Update to 2022-03-07 16:00

roles/unmaintained/matomo/defaults/main.yml

@@ -0,0 +1,79 @@
+---
+
+matomo_id: 1
+matomo_root_dir: /opt/matomo_{{ matomo_id }}
+matomo_version: 3.14.1
+matomo_archive_url: https://builds.matomo.org/matomo-{{ matomo_version }}.tar.gz
+matomo_archive_sha1: d27769ce98d8a8101309cf3e4a0e982df39cf37a
+matomo_php_user: php-matomo_{{ matomo_id }}
+matomo_manage_upgrade: True
+matomo_php_version: 74
+# matomo_php_fpm_pool: matomo
+matomo_db_server: "{{ mysql_server | default('localhost') }}"
+matomo_db_port: 3306
+matomo_db_name: matomo_{{ matomo_id }}
+matomo_db_user: matomo_{{ matomo_id }}
+# matomo_db_pass:
+
+# Public matomo URL
+matomo_public_url: https://matomo.{{ inventory_hostname }}
+
+# If defined, restrict access to those hosts
+# matomo_src_ip:
+#   - 192.168.7.0/24
+
+# If defined, will add an alias in apache conf. Else, a vhost will have to be created
+# matomo_alias: matomo
+
+# Auth settings
+# This is the default settings
+matomo_ldap_base:
+  enabled: "{{ (ldap_auth | default(False) or ad_auth | default(False)) | ternary(True,False) }}"
+  use_ldap_for_authentication: 1
+  use_webserver_auth: 1
+  hostname: "{{ ad_auth | default(False) | ternary('ldaps://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower, ldap_uri | default('ldap://ldap' ~ ansible_domain) | regex_replace('^ldap://(.*)','ldaps://\\1')) }}"
+  port: ""
+  ldap_user_filter: "{{ ad_auth | default(False) | ternary('(&(objectCategory=person)(objectClass=user)(primaryGroupId=513))',ldap_user_object_class | default('(objectClass=inetOrgPerson)')) }}"
+  base_dn: "{{ ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=')), ldap_user_base | default('ou=Users') + ',' + ldap_base | default(ansible_domain | regex_replace('\\.',',dc='))) }}"
+  ldap_user_id_field: "{{ ad_auth | default(False) | ternary('sAMAccountName', 'uid') }}"
+  ldap_alias_field: cn
+  ldap_last_name_field: sn
+  ldap_first_name_field: givenName
+  ldap_mail_field: mail
+  servers[]: ldap
+  admin_user: ""
+  admin_pass: ""
+# And this the ones which should be overriden host_vars)
+matomo_ldap: {}
+# And this is the combination of both, which will be used in the role
+matomo_ldap_all: "{{ matomo_ldap_base | combine(matomo_ldap) }}}"
+
+# List of plugins which can be installed by ansible
+matomo_plugins:
+  LoginHttpAuth:
+    version: 3.0.1
+    sha1: 5d56fb010372fa593b050796eeff7fa37f031f60
+  LoginLdap:
+    version: 4.0.8
+    sha1: 9f698725b8c3ff07f9feed9bfbb9b4f3f2defea6
+  ArchiveSite:
+    version: 0.1.1
+    sha1: f1578a585df347a5e6c4ded34db9d816ef36e8ed
+  CustomAlerts:
+    version: 3.0.6
+    sha1: 6e7b7cc0e290c73b2b54ae067de6761b62fb56d9
+  CustomDimensions:
+    version: 3.1.10
+    sha1: 6dc679652e6d5f4a1808ecd3a095de77a7fc14f4
+  SecurityInfo:
+    version: 3.0.7
+    sha1: 2f3bc984e979d8a977b2c580d41985455dc24128
+
+matomo_base_plugins_to_install:
+  - LoginLdap
+  - SecurityInfo
+
+matomo_extra_plugins_to_install: []
+matomo_plugins_to_install: "{{ matomo_base_plugins_to_install + matomo_extra_plugins_to_install }}"
+# Should we remove unmanaged plugins, those installed manually, not using ansible
+matomo_remove_unmanaged_plugins: True

roles/unmaintained/matomo/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- include: ../httpd_common/handlers/main.yml
+- include: ../httpd_php/handlers/main.yml
+...

