Matomo
Audience
PLANA staff. Matomo is PLANA's self-hosted analytics; customer-facing analytics would be a separate concern.
PLANA uses Matomo (the open-source Google Analytics alternative) to track usage of planapulse.ai and the documentation site. It is self-hosted and EU-resident, and no third-party tags are fired.
Deployment
| Component | Location |
|---|---|
| Matomo server | matomo namespace |
| Database | MariaDB 11 in the same namespace |
| Storage | Exoscale block storage, retain reclaim |
| Domain | analytics.planapulse.com |
Deployed from the upstream Matomo Helm chart; reconciled by Flux from infra/k8s/matomo/.
What it tracks
Sites configured in Matomo:
| Site ID | URL | What |
|---|---|---|
| 1 | planapulse.ai | Marketing site analytics |
| 2 | docs.planapulse.com | Documentation analytics (page views, search terms) |
Custom dimensions: visitor type (anonymous / customer), edition tier, country.
What it does NOT track
| Not tracked | Notes |
|---|---|
| Customer tenant ERPs (*.planapulse.app) | Not tagged; their data is theirs |
| BOS workspace usage | Tracked separately in PLANA:executions Redis log; not Matomo |
| Authentication events | In Authentik's own log |
Two access modes
Public tracking endpoints
The matomo.php / matomo.js paths are reachable without authentication — the websites being tracked load them via <script src="…matomo.js">. Configured at the gateway level via a dedicated ingress for these specific paths.
Admin UI
The Matomo admin (everything else under https://analytics.planapulse.com/) is protected by Authentik proxy mode — staff sign in via Authentik SSO, the embedded outpost forwards them to Matomo.
| Path | Auth |
|---|---|
| /matomo.php, /matomo.js, /piwik.php, /piwik.js | Public (tracking endpoints) |
| / (everything else) | Authentik proxy SSO |
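An added example, not part of PLANA's own tooling: a check that the path split in the table above holds for unauthenticated requests, failing closed on anything that is not an exact match for a tracking endpoint. It assumes the outpost answers protected paths with a redirect or 401/403 rather than a 2xx; the function names and the sample observations are constructed for illustration.

```python
"""Audit the public/admin path split for analytics.planapulse.com (added example)."""
import http.client

# From the page's path table: only these exact paths are public.
PUBLIC_PATHS = {"/matomo.php", "/matomo.js", "/piwik.php", "/piwik.js"}
# Assumption: an unauthenticated hit on a protected path yields one of these, never a 2xx.
BLOCKED = {301, 302, 303, 307, 308, 401, 403}


def expected_auth(request_target: str) -> str:
    """Return 'public' or 'sso'. Exact match only, so '/matomo.php.bak' is 'sso'."""
    path = request_target.split("?", 1)[0]  # the query string does not affect routing
    return "public" if path in PUBLIC_PATHS else "sso"


def audit(observations):
    """observations: (request_target, status) pairs from unauthenticated requests
    made without following redirects. Returns a list of (target, problem)."""
    findings = []
    for target, status in observations:
        want = expected_auth(target)
        if want == "sso" and 200 <= status < 300:
            findings.append((target, "protected path served without SSO"))
        elif want == "public" and status in BLOCKED:
            findings.append((target, "tracking endpoint redirected or blocked"))
    return findings


def probe(host: str, target: str):
    """Fetch one observation live; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", target)
        return target, conn.getresponse().status
    finally:
        conn.close()


# Constructed observations, not captured from the real deployment.
SAMPLE = [
    ("/matomo.js", 200),
    ("/matomo.php?idsite=1&rec=1", 204),
    ("/index.php?module=CoreHome", 302),
    ("/matomo.php.bak", 200),  # what a prefix-matching ingress rule would let through
    ("/piwik.js", 302),        # tracking broken by an over-broad proxy rule
]

if __name__ == "__main__":
    for target, problem in audit(SAMPLE):
        print(f"{target}: {problem}")
```

To run it against the live host, build the observation list with `probe("analytics.planapulse.com", target)` from a client that holds no Authentik session.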
SSO button on the login page
For the rare case where someone goes directly to Matomo's login page, the LoginOIDC plugin adds a "Sign in with Authentik" button that authenticates via Authentik's OIDC provider PK=14.
This is separate from the proxy mode — the proxy intercepts traffic before