Switch to custom Matomo image

So that we can customize it with plugins we need etc.

Author: stsnel

.github/workflows/build-push-image-matomo.yml

@@ -0,0 +1,46 @@
+---
+name: "Build Nginx image and push it to registry"
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/build-push-image-matomo.yml'
+      - 'docker/images/matomo/**'
+  workflow_dispatch:
+
+jobs:
+  push-image:
+    if: github.repository == 'utrechtuniversity/matomo-ansible'
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - name: Extract branch name
+      shell: bash
+      run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+      id: extract_branch
+
+    - name: Check out Matomo Ansible repository
+      uses: actions/checkout@v6
+      with:
+        path: matomo-ansible
+        repository: UtrechtUniversity/matomo-ansible
+        ref: ${{ steps.extract_branch.outputs.branch }}
+
+    - name: Authenticate to the container registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v6
+      with:
+        context: matomo-ansible/docker/images/matomo
+        file: matomo-ansible/docker/images/matomo/Dockerfile
+        push: true
+        tags: ghcr.io/utrechtuniversity/matomo-app:latest

docker/.env

@@ -1,10 +1,16 @@
 # Configuration of Matomo
 
 # Application configuration
-MATOMO_HOST=www.matomo.test
+MATOMO_HOST="www.matomo.test"
 MATOMO_HOST_IP=127.0.0.1
 MATOMO_HOST_PORT=443
 
+MATOMO_FIRST_SITE_NAME=test
+MATOMO_FIRST_SITE_URL=https://www.matomo.test
+MATOMO_FIRST_USER_NAME=uuadmin
+MATOMO_FIRST_USER_EMAIL=yoda@uu.nl
+MATOMO_FIRST_USER_PASSWORD=admin
+
 # Database configuration
 MARIADB_PASSWORD=testtest
 MARIADB_ROOT_PASSWORD=testtest

docker/build-local-images.sh

@@ -3,10 +3,10 @@ set -e
 
 cd images
 
-for image in nginx mta
+for image in nginx mta matomo
 do cd "$image"
    echo "Building image $image ..."
-   ./build.sh
+   ./build.sh $*
    cd ..
 done
 

docker/docker-compose.yml

@@ -1,11 +1,18 @@
 ---
+
+volumes:
+  matomo_config:
+  matomo_db_data:
+  nginx_config:
+
 services:
   database:
+    container_name: database
     image: mariadb:12
     command: --max-allowed-packet=64MB
     restart: always
     volumes:
-      - database:/var/lib/mysql:Z
+      - matomo_db_data:/var/lib/mysql:Z
     environment:
       - MARIADB_AUTO_UPGRADE=1
       - MARIADB_DATABASE=matomo
@@ -16,19 +23,26 @@ services:
       - MARIADB_USER=matomo
 
   matomo:
-    image: matomo:5.4.0
+    container_name: matomo
+    image: ghcr.io/utrechtuniversity/matomo-app:latest
     restart: always
     depends_on:
       - database
     volumes:
-      - matomo:/var/www/html:z
+      - matomo_config:/var/www/html/matomo/config:z
     environment:
       - MATOMO_DATABASE_ADAPTER=mysql
       - MATOMO_DATABASE_DBNAME=matomo
       - MATOMO_DATABASE_HOST=database
       - MATOMO_DATABASE_PASSWORD=${MARIADB_PASSWORD}
       - MATOMO_DATABASE_TABLES_PREFIX=matomo_
       - MATOMO_DATABASE_USERNAME=matomo
+      - MATOMO_HOST=${MATOMO_HOST}
+      - MATOMO_FIRST_SITE_NAME=${MATOMO_FIRST_SITE_NAME}
+      - MATOMO_FIRST_SITE_URL=${MATOMO_FIRST_SITE_URL}
+      - MATOMO_FIRST_USER_NAME=${MATOMO_FIRST_USER_NAME}
+      - MATOMO_FIRST_USER_EMAIL=${MATOMO_FIRST_USER_EMAIL}
+      - MATOMO_FIRST_USER_PASSWORD=${MATOMO_FIRST_USER_PASSWORD}
       - PHP_MEMORY_LIMIT=2048M
 
   nginx:
@@ -64,9 +78,3 @@ services:
       -  POSTFIX_ORIGIN=${POSTFIX_ORIGIN}
     sysctls:
       net.ipv4.ip_unprivileged_port_start: 0
-
-
-volumes:
-  database:
-  matomo:
-  nginx_config:

docker/images/matomo/001-matomo.conf

@@ -0,0 +1,29 @@
+<VirtualHost *:80>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	ServerName SERVERNAME
+
+	DocumentRoot /var/www/html/matomo
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+

docker/images/matomo/Dockerfile

@@ -0,0 +1,55 @@
+FROM ubuntu:24.04
+LABEL maintainer="Yoda team <yoda@uu.nl>"
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Application settings
+ENV MATOMO_VERSION="5.6.1"
+ENV MATOMO_EXTRATOOLS_PLUGIN_VERSION="5.1.5"
+ENV MATOMO_CLASSICCOUNTER_PLUGIN_VERSION="0.4.0"
+
+# Network settings
+EXPOSE 80
+
+# Update packages
+RUN apt-get update
+
+# Install common tools
+# hadolint ignore=DL3033
+RUN apt-get install -y wget git vim sudo nmap crudini
+
+## Install Apache
+# hadolint ignore=DL3033
+RUN apt-get install -y apache2 apache2-dev libapache2-mod-php && \
+    a2enmod headers && \
+    a2enmod rewrite
+COPY 001-matomo.conf /etc/apache2/sites-available/001-matomo.conf
+RUN a2dissite 000-default.conf && \
+    a2ensite 001-matomo.conf
+
+## Install PHP dependencies
+RUN sudo apt-get install -y php php-curl php-gd php-cli php-mysql php-xml php-mbstring
+
+## Install Matomo
+RUN cd /tmp && \
+    wget "https://builds.matomo.org/matomo-${MATOMO_VERSION}.tar.gz" && \
+    cd /var/www/html && \
+    tar xvfz "/tmp/matomo-${MATOMO_VERSION}.tar.gz" && \
+    rm "/tmp/matomo-${MATOMO_VERSION}.tar.gz"
+
+## Install Matomo plugins
+RUN cd /var/www/html/matomo/plugins && \
+    git clone --branch "$MATOMO_EXTRATOOLS_PLUGIN_VERSION" https://github.com/Digitalist-Open-Cloud/Matomo-Plugin-ExtraTools.git ExtraTools && \
+    git clone --branch "$MATOMO_CLASSICCOUNTER_PLUGIN_VERSION" https://github.com/Findus23/plugin-ClassicCounter.git Counter && \
+    echo "[General]" > /var/www/html/matomo/config/common.config.ini.php && \
+    echo "always_load_commands_from_plugin=ExtraTools" >> /var/www/html/matomo/config/common.config.ini.php && \
+    chown -R www-data:www-data /var/www/html/matomo &&\
+    find /var/www/html/matomo/tmp -type f -exec chmod 644 {} \; &&\
+    find /var/www/html/matomo/tmp -type d -exec chmod 755 {} \;
+
+# Install init script
+# hadolint ignore=DL3033
+COPY matomo-init.sh /matomo-init.sh
+RUN chmod 0755 /matomo-init.sh
+
+VOLUME [ "/sys/fs/cgroup" ]
+CMD exec /matomo-init.sh

docker/images/matomo/build.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+docker build -t ghcr.io/utrechtuniversity/matomo-app:latest . $*

