nixos/piwik: rename to matomo

+173 -122
+34
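--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -239,6 +239,40 @@
 <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>.
 </para>
 </listitem>
+<listitem>
+<para>
+The Piwik analytics software was renamed to Matomo:
+<itemizedlist>
+<listitem>
+<para>The package <literal>pkgs.piwik</literal> was renamed to <literal>pkgs.matomo</literal>.</para>
+</listitem>
+<listitem>
+<para>The service <literal>services.piwik</literal> was renamed to <literal>services.matomo</literal>.</para>
+</listitem>
+<listitem>
+<para>
+The data directory <filename>/var/lib/piwik</filename> was renamed to <filename>/var/lib/matomo</filename>.
+All files will be moved automatically on first startup, but you might need to adjust your backup scripts.
+</para>
+</listitem>
+<listitem>
+<para>
+The <literal>piwik</literal> user was renamed to <literal>matomo</literal>.
+The service will adjust ownership automatically for files in the data directory.
+If you use unix socket authentication, remember to give the new <literal>matomo</literal> user
+access to the database and to change the <literal>username</literal> to <literal>matomo</literal>
+in the <literal>[database]</literal> section of <filename>/var/lib/matomo/config/config.ini.php</filename>.
+</para>
+</listitem>
+<listitem>
+<para>
+If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean,
+but this is neither enforced nor required.
+</para>
+</listitem>
+</itemizedlist>
+</para>
+</listitem>
 </itemizedlist>
 
 </section>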
+1 -1
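--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -637,7 +637,7 @@
 ./services/web-apps/nixbot.nix
 ./services/web-apps/nexus.nix
 ./services/web-apps/pgpkeyserver-lite.nix
-./services/web-apps/piwik.nix
+./services/web-apps/matomo.nix
 ./services/web-apps/pump.io.nix
 ./services/web-apps/restya-board.nix
 ./services/web-apps/tt-rss.nix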
+6
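--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -148,6 +148,12 @@
 # parsoid
 (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
 
+# piwik was renamed to matomo
+(mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ])
+(mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ])
+(mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ])
+(mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ])
+
 # tarsnap
 (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir")
 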
+1 -1
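--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -133,7 +133,7 @@
 '';
 example = [
 "nextcloud"
-"piwik"
+"matomo"
 ];
 };
 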
+95
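--- a/nixos/modules/services/web-apps/matomo-doc.xml
+++ b/nixos/modules/services/web-apps/matomo-doc.xml
@@ -0,0 +1,95 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+xmlns:xlink="http://www.w3.org/1999/xlink"
+xmlns:xi="http://www.w3.org/2001/XInclude"
+version="5.0"
+xml:id="module-services-matomo">
+
+<title>Matomo</title>
+<para>
+Matomo is a real-time web analytics application.
+This module configures php-fpm as backend for Matomo, optionally configuring an nginx vhost as well.
+</para>
+
+<para>
+An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup.
+</para>
+
+
+<section>
+<title>Database Setup</title>
+
+<para>
+You also need to configure a MariaDB or MySQL database and -user for Matomo yourself,
+and enter those credentials in your browser.
+You can use passwordless database authentication via the UNIX_SOCKET authentication plugin
+with the following SQL commands:
+
+<programlisting>
+# For MariaDB
+INSTALL PLUGIN unix_socket SONAME 'auth_socket';
+CREATE DATABASE matomo;
+CREATE USER 'matomo'@'localhost' IDENTIFIED WITH unix_socket;
+GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
+
+# For MySQL
+INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
+CREATE DATABASE matomo;
+CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket;
+GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
+</programlisting>
+
+Then fill in <literal>matomo</literal> as database user and database name, and leave the password field blank.
+This authentication works by allowing only the <literal>matomo</literal> unix user to authenticate as the
+<literal>matomo</literal> database user (without needing a password), but no other users.
+For more information on passwordless login, see
+<link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />.
+</para>
+
+<para>
+Of course, you can use password based authentication as well, e.g. when the database is not on the same host.
+</para>
+</section>
+
+
+<section>
+<title>Backup</title>
+<para>
+You only need to take backups of your MySQL database and the
+<filename>/var/lib/matomo/config/config.ini.php</filename> file.
+Use a user in the <literal>matomo</literal> group or root to access the file.
+For more information, see <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />.
+</para>
+</section>
+
+
+<section>
+<title>Issues</title>
+<itemizedlist>
+<listitem>
+<para>
+Matomo's file integrity check will warn you.
+This is due to the patches necessary for NixOS, you can safely ignore this.
+</para>
+</listitem>
+
+<listitem>
+<para>
+Matomo will warn you that the JavaScript tracker is not writable.
+This is because it's located in the read-only nix store.
+You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
+</para>
+</listitem>
+</itemizedlist>
+</section>
+
+
+<section>
+<title>Using other Web Servers than nginx</title>
+
+<para>
+You can use other web servers by forwarding calls for <filename>index.php</filename> and
+<filename>piwik.php</filename> to the <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket.
+You can use the nginx configuration in the module code as a reference to what else should be configured.
+</para>
+</section>
+</chapter>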
-95
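--- a/nixos/modules/services/web-apps/piwik-doc.xml
+++ b/nixos/modules/services/web-apps/piwik-doc.xml
@@ -1,95 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-xmlns:xlink="http://www.w3.org/1999/xlink"
-xmlns:xi="http://www.w3.org/2001/XInclude"
-version="5.0"
-xml:id="module-services-piwik">
-
-<title>Piwik</title>
-<para>
-Piwik is a real-time web analytics application.
-This module configures php-fpm as backend for piwik, optionally configuring an nginx vhost as well.
-</para>
-
-<para>
-An automatic setup is not suported by piwik, so you need to configure piwik itself in the browser-based piwik setup.
-</para>
-
-
-<section>
-<title>Database Setup</title>
-
-<para>
-You also need to configure a MariaDB or MySQL database and -user for piwik yourself,
-and enter those credentials in your browser.
-You can use passwordless database authentication via the UNIX_SOCKET authentication plugin
-with the following SQL commands:
-
-<programlisting>
-# For MariaDB
-INSTALL PLUGIN unix_socket SONAME 'auth_socket';
-CREATE DATABASE piwik;
-CREATE USER 'piwik'@'localhost' IDENTIFIED WITH unix_socket;
-GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
-
-# For MySQL
-INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
-CREATE DATABASE piwik;
-CREATE USER 'piwik'@'localhost' IDENTIFIED WITH auth_socket;
-GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
-</programlisting>
-
-Then fill in <literal>piwik</literal> as database user and database name, and leave the password field blank.
-This authentication works by allowing only the <literal>piwik</literal> unix user to authenticate as the
-<literal>piwik</literal> database user (without needing a password), but no other users.
-For more information on passwordless login, see
-<link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />.
-</para>
-
-<para>
-Of course, you can use password based authentication as well, e.g. when the database is not on the same host.
-</para>
-</section>
-
-
-<section>
-<title>Backup</title>
-<para>
-You only need to take backups of your MySQL database and the
-<filename>/var/lib/piwik/config/config.ini.php</filename> file.
-Use a user in the <literal>piwik</literal> group or root to access the file.
-For more information, see <link xlink:href="https://piwik.org/faq/how-to-install/faq_138/" />.
-</para>
-</section>
-
-
-<section>
-<title>Issues</title>
-<itemizedlist>
-<listitem>
-<para>
-Piwik's file integrity check will warn you.
-This is due to the patches necessary for NixOS, you can safely ignore this.
-</para>
-</listitem>
-
-<listitem>
-<para>
-Piwik will warn you that the JavaScript tracker is not writable.
-This is because it's located in the read-only nix store.
-You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
-</para>
-</listitem>
-</itemizedlist>
-</section>
-
-
-<section>
-<title>Using other Web Servers than nginx</title>
-
-<para>
-You can use other web servers by forwarding calls for <filename>index.php</filename> and
-<filename>piwik.php</filename> to the <literal>/run/phpfpm-piwik.sock</literal> fastcgi unix socket.
-You can use the nginx configuration in the module code as a reference to what else should be configured.
-</para>
-</section>
-</chapter>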
+36 -25
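--- a/nixos/modules/services/web-apps/piwik.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@@ -1,10 +1,11 @@
 { config, lib, pkgs, services, ... }:
 with lib;
 let
-cfg = config.services.piwik;
+cfg = config.services.matomo;
 
-user = "piwik";
+user = "matomo";
 dataDir = "/var/lib/${user}";
+deprecatedDataDir = "/var/lib/piwik";
 
 pool = user;
 # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
@@ -15,15 +16,15 @@
 
 in {
 options = {
-services.piwik = {
+services.matomo = {
 # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963
-# piwik issue for automatic piwik setup: https://github.com/piwik/piwik/issues/10257
-# TODO: find a nice way to do this when more NixOS MySQL and / or piwik automatic setup stuff is implemented.
+# matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257
+# TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented.
 enable = mkOption {
 type = types.bool;
 default = false;
 description = ''
-Enable piwik web analytics with php-fpm backend.
+Enable matomo web analytics with php-fpm backend.
 Either the nginx option or the webServerUser option is mandatory.
 '';
 };
@@ -32,8 +33,9 @@
 type = types.nullOr types.str;
 default = null;
 example = "lighttpd";
+# TODO: piwik.php might get renamed to matomo.php in future releases
 description = ''
-Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx
+Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx
 option is not used. Either this option or the nginx option is mandatory.
 If you want to use another webserver than nginx, you need to set this to that server's user
 and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
@@ -55,7 +57,7 @@
 catch_workers_output = yes
 '';
 description = ''
-Settings for phpfpm's process manager. You might need to change this depending on the load for piwik.
+Settings for phpfpm's process manager. You might need to change this depending on the load for matomo.
 '';
 };
 
@@ -65,7 +67,7 @@
 (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
 {
 # enable encryption by default,
-# as sensitive login and piwik data should not be transmitted in clear text.
+# as sensitive login and matomo data should not be transmitted in clear text.
 options.forceSSL.default = true;
 options.enableACME.default = true;
 }
@@ -77,10 +79,10 @@
 enableACME = false;
 };
 description = ''
-With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
+With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo.
 Either this option or the webServerUser option is mandatory.
 Set this to {} to just enable the virtualHost if you don't need any customization.
-If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
+If enabled, then by default, the serverName is ${user}.$\{config.networking.hostName\}, SSL is active,
 and certificates are acquired via ACME.
 If this is set to null (the default), no nginx virtualHost will be configured.
 '';
@@ -90,12 +92,12 @@
 
 config = mkIf cfg.enable {
 warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
-"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."
+"If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed."
 ];
 
 assertions = [ {
 assertion = cfg.nginx != null || cfg.webServerUser != null;
-message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";
+message = "Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory";
 }];
 
 users.extraUsers.${user} = {
@@ -106,19 +108,20 @@
 };
 users.extraGroups.${user} = {};
 
-systemd.services.piwik_setup_update = {
-# everything needs to set up and up to date before piwik php files are executed
+systemd.services.matomo_setup_update = {
+# everything needs to set up and up to date before matomo php files are executed
 requiredBy = [ "${phpExecutionUnit}.service" ];
 before = [ "${phpExecutionUnit}.service" ];
 # the update part of the script can only work if the database is already up and running
 requires = [ databaseService ];
 after = [ databaseService ];
-path = [ pkgs.piwik ];
+path = [ pkgs.matomo ];
 serviceConfig = {
 Type = "oneshot";
 User = user;
 # hide especially config.ini.php from other
 UMask = "0007";
+# TODO: might get renamed to MATOMO_USER_PATH in future versions
 Environment = "PIWIK_USER_PATH=${dataDir}";
 # chown + chmod in preStart needs root
 PermissionsStartOnly = true;
@@ -127,27 +130,32 @@
 # e.g. after restoring from backup or moving from another system.
 # Note that ${dataDir}/config/config.ini.php might contain the MySQL password.
 preStart = ''
+# migrate data from piwik to matomo folder
+if [ -d ${deprecatedDataDir} ]; then
+echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
+mv -T ${deprecatedDataDir} ${dataDir}
+fi
 chown -R ${user}:${user} ${dataDir}
 chmod -R ug+rwX,o-rwx ${dataDir}
 '';
 script = ''
-# Use User-Private Group scheme to protect piwik data, but allow administration / backup via piwik group
+# Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group
 # Copy config folder
 chmod g+s "${dataDir}"
-cp -r "${pkgs.piwik}/config" "${dataDir}/"
+cp -r "${pkgs.matomo}/config" "${dataDir}/"
 chmod -R u+rwX,g+rwX,o-rwx "${dataDir}"
 
 # check whether user setup has already been done
 if test -f "${dataDir}/config/config.ini.php"; then
 # then execute possibly pending database upgrade
-piwik-console core:update --yes
+matomo-console core:update --yes
 fi
 '';
 };
 
 systemd.services.${phpExecutionUnit} = {
-# stop phpfpm on package upgrade, do database upgrade via piwik_setup_update, and then restart
-restartTriggers = [ pkgs.piwik ];
+# stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart
+restartTriggers = [ pkgs.matomo ];
 # stop config.ini.php from getting written with read permission for others
 serviceConfig.UMask = "0007";
 };
@@ -175,14 +183,15 @@
 # References:
 # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
 # https://github.com/perusio/piwik-nginx
+# TODO: better default
 "${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
-# don't allow to override the root easily, as it will almost certainly break piwik.
+# don't allow to override the root easily, as it will almost certainly break matomo.
 # disadvantage: not shown as default in docs.
-root = mkForce "${pkgs.piwik}/share";
+root = mkForce "${pkgs.matomo}/share";
 
 # define locations here instead of as the submodule option's default
 # so that they can easily be extended with additional locations if required
-# without needing to redefine the piwik ones.
+# without needing to redefine the matomo ones.
 # disadvantage: not shown as default in docs.
 locations."/" = {
 index = "index.php";
@@ -191,6 +200,7 @@
 locations."= /index.php".extraConfig = ''
 fastcgi_pass unix:${phpSocket};
 '';
+# TODO: might get renamed to matomo.php in future versions
 # allow piwik.php for tracking
 locations."= /piwik.php".extraConfig = ''
 fastcgi_pass unix:${phpSocket};
@@ -212,6 +222,7 @@
 locations."= /robots.txt".extraConfig = ''
 return 200 "User-agent: *\nDisallow: /\n";
 '';
+# TODO: might get renamed to matomo.js in future versions
 # let browsers cache piwik.js
 locations."= /piwik.js".extraConfig = ''
 expires 1M;
@@ -221,7 +232,7 @@
 };
 
 meta = {
-doc = ./piwik-doc.xml;
+doc = ./matomo-doc.xml;
 maintainers = with stdenv.lib.maintainers; [ florianjacob ];
 };
 }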
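Review bot: The migration added to `preStart` does not handle the case where `/var/lib/piwik` exists and `/var/lib/matomo` is already populated; `mv -T` refuses a non-empty target, so the unit would presumably fail on every start until someone cleans up by hand, for example after a backup is restored to the old path. Because this block runs as root (`PermissionsStartOnly = true`) on a tree that may hold the MySQL password, I would make the precondition explicit and quote the paths the way the `script` block already does: `if [ -d "${deprecatedDataDir}" ] && [ -z "$(ls -A "${dataDir}" 2>/dev/null)" ]; then`, logging a message when the old directory is left in place. A short comment next to the `mv` saying that the old directory is never merged into an existing one would also help the next maintainer. The service definition starts and ends outside this hunk.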