Fix Matomo bootstrap logic and dependency ordering to prevent recursion (see conversation: https://chatgpt.com/share/692cb23b-fb3c-800f-98b6-ce7f61595305 )

This commit introduces several improvements to the Matomo initialization workflow: - Moves the Matomo reachability check into sys-front-inj-all/tasks/01_dependencies.yml. - Ensures web-app-matomo is only initialized when the endpoint is unreachable. - Avoids condition inheritance on include_role by removing block-level when conditions. - Adds explicit guarding conditions (inj_enabled.matomo, run_once_web_app_matomo usage). - Ensures Matomo-dependent injections (CSS, Desktop, Logout, CDN) are skipped for Matomo itself. - Fixes incorrect status_code format (now using YAML list format). - Moves utils/run_once.yml to the top of 01_core.yml to prevent recursive re-invocation of web-app-matomo. - Cleans Matomo config/main.yml feature definitions and clarifies which features are disabled during initial bootstrap. - Removes legacy global Matomo bootstrap from 02_server.yml, centralizing logic in sys-front-inj-all. - Fixes typo in inj_enabled task name. This results in a robust, idempotent, recursion-safe Matomo bootstrap sequence that works across all injected web domains.
2025-12-02 15:39:57 +00:00 · 2025-11-30 22:08:46 +01:00
parent 8d3874f432
commit edec4f3722
5 changed files with 49 additions and 30 deletions
--- a/roles/sys-front-inj-all/tasks/01_dependencies.yml
+++ b/roles/sys-front-inj-all/tasks/01_dependencies.yml
@@ -1,16 +1,42 @@
- name: "Load CDN for '{{ domain }}'"
-  include_role:
-    name: web-svc-cdn
-    public: false
+- name: "Check if Matomo endpoint is reachable"
+  uri:
+    url: "{{ domains | get_url('web-app-matomo', WEB_PROTOCOL) }}"
+    method: HEAD
+    validate_certs: yes
+    status_code: [200, 301, 302]
+  register: matomo_reachability
+  failed_when: false
+  changed_when: false
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
  when:
-    - application_id != 'web-svc-cdn'
-    - run_once_web_svc_cdn is not defined
+    - application_id != 'web-app-matomo'
+    - run_once_web_app_matomo is not defined
+    - inj_enabled.matomo

- name: Load Logout for '{{ domain }}'
+- name: "Setup web-app-matomo because endpoint was not reachable"
  include_role:
-    name: web-svc-logout
-    public: false
+    name: web-app-matomo
  when:
-    - run_once_web_svc_logout is not defined
-    - application_id != 'web-svc-logout'
-    - inj_enabled.logout
+    - matomo_reachability is defined
+    - matomo_reachability.status | default(0) not in [200, 301, 302]
+
+# Matomo can't use this dependencies - At least not on the initial setup run
+- when:
+    - application_id != 'web-app-matomo'
+  block:
+    - name: "Load CDN for '{{ domain }}'"
+      include_role:
+        name: web-svc-cdn
+        public: false
+      when:
+        - application_id != 'web-svc-cdn'
+        - run_once_web_svc_cdn is not defined
+
+    - name: Load Logout for '{{ domain }}'
+      include_role:
+        name: web-svc-logout
+        public: false
+      when: 
+        - run_once_web_svc_logout is not defined
+        - application_id != 'web-svc-logout'
+        - inj_enabled.logout
--- a/roles/sys-front-inj-all/tasks/main.yml
+++ b/roles/sys-front-inj-all/tasks/main.yml
@@ -6,7 +6,7 @@
    - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_all is not defined

- name: Build inj_enabled
+- name: Build inj_enabled for '{{ domain }}'"
  set_fact:
    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"

--- a/roles/web-app-matomo/config/main.yml
+++ b/roles/web-app-matomo/config/main.yml
@@ -1,14 +1,12 @@
 features:
-  # If you want to use Matomo on the Matomo page, you 
-  # have to set it here manual to true. 
-  # It's deactivated, because the proxy setup for Matomo
-  # itself wouldn't be possible 
-  matomo:             false 
-  css:                false
-  desktop:            false  # Didn't work in frame didn't have high priority @todo figure out pcause and solve it
  central_database:   true
  oauth2:             false
-  logout:             false  # Dependency conflict. It requires CDN and CDN requires matomo
+
+  # Matomo can't use the following settings - At least not on the initial setup run
+  desktop:            false  # Didn't work in frame didn't have high priority @todo figure out why and solve it
+  css:                false
+  logout:             false
+  matomo:             false 
 server:
  csp:
    whitelist:
--- a/roles/web-app-matomo/tasks/01_core.yml
+++ b/roles/web-app-matomo/tasks/01_core.yml
@@ -1,3 +1,6 @@
+# Required to be set on the top to prevent infinite recursions appearing in roles/sys-front-inj-all/tasks/01_dependencies.yml
+- include_tasks: utils/run_once.yml
+
 - name: "load docker, db and proxy for {{ application_id }}"
  include_role:
    name: sys-stk-full-stateful
@@ -40,5 +43,3 @@
      token_auth: "{{ matomo_auth_token }}"
    return_content: yes
    status_code: 200
-
- include_tasks: utils/run_once.yml
--- a/tasks/stages/02_server.yml
+++ b/tasks/stages/02_server.yml
@@ -12,12 +12,6 @@
    - sys-ctl-hlth-btrfs
    - sys-ctl-rpr-btrfs-balancer

-# It is necessary to setup Matomo first, because all other web apps need it if matomo is activated
- name: setup web-app-matomo
-  when: ('web-app-matomo' | application_allowed(group_names, allowed_applications))
-  include_role:
-    name: web-app-matomo
-
 - name: "Include server roles"
  include_tasks: "./tasks/groups/{{ item }}-roles.yml"
  loop: