diff --git a/.drone-home.star b/.drone-home.star
new file mode 100644
index 0000000..d3c5053
--- /dev/null
+++ b/.drone-home.star
@@ -0,0 +1,14 @@
+
+load("@this//matomo:drone.star", "drone")
+load("@this//matomo:stack-name.star", "stackName")
+load("@this//matomo:stack-root.star", "stackRoot")
+
+def main(ctx):
+ return drone(
+ ctx,
+ "home-deploy",
+ stackRoot,
+ stackName,
+ []
+ )
+
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..be239b5
--- /dev/null
+++ b/docker-compose.yml
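Review bot: The pipeline entry point carries no comment saying what `drone()` builds for "home-deploy" or what the empty list passed as its last argument selects; the helper lives in `@this//matomo:drone.star`, which is not part of this change, so a reader of this file alone cannot tell. A one-line comment above `def main(ctx):` along the lines of `# Drone pipeline for the "home" stack; the trailing list is <what drone.star expects here>, empty for this stack` would close that gap, with the placeholder filled in from drone.star's signature.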
@@ -0,0 +1,70 @@
+version: "3.7"
+services:
+ matomo:
+ image: matomo:fpm-alpine
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ volumes:
+# - ./config:/var/www/html/config:rw
+# - ./logs:/var/www/html/logs
+ - matomo:/var/www/html
+ environment:
+ - MATOMO_DATABASE_HOST=matomo-mariadb
+ - MYSQL_PASSWORD=${MATOMO_MYSQL_PASSWORD}
+ - MYSQL_DATABASE=matomo
+ - MYSQL_USER=matomo
+ - MATOMO_DATABASE_ADAPTER=mysql
+ - MATOMO_DATABASE_TABLES_PREFIX=matomo_
+ - MATOMO_DATABASE_USERNAME=matomo
+ - MATOMO_DATABASE_PASSWORD=${MATOMO_MYSQL_PASSWORD}
+ - MATOMO_DATABASE_DBNAME=matomo
+ networks:
+ - appnet
+ matomo-web:
+ image: nginx:alpine
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ volumes:
+ - matomo:/var/www/html:ro
+ # see https://github.com/matomo-org/matomo-nginx
+ - ./matomo/matomo.conf:/etc/nginx/conf.d/default.conf:ro
+ networks:
+ - appnet
+ - externalnet
+ matomo-mariadb:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack-data == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: mariadb:10
+ command: --max-allowed-packet=128MB
+ networks:
+ - appnet
+ volumes:
+ - matomo-mariadb:/var/lib/mysql
+ environment:
+ MYSQL_ROOT_PASSWORD: ${MATOMO_MYSQL_ROOT_PASSWORD}
+ MYSQL_USER: matomo
+ MYSQL_DATABASE: matomo
+ MYSQL_PASSWORD: ${MATOMO_MYSQL_PASSWORD}
+volumes:
+ matomo:
+ matomo-mariadb:
+
+networks:
+ appnet:
+ driver: overlay
+ #external: true
+ externalnet:
+ driver: overlay
+ external: true
diff --git a/matomo/matomo.conf b/matomo/matomo.conf
new file mode 100644
index 0000000..15d6f15
--- /dev/null
+++ b/matomo/matomo.conf
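Review bot: Both database passwords are injected as plain environment variables (`MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` on matomo-mariadb, `MATOMO_DATABASE_PASSWORD` and `MYSQL_PASSWORD` on matomo), so after `docker stack deploy` they are stored in the service spec, readable by anyone who can run `docker service inspect`, and sit in every container's process environment. The mariadb image reads `MYSQL_ROOT_PASSWORD_FILE` and `MYSQL_PASSWORD_FILE`, so that service can take Docker secrets instead, as sketched below (the secret names are illustrative); whether the matomo image accepts a `_FILE` form of `MATOMO_DATABASE_PASSWORD` is not shown here and should be checked before converting it the same way. Separately, `MYSQL_PASSWORD`, `MYSQL_DATABASE` and `MYSQL_USER` on the matomo service look redundant next to the `MATOMO_DATABASE_*` variables; if the image does not read them they only widen where the password is exposed and can be dropped.
```yaml
# … unchanged: matomo and matomo-web services …
  matomo-mariadb:
    # … unchanged: deploy, image, command, networks, volumes …
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/matomo_mysql_root_password
      MYSQL_USER: matomo
      MYSQL_DATABASE: matomo
      MYSQL_PASSWORD_FILE: /run/secrets/matomo_mysql_password
    secrets:
      - matomo_mysql_root_password
      - matomo_mysql_password
# … unchanged: volumes and networks …
secrets:
  matomo_mysql_root_password:
    external: true
  matomo_mysql_password:
    external: true
```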
@@ -0,0 +1,69 @@
+upstream php-handler {
+ server matomo:9000;
+}
+
+server {
+ listen 80;
+
+ add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
+ root /var/www/html; # replace with path to your matomo instance
+ index index.php;
+ try_files $uri $uri/ =404;
+
+ ## only allow accessing the following php files
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
+ # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Check that the PHP script exists before passing it
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+ fastcgi_pass php-handler;
+ }
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ ## disable all access to the following directories
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+}
+
+# vim: filetype=nginx
\ No newline at end of file
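Review bot: The server-level `add_header Referrer-Policy origin;` is silently dropped from responses served by the two locations that declare their own `add_header` (the `js/container_*_preview.js` block and the static-file extension block), because nginx inherits `add_header` from the enclosing level only when the current level defines none; the policy therefore goes out on PHP responses but not on static assets or the preview script. Repeat `add_header Referrer-Policy origin;` inside each of those two locations, or put the policy in a snippet that every header-setting location includes. A smaller point of style: `location ~ /(config|tmp|core|lang)` and `location ~ /(libs|vendor|plugins|misc/user)` are unanchored and so match those names anywhere in the path, unlike the `^/` anchor on the PHP location; `^/(config|tmp|core|lang)` would state the intent, though the effect of the current form is only over-blocking, so confirm nothing relies on it before narrowing.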