Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

Merge pull request #34028 from florianjacob/matomo

piwik is now matomo

authored by Franz Pletz and committed by GitHub 37c009ca 095260a1

+270 -177
+46
nixos/doc/manual/release-notes/rl-1803.xml
··· 244 <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>. 245 </para> 246 </listitem> 247 </itemizedlist> 248 249 </section>
··· 244 <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>. 245 </para> 246 </listitem> 247 + <listitem> 248 + <para> 249 + The Piwik analytics software was renamed to Matomo: 250 + <itemizedlist> 251 + <listitem> 252 + <para>The package <literal>pkgs.piwik</literal> was renamed to <literal>pkgs.matomo</literal>.</para> 253 + </listitem> 254 + <listitem> 255 + <para>The service <literal>services.piwik</literal> was renamed to <literal>services.matomo</literal>.</para> 256 + </listitem> 257 + <listitem> 258 + <para> 259 + The data directory <filename>/var/lib/piwik</filename> was renamed to <filename>/var/lib/matomo</filename>. 260 + All files will be moved automatically on first startup, but you might need to adjust your backup scripts. 261 + </para> 262 + </listitem> 263 + <listitem> 264 + <para> 265 + The default <option>serverName</option> for the nginx configuration changed from 266 + <literal>piwik.${config.networking.hostName}</literal> to 267 + <literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal> 268 + if <option>config.networking.domain</option> is set, 269 + <literal>matomo.${config.networking.hostName}</literal> if it is not set. 270 + If you change your <option>serverName</option>, remember you'll need to update the 271 + <literal>trustedHosts[]</literal> array in <filename>/var/lib/matomo/config/config.ini.php</filename> 272 + as well. 273 + </para> 274 + </listitem> 275 + <listitem> 276 + <para> 277 + The <literal>piwik</literal> user was renamed to <literal>matomo</literal>. 278 + The service will adjust ownership automatically for files in the data directory. 
279 + If you use unix socket authentication, remember to give the new <literal>matomo</literal> user 280 + access to the database and to change the <literal>username</literal> to <literal>matomo</literal> 281 + in the <literal>[database]</literal> section of <filename>/var/lib/matomo/config/config.ini.php</filename>. 282 + </para> 283 + </listitem> 284 + <listitem> 285 + <para> 286 + If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, 287 + but this is neither enforced nor required. 288 + </para> 289 + </listitem> 290 + </itemizedlist> 291 + </para> 292 + </listitem> 293 </itemizedlist> 294 295 </section>
+1 -1
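--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -638,7 +638,7 @@
 ./services/web-apps/nixbot.nix
 ./services/web-apps/nexus.nix
 ./services/web-apps/pgpkeyserver-lite.nix
-./services/web-apps/piwik.nix
+./services/web-apps/matomo.nix
 ./services/web-apps/pump.io.nix
 ./services/web-apps/restya-board.nix
 ./services/web-apps/tt-rss.nix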
+6
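--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -148,6 +148,12 @@
 # parsoid
 (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
 
+# piwik was renamed to matomo
+(mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ])
+(mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ])
+(mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ])
+(mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ])
+
 # tarsnap
 (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir")
 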
+1 -1
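--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -133,7 +133,7 @@
 '';
 example = [
 "nextcloud"
-"piwik"
+"matomo"
 ];
 };
 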
+95
nixos/modules/services/web-apps/matomo-doc.xml
···
··· 1 + <chapter xmlns="http://docbook.org/ns/docbook" 2 + xmlns:xlink="http://www.w3.org/1999/xlink" 3 + xmlns:xi="http://www.w3.org/2001/XInclude" 4 + version="5.0" 5 + xml:id="module-services-matomo"> 6 + 7 + <title>Matomo</title> 8 + <para> 9 + Matomo is a real-time web analytics application. 10 + This module configures php-fpm as backend for Matomo, optionally configuring an nginx vhost as well. 11 + </para> 12 + 13 + <para> 14 + An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup. 15 + </para> 16 + 17 + 18 + <section> 19 + <title>Database Setup</title> 20 + 21 + <para> 22 + You also need to configure a MariaDB or MySQL database and -user for Matomo yourself, 23 + and enter those credentials in your browser. 24 + You can use passwordless database authentication via the UNIX_SOCKET authentication plugin 25 + with the following SQL commands: 26 + 27 + <programlisting> 28 + # For MariaDB 29 + INSTALL PLUGIN unix_socket SONAME 'auth_socket'; 30 + CREATE DATABASE matomo; 31 + CREATE USER 'matomo'@'localhost' IDENTIFIED WITH unix_socket; 32 + GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; 33 + 34 + # For MySQL 35 + INSTALL PLUGIN auth_socket SONAME 'auth_socket.so'; 36 + CREATE DATABASE matomo; 37 + CREATE USER 'matomo'@'localhost' IDENTIFIED WITH auth_socket; 38 + GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; 39 + </programlisting> 40 + 41 + Then fill in <literal>matomo</literal> as database user and database name, and leave the password field blank. 42 + This authentication works by allowing only the <literal>matomo</literal> unix user to authenticate as the 43 + <literal>matomo</literal> database user (without needing a password), but no other users. 44 + For more information on passwordless login, see 45 + <link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />. 
46 + </para> 47 + 48 + <para> 49 + Of course, you can use password based authentication as well, e.g. when the database is not on the same host. 50 + </para> 51 + </section> 52 + 53 + 54 + <section> 55 + <title>Backup</title> 56 + <para> 57 + You only need to take backups of your MySQL database and the 58 + <filename>/var/lib/matomo/config/config.ini.php</filename> file. 59 + Use a user in the <literal>matomo</literal> group or root to access the file. 60 + For more information, see <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />. 61 + </para> 62 + </section> 63 + 64 + 65 + <section> 66 + <title>Issues</title> 67 + <itemizedlist> 68 + <listitem> 69 + <para> 70 + Matomo's file integrity check will warn you. 71 + This is due to the patches necessary for NixOS, you can safely ignore this. 72 + </para> 73 + </listitem> 74 + 75 + <listitem> 76 + <para> 77 + Matomo will warn you that the JavaScript tracker is not writable. 78 + This is because it's located in the read-only nix store. 79 + You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. 80 + </para> 81 + </listitem> 82 + </itemizedlist> 83 + </section> 84 + 85 + 86 + <section> 87 + <title>Using other Web Servers than nginx</title> 88 + 89 + <para> 90 + You can use other web servers by forwarding calls for <filename>index.php</filename> and 91 + <filename>piwik.php</filename> to the <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket. 92 + You can use the nginx configuration in the module code as a reference to what else should be configured. 93 + </para> 94 + </section> 95 + </chapter>
-95
nixos/modules/services/web-apps/piwik-doc.xml
··· 1 - <chapter xmlns="http://docbook.org/ns/docbook" 2 - xmlns:xlink="http://www.w3.org/1999/xlink" 3 - xmlns:xi="http://www.w3.org/2001/XInclude" 4 - version="5.0" 5 - xml:id="module-services-piwik"> 6 - 7 - <title>Piwik</title> 8 - <para> 9 - Piwik is a real-time web analytics application. 10 - This module configures php-fpm as backend for piwik, optionally configuring an nginx vhost as well. 11 - </para> 12 - 13 - <para> 14 - An automatic setup is not suported by piwik, so you need to configure piwik itself in the browser-based piwik setup. 15 - </para> 16 - 17 - 18 - <section> 19 - <title>Database Setup</title> 20 - 21 - <para> 22 - You also need to configure a MariaDB or MySQL database and -user for piwik yourself, 23 - and enter those credentials in your browser. 24 - You can use passwordless database authentication via the UNIX_SOCKET authentication plugin 25 - with the following SQL commands: 26 - 27 - <programlisting> 28 - # For MariaDB 29 - INSTALL PLUGIN unix_socket SONAME 'auth_socket'; 30 - CREATE DATABASE piwik; 31 - CREATE USER 'piwik'@'localhost' IDENTIFIED WITH unix_socket; 32 - GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost'; 33 - 34 - # For MySQL 35 - INSTALL PLUGIN auth_socket SONAME 'auth_socket.so'; 36 - CREATE DATABASE piwik; 37 - CREATE USER 'piwik'@'localhost' IDENTIFIED WITH auth_socket; 38 - GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost'; 39 - </programlisting> 40 - 41 - Then fill in <literal>piwik</literal> as database user and database name, and leave the password field blank. 42 - This authentication works by allowing only the <literal>piwik</literal> unix user to authenticate as the 43 - <literal>piwik</literal> database user (without needing a password), but no other users. 44 - For more information on passwordless login, see 45 - <link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />. 
46 - </para> 47 - 48 - <para> 49 - Of course, you can use password based authentication as well, e.g. when the database is not on the same host. 50 - </para> 51 - </section> 52 - 53 - 54 - <section> 55 - <title>Backup</title> 56 - <para> 57 - You only need to take backups of your MySQL database and the 58 - <filename>/var/lib/piwik/config/config.ini.php</filename> file. 59 - Use a user in the <literal>piwik</literal> group or root to access the file. 60 - For more information, see <link xlink:href="https://piwik.org/faq/how-to-install/faq_138/" />. 61 - </para> 62 - </section> 63 - 64 - 65 - <section> 66 - <title>Issues</title> 67 - <itemizedlist> 68 - <listitem> 69 - <para> 70 - Piwik's file integrity check will warn you. 71 - This is due to the patches necessary for NixOS, you can safely ignore this. 72 - </para> 73 - </listitem> 74 - 75 - <listitem> 76 - <para> 77 - Piwik will warn you that the JavaScript tracker is not writable. 78 - This is because it's located in the read-only nix store. 79 - You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. 80 - </para> 81 - </listitem> 82 - </itemizedlist> 83 - </section> 84 - 85 - 86 - <section> 87 - <title>Using other Web Servers than nginx</title> 88 - 89 - <para> 90 - You can use other web servers by forwarding calls for <filename>index.php</filename> and 91 - <filename>piwik.php</filename> to the <literal>/run/phpfpm-piwik.sock</literal> fastcgi unix socket. 92 - You can use the nginx configuration in the module code as a reference to what else should be configured. 93 - </para> 94 - </section> 95 - </chapter>
···
+47 -28
nixos/modules/services/web-apps/piwik.nix nixos/modules/services/web-apps/matomo.nix
··· 1 { config, lib, pkgs, services, ... }: 2 with lib; 3 let 4 - cfg = config.services.piwik; 5 6 - user = "piwik"; 7 dataDir = "/var/lib/${user}"; 8 9 pool = user; 10 # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, ··· 12 phpSocket = "/run/phpfpm-${pool}.sock"; 13 phpExecutionUnit = "phpfpm-${pool}"; 14 databaseService = "mysql.service"; 15 16 in { 17 options = { 18 - services.piwik = { 19 # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 20 - # piwik issue for automatic piwik setup: https://github.com/piwik/piwik/issues/10257 21 - # TODO: find a nice way to do this when more NixOS MySQL and / or piwik automatic setup stuff is implemented. 22 enable = mkOption { 23 type = types.bool; 24 default = false; 25 description = '' 26 - Enable piwik web analytics with php-fpm backend. 27 Either the nginx option or the webServerUser option is mandatory. 28 ''; 29 }; ··· 32 type = types.nullOr types.str; 33 default = null; 34 example = "lighttpd"; 35 description = '' 36 - Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx 37 option is not used. Either this option or the nginx option is mandatory. 38 If you want to use another webserver than nginx, you need to set this to that server's user 39 and pass fastcgi requests to `index.php` and `piwik.php` to this socket. ··· 55 catch_workers_output = yes 56 ''; 57 description = '' 58 - Settings for phpfpm's process manager. You might need to change this depending on the load for piwik. 59 ''; 60 }; 61 ··· 65 (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) 66 { 67 # enable encryption by default, 68 - # as sensitive login and piwik data should not be transmitted in clear text. 
69 options.forceSSL.default = true; 70 options.enableACME.default = true; 71 } ··· 73 ); 74 default = null; 75 example = { 76 - serverName = "stats.$\{config.networking.hostName\}"; 77 enableACME = false; 78 }; 79 description = '' 80 - With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik. 81 Either this option or the webServerUser option is mandatory. 82 Set this to {} to just enable the virtualHost if you don't need any customization. 83 - If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active, 84 - and certificates are acquired via ACME. 85 If this is set to null (the default), no nginx virtualHost will be configured. 86 ''; 87 }; ··· 90 91 config = mkIf cfg.enable { 92 warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [ 93 - "If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed." 94 ]; 95 96 assertions = [ { 97 assertion = cfg.nginx != null || cfg.webServerUser != null; 98 - message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory"; 99 }]; 100 101 users.extraUsers.${user} = { ··· 106 }; 107 users.extraGroups.${user} = {}; 108 109 - systemd.services.piwik_setup_update = { 110 - # everything needs to set up and up to date before piwik php files are executed 111 requiredBy = [ "${phpExecutionUnit}.service" ]; 112 before = [ "${phpExecutionUnit}.service" ]; 113 # the update part of the script can only work if the database is already up and running 114 requires = [ databaseService ]; 115 after = [ databaseService ]; 116 - path = [ pkgs.piwik ]; 117 serviceConfig = { 118 Type = "oneshot"; 119 User = user; 120 # hide especially config.ini.php from other 121 UMask = "0007"; 122 Environment = "PIWIK_USER_PATH=${dataDir}"; 123 # chown + chmod in preStart needs root 124 PermissionsStartOnly = true; ··· 127 # e.g. after restoring from backup or moving from another system. 
128 # Note that ${dataDir}/config/config.ini.php might contain the MySQL password. 129 preStart = '' 130 chown -R ${user}:${user} ${dataDir} 131 chmod -R ug+rwX,o-rwx ${dataDir} 132 ''; 133 script = '' 134 - # Use User-Private Group scheme to protect piwik data, but allow administration / backup via piwik group 135 # Copy config folder 136 chmod g+s "${dataDir}" 137 - cp -r "${pkgs.piwik}/config" "${dataDir}/" 138 chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" 139 140 # check whether user setup has already been done 141 if test -f "${dataDir}/config/config.ini.php"; then 142 # then execute possibly pending database upgrade 143 - piwik-console core:update --yes 144 fi 145 ''; 146 }; 147 148 systemd.services.${phpExecutionUnit} = { 149 - # stop phpfpm on package upgrade, do database upgrade via piwik_setup_update, and then restart 150 - restartTriggers = [ pkgs.piwik ]; 151 # stop config.ini.php from getting written with read permission for others 152 serviceConfig.UMask = "0007"; 153 }; ··· 175 # References: 176 # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html 177 # https://github.com/perusio/piwik-nginx 178 - "${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx { 179 - # don't allow to override the root easily, as it will almost certainly break piwik. 180 # disadvantage: not shown as default in docs. 181 - root = mkForce "${pkgs.piwik}/share"; 182 183 # define locations here instead of as the submodule option's default 184 # so that they can easily be extended with additional locations if required 185 - # without needing to redefine the piwik ones. 186 # disadvantage: not shown as default in docs. 
187 locations."/" = { 188 index = "index.php"; ··· 191 locations."= /index.php".extraConfig = '' 192 fastcgi_pass unix:${phpSocket}; 193 ''; 194 # allow piwik.php for tracking 195 locations."= /piwik.php".extraConfig = '' 196 fastcgi_pass unix:${phpSocket}; ··· 212 locations."= /robots.txt".extraConfig = '' 213 return 200 "User-agent: *\nDisallow: /\n"; 214 ''; 215 # let browsers cache piwik.js 216 locations."= /piwik.js".extraConfig = '' 217 expires 1M; ··· 221 }; 222 223 meta = { 224 - doc = ./piwik-doc.xml; 225 maintainers = with stdenv.lib.maintainers; [ florianjacob ]; 226 }; 227 }
··· 1 { config, lib, pkgs, services, ... }: 2 with lib; 3 let 4 + cfg = config.services.matomo; 5 6 + user = "matomo"; 7 dataDir = "/var/lib/${user}"; 8 + deprecatedDataDir = "/var/lib/piwik"; 9 10 pool = user; 11 # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, ··· 13 phpSocket = "/run/phpfpm-${pool}.sock"; 14 phpExecutionUnit = "phpfpm-${pool}"; 15 databaseService = "mysql.service"; 16 + 17 + fqdn = 18 + let 19 + join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; 20 + in join config.networking.hostName config.networking.domain; 21 22 in { 23 options = { 24 + services.matomo = { 25 # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 26 + # matomo issue for automatic matomo setup: https://github.com/matomo-org/matomo/issues/10257 27 + # TODO: find a nice way to do this when more NixOS MySQL and / or matomo automatic setup stuff is implemented. 28 enable = mkOption { 29 type = types.bool; 30 default = false; 31 description = '' 32 + Enable matomo web analytics with php-fpm backend. 33 Either the nginx option or the webServerUser option is mandatory. 34 ''; 35 }; ··· 38 type = types.nullOr types.str; 39 default = null; 40 example = "lighttpd"; 41 + # TODO: piwik.php might get renamed to matomo.php in future releases 42 description = '' 43 + Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for matomo if the nginx 44 option is not used. Either this option or the nginx option is mandatory. 45 If you want to use another webserver than nginx, you need to set this to that server's user 46 and pass fastcgi requests to `index.php` and `piwik.php` to this socket. ··· 62 catch_workers_output = yes 63 ''; 64 description = '' 65 + Settings for phpfpm's process manager. You might need to change this depending on the load for matomo. 
66 ''; 67 }; 68 ··· 72 (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) 73 { 74 # enable encryption by default, 75 + # as sensitive login and matomo data should not be transmitted in clear text. 76 options.forceSSL.default = true; 77 options.enableACME.default = true; 78 } ··· 80 ); 81 default = null; 82 example = { 83 + serverAliases = [ 84 + "matomo.$\{config.networking.domain\}" 85 + "stats.$\{config.networking.domain\}" 86 + ]; 87 enableACME = false; 88 }; 89 description = '' 90 + With this option, you can customize an nginx virtualHost which already has sensible defaults for matomo. 91 Either this option or the webServerUser option is mandatory. 92 Set this to {} to just enable the virtualHost if you don't need any customization. 93 + If enabled, then by default, the <option>serverName</option> is 94 + <literal>${user}.$\{config.networking.hostName\}.$\{config.networking.domain\}</literal>, 95 + SSL is active, and certificates are acquired via ACME. 96 If this is set to null (the default), no nginx virtualHost will be configured. 97 ''; 98 }; ··· 101 102 config = mkIf cfg.enable { 103 warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [ 104 + "If services.matomo.nginx is set, services.matomo.nginx.webServerUser is ignored and should be removed." 
105 ]; 106 107 assertions = [ { 108 assertion = cfg.nginx != null || cfg.webServerUser != null; 109 + message = "Either services.matomo.nginx or services.matomo.nginx.webServerUser is mandatory"; 110 }]; 111 112 users.extraUsers.${user} = { ··· 117 }; 118 users.extraGroups.${user} = {}; 119 120 + systemd.services.matomo_setup_update = { 121 + # everything needs to set up and up to date before matomo php files are executed 122 requiredBy = [ "${phpExecutionUnit}.service" ]; 123 before = [ "${phpExecutionUnit}.service" ]; 124 # the update part of the script can only work if the database is already up and running 125 requires = [ databaseService ]; 126 after = [ databaseService ]; 127 + path = [ pkgs.matomo ]; 128 serviceConfig = { 129 Type = "oneshot"; 130 User = user; 131 # hide especially config.ini.php from other 132 UMask = "0007"; 133 + # TODO: might get renamed to MATOMO_USER_PATH in future versions 134 Environment = "PIWIK_USER_PATH=${dataDir}"; 135 # chown + chmod in preStart needs root 136 PermissionsStartOnly = true; ··· 139 # e.g. after restoring from backup or moving from another system. 140 # Note that ${dataDir}/config/config.ini.php might contain the MySQL password. 
141 preStart = '' 142 + # migrate data from piwik to matomo folder 143 + if [ -d ${deprecatedDataDir} ]; then 144 + echo "Migrating from ${deprecatedDataDir} to ${dataDir}" 145 + mv -T ${deprecatedDataDir} ${dataDir} 146 + fi 147 chown -R ${user}:${user} ${dataDir} 148 chmod -R ug+rwX,o-rwx ${dataDir} 149 ''; 150 script = '' 151 + # Use User-Private Group scheme to protect matomo data, but allow administration / backup via matomo group 152 # Copy config folder 153 chmod g+s "${dataDir}" 154 + cp -r "${pkgs.matomo}/config" "${dataDir}/" 155 chmod -R u+rwX,g+rwX,o-rwx "${dataDir}" 156 157 # check whether user setup has already been done 158 if test -f "${dataDir}/config/config.ini.php"; then 159 # then execute possibly pending database upgrade 160 + matomo-console core:update --yes 161 fi 162 ''; 163 }; 164 165 systemd.services.${phpExecutionUnit} = { 166 + # stop phpfpm on package upgrade, do database upgrade via matomo_setup_update, and then restart 167 + restartTriggers = [ pkgs.matomo ]; 168 # stop config.ini.php from getting written with read permission for others 169 serviceConfig.UMask = "0007"; 170 }; ··· 192 # References: 193 # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html 194 # https://github.com/perusio/piwik-nginx 195 + "${user}.${fqdn}" = mkMerge [ cfg.nginx { 196 + # don't allow to override the root easily, as it will almost certainly break matomo. 197 # disadvantage: not shown as default in docs. 198 + root = mkForce "${pkgs.matomo}/share"; 199 200 # define locations here instead of as the submodule option's default 201 # so that they can easily be extended with additional locations if required 202 + # without needing to redefine the matomo ones. 203 # disadvantage: not shown as default in docs. 
204 locations."/" = { 205 index = "index.php"; ··· 208 locations."= /index.php".extraConfig = '' 209 fastcgi_pass unix:${phpSocket}; 210 ''; 211 + # TODO: might get renamed to matomo.php in future versions 212 # allow piwik.php for tracking 213 locations."= /piwik.php".extraConfig = '' 214 fastcgi_pass unix:${phpSocket}; ··· 230 locations."= /robots.txt".extraConfig = '' 231 return 200 "User-agent: *\nDisallow: /\n"; 232 ''; 233 + # TODO: might get renamed to matomo.js in future versions 234 # let browsers cache piwik.js 235 locations."= /piwik.js".extraConfig = '' 236 expires 1M; ··· 240 }; 241 242 meta = { 243 + doc = ./matomo-doc.xml; 244 maintainers = with stdenv.lib.maintainers; [ florianjacob ]; 245 }; 246 }
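Review bot: The migration added to `preStart` runs `mv -T ${deprecatedDataDir} ${dataDir}` as root whenever `/var/lib/piwik` exists, without looking at the target first. If `/var/lib/matomo` already contains files the rename fails, and the setup unit that php-fpm requires then presumably does not come up; if it exists but is empty it is silently replaced (whether the elided user definition pre-creates it is not visible in these hunks). Because the tree holds `config.ini.php`, which the comment above says might contain the MySQL password, I would make that case explicit: test the target with `[ -z "$(ls -A ${dataDir} 2>/dev/null)" ]` before moving, print a message and leave the old directory untouched otherwise, and quote both paths. Separately, the warning and assertion strings name `services.matomo.nginx.webServerUser`, while the code reads `cfg.webServerUser`, so the messages should say `services.matomo.webServerUser`.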
+59
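--- a/pkgs/servers/web-apps/matomo/default.nix
+++ b/pkgs/servers/web-apps/matomo/default.nix
@@ -0,0 +1,59 @@
+{ stdenv, fetchurl, makeWrapper, php }:
+
+stdenv.mkDerivation rec {
+name = "matomo-${version}";
+version = "3.3.0";
+
+src = fetchurl {
+# TODO: As soon as the tarballs are renamed as well on future releases, this should be enabled again
+# url = "https://builds.matomo.org/${name}.tar.gz";
+url = "https://builds.matomo.org/piwik-${version}.tar.gz";
+sha256 = "1ybzj3kk0x29nv8c6xnhir5d9dr0q0fl1vnm4i7zvhml73ryqk0f";
+};
+
+nativeBuildInputs = [ makeWrapper ];
+
+# make-localhost-default-database-server.patch:
+# This changes the default value of the database server field
+# from 127.0.0.1 to localhost.
+# unix socket authentication only works with localhost,
+# but password-based SQL authentication works with both.
+# TODO: is upstream interested in this?
+patches = [ ./make-localhost-default-database-host.patch ];
+
+# this bootstrap.php adds support for getting PIWIK_USER_PATH
+# from an environment variable. Point it to a mutable location
+# to be able to use matomo read-only from the nix store
+postPatch = ''
+cp ${./bootstrap.php} bootstrap.php
+'';
+
+# TODO: future versions might rename the PIWIK_… variables to MATOMO_…
+# TODO: Move more unnecessary files from share/, especially using PIWIK_INCLUDE_PATH.
+# See https://forum.matomo.org/t/bootstrap-php/5926/10 and
+# https://github.com/matomo-org/matomo/issues/11654#issuecomment-297730843
+installPhase = ''
+runHook preInstall
+
+# copy evertything to share/, used as webroot folder, and then remove what's known to be not needed
+mkdir -p $out/share
+cp -ra * $out/share/
+# tmp/ is created by matomo in PIWIK_USER_PATH
+rmdir $out/share/tmp
+# config/ needs to be copied to PIWIK_USER_PATH anyway
+mv $out/share/config $out/
+
+makeWrapper ${php}/bin/php $out/bin/matomo-console \
+--add-flags "$out/share/console"
+
+runHook postInstall
+'';
+
+meta = with stdenv.lib; {
+description = "A real-time web analytics application";
+license = licenses.gpl3Plus;
+homepage = https://matomo.org/;
+platforms = platforms.all;
+maintainers = [ maintainers.florianjacob ];
+};
+}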
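Review bot: The comment block above `patches` names `make-localhost-default-database-server.patch`, but the file that is actually applied, and added in this commit, is `make-localhost-default-database-host.patch`. The comment header should read `# make-localhost-default-database-host.patch:` so that a search for the patch name lands on its explanation. While touching comments, `evertything` in the `installPhase` comment should be `everything`.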
+13
pkgs/servers/web-apps/matomo/make-localhost-default-database-host.patch
···
··· 1 + diff --git a/plugins/Installation/FormDatabaseSetup.php b/plugins/Installation/FormDatabaseSetup.php 2 + index 9364f49870..2625cbb91b 100644 3 + --- a/plugins/Installation/FormDatabaseSetup.php 4 + +++ b/plugins/Installation/FormDatabaseSetup.php 5 + @@ -82,7 +82,7 @@ class FormDatabaseSetup extends QuickForm2 6 + 7 + // default values 8 + $this->addDataSource(new HTML_QuickForm2_DataSource_Array(array( 9 + - 'host' => '127.0.0.1', 10 + + 'host' => 'localhost', 11 + 'type' => $defaultDatabaseType, 12 + 'tables_prefix' => 'matomo_', 13 + )));
pkgs/servers/web-apps/piwik/bootstrap.php pkgs/servers/web-apps/matomo/bootstrap.php
-51
pkgs/servers/web-apps/piwik/default.nix
··· 1 - { stdenv, fetchurl, makeWrapper, php }: 2 - 3 - stdenv.mkDerivation rec { 4 - name = "piwik-${version}"; 5 - version = "3.2.1"; 6 - 7 - src = fetchurl { 8 - url = "https://builds.piwik.org/${name}.tar.gz"; 9 - sha512 = "1yisgywz7dm6kygh9mc207xnqpvdxbw4pa2l9gjh495a6979x3chi7z5rf410z4dmrg0kbj8wqm8mmmslfn276xvw37l2d4h73ij1h2"; 10 - }; 11 - 12 - nativeBuildInputs = [ makeWrapper ]; 13 - 14 - # regarding the 127.0.0.1 substitute: 15 - # This replaces the default value of the database server field. 16 - # unix socket authentication only works with localhost, 17 - # but password-based SQL authentication works with both. 18 - postPatch = '' 19 - substituteInPlace plugins/Installation/FormDatabaseSetup.php \ 20 - --replace "=> '127.0.0.1'," "=> 'localhost'," 21 - cp ${./bootstrap.php} bootstrap.php 22 - ''; 23 - 24 - # TODO: Move more unnecessary files from share/, especially using PIWIK_INCLUDE_PATH. 25 - # See https://forum.piwik.org/t/bootstrap-php/5926/10 and 26 - # https://github.com/piwik/piwik/issues/11654#issuecomment-297730843 27 - installPhase = '' 28 - runHook preInstall 29 - 30 - # copy evertything to share/, used as webroot folder, and then remove what's known to be not needed 31 - mkdir -p $out/share 32 - cp -ra * $out/share/ 33 - # tmp/ is created by piwik in PIWIK_USER_PATH 34 - rmdir $out/share/tmp 35 - # config/ needs to be copied to PIWIK_USER_PATH anyway 36 - mv $out/share/config $out/ 37 - 38 - makeWrapper ${php}/bin/php $out/bin/piwik-console \ 39 - --add-flags "$out/share/console" 40 - 41 - runHook postInstall 42 - ''; 43 - 44 - meta = with stdenv.lib; { 45 - description = "A real-time web analytics application"; 46 - license = licenses.gpl3Plus; 47 - homepage = https://piwik.org/; 48 - platforms = platforms.all; 49 - maintainers = [ maintainers.florianjacob ]; 50 - }; 51 - }
···
+1
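--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -132,6 +132,7 @@
 m3d-linux = m33-linux; # added 2016-08-13
 manpages = man-pages; # added 2015-12-06
 man_db = man-db; # added 2016-05
+piwik = matomo; # added 2018-01-16
 midoriWrapper = midori; # added 2015-01
 minc_tools = minc-tools; # 2017-12
 mlt-qt5 = libsForQt5.mlt; # added 2015-12-19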
+1 -1
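--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -12672,7 +12672,7 @@
 
 shaarli-material = callPackage ../servers/web-apps/shaarli/material-theme.nix { };
 
-piwik = callPackage ../servers/web-apps/piwik { };
+matomo = callPackage ../servers/web-apps/matomo { };
 
 axis2 = callPackage ../servers/http/tomcat/axis2 { };
 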