roles/unmaintained/matomo/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: mkdir
+  - role: httpd_php

roles/unmaintained/matomo/tasks/archive_post.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ matomo_root_dir }}"
+    - version: "{{ matomo_current_version }}"
+  tags: matomo

roles/unmaintained/matomo/tasks/archive_pre.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/webapps_archive.yml
+  vars:
+    - root_dir: "{{ matomo_root_dir }}"
+    - version: "{{ matomo_current_version }}"
+    - db_name: "{{ matomo_db_name }}"
+  tags: matomo

roles/unmaintained/matomo/tasks/cleanup.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Remove uneeded files
+  file: path={{ matomo_root_dir }}/{{ item }} state=absent
+  with_items:
+    - web/vendor/maxmind-db/reader/autoload.php
+  tags: matomo
+
+- name: Remove temp files
+  file: path={{ matomo_root_dir }}/tmp/{{ item }} state=absent
+  with_items:
+    - matomo
+    - "How to install Matomo.html"
+    - matomo-{{ matomo_version }}.tar.gz
+    - matomo.sql
+  tags: matomo
+
+- name: Remove plugins archives
+  file: path={{ matomo_root_dir }}/tmp/{{ item }}-{{ matomo_plugins[item].version }}.zip state=absent
+  with_items: "{{ matomo_plugins.keys() | list }}"
+  tags: matomo
+
+- name: Remove obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - /etc/backup/pre.d/matomo_{{ matomo_id }}_pre-backup
+    - /etc/backup/post.d/matomo_{{ matomo_id }}_post-backup
+    - "{{ matomo_root_dir }}/db_dumps"
+  tags: matomo

roles/unmaintained/matomo/tasks/conf.yml

@@ -0,0 +1,140 @@
+---
+
+- name: Restore configuration
+  copy: src={{ matomo_root_dir }}/archives/{{ matomo_current_version }}/web/config/config.ini.php dest={{ matomo_root_dir }}/web/config/config.ini.php remote_src=True
+  when: matomo_install_mode == "upgrade"
+  tags: matomo
+
+- name: Configure Matomo
+  ini_file:
+    path: "{{ matomo_root_dir }}/web/config/config.ini.php"
+    option: "{{ item.option }}"
+    section: "{{ item.section }}"
+    value: "{{ item.value }}"
+    mode: 0660
+    group: "{{ matomo_php_user }}"
+  with_items:
+    - option: host
+      section: database
+      value: '"{{ matomo_db_server }}"'
+    - option: username
+      section: database
+      value: '"{{ matomo_db_user }}"'
+    - option: password
+      section: database
+      value: '"{{ matomo_db_pass }}"'
+    - option: dbname
+      section: database
+      value: '"{{ matomo_db_name }}"'
+    - option: assume_secure_protocol
+      section: General
+      value: 1
+    - option: salt
+      section: General
+      value: '"{{ matomo_salt }}"'
+    - option: enable_load_data_infile
+      section: General
+      value: 0
+    - option: tmp_path
+      section: General
+      value: "/../tmp"
+    - option: enable_auto_update
+      section: General
+      value: 0
+    - option: piwik_professional_support_ads_enabled
+      section: General
+      value: 0
+    - option: enable_fingerprinting_across_websites
+      section: Tracker
+      value: 1
+    - option: transport
+      section: mail
+      value: '"smtp"'
+    - option: host
+      section: mail
+      value: '"localhost"'
+  tags: matomo
+
+- name: Configure system proxy
+  ini_file:
+    path: "{{ matomo_root_dir }}/web/config/config.ini.php"
+    option: "{{ item.option }}"
+    section: "{{ item.section }}"
+    value: "{{ item.value }}"
+  with_items:
+    - option: host
+      section: proxy
+      value: "{{ system_proxy | urlsplit('hostname') }}"
+    - option: port
+      section: proxy
+      value: "{{ system_proxy | urlsplit('port') | default('8080') }}"
+  when: system_proxy is defined
+  tags: matomo
+
+- name: Configure reverse proxy
+  ini_file:
+    path: "{{ matomo_root_dir }}/web/config/config.ini.php"
+    option: "{{ item.option }}"
+    section: "{{ item.section }}"
+    value: "{{ item.value }}"
+  with_items:
+    - option: "proxy_client_headers[]"
+      section: General
+      value: '"HTTP_X_FORWARDED_FOR"'
+    - option: "proxy_host_headers[]"
+      section: General
+      value: '"HTTP_X_FORWARDED_HOST"'
+  when: httpd_src_ip is defined and httpd_src_ip | length > 0 and '0.0.0.0/0' not in httpd_src_ip
+  tags: matomo
+
+- name: Configure LDAP Authentication
+  ini_file:
+    path: "{{ matomo_root_dir }}/web/config/config.ini.php"
+    option: "{{ item }}"
+    section: LoginLdap
+    value: "{{ (matomo_ldap_all[item] is number) | ternary(matomo_ldap_all[item],'\"' + matomo_ldap_all[item] | string + '\"') }}"
+    state: "{{ matomo_ldap_all.enabled | ternary('present','absent') }}"
+  with_items: "{{ matomo_ldap_all.keys() | list | difference(['enabled','hostname','admin_user','admin_pass','base_dn','port']) }}"
+  tags: matomo
+
+- name: Configure LDAP Servers
+  ini_file:
+    path: "{{ matomo_root_dir }}/web/config/config.ini.php"
+    option: "{{ item }}"
+    section: LoginLdap_ldap
+    value: "{{ (matomo_ldap_all[item] is number) | ternary(matomo_ldap_all[item],'\"' + matomo_ldap_all[item] | string + '\"') }}"
+    state: "{{ (matomo_ldap_all.enabled and matomo_ldap_all[item] is defined) | ternary('present','absent') }}"
+  with_items: [hostname,port,base_dn,admin_user,admin_pass]
+  tags: matomo
+
+- name: Clear cache
+  command: php{{ (matomo_php_version == '54') | ternary('',matomo_php_version) }} {{ matomo_root_dir }}/web/console cache:clear
+  changed_when: False
+  when: matomo_install_mode == 'upgrade'
+  tags: matomo
+
+- name: Enable plugins
+  command: php{{ (matomo_php_version == '54') | ternary('',matomo_php_version) }} {{ matomo_root_dir }}/web/console plugin:activate {{ item }}
+  with_items: "{{ matomo_plugins_to_install }}"
+  changed_when: False
+  tags: matomo
+
+- name: Update Matomo database
+  command: /bin/php{{ (matomo_php_version == '54') | ternary('',matomo_php_version) }} {{ matomo_root_dir }}/web/console --no-interaction core:update --yes
+  when: matomo_install_mode != 'none'
+  tags: matomo
+
+- name: Sync LDAP users
+  command: php{{ (matomo_php_version == '54') | ternary('',matomo_php_version) }} {{ matomo_root_dir }}/web/console loginldap:synchronize-users
+  when:
+    - matomo_ldap_all.enabled
+    - '"LoginLdap" in matomo_plugins_to_install'
+  changed_when: False
+  tags: matomo
+
+- import_tasks: ../includes/webapps_webconf.yml
+  vars:
+    - app_id: matomo_{{ glpi_id }}
+    - php_version: "{{ matomo_php_version }}"
+    - php_fpm_pool: "{{ matomo_php_fpm_pool | default('') }}"
+  tags: matomo

