From edec4f3722fa25bfe8af2f48aa7fdffced0248db Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Sun, 30 Nov 2025 22:08:46 +0100 Subject: [PATCH] Fix Matomo bootstrap logic and dependency ordering to prevent recursion (see conversation: https://chatgpt.com/share/692cb23b-fb3c-800f-98b6-ce7f61595305 ) This commit introduces several improvements to the Matomo initialization workflow: - Moves the Matomo reachability check into sys-front-inj-all/tasks/01_dependencies.yml. - Ensures web-app-matomo is only initialized when the endpoint is unreachable. - Avoids condition inheritance on include_role by removing block-level when conditions. - Adds explicit guarding conditions (inj_enabled.matomo, run_once_web_app_matomo usage). - Ensures Matomo-dependent injections (CSS, Desktop, Logout, CDN) are skipped for Matomo itself. - Fixes incorrect status_code format (now using YAML list format). - Moves utils/run_once.yml to the top of 01_core.yml to prevent recursive re-invocation of web-app-matomo. - Cleans Matomo config/main.yml feature definitions and clarifies which features are disabled during initial bootstrap. - Removes legacy global Matomo bootstrap from 02_server.yml, centralizing logic in sys-front-inj-all. - Fixes typo in inj_enabled task name. This results in a robust, idempotent, recursion-safe Matomo bootstrap sequence that works across all injected web domains. --- .../tasks/01_dependencies.yml | 52 ++++++++++++++----- roles/sys-front-inj-all/tasks/main.yml | 2 +- roles/web-app-matomo/config/main.yml | 14 +++-- roles/web-app-matomo/tasks/01_core.yml | 5 +- tasks/stages/02_server.yml | 6 --- 5 files changed, 49 insertions(+), 30 deletions(-) diff --git a/roles/sys-front-inj-all/tasks/01_dependencies.yml b/roles/sys-front-inj-all/tasks/01_dependencies.yml index 225c0770..83843bdd 100644 --- a/roles/sys-front-inj-all/tasks/01_dependencies.yml +++ b/roles/sys-front-inj-all/tasks/01_dependencies.yml 
@@ -1,16 +1,42 @@ -- name: "Load CDN for '{{ domain }}'" - include_role: - name: web-svc-cdn - public: false +- name: "Check if Matomo endpoint is reachable" + uri: + url: "{{ domains | get_url('web-app-matomo', WEB_PROTOCOL) }}" + method: HEAD + validate_certs: yes + status_code: [200, 301, 302] + register: matomo_reachability + failed_when: false + changed_when: false + no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" when: - - application_id != 'web-svc-cdn' - - run_once_web_svc_cdn is not defined + - application_id != 'web-app-matomo' + - run_once_web_app_matomo is not defined + - inj_enabled.matomo -- name: Load Logout for '{{ domain }}' +- name: "Setup web-app-matomo because endpoint was not reachable" include_role: - name: web-svc-logout - public: false - when: - - run_once_web_svc_logout is not defined - - application_id != 'web-svc-logout' - - inj_enabled.logout \ No newline at end of file + name: web-app-matomo + when: + - matomo_reachability is defined + - matomo_reachability.status | default(0) not in [200, 301, 302] + +# Matomo can't use this dependencies - At least not on the initial setup run +- when: + - application_id != 'web-app-matomo' + block: + - name: "Load CDN for '{{ domain }}'" + include_role: + name: web-svc-cdn + public: false + when: + - application_id != 'web-svc-cdn' + - run_once_web_svc_cdn is not defined + + - name: Load Logout for '{{ domain }}' + include_role: + name: web-svc-logout + public: false + when: + - run_once_web_svc_logout is not defined + - application_id != 'web-svc-logout' + - inj_enabled.logout \ No newline at end of file diff --git a/roles/sys-front-inj-all/tasks/main.yml b/roles/sys-front-inj-all/tasks/main.yml index e789c00a..9b72e455 100644 --- a/roles/sys-front-inj-all/tasks/main.yml +++ b/roles/sys-front-inj-all/tasks/main.yml 
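Review bot: The `when` on "Setup web-app-matomo because endpoint was not reachable" does not stop the include when the reachability check was skipped: Ansible registers `matomo_reachability` for a skipped task as well, with `skipped: true` and no `status`, so `is defined` passes and `status | default(0)` is outside the list. As written, web-app-matomo would be included for domains where `inj_enabled.matomo` is false, after `run_once_web_app_matomo` has been set, and while `application_id` is `web-app-matomo` itself. Replace the first condition with `- matomo_reachability is not skipped`, or repeat the three conditions of the check task. Separately, `failed_when: false` makes a certificate validation error or a 4xx/5xx answer look the same as "not deployed", so a TLS problem on the Matomo host would start a bootstrap instead of stopping the run; restricting the fallback to connection failures would keep that visible.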
@@ -6,7 +6,7 @@ - include_tasks: utils/run_once.yml when: run_once_sys_front_inj_all is not defined -- name: Build inj_enabled +- name: Build inj_enabled for '{{ domain }}'" set_fact: inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}" diff --git a/roles/web-app-matomo/config/main.yml b/roles/web-app-matomo/config/main.yml index c229ec0b..43818083 100644 --- a/roles/web-app-matomo/config/main.yml +++ b/roles/web-app-matomo/config/main.yml @@ -1,14 +1,12 @@ features: - # If you want to use Matomo on the Matomo page, you - # have to set it here manual to true. - # It's deactivated, because the proxy setup for Matomo - # itself wouldn't be possible - matomo: false - css: false - desktop: false # Didn't work in frame didn't have high priority @todo figure out pcause and solve it central_database: true oauth2: false - logout: false # Dependency conflict. It requires CDN and CDN requires matomo + + # Matomo can't use the following settings - At least not on the initial setup run + desktop: false # Didn't work in frame didn't have high priority @todo figure out why and solve it + css: false + logout: false + matomo: false server: csp: whitelist: diff --git a/roles/web-app-matomo/tasks/01_core.yml b/roles/web-app-matomo/tasks/01_core.yml index c9c73362..8bdbfe66 100644 --- a/roles/web-app-matomo/tasks/01_core.yml +++ b/roles/web-app-matomo/tasks/01_core.yml @@ -1,3 +1,6 @@ +# Required to be set on the top to prevent infinite recursions appearing in roles/sys-front-inj-all/tasks/01_dependencies.yml +- include_tasks: utils/run_once.yml + - name: "load docker, db and proxy for {{ application_id }}" include_role: name: sys-stk-full-stateful @@ -40,5 +43,3 @@ token_auth: "{{ matomo_auth_token }}" return_content: yes status_code: 200 - -- include_tasks: utils/run_once.yml \ No newline at end of file diff --git a/tasks/stages/02_server.yml b/tasks/stages/02_server.yml index 56b81891..2fc51ca5 100644 --- a/tasks/stages/02_server.yml 
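Review bot: The new task name in roles/sys-front-inj-all/tasks/main.yml ends in an unmatched `"`: the value starts unquoted, so YAML reads it as a plain scalar and the quote character becomes part of the name shown in play output. Quote the whole value as the other task names do, `- name: "Build inj_enabled for '{{ domain }}'"`. The `set_fact` task continues past the end of the hunk.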
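Review bot: The comment added above `- include_tasks: utils/run_once.yml` in roles/web-app-matomo/tasks/01_core.yml says the include must come first, but not which variable it sets or which condition reads it, and that link is what keeps a later cleanup from moving the include back to the end of the file. Assuming `utils/run_once.yml` sets `run_once_web_app_matomo` (the file is not part of this diff), a comment such as `# Sets run_once_web_app_matomo before any include_role below; 01_dependencies.yml skips the Matomo reachability check once it is defined.` would record that. The flag now also means "started" rather than "completed", so a failure in a later task of this file that is ignored or rescued would leave Matomo marked as done for the rest of the run.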
+++ b/tasks/stages/02_server.yml @@ -12,12 +12,6 @@ - sys-ctl-hlth-btrfs - sys-ctl-rpr-btrfs-balancer -# It is necessary to setup Matomo first, because all other web apps need it if matomo is activated -- name: setup web-app-matomo - when: ('web-app-matomo' | application_allowed(group_names, allowed_applications)) - include_role: - name: web-app-matomo - - name: "Include server roles" include_tasks: "./tasks/groups/{{ item }}-roles.yml" loop: