fix: upgrade matomo configuration for performance

and better monitoring of services

confs/matomo/cron.d-disabled/matomo-archive

@@ -0,0 +1,4 @@
+MAILTO="[email protected]"
+# see https://fr.matomo.org/faq/on-premise/how-to-set-up-auto-archiving-of-your-reports/
+# only start if no process is already running
+5 * * * * www-data ps -elf|grep "core:archive"|grep -v grep || /usr/bin/php /var/www/html/matomo/console core:archive --url=http://analytics.openfoodfacts.org/ >> /var/log/matomo/matomo-archive.log 2>>/var/log/matomo/matomo-archive-err.log

confs/matomo/cron.d-disabled/matomo-tracking

@@ -0,0 +1,4 @@
+MAILTO="[email protected]"
+# see https://matomo.org/faq/on-premise/how-to-configure-matomo-to-handle-unexpected-peak-in-traffic/
+# only start if no process is already running
+* * * * * www-data ps -elf|grep "queuedtracking:process"|grep -v grep || /usr/bin/php /var/www/html/matomo/console queuedtracking:process --no-ansi >> /var/log/matomo/matomo-tracking.log 2>>/var/log/matomo/matomo-tracking-err.log

confs/matomo/mysql/mariadb.conf.d/50-server.cnf

@@ -0,0 +1,140 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+[mysqld]
+
+#
+# * Basic Settings
+#
+user                    = mysql
+pid-file                = /run/mysqld/mysqld.pid
+socket                  = /run/mysqld/mysqld.sock
+#port                   = 3306
+basedir                 = /usr
+datadir                 = /var/lib/mysql
+tmpdir                  = /tmp
+lc-messages-dir         = /usr/share/mysql
+#skip-external-locking
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address            = 127.0.0.1
+
+#
+# * Fine Tuning
+#
+#key_buffer_size        = 16M
+#max_allowed_packet     = 16M
+#thread_stack           = 192K
+#thread_cache_size      = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+#myisam_recover_options = BACKUP
+#max_connections        = 100
+#table_cache            = 64
+#thread_concurrency     = 10
+
+#
+# * Query Cache Configuration
+#
+#query_cache_limit      = 1M
+query_cache_size        = 16M
+
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file       = /var/log/mysql/mysql.log
+#general_log            = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Enable the slow query log to see queries with especially long duration
+#slow_query_log_file    = /var/log/mysql/mariadb-slow.log
+#long_query_time        = 10
+#log_slow_rate_limit    = 1000
+#log_slow_verbosity     = query_plan
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+#       other settings you may need to change.
+#server-id              = 1
+#log_bin                = /var/log/mysql/mysql-bin.log
+expire_logs_days        = 10
+#max_binlog_size        = 100M
+#binlog_do_db           = include_database_name
+#binlog_ignore_db       = exclude_database_name
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+#chroot = /var/lib/mysql/
+#
+# For generating SSL certificates you can use for example the GUI tool "tinyca".
+#
+#ssl-ca = /etc/mysql/cacert.pem
+#ssl-cert = /etc/mysql/server-cert.pem
+#ssl-key = /etc/mysql/server-key.pem
+#
+# Accept only connections using the latest and most secure TLS protocol version.
+# ..when MariaDB is compiled with OpenSSL:
+#ssl-cipher = TLSv1.2
+# ..when MariaDB is compiled with YaSSL (default in Debian):
+#ssl = on
+
+#
+# * Character sets
+#
+# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
+# utf8 4-byte character set. See also client.cnf
+#
+character-set-server  = utf8mb4
+collation-server      = utf8mb4_general_ci
+
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+
+#
+# * Unix socket authentication plugin is built-in since 10.0.22-6
+#
+# Needed so the root database user can authenticate without a password but
+# only when running as the unix root user.
+#
+# Also available for other users if required.
+# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
+
+# specific to use memory
+# 4G out of 6G (should be 80% of RAM, but DB is not alone)
+innodb_buffer_pool_size=4G
+# table size 64M / Go = 64*6
+max_heap_table_size=384M
+tmp_table_size=384M
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+
+# This group is only read by MariaDB-10.3 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.3]