roles/unmaintained/matomo/tasks/directories.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Create directories
+  file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  with_items:
+    - path: "{{ matomo_root_dir }}/sessions"
+      group: "{{ matomo_php_user }}"
+      mode: 770
+    - path: "{{ matomo_root_dir }}/tmp"
+      group: "{{ matomo_php_user }}"
+      mode: 770
+    - path: "{{ matomo_root_dir }}/cache"
+      group: "{{ matomo_php_user }}"
+      mode: 770
+    - path: "{{ matomo_root_dir }}/web"
+    - path: "{{ matomo_root_dir }}/meta"
+      mode: 700
+    - path: "{{ matomo_root_dir }}/backup"
+      mode: 700
+  tags: matomo

roles/unmaintained/matomo/tasks/facts.yml

@@ -0,0 +1,31 @@
+---
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ matomo_root_dir }}"
+    - version: "{{ matomo_version }}"
+  tags: matomo
+- set_fact: matomo_install_mode={{ (install_mode == 'upgrade' and not matomo_manage_upgrade) | ternary('none',install_mode) }}
+  tags: matomo
+- set_fact: matomo_current_version={{ current_version | default('') }}
+  tags: matomo
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ matomo_root_dir }}/meta/salt.txt"
+  tags: matomo
+- set_fact: matomo_salt={{ rand_pass }}
+  tags: matomo
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{matomo_root_dir }}/meta/ansible_dbpass"
+  when: matomo_db_pass is not defined
+  tags: matomo
+- set_fact: matomo_db_pass={{ rand_pass }}
+  when: matomo_db_pass is not defined
+  tags: matomo
+
+- name: Combine default and custom LDAP settings
+  set_fact: matomo_ldap_all={{ matomo_ldap_base | combine(matomo_ldap) }}
+  tags: matomo