docker/images/matomo/matomo-init.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -o pipefail
+set -u
+
+function start_service {
+  apache2ctl -D FOREGROUND || true
+  echo "Error: Apache either terminated or would not start. Keeping container running for troubleshooting purposes."
+  sleep infinity
+}
+
+function before_update {
+  echo -e "[...] ${1}"
+}
+
+function progress_update {
+  GREEN='\033[0;32m'
+  RESET='\033[0m'
+  echo -e "[ ${GREEN}\xE2\x9C\x94${RESET} ] ${1}"
+}
+
+check_port() {
+    local host="$1"
+    local port="$2"
+
+    echo "Checking service availability at ${host}:${port}..."
+
+    while true; do
+        # Use nmap to scan the specified port on the given host
+        nmap -p "${port}" "${host}" | grep -q "open"
+
+        # If the port is open, exit the loop
+        if [ $? -eq 0 ]; then
+            echo "Server is available at ${host}:${port}"
+            break
+        else
+            echo "Server at ${host}:${port} is not available. Retrying in 1 seconds..."
+            sleep 1
+        fi
+    done
+}
+
+## Check DB up
+check_port database 3306
+
+set -e
+
+if ! [[ -f /container_initialized ]]
+then before_update "Setting up Apache vhost"
+     perl -pi -e '$servername=$ENV{MATOMO_HOST}; s/SERVERNAME/$servername/' /etc/apache2/sites-available/001-matomo.conf
+     before_update "Initializing Matomo."
+     cd /var/www/html/matomo
+     ./console matomo:install --no-interaction \
+	     --db-username="$MATOMO_DATABASE_USERNAME" \
+	     --db-pass="MATOMO_DATABASE_PASSWORD" \
+             --db-host="$MATOMO_DATABASE_HOST" \
+	     --db-port=3306 \
+	     --db-name="$MATOMO_DATABASE_DBNAME" \
+             --first-site-name="$MATOMO_FIRST_SITE_NAME" \
+	     --first-site-url="$MATOMO_FIRST_SITE_URL" \
+             --first-user="$MATOMO_FIRST_USER_NAME" \
+             --first-user-email="$MATOMO_FIRST_USER_EMAIL" \
+             --first-user-pass="$MATOMO_FIRST_USER_PASSWORD"
+     crudini --set /var/www/html/matomo/config/config.ini.php General force_ssl 1
+     crudini --set /var/www/html/matomo/config/config.ini.php General assume_secure_protocol 1
+     crudini --set /var/www/html/matomo/config/config.ini.php General proxy_client_headers[] HTTP_X_FORWARDED_FOR
+     crudini --set /var/www/html/matomo/config/config.ini.php General proxy_host_headers[] HTTP_X_FORWARDED_HOST
+     chmod 0644 /var/www/html/matomo/config/config.ini.php
+     chown www-data:www-data /var/www/html/matomo/config/config.ini.php
+     touch /container_initialized
+fi
+
+before_update "Initialization complete. Starting Apache"
+start_service

docker/images/mta/Dockerfile

@@ -23,7 +23,7 @@ RUN dpkg-reconfigure --frontend=noninteractive locales
 RUN update-locale LANG=${LC_ALL}
 
 # Install common dependencies
-RUN apt -y install curl golang git && \
+RUN apt -y install curl golang git iproute2 && \
     curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash && \
     source /root/.nvm/nvm.sh && \
     nvm install v18

docker/images/nginx/nginx.site.part1

@@ -12,8 +12,9 @@ server {
 
 server {
 
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
     ssl_certificate /etc/certificates/matomo.pem;
     ssl_certificate_key /etc/certificates/matomo.key;
@@ -43,9 +44,13 @@ server {
 
     location / {
         proxy_pass http://matomo:80/;
-        proxy_set_header Host PUT_HOST_HEADER_HERE;
-        proxy_set_header X-Forwarded-Proto https;
-        proxy_set_header Referer $http_referer;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+
         proxy_cache cache;
         proxy_cache_bypass $cookie_auth_tkt;
         proxy_no_cache $cookie_auth_tkt;