maintainers = with stdenv.lib.maintainers; [ florianjacob ]; maintainers = with stdenv.lib.maintainers; [ florianjacob ];
}; };
} }
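Review bot: The migration added to `preStart` runs `mv -T ${deprecatedDataDir} ${dataDir}` as root whenever `/var/lib/piwik` exists, without checking the target. If `/var/lib/matomo` already holds data (for example a backup restored to the new path while the old directory is still there), the rename fails with a generic `mv` error and, assuming the generated script aborts on errors as NixOS unit scripts normally do, `matomo_setup_update` and the php-fpm unit that requires it fail on every start. I would make the conflict explicit with one line before the `mv`, `[ -z "$(ls -A ${dataDir} 2>/dev/null)" ] || { echo "${dataDir} is not empty, refusing to migrate ${deprecatedDataDir}" >&2; exit 1; }`, so the operator is told which two trees to reconcile, both of which may contain a `config.ini.php` with the MySQL password. Separately, the rewritten warning and assertion strings still name `services.matomo.nginx.webServerUser`, while the option this commit renames is `services.matomo.webServerUser`, so both messages should use that name. The `config = mkIf cfg.enable` block starts and ends outside the hunks shown, so the user's home-directory settings that decide whether `${dataDir}` pre-exists are not visible here.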