roles/unmaintained/matomo/tasks/install.yml

@@ -0,0 +1,181 @@
+---
+
+- name: Install needed tools
+  yum:
+    name:
+      - unzip
+      - mariadb
+      - acl
+      - php{{ matomo_php_version }}-php-pecl-geoip
+  tags: matomo
+
+- name: Download Matomo
+  get_url:
+    url: "{{ matomo_archive_url }}"
+    dest: "{{ matomo_root_dir }}/tmp/"
+    checksum: "sha1:{{ matomo_archive_sha1 }}"
+  when: matomo_install_mode != 'none'
+  tags: matomo
+
+- name: Extract matomo archive
+  unarchive:
+    src: "{{ matomo_root_dir }}/tmp/matomo-{{ matomo_version }}.tar.gz"
+    dest: "{{ matomo_root_dir }}/tmp"
+    remote_src: yes
+  when: matomo_install_mode != 'none'
+  tags: matomo
+
+- name: Check if we have the list of core plugins
+  stat: path={{ matomo_root_dir }}/meta/core_plugins.txt
+  register: matomo_core_plugins_list
+  tags: matomo
+
+- name: Build a list of core plugins, which should never be removed
+  shell: find {{ matomo_root_dir }}/web/plugins/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \; > {{ matomo_root_dir }}/meta/core_plugins.txt
+  when:
+    - matomo_install_mode == 'none'
+    - not matomo_core_plugins_list.stat.exists
+  changed_when: False
+  tags: matomo
+
+- name: Build a list of core plugins, which should never be removed
+  shell: find {{ matomo_root_dir }}/tmp/matomo/plugins/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \; > {{ matomo_root_dir }}/meta/core_plugins.txt
+  when: matomo_install_mode != "none"
+  changed_when: False
+  tags: matomo
+
+- name: Remove known non core plugins from the list
+  lineinfile: path={{ matomo_root_dir }}/meta/core_plugins.txt regexp='^{{ item }}$' state=absent
+  with_items: "{{ matomo_plugins.keys() | list }}"
+  tags: matomo
+
+- name: Read core plugins list
+  command: cat {{ matomo_root_dir }}/meta/core_plugins.txt
+  register: matomo_core_plugins
+  changed_when: False
+  tags: matomo
+
+- name: List previously installed plugins
+  shell: find {{ matomo_root_dir }}/archives/{{ matomo_current_version }}/web/plugins/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \;
+  register: matomo_previous_plugins
+  when: matomo_install_mode == "upgrade"
+  changed_when: False
+  tags: matomo
+
+- name: Move matomo to the web directory
+  synchronize:
+    src: "{{ matomo_root_dir }}/tmp/matomo/"
+    dest: "{{ matomo_root_dir }}/web/"
+    recursive: True
+    delete: True
+    rsync_opts:
+      - '--exclude=config/config.ini.php'
+  delegate_to: "{{ inventory_hostname }}"
+  when: matomo_install_mode != "none"
+  tags: matomo
+
+- name: Restore previous unmanaged plugins
+  synchronize:
+    src: "{{ matomo_root_dir }}/archives/{{ matomo_current_version }}/web/plugins/{{ item }}"
+    dest: "{{ matomo_root_dir }}/web/plugins/"
+    delegate_to: "{{ inventory_hostname }}"
+    recursive: True
+  with_items: "{{ matomo_previous_plugins.stdout_lines }}"
+  when:
+    - matomo_install_mode == 'upgrade'
+    - not matomo_remove_unmanaged_plugins
+  tags: matomo
+
+- name: List installed plugins
+  shell: find {{ matomo_root_dir }}/web/plugins/ -mindepth 1 -maxdepth 1 -type d -exec basename "{}" \;
+  register: matomo_current_plugins
+  changed_when: False
+  tags: matomo
+
+- name: Disable unmanaged plugins
+  command: php{{ (matomo_php_version == '54') | ternary('',matomo_php_version) }} {{ matomo_root_dir }}/web/console plugin:deactivate {{ item }}
+  with_items: "{{ matomo_current_plugins.stdout_lines }}"
+  when:
+    - item not in matomo_plugins_to_install
+    - item not in matomo_core_plugins.stdout
+    - matomo_remove_unmanaged_plugins
+  tags: matomo
+
+- name: Remove unmanaged plugins
+  file: path={{ matomo_root_dir }}/web/plugins/{{ item }} state=absent
+  with_items: "{{ matomo_current_plugins.stdout_lines }}"
+  when:
+    - item not in matomo_plugins_to_install
+    - item not in matomo_core_plugins.stdout
+    - matomo_remove_unmanaged_plugins
+  tags: matomo
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ matomo_db_name }}"
+    - db_user: "{{ matomo_db_user }}"
+    - db_server: "{{ matomo_db_server }}"
+    - db_pass: "{{ matomo_db_pass }}"
+  tags: matomo
+
+- set_fact: matomo_db_created={{ db_created }}
+  tags: matomo
+
+- name: Copy the DB structure
+  copy: src=matomo.sql dest={{ matomo_root_dir }}/tmp/matomo.sql
+  when: matomo_install_mode == 'install'
+  tags: matomo
+
+- name: Init the database
+  mysql_db:
+    state: import
+    login_host: "{{ matomo_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    name: "{{ matomo_db_name }}"
+    target: "{{ matomo_root_dir }}/tmp/matomo.sql"
+  when:
+    - matomo_install_mode == 'install'
+    - matomo_db_created.changed
+  tags: matomo
+
+- name: Build a list of installed plugins
+  shell: find {{ matomo_root_dir }}/web/plugins -maxdepth 1 -mindepth 1 -type d -exec basename "{}" \;
+  register: matomo_installed_plugins
+  changed_when: False
+  tags: matomo
+
+- name: Download plugins
+  get_url:
+    url: http://plugins.matomo.org/api/2.0/plugins/{{ item }}/download/{{ matomo_plugins[item].version }}
+    dest: "{{ matomo_root_dir }}/tmp"
+    checksum: "sha1:{{ matomo_plugins[item].sha1 }}"
+  when: item not in matomo_installed_plugins.stdout_lines
+  with_items: "{{ matomo_plugins_to_install }}"
+  tags: matomo
+
+- name: Extract plugins
+  unarchive:
+    src: "{{ matomo_root_dir }}/tmp/{{ item }}-{{ matomo_plugins[item].version }}.zip"
+    dest: "{{ matomo_root_dir }}/web/plugins/"
+    remote_src: yes
+  when: item not in matomo_installed_plugins.stdout_lines
+  with_items: "{{ matomo_plugins_to_install }}"
+  tags: matomo
+
+- name: Deploy backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/matomo_{{ matomo_id }} mode=750
+  loop:
+    - pre
+    - post
+  tags: matomo
+
+- name: Setup cron task
+  cron:
+    name: matomo_{{ matomo_id }}
+    special_time: hourly
+    user: "{{ matomo_php_user }}"
+    job: "/bin/php{{ (matomo_php_version == '54') | ternary('',matomo_php_version) }} {{ matomo_root_dir }}/web/console core:archive --url={{ matomo_public_url }} 2>&1 | /bin/systemd-cat -t matomo_{{ matomo_id }}"
+    cron_file: matomo_{{ matomo_id }}
+  tags: matomo
+

