From e4dd772bda99f1316da97ca0cd7cd99b85c56b5b Mon Sep 17 00:00:00 2001
From: Shawn Davis
Date: Sun, 26 Nov 2023 17:21:27 -0600
Subject: [PATCH] Finished initial inventory for Matomo installer.
---
scripttease/data/inventory/matomo/meta.ini | 6 ++
scripttease/data/inventory/matomo/notes.md | 99 -------------------
scripttease/data/inventory/matomo/steps.ini | 91 +++++++++++++++++
.../data/inventory/matomo/templates/http.conf | 12 +++
.../inventory/matomo/templates/https.conf | 52 ++++++++++
.../data/inventory/matomo/variables.ini | 43 ++++++++
6 files changed, 204 insertions(+), 99 deletions(-)
create mode 100644 scripttease/data/inventory/matomo/meta.ini
delete mode 100644 scripttease/data/inventory/matomo/notes.md
create mode 100644 scripttease/data/inventory/matomo/steps.ini
create mode 100644 scripttease/data/inventory/matomo/templates/http.conf
create mode 100644 scripttease/data/inventory/matomo/templates/https.conf
create mode 100644 scripttease/data/inventory/matomo/variables.ini
diff --git a/scripttease/data/inventory/matomo/meta.ini b/scripttease/data/inventory/matomo/meta.ini
new file mode 100644
index 0000000..aaf395b
--- /dev/null
+++ b/scripttease/data/inventory/matomo/meta.ini
@@ -0,0 +1,6 @@
+[package]
+description = Install Matomo.
+docs = https://matomo.com
+tags = stats
+title = Matomo
+version = 0.1.0-d
diff --git a/scripttease/data/inventory/matomo/notes.md b/scripttease/data/inventory/matomo/notes.md
deleted file mode 100644
index 37fb60e..0000000
--- a/scripttease/data/inventory/matomo/notes.md
+++ /dev/null
@@ -1,99 +0,0 @@ -Install dependencies - -apt install apache2 mariadb-server php libapache2-mod-php php-cli php-fpm php-json php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear phpbcmath curl unzip -v - -sudo systemctl start apache2 -sudo systemctl start mariadb - - -Enable and Create db - -sudo systemctl enable apache2 mariadb - -CREATE MYSQL DATABASE -MYSQL -CREATE DATABASE matomodb; -CREATE USER 'matomouser'@'localhost' IDENTIFIED BY 'password' -GRANT ALL PRIVILAGES ON matomodb.* TO 'matomouser'@'localhost' - - -Pull and unzip Matomo files and set permissions - -wget http://builds.matomo.org/matomo-latest.zip - -unzip matomo-latest.zip - -mv matomo /var/www/html/matomo - -chown -R www-data:www-data /var/www/html/matomo - -chmod -R 755 /var/www/html/matomo - - - -Create Apache config file - -sudo nano /etc/apache2/sites-available/matomo.conf - - - -ServerName matomo.mark37.com -DocumentRoot /var/www/html/matomo/ - - -Options FollowSymLinks -Allowoverride All -Require all granted - - - -Options None -Require all denied - - - -Options None -Required all granted - - - -Options None -Required all granted - - - -Options None -Required all granted - - -ErrorLog ${APACHE_LOG_DIR}/matomo_error.log -CustomLog ${APACHE_LOG_DIR}/matomo_access.log combined - - - - - - -Enable site - -sudo a2ensite matomo.mark37.com - -sudo a2enmod rewrite headers enc dif mime setenvif ssl - -sudo systemctl enable --now php7.4-fpm -sudo systemctl reload apache2 - - -Install SSL Certificate - -sudo apt install certbot python3-certbot-apache -y - -sudo ufw disable -sudo certbot --apache -d matomo.mark37.com -sudo ufw enable - - - -cron settings for Ssl renew - -0 6 * * 0 certbot renew -n -q --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2” diff --git a/scripttease/data/inventory/matomo/steps.ini b/scripttease/data/inventory/matomo/steps.ini new file mode 100644 index 0000000..3ddca40 --- /dev/null +++ b/scripttease/data/inventory/matomo/steps.ini 
@@ -0,0 +1,91 @@
+[install dependencies]
+install: $item
+sudo: yes
+items: apache2 mariadb-server php libapache2-mod-php php-cli php-fpm php-json php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear phpbcmath curl unzip
+
+[make sure a maintenance root exists]
+dir: /var/www/maint/www
+group: {{ apache_group }}
+owner: {{ apache_user }}
+recursive: yes
+sudo: yes
+
+[disable the default site]
+apache.disable_site: 000-default
+sudo: yes
+
+[install certbot]
+install: certbot
+sudo: yes
+
+[enable apache modules]
+apache.enable_module: $item
+items: rewrite headers enc dif mime setenvif ssl
+sudo: yes
+
+; Is this really necessary?
+[enable php]
+run: systemctl enable --now php7.4-fpm
+sudo: yes
+
+[create virtual host without SSL]
+template: http.conf /etc/apache2/sites-available/{{ domain_name }}.conf
+sudo: yes
+
+[enable the non-SSL site]
+apache.enable_site: {{ domain_name }}
+sudo: yes
+
+[reload apache with non-SSL site in place]
+apache.reload:
+sudo: yes
+
+[create the database]
+mysql.create: {{ database_name }}
+host: {{ database_host }}
+
+[create the database user]
+mysql.user: {{ database_user }}
+host: {{ database_host }}
+password: {{ database_password }}
+
+[set privileges for database user]
+mysql.grant: {{ database_user }}
+database: {{ database_name }}
+host: {{ database_host }}
+
+[download the latest copy of matomo]
+run: wget http://builds.matomo.org/matomo-latest.zip
+cd: /tmp
+
+[unzip the matomo package]
+run: unzip matomo-latest.zip
+cd: /tmp
+
+[move the matomo package]
+move: /tmp/matomo {{ install_path }}/{{ domain_tld }}
+sudo: yes
+
+[set permissions on the matomo directory]
+perms: {{ install_path }}/{{ domain_tld }}
+owner: {{ apache_user }}
+group: {{ apache_group }}
+mode: 755
+recursive: yes
+sudo: yes
+
+{% if not file_exists(letsencrypt_file, host=current_host) %}
+[acquire SSL certificate]
+certbot: {{ domain_name }}
+email: {{ webmaster_email }}
+webroot: /var/www/maint/www
+sudo: yes
+{% endif %}
+
+[create virtual host with SSL]
+template: https.conf /etc/apache2/sites-available/{{ domain_name }}.conf
+sudo: yes
+
+[reload apache with SSL in place]
+apache.reload:
+sudo: yes
diff --git a/scripttease/data/inventory/matomo/templates/http.conf b/scripttease/data/inventory/matomo/templates/http.conf
new file mode 100644
index 0000000..837c09b
--- /dev/null
+++ b/scripttease/data/inventory/matomo/templates/http.conf
@@ -0,0 +1,12 @@
+# The port 80 host is required for renewing Let's Encrypt certificates. By default document root is shared by all sites
+# requiring SSL support, but this may be changed to {{ deploy.shared_path }}/maint/www in the deployment template if
+# a custom maintenance site is required.
+
+ ServerName {{ domain_name }}
+ ServerAlias *.{{ domain_name }}
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{REQUEST_URI} !^/.well-known [NC]
+ RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
+ DocumentRoot /var/www/maint/www
+
diff --git a/scripttease/data/inventory/matomo/templates/https.conf b/scripttease/data/inventory/matomo/templates/https.conf
new file mode 100644
index 0000000..d026c75
--- /dev/null
+++ b/scripttease/data/inventory/matomo/templates/https.conf
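Review bot: The `[download the latest copy of matomo]` step fetches the release over plain `http://` and nothing checks the archive before it is unzipped, moved into the web root with sudo and handed to the Apache user, so whatever arrives on the wire is what gets served. I would change the step to `run: wget https://builds.matomo.org/matomo-latest.zip` and add a step that verifies the archive against the signature or checksum the Matomo project publishes before the unzip step runs. The fixed names `/tmp/matomo-latest.zip` and `/tmp/matomo` also sit in a directory other local users can write to; a freshly created private working directory for the two `cd:` values would avoid picking up a pre-existing file or directory. Separately, `enc dif` in the module list and `phpbcmath` in the package list look like typos (possibly `env dir` and `php-bcmath`), which would make those steps fail.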
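Review bot: The redirect `RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]` builds its target from `%{SERVER_NAME}`, which under Apache's default `UseCanonicalName Off` follows the Host header of the request, and `ServerAlias *.{{ domain_name }}` widens the set of names this host answers for. With `000-default` disabled in steps.ini this may also become the fallback host on port 80, so the redirect can point at names the certificate issued for `{{ domain_name }}` does not cover, or at a name taken from the request. Redirecting to the configured name, `RewriteRule ^/?(.*)$ https://{{ domain_name }}/$1 [R=301,L]`, removes that dependency and also avoids the doubled slash that `(.*)` produces in virtual-host context. The port-80 block at the top of https.conf repeats the same rule; the enclosing VirtualHost lines are not visible in this rendering of the hunk.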
@@ -0,0 +1,52 @@
+# The port 80 host is required for renewing Let's Encrypt certificates. By default document root is shared by all sites
+# requiring SSL support, but this may be changed to {{ deploy.shared_path }}/maint/www in the deployment template if
+# a custom maintenance site is required.
+
+ ServerName {{ domain_name }}
+ ServerAlias *.{{ domain_name }}
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{REQUEST_URI} !^/.well-known [NC]
+ RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
+ DocumentRoot /var/www/maint/www
+
+
+# The 443 host is where the application is actually served.
+
+ ServerName {{ domain_name }}
+ DocumentRoot {{ install_path }}/{{ domain_tld }}
+
+
+ Options FollowSymLinks
+ Allowoverride All
+ Require all granted
+
+
+
+ Options None
+ Require all denied
+
+
+
+ Options None
+ Required all granted
+
+
+
+ Options None
+ Required all granted
+
+
+
+ Options None
+ Required all granted
+
+
+ ErrorLog ${APACHE_LOG_DIR}/matomo_error.log
+ CustomLog ${APACHE_LOG_DIR}/matomo_access.log combined
+
+ SSLEngine on
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ domain_name }}/privkey.pem
+ SSLCertificateFile /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem
+
+
diff --git a/scripttease/data/inventory/matomo/variables.ini b/scripttease/data/inventory/matomo/variables.ini
new file mode 100644
index 0000000..7c162be
--- /dev/null
+++ b/scripttease/data/inventory/matomo/variables.ini
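Review bot: `Required all granted` appears three times in the 443 host and is not an Apache directive (the directive is `Require`), so Apache should reject the file as a syntax error when the `[reload apache with SSL in place]` step runs; each occurrence should read `Require all granted`. The container lines around the `Options`/`Require` groups are not visible in this rendering, so which paths end up granted or denied cannot be checked from here; once the typo is fixed it is worth confirming that the `Require all denied` group covers Matomo's non-public directories. Because this template overwrites the working non-SSL site file at the same path, running a configuration test before the reload would keep a bad render from taking the site down.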
@@ -0,0 +1,43 @@
+[apache_user]
+comment = The name of the user that runs Apache.
+value = www-data
+
+[apache_group]
+comment = The name of the group to which the Apache user is assigned.
+value = www-data
+
+[database_host]
+comment = The server name hosting the database.
+value = localhost
+
+[database_name]
+comment = The name of the database.
+value = matomo_example_com
+
+[database_password]
+comment = The password used to access the database.
+value = change_this_to_something_secure!
+
+[database_user]
+comment = The user name accessing the database.
+value = matomo_example_com
+
+[domain_name]
+comment = The domain name to use for the Matomo host.
+value = matomo.example.com
+
+[domain_tld]
+comment = The domain name as a directory.
+value = matomo_example_com
+
+[letsencrypt_file]
+comment = The path to the SSL cert.
+value = /etc/letsencrypt/live/%(domain_name)/cert.pem
+
+[webmaster_email]
+comment = The webmaster's email address. Used when setting up SSL.
+value = webmaster@example.com
+
+[install_path]
+comment = The path to document root where Matomo will be installed.
+value = /var/www
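Review bot: `[database_password]` ships a usable default, `value = change_this_to_something_secure!`, so an install run without overrides creates the MariaDB account with a password that is readable in this repository. I would leave the value empty and, if the variable loader can mark a value as required, make the run stop before the `mysql.user` step when it is unset; the comment could then read `comment = The password used to access the database. Required; there is no default.`. Separately, `letsencrypt_file` uses `%(domain_name)` while the steps and templates use `{{ ... }}` substitution; if that form is not expanded, the `file_exists` guard in steps.ini would never find the certificate and certbot would be requested on every run, which is worth confirming against how scripttease loads variables.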