Matomo in Kubernetes
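# ConfigMap carrying the three files the Matomo pod mounts via subPath:
#   matomo-php-config     -> PHP ini override for the fpm container
#   matomo-nginx-fastcgi  -> FastCGI parameter set included by the nginx php location
#   matomo-nginx-config   -> nginx server blocks for the nginx sidecar
#
# NOTE(review): $VERSION and ${CI_...} placeholders suggest these manifests go
# through envsubst (or similar) before kubectl apply.  The nginx snippets below
# legitimately contain their own $variables ($document_root, $host, $uri, ...);
# an unrestricted envsubst would replace those with empty strings and silently
# break FastCGI (e.g. SCRIPT_FILENAME would become empty).  Restrict substitution
# to the intended names, e.g. envsubst '$VERSION $CI_PROJECT_PATH_SLUG $CI_ENVIRONMENT_SLUG'.
kind: ConfigMap
apiVersion: v1
metadata:
  name: matomo-server-configmap-$VERSION
data:
  # Mounted at /usr/local/etc/php/conf.d/php-configuration.ini in the fpm container.
  matomo-php-config: |
    memory_limit=1536M
    max_execution_time=1440
  # Mounted at /opt/bitnami/nginx/conf/fastcgi-php.conf; included by the
  # allow-listed php location below.  SCRIPT_FILENAME is what php-fpm executes,
  # so this file must only ever be reached through that location.
  matomo-nginx-fastcgi: |
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REQUEST_SCHEME $scheme;
    fastcgi_param HTTPS $https if_not_empty;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param REDIRECT_STATUS 200;
  # Mounted at /opt/bitnami/nginx/conf/server_blocks/matomo_nginx.conf.
  matomo-nginx-config: |
    # NOTE(review): 5005 is the only port the Deployment and Service publish for
    # nginx, and every request on it is answered with the 301 below.  If TLS is
    # terminated in front of the pod (ingress) and forwarded as plain HTTP, this
    # redirects in a loop.  Either serve Matomo from this block, or make the
    # redirect conditional on the forwarded scheme (X-Forwarded-Proto) — confirm
    # against the ingress setup.
    server {
      listen [::]:5005; # remove this if you don't want Matomo to be reachable from IPv6
      listen 5005;
      server_name analytics.blabla.com;
      # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
      location / {
        return 301 https://$host$request_uri;
      }
    }
    # NOTE(review): this block has no certificate configured (ssl_certificate is
    # commented out) and port 443 is not published by the Service, so as written
    # it cannot serve traffic; it only documents the intended hardening.
    server {
      listen [::]:443 ssl http2; # remove this if you don't want Matomo to be reachable from IPv6
      listen 443 ssl http2;
      server_name analytics.blabla.com; # list all domains Matomo should be reachable from
      # NOTE(review): bitnami images run unprivileged; confirm these paths are
      # writable in the container or log to the image's own log directory/stdout.
      access_log /var/log/nginx/matomo.access.log;
      error_log /var/log/nginx/matomo.error.log;
      ## uncomment if you want to enable HSTS with 6 months cache
      ## ATTENTION: Be sure you know the implications of this change (you won't be able to disable HTTPS anymore)
      #add_header Strict-Transport-Security max-age=15768000 always;
      ## replace with your SSL certificate
      # ssl_certificate /etc/letsencrypt/live/analytics.blabla.com/fullchain.pem;
      # ssl_certificate_key /etc/letsencrypt/live/analytics.blabla.com/privkey.pem;
      # include ssl.conf; # if you want to support older browsers, please read through this file
      add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
      add_header X-Content-Type-Options "nosniff" always;
      # Legacy header: current browsers ignore it; harmless to keep, but a
      # Content-Security-Policy is the control that actually limits script injection.
      add_header X-XSS-Protection "1; mode=block" always;
      root /var/www/html/; # replace with path to your matomo instance
      index index.php;
      ## only allow accessing the following php files
      location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
        include fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf
        try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        #fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file
        # php-fpm runs in the same pod, so it is reached over the pod-local loopback;
        # nothing outside the pod needs port 9000.
        fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container)
      }
      ## deny access to all other .php files
      location ~* ^.+\.php$ {
        deny all;
        return 403;
      }
      ## serve all other files normally
      location / {
        try_files $uri $uri/ =404;
      }
      ## disable all access to the following directories
      location ~ ^/(config|tmp|core|lang) {
        deny all;
        return 403; # replace with 404 to not show these directories exist
      }
      location ~ /\.ht {
        deny all;
        return 403;
      }
      location ~ js/container_.*_preview\.js$ {
        expires off;
        add_header Cache-Control 'private, no-cache, no-store';
      }
      location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
        ## Cache images,CSS,JS and webfonts for an hour
        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
        expires 1h;
        add_header Pragma public;
        add_header Cache-Control "public";
      }
      location ~ ^/(libs|vendor|plugins|misc|node_modules) {
        deny all;
        return 403;
      }
      ## properly display textfiles in root directory
      location ~/(.*\.md|LEGALNOTICE|LICENSE) {
        default_type text/plain;
      }
    }
    # vim: filetype=nginx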
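# Deployment running Matomo as two containers in one pod: php-fpm (matomo image)
# and an nginx front that proxies to it over 127.0.0.1:9000.  Both share the
# /var/www/html PVC so nginx can serve static files directly.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matomo-server-deployment-$VERSION
  annotations:
    app.gitlab.com/app: ${CI_PROJECT_PATH_SLUG}
    app.gitlab.com/env: ${CI_ENVIRONMENT_SLUG}
spec:
  replicas: 1
  selector:
    matchLabels:
      subsystem: matomo-server-$VERSION
  # NOTE(review): with replicas: 1 and maxSurge: 50% a rollout starts a second
  # pod that also needs the PVC below; if the claim is ReadWriteOnce the new pod
  # can stay Pending when scheduled to another node.  Confirm the claim's access
  # mode or use strategy type Recreate for a single-replica stateful app.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 50%
      maxUnavailable: 50%
  template:
    metadata:
      labels:
        subsystem: matomo-server-$VERSION
      annotations:
        app.gitlab.com/app: ${CI_PROJECT_PATH_SLUG}
        app.gitlab.com/env: ${CI_ENVIRONMENT_SLUG}
    spec:
      # NOTE(review): no securityContext (runAsNonRoot, readOnlyRootFilesystem,
      # drop capabilities) and no resource limits are set for any container;
      # add them once each image's user/filesystem model has been confirmed.
      initContainers:
        # Blocks pod start until the database Service name resolves; this only
        # proves DNS, not that the database accepts connections.
        - name: wait-for-database
          image: busybox:1.32
          command: ['sh', '-c', 'until nslookup matomo-database-service-$VERSION; do echo waiting for database; sleep 2; done;']
      volumes:
        - name: matomo-config-volume-$VERSION
          configMap:
            name: matomo-server-configmap-$VERSION
        - name: matomo-server-storage-$VERSION
          persistentVolumeClaim:
            claimName: matomo-server-persistent-volume-claim-$VERSION
      containers:
        - name: matomo-server-$VERSION
          # Pinned tag; the Matomo image here runs php-fpm only (no web server).
          image: matomo:4.4-fpm-alpine
          ports:
            # FastCGI.  Consumed solely by the nginx sidecar over the pod-local
            # loopback; it must not be published by the Service, because raw
            # FastCGI access bypasses every deny/allow-list rule in the nginx config.
            - containerPort: 9000
          volumeMounts:
            # subPath mounts are not refreshed when the ConfigMap changes; a
            # rollout (or pod restart) is required to pick up new config.
            - name: matomo-config-volume-$VERSION
              mountPath: /usr/local/etc/php/conf.d/php-configuration.ini
              subPath: matomo-php-config
            - name: matomo-server-storage-$VERSION
              mountPath: /var/www/html
          env:
            # "blabla" values are placeholders.  Credentials stay in secretKeyRef;
            # the non-secret settings (db name, prefix, adapter, host) are plain values.
            - name: MATOMO_DATABASE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: blabla
                  key: blabla
            - name: MATOMO_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: blabla
                  key: blabla
            - name: MATOMO_DATABASE_DBNAME
              value: blabla
            - name: MATOMO_DATABASE_TABLES_PREFIX
              value: matomo_
            - name: MATOMO_DATABASE_ADAPTER
              value: mysql
            - name: MATOMO_DATABASE_HOST
              value: blabla
          # tcpSocket probes only verify the port accepts connections, not that
          # PHP can actually execute requests.
          livenessProbe:
            tcpSocket:
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 10
        - name: matomo-nginx-$VERSION
          # TODO(review): pin to an explicit tag or @sha256:<DIGEST> like the other
          # two images; "latest" makes rollouts non-reproducible and lets a registry
          # push silently change what runs in the pod.
          image: bitnami/nginx:latest
          ports:
            # Plain HTTP listener from the ConfigMap's server block.
            - containerPort: 5005
          livenessProbe:
            tcpSocket:
              port: 5005
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 5005
            initialDelaySeconds: 30
            periodSeconds: 10
          volumeMounts:
            # subPath mounts: config changes need a rollout to take effect.
            - name: matomo-config-volume-$VERSION
              mountPath: /opt/bitnami/nginx/conf/server_blocks/matomo_nginx.conf
              subPath: matomo-nginx-config
            - name: matomo-config-volume-$VERSION
              mountPath: /opt/bitnami/nginx/conf/fastcgi-php.conf
              subPath: matomo-nginx-fastcgi
            # Shared with the fpm container so nginx can serve static assets and
            # enforce its path deny-lists against the same tree.
            - name: matomo-server-storage-$VERSION
              mountPath: /var/www/html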
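# ClusterIP Service in front of the Matomo pod.  Only the nginx port is
# published: php-fpm (9000) is reached by nginx over 127.0.0.1 inside the pod,
# and exposing it cluster-wide would let any pod send FastCGI requests straight
# to PHP, bypassing the allow-listed php files and the config/tmp/core deny
# rules that nginx enforces.  If some other consumer genuinely needs 9000,
# add it back together with a NetworkPolicy restricting the source.
apiVersion: v1
kind: Service
metadata:
  name: matomo-server-service-$VERSION
  annotations:
    app.gitlab.com/app: ${CI_PROJECT_PATH_SLUG}
    app.gitlab.com/env: ${CI_ENVIRONMENT_SLUG}
spec:
  type: ClusterIP
  selector:
    subsystem: matomo-server-$VERSION
  ports:
    - port: 5005
      targetPort: 5005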