confs/matomo/nginx/sites-enabled/default

@@ -0,0 +1,114 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/html/matomo;
+
+	# Add index.php to the list if you are using PHP
+	index index.php;
+
+	server_name _;
+
+	# pass PHP scripts to FastCGI server
+	#
+	location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
+		include snippets/fastcgi-php.conf;
+                #try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
+                fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+	#
+	#	# With php-fpm (or other unix sockets):
+		fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	}
+
+
+        ## deny access to all other .php files
+        location ~* ^.+\.php$ {
+            deny all;
+            return 403;
+        }
+
+        ## serve all other files normally
+        location / {
+            try_files $uri $uri/ =404;
+        }
+
+        ## disable all access to the following directories
+        location ~ ^/(config|tmp|core|lang) {
+            deny all;
+            return 403; # replace with 404 to not show these directories exist
+        }
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	location ~ /\.ht {
+		deny all;
+                return 403;
+	}
+
+
+    location ~ js/container_.*_preview\.js$ {
+        expires off;
+        add_header Cache-Control 'private, no-cache, no-store';
+    }
+
+    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+        allow all;
+        ## Cache images,CSS,JS and webfonts for an hour
+        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+        expires 1h;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+    }
+
+    location ~ ^/(libs|vendor|plugins|misc/user|node_modules) {
+        deny all;
+        return 403;
+    }
+
+    ## properly display textfiles in root directory
+    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+        default_type text/plain;
+    }
+
+
+}
+

confs/matomo/nginx/sites-enabled/stub_status

@@ -0,0 +1,29 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 8080;
+
+	#server_name 127.0.0.1;
+
+        stub_status on;
+
+}
+

confs/matomo/systemd/email-failures@.service

@@ -0,0 +1 @@
+../../common/systemd/system/[email protected]

confs/matomo/systemd/mariadb.service.d/override.conf

@@ -0,0 +1,3 @@
+[Unit]
+OnFailure=email-failures@mariadb-%l.service
+

confs/matomo/systemd/matomo-archive.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Archive matomo requests
+Requires=mariadb.service
+
+# email on failure
+OnFailure=email-failures@matomo-archive-%l.service
+
+[Service]
+Environment=TZ=UTC
+# oneshot because it is driven by a timer
+Type=oneshot
+ExecStart=/usr/bin/php /var/www/html/matomo/console core:archive --url=http://analytics.openfoodfacts.org/ 
+StandardOutput=file:/var/log/matomo/matomo-archive.log
+StandardError=file:/var/log/matomo/matomo-archive-err.log
+# place a timeout for bad cases as this process sometimes hangs
+# note: we have to use TimeoutStartSec as it's a Type=oneshot service
+TimeoutStartSec=1h
+

confs/matomo/systemd/matomo-archive.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Run Matomo archive process every 5 minutes
+
+[Timer]
+# every 5 minutes
+OnBootSec=5m
+OnUnitInactiveSec=5m
+
+[Install]
+WantedBy=timers.target
+

confs/matomo/systemd/matomo-tracking.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Process matomo tracking requests from Redis
+Requires=mariadb.service
+Requires=redis-server.service
+
+# email on failure
+OnFailure=email-failures@matomo-archive-%l.service
+
+[Service]
+Environment=TZ=UTC
+# oneshot because it is driven by a timer
+Type=oneshot
+# see https://matomo.org/faq/on-premise/how-to-configure-matomo-to-handle-unexpected-peak-in-traffic/
+ExecStart=/usr/bin/php /var/www/html/matomo/console queuedtracking:process --no-ansi 
+StandardOutput=file:/var/log/matomo/matomo-tracking.log
+StandardError=file:/var/log/matomo/matomo-tracking-err.log
+# place a timeout for bad cases
+# note: we have to use TimeoutStartSec as it's a Type=oneshot service
+TimeoutStartSec=20m

confs/matomo/systemd/matomo-tracking.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Run Matomo tracking process every minutes
+
+[Timer]
+# every 1 minutes
+OnBootSec=60s
+OnUnitInactiveSec=60s
+
+[Install]
+WantedBy=timers.target
+

confs/matomo/systemd/php7.3-fpm.service.d/override.conf

@@ -0,0 +1,3 @@
+[Unit]
+[email protected]%l.service
+

confs/matomo/systemd/redis-server.service.d/override.conf

@@ -0,0 +1,3 @@
+[Unit]
+OnFailure=email-failures@redis-server-%l.service
+