Provision a secure, personal Matomo instance with a single command.
group_vars
host_vars
roles/common
.gitignore
README.md
Vagrantfile
inventory
local.yml
site.yml


Secure Matomo Provision

An Ansible playbook to provision a secure Matomo instance.

Supports local provisioning via Vagrant (useful for quickly testing changes).

Both local and non-local provisions were tested on an Ubuntu 18.04 instance.

Blog post: https://jonbake.com/blog/2019/08/17/setting-up-a-personal-matamo-instance.html

Provisioning Locally

  • Requires Vagrant to be installed.

Simply run:

vagrant up

Then navigate to https://localhost:8443/. Note: because it is using a self-signed certificate, you will receive a warning when opening the page within a browser.

Provisioning a Production, i.e. Remote, Site

  • Requires Ansible to be installed.

First, make sure there is a remote Ubuntu 18.04 instance that you want to install Matomo on. Also make sure you can SSH in, i.e. running the command ssh root@my-matomo-instace.com should succeed.

Then make sure to update the inventory's prod entry:

[prod]
my-matomo-instace.com ansible_user=root

Running the playbook to provision the instance

Certbot requires certificate_contact_email and certificate_domain to be set. These can be passed as extra vars when invoking the playbook:

ansible-playbook -i inventory site.yml -e "certificate_contact_email=admin@my-matomo-instace.com" -e "certificate_domain=my-matomo-instace.com"

Default Database Credentials

db_username: matomo
db_password: 'Jana705&loge'

These can be overridden by passing extra vars, as in the command above.
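One way to override the published default password when running the playbook, as an added example that is not part of this repository: it generates a random db_password and loads all four variables from a file readable only by the current user, using Ansible's `-e @file` form so the password stays out of shell history and the process list. The function names, the VARS_FILE variable and the matomo-extra-vars.yml file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Only inventory, site.yml and the four variable names come
# from the README; every other name here is an assumption.

# Print a random alphanumeric password (default length 32) from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# Write the extra vars to a file with mode 0600.
# Args: <vars-file> <certificate_domain> <certificate_contact_email>
write_extra_vars() {
    (
        umask 077                      # a newly created file is owner-only
        cat >"$1" <<EOF
certificate_domain: "$2"
certificate_contact_email: "$3"
db_username: matomo
db_password: "$(gen_password 32)"
EOF
        chmod 600 "$1"                 # also tighten a pre-existing file
    )
}

# Run the playbook against the inventory, reading the vars from the file
# instead of passing the password as a command-line argument.
provision() {
    vars_file="${VARS_FILE:-./matomo-extra-vars.yml}"
    write_extra_vars "$vars_file" "$1" "$2"
    ansible-playbook -i inventory site.yml -e "@$vars_file"
}

# Usage: sh provision.sh <certificate_domain> <certificate_contact_email>
if [ "$#" -eq 2 ]; then
    provision "$1" "$2"
fi
```

Keep the generated vars file out of version control, since it holds the database password in clear text.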

Other Configuration Notes

Make sure to turn off the "Archive reports when viewed from the browser" settings option. The provision creates a cron job to automatically archive reports.

[Screenshot: the "Archive reports when viewed from the browser" option set to off]

Security Features

  • UFW firewall enabled, with port 443 (SSL) and a rate-limited port 22 (SSH) exposed.
  • Uses Apache HTTP Server.
  • Automatic security upgrades are enabled via unattended-upgrade.
  • SSL/HTTPS enabled out of the box using Let's Encrypt/Certbot. SSL is always enforced.