provide solution for mysql_secure_file_priv problem and matomo with c…

…ustom fpm pool
alphanodes · Aug 2, 2024 · 415a08a · 415a08a
1 parent aa83dbc
commit 415a08a
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 80 deletions.
diff --git a/roles/matomo/defaults/main.yml b/roles/matomo/defaults/main.yml
@@ -6,9 +6,6 @@ matomo_source_url: https://builds.matomo.org/
 
 matomo_dir: /srv/matomo
 
-# if matomo_vhost is no, subdirectory is used
-matomo_vhost: true
-
 matomo_user: "{{ nginx_user | default(nginx_user) | default('www-data') }}"
 matomo_group: "{{ nginx_group | default(nginx_group) | default('www-data') }}"
 
@@ -47,9 +44,14 @@ matomo_geoip_custom_directory: '{{ matomo_dir }}/misc'
 
 # for cluster you can customize installation
 matomo_with_mysql: true
-# if with nginx, php_fpm will be installed, too. If wihout nginx, php-cli will be installed, only.
+# if with nginx, php_fpm will be installed, too. If without nginx, php-cli will be installed, only.
 matomo_with_nginx: true
 
+# this could be required, if you use non www-data user
+# and want to use mysql_secure_file_priv
+# NOTE: do not activate it, if you use www-data as matomo_user (it should work without)
+matomo_add_mysql_to_matomo_group: false
+
 # see https://matomo.org/faq/new-to-piwik/faq_134/
 # if yes, plugins cannot be enabled by gui
 matomo_multi_server_environment: false

diff --git a/roles/matomo/tasks/setup.yml b/roles/matomo/tasks/setup.yml
@@ -1,5 +1,25 @@
 ---
 
+# see php-fpm pool group: settings should not be conflicting
+- name: Ensure Matomo serivce group is present
+  ansible.builtin.group:
+    name: "{{ matomo_group }}"
+    state: present
+    system: true
+  when: matomo_group != nginx_group and matomo_group != 'root'
+
+- name: Ensure Matomo service user is present
+  when: matomo_user != nginx_user and matomo_group != 'root'
+  ansible.builtin.user:
+    comment: Matomo Service User
+    name: "{{ matomo_user }}"
+    group: "{{ matomo_group }}"
+    home: "{{ matomo_dir }}"
+    createhome: false
+    shell: /usr/sbin/nologin
+    system: true
+    state: present
+
 - name: Stats for matomo config file
   ansible.builtin.stat:
     path: '{{ matomo_config_file }}'
@@ -81,6 +101,14 @@
         mode: '0755'
         state: directory
 
+# required for mysql mysql_secure_file_priv
+- name: Add mysql user to matomo group for pool {{ pool.name }}
+  ansible.builtin.user:
+    name: mysql
+    groups: '{{ matomo_group }}'
+    append: true
+  when: matomo_add_mysql_to_matomo_group and matomo_with_mysql
+
 # required for mysql mysql_secure_file_priv
 - name: Secure matomo directory
   ansible.builtin.file:
@@ -100,16 +128,9 @@
 
 - name: Matomo with nginx
   when: matomo_with_nginx
-  block:
-    - name: Include set vhost tasks
-      ansible.builtin.include_tasks: setup_vhost.yml
-      tags: nginx
-      when: matomo_vhost
-
-    - name: Include subdirectory tasks
-      ansible.builtin.include_tasks: setup_subdirectory.yml
-      tags: nginx
-      when: not matomo_vhost
+  ansible.builtin.include_tasks: setup_nginx.yml
+  tags:
+    - nginx
 
 - name: Set force_ssl = 1
   ansible.builtin.lineinfile:

diff --git a/roles/matomo/tasks/setup_vhost.yml → roles/matomo/tasks/setup_nginx.yml b/roles/matomo/tasks/setup_vhost.yml → roles/matomo/tasks/setup_nginx.yml
diff --git a/roles/matomo/tasks/setup_subdirectory.yml b/roles/matomo/tasks/setup_subdirectory.yml
diff --git a/roles/matomo/templates/nginx/matomo.j2 b/roles/matomo/templates/nginx/matomo.j2
diff --git a/roles/matomo/templates/nginx/sites-available/matomo.j2 b/roles/matomo/templates/nginx/sites-available/matomo.j2
@@ -33,13 +33,13 @@ server {
 
   ## deny access to all other .php files
   location ~* ^.+\.php$ {
-      deny all;
-      return 403;
+    deny all;
+    return 403;
   }
 
   ## serve all other files normally
   location / {
-      try_files $uri $uri/ =404;
+    try_files $uri $uri/ =404;
   }
 
 {% if matomo_vhost_includes is defined -%}
@@ -51,19 +51,34 @@ server {
   access_log off;
 {% endif %}
 
-  location ~ \.(jpg|jpeg|gif|png|ico)$ {
-    access_log off;
-    expires 33d;
+  ## disable all access to the following directories
+  location ~ ^/(config|tmp|core|lang) {
+    deny all;
+    return 403; # replace with 404 to not show these directories exist
+  }
+
+  location ~ js/container_.*_preview\.js$ {
+    expires off;
+    add_header Cache-Control 'private, no-cache, no-store';
   }
 
-  location ~ ^/(config|tmp|core|lang|libs|vendor|node_modules) {
-      deny all;
-      return 403;
+  location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$ {
+    allow all;
+    ## Cache images,CSS,JS and webfonts for an hour
+    ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+    expires 1h;
+    add_header Pragma public;
+    add_header Cache-Control "public";
+  }
+
+  location ~ ^/(libs|vendor|plugins|misc|node_modules) {
+    deny all;
+    return 403;
   }
 
   ## properly display textfiles in root directory
   location ~/(.*\.md|LEGALNOTICE|LICENSE) {
-      default_type text/plain;
+    default_type text/plain;
   }
 }