roles/unmaintained/matomo/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: directories.yml
+  tags: always
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: archive_pre.yml
+  when: matomo_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: archive_post.yml
+  when: matomo_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: write_version.yml
+  tags: always
+
+- include_tasks: cleanup.yml
+  tags: always
+

roles/unmaintained/matomo/tasks/user.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: "{{ matomo_php_user }}"
+    - comment: "PHP FPM for matomo {{ matomo_id }}"
+  tags: matomo

roles/unmaintained/matomo/tasks/write_version.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/webapps_post.yml
+  vars:
+    - root_dir: "{{ matomo_root_dir }}"
+    - version: "{{ matomo_version }}"
+  tags: matomo

roles/unmaintained/matomo/templates/config.ini.php.j2

@@ -0,0 +1,24 @@
+[database]
+host = "{{ matomo_db_server }}"
+username = "{{ matomo_db_user }}"
+password = "{{ matomo_db_pass }}"
+dbname = "{{ matomo_db_name }}"
+port = {{ matomo_db_port }}
+
+[General]
+assume_secure_protocol = 1
+{% if httpd_src_ip is defined and httpd_src_ip | length > 0 and '0.0.0.0/0' not in httpd_src_ip %}
+proxy_client_headers[] = "HTTP_X_FORWARDED_FOR"
+proxy_host_headers[] = "HTTP_X_FORWARDED_HOST"
+{% endif %}
+salt = "{{ matomo_salt }}"
+force_ssl = 0
+assume_secure_protocol = 1
+
+[Tracker]
+enable_fingerprinting_across_websites = 1
+
+[mail]
+transport = "smtp"
+host = "localhost"
+

