From 415a08acda72974eac9cf4f5a4f49b694fb018f2 Mon Sep 17 00:00:00 2001
From: Alexander Meindl
Date: Fri, 2 Aug 2024 11:12:46 +0200
Subject: [PATCH] provide solution for mysql_secure_file_priv problem and matomo with custom fpm pool
---
roles/matomo/defaults/main.yml | 10 +++--
roles/matomo/tasks/setup.yml | 41 ++++++++++++++-----
.../{setup_vhost.yml => setup_nginx.yml} | 0
roles/matomo/tasks/setup_subdirectory.yml | 21 ----------
roles/matomo/templates/nginx/matomo.j2 | 35 ----------------
.../templates/nginx/sites-available/matomo.j2 | 35 +++++++++++-----
6 files changed, 62 insertions(+), 80 deletions(-)
rename roles/matomo/tasks/{setup_vhost.yml => setup_nginx.yml} (100%)
delete mode 100644 roles/matomo/tasks/setup_subdirectory.yml
delete mode 100644 roles/matomo/templates/nginx/matomo.j2
diff --git a/roles/matomo/defaults/main.yml b/roles/matomo/defaults/main.yml
index e89dd46..8324905 100644
--- a/roles/matomo/defaults/main.yml
+++ b/roles/matomo/defaults/main.yml
@@ -6,9 +6,6 @@ matomo_source_url: https://builds.matomo.org/ matomo_dir: /srv/matomo -# if matomo_vhost is no, subdirectory is used -matomo_vhost: true - matomo_user: "{{ nginx_user | default(nginx_user) | default('www-data') }}" matomo_group: "{{ nginx_group | default(nginx_group) | default('www-data') }}"
@@ -47,9 +44,14 @@ matomo_geoip_custom_directory: '{{ matomo_dir }}/misc' # for cluster you can customize installation matomo_with_mysql: true -# if with nginx, php_fpm will be installed, too. If wihout nginx, php-cli will be installed, only. +# if with nginx, php_fpm will be installed, too. If without nginx, php-cli will be installed, only. matomo_with_nginx: true +# this could be required, if you use non www-data user +# and want to use mysql_secure_file_priv +# NOTE: do not activate it, if you use www-data as matomo_user (it should work without) +matomo_add_mysql_to_matomo_group: false + # see https://matomo.org/faq/new-to-piwik/faq_134/ # if yes, plugins cannot be enabled by gui matomo_multi_server_environment: false
diff --git a/roles/matomo/tasks/setup.yml b/roles/matomo/tasks/setup.yml
index 931e399..8ae2e36 100644
--- a/roles/matomo/tasks/setup.yml
+++ b/roles/matomo/tasks/setup.yml
@@ -1,5 +1,25 @@ --- +# see php-fpm pool group: settings should not be conflicting +- name: Ensure Matomo serivce group is present + ansible.builtin.group: + name: "{{ matomo_group }}" + state: present + system: true + when: matomo_group != nginx_group and matomo_group != 'root' + +- name: Ensure Matomo service user is present + when: matomo_user != nginx_user and matomo_group != 'root' + ansible.builtin.user: + comment: Matomo Service User + name: "{{ matomo_user }}" + group: "{{ matomo_group }}" + home: "{{ matomo_dir }}" + createhome: false + shell: /usr/sbin/nologin + system: true + state: present + - name: Stats for matomo config file ansible.builtin.stat: path: '{{ matomo_config_file }}'
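Review bot: The comment on the new `matomo_add_mysql_to_matomo_group` default says when the flag might be needed but not what enabling it grants: the matching task in tasks/setup.yml (hunk at line 101) adds the `mysql` account to `matomo_group`, so mysqld receives the group permissions on everything under `matomo_dir`, not only on the files the `mysql_secure_file_priv` workaround needs. I would state that trade-off next to the default, e.g. `# NOTE: enabling this gives the mysql system user group-level access to the whole matomo_dir tree; keep it false unless the secure_file_priv workaround is really required`. Whether the configuration file (`matomo_config_file`) ends up group-readable depends on the `Secure matomo directory` task, whose body is outside the visible hunks.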
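Review bot: The guard on `Ensure Matomo service user is present` tests `matomo_group != 'root'` where the parallel group task tests the group and this one should test the user, so a `matomo_user` of `root` combined with a non-root group is not excluded and `ansible.builtin.user` would rewrite root's primary group, home and shell; the condition should read `when: matomo_user != nginx_user and matomo_user != 'root'`. Both `when` clauses also reference `nginx_user`/`nginx_group` bare, while defaults/main.yml only reads them through `default()`, so with `matomo_with_nginx: false` and no nginx role applied these conditions presumably fail on an undefined variable instead of skipping — a `| default('www-data')` or an `is defined` check would keep the cluster case working. `serivce` in the group task name is a typo, and `create_home` is the current spelling of `createhome`.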
@@ -81,6 +101,14 @@ mode: '0755' state: directory +# required for mysql mysql_secure_file_priv +- name: Add mysql user to matomo group for pool {{ pool.name }} + ansible.builtin.user: + name: mysql + groups: '{{ matomo_group }}' + append: true + when: matomo_add_mysql_to_matomo_group and matomo_with_mysql + # required for mysql mysql_secure_file_priv - name: Secure matomo directory ansible.builtin.file:
@@ -100,16 +128,9 @@ - name: Matomo with nginx when: matomo_with_nginx - block: - - name: Include set vhost tasks - ansible.builtin.include_tasks: setup_vhost.yml - tags: nginx - when: matomo_vhost - - - name: Include subdirectory tasks - ansible.builtin.include_tasks: setup_subdirectory.yml - tags: nginx - when: not matomo_vhost + ansible.builtin.include_tasks: setup_nginx.yml + tags: + - nginx - name: Set force_ssl = 1 ansible.builtin.lineinfile:
diff --git a/roles/matomo/tasks/setup_vhost.yml b/roles/matomo/tasks/setup_nginx.yml
similarity index 100%
rename from roles/matomo/tasks/setup_vhost.yml
rename to roles/matomo/tasks/setup_nginx.yml
diff --git a/roles/matomo/tasks/setup_subdirectory.yml b/roles/matomo/tasks/setup_subdirectory.yml
deleted file mode 100644
index ef36e95..0000000
--- a/roles/matomo/tasks/setup_subdirectory.yml
+++ /dev/null
@@ -1,21 +0,0 @@ ---- - -- name: Set matomo location directory - ansible.builtin.set_fact: - matomo_location_dir: "/{{ matomo_dir | basename }}" - -- name: Update matomo subdirectory configuration - ansible.builtin.template: - src: nginx/matomo.j2 - dest: /etc/nginx/matomo.conf - mode: '0644' - notify: Reload nginx - -- name: Remove vhost configuration files - ansible.builtin.file: - path: '{{ item }}' - state: absent - notify: Restart nginx - loop: - - /etc/nginx/sites-available/matomo.conf - - /etc/nginx/sites-enabled/matomo.conf
diff --git a/roles/matomo/templates/nginx/matomo.j2 b/roles/matomo/templates/nginx/matomo.j2
deleted file mode 100644
index 6c50a5f..0000000
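Review bot: The task name `Add mysql user to matomo group for pool {{ pool.name }}` references `pool`, which nothing in this hunk or in the visible defaults defines; it reads like a leftover from a loop that was dropped (as far as I know Ansible then prints the name unrendered rather than failing, but it is noise either way), so I would shorten it to `- name: Add mysql user to matomo group`. The `# required for mysql mysql_secure_file_priv` comment is now duplicated above this task and above `Secure matomo directory`; the first copy could instead explain the effect, `# secure_file_priv: mysqld has to read matomo_dir, so grant it matomo_group (group-level access to the whole tree)`. Note also that `ansible.builtin.user` with `name: mysql` creates that account when it does not already exist, so the `matomo_with_mysql` guard is what keeps this from minting a stray local user on hosts that use a remote database.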
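Review bot: `tags: - nginx` on the new `ansible.builtin.include_tasks: setup_nginx.yml` task tags only the include statement itself; with `include_tasks` the tasks inside setup_nginx.yml are not tagged, so a run limited with `--tags nginx` executes the include and then skips its contents — the same limitation the replaced block had, carried over rather than fixed. If selective runs are meant to work, either switch to `ansible.builtin.import_tasks: setup_nginx.yml` (tags then propagate, and `when: matomo_with_nginx` is applied to every imported task) or keep `include_tasks` and add `apply: tags: [nginx]` under it.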
--- a/roles/matomo/templates/nginx/matomo.j2
+++ /dev/null
@@ -1,35 +0,0 @@ -{{ ansible_managed | comment }} -# nginx matomo subdirectory configuration - -{% if matomo_location_redirect != '' -%} - -location ^~ {{ matomo_location_redirect }} { - return 301 $scheme://$host{{ matomo_location_dir }}; -} - -{% endif -%} - -# see http://nginx.org/en/docs/http/ngx_http_core_module.html#location -location ^~ {{ matomo_location_dir }} { - root /srv; - - add_header Referrer-Policy origin always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - - # deny rule have to defined before php location! - location ~ ^{{ matomo_location_dir }}/(config|tmp|core|lang|libs|vendor|node_modules|\.) { - deny all; - return 403; - } - - location ~ ^{{ matomo_location_dir }}/(.+.php) { - - {%- include 'templates/fpm.inc.j2' with context %} - - fastcgi_index index.php; - } - - access_log off; -}
diff --git a/roles/matomo/templates/nginx/sites-available/matomo.j2 b/roles/matomo/templates/nginx/sites-available/matomo.j2
index daa6dee..f165e98 100644
--- a/roles/matomo/templates/nginx/sites-available/matomo.j2
+++ b/roles/matomo/templates/nginx/sites-available/matomo.j2
@@ -33,13 +33,13 @@ server { ## deny access to all other .php files location ~* ^.+\.php$ { - deny all; - return 403; + deny all; + return 403; } ## serve all other files normally location / { - try_files $uri $uri/ =404; + try_files $uri $uri/ =404; } {% if matomo_vhost_includes is defined -%}
@@ -51,19 +51,34 @@ server { access_log off; {% endif %} - location ~ \.(jpg|jpeg|gif|png|ico)$ { - access_log off; - expires 33d; + ## disable all access to the following directories + location ~ ^/(config|tmp|core|lang) { + deny all; + return 403; # replace with 404 to not show these directories exist + } + + location ~ js/container_.*_preview\.js$ { + expires off; + add_header Cache-Control 'private, no-cache, no-store'; } - location ~ ^/(config|tmp|core|lang|libs|vendor|node_modules) { - deny all; - return 403; + location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$ { + allow all; + ## Cache images,CSS,JS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; + } + + location ~ ^/(libs|vendor|plugins|misc|node_modules) { + deny all; + return 403; } ## properly display textfiles in root directory location ~/(.*\.md|LEGALNOTICE|LICENSE) { - default_type text/plain; + default_type text/plain; } }
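Review bot: The two new locations that set their own `add_header` (`location ~ js/container_.*_preview\.js$` and the static-asset `location ~ \.(gif|ico|jpg|...)$` block) stop inheriting any `add_header` directives from the `server {}` level, because nginx only inherits them into a level that defines none of its own; if this template sets security headers on the server block the way the deleted matomo.j2 did (`Referrer-Policy`, `X-Content-Type-Options`), they disappear for every cached asset, so repeat them in these two locations or move the header set into an `include`d snippet referenced from each. Ordering is also worth a comment: the asset location precedes `location ~ ^/(libs|vendor|plugins|misc|node_modules)` and regex locations match in order of appearance, so files with those extensions under libs/ or vendor/ are served while everything else there is denied — presumably intentional (plugin JS/CSS must load), but a line such as `## matched before the libs/vendor deny below: assets in those trees are meant to be served` would stop the next reader from "fixing" it. The `server` block this hunk edits starts outside the hunk.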