roles/unmaintained/matomo/templates/httpd.conf.j2

@@ -0,0 +1,32 @@
+{% if matomo_alias is defined %}
+Alias /{{ matomo_alias }} {{ matomo_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+<Directory {{ matomo_root_dir }}/web>
+  AllowOverride All
+  Options FollowSymLinks
+{% if matomo_src_ip is defined %}
+  Require ip {{ matomo_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ matomo_php_fpm_pool | default('matomo_' + matomo_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+
+  <FilesMatch "^(\.ansible_version|\.git.*|(README|LICENSE|AUTHORS|CHANGELOG|CONTRIBUTING|LEGALNOTICE|PRIVACY|SECURITY)(\.md)?|.*\.co?nf|\.htaccess|composer\.(json|lock))">
+    Require all denied
+  </FilesMatch>
+</Directory>
+
+<Directory {{ matomo_root_dir }}/web/config>
+  Require all denied
+</Directory>
+<Directory {{ matomo_root_dir }}/web/inc>
+  Require all denied
+</Directory>
+<Directory {{ matomo_root_dir }}/web/config>
+  Require all denied
+</Directory>

roles/unmaintained/matomo/templates/perms.sh.j2

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+restorecon -R {{ matomo_root_dir }}
+chown root:root {{ matomo_root_dir }}
+chmod 700 {{ matomo_root_dir }}
+setfacl -k -b {{ matomo_root_dir }}
+setfacl -m u:{{ matomo_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ matomo_root_dir }}
+chown -R root:root {{ matomo_root_dir }}/web
+chown -R {{ matomo_php_user | default('apache') }} {{ matomo_root_dir }}/web/plugins
+chown {{ matomo_php_user | default('apache') }} {{ matomo_root_dir }}/web/matomo.js
+find {{ matomo_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ matomo_root_dir }}/web -type d -exec chmod 755 "{}" \;
+chown -R :{{ matomo_php_user }} {{ matomo_root_dir }}/web/{config,tmp,misc}/
+find {{ matomo_root_dir }}/web/{config,tmp,misc} -type f -exec chmod 660 "{}" \;
+find {{ matomo_root_dir }}/web/{config,tmp,misc} -type d -exec chmod 770 "{}" \;
+chown -R {{ matomo_php_user }} {{ matomo_root_dir }}/tmp/*
+find {{ matomo_root_dir }}/tmp/ -type f -exec chmod 660 "{}" \;
+find {{ matomo_root_dir }}/tmp/ -type d -exec chmod 770 "{}" \;
+chown :{{ matomo_php_user }} {{ matomo_root_dir }}/web/piwik.js
+chmod 664 {{ matomo_root_dir }}/web/piwik.js
+

roles/unmaintained/matomo/templates/php.conf.j2

@@ -0,0 +1,37 @@
+; {{ ansible_managed }}
+
+[matomo_{{ matomo_id }}]
+
+listen.owner = root
+listen.group = {{ httpd_user | default('apache') }}
+listen.mode = 0660
+listen = /run/php-fpm/matomo_{{ matomo_id }}.sock
+user = {{ matomo_php_user }}
+group = {{ matomo_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 60m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 256M
+php_admin_value[session.save_path] = {{ matomo_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ matomo_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ matomo_root_dir }}/tmp
+php_admin_value[post_max_size] = 2M
+php_admin_value[upload_max_filesize] = 2M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ matomo_root_dir }}
+php_admin_value[max_execution_time] = 300
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_uploads] = off
+php_admin_flag[session.cookie_httponly] = on

roles/unmaintained/matomo/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -f {{ matomo_root_dir }}/backup/*

roles/unmaintained/matomo/templates/pre-backup.j2

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump --user={{ matomo_db_user | quote }} \
+                   --password={{ matomo_db_pass | quote }} \
+                   --host={{ matomo_db_server | quote }} \
+                   --quick --single-transaction \
+                   --add-drop-table {{ matomo_db_name | quote }} | zstd -c > {{ matomo_root_dir }}/backup/{{ matomo_db_name }}.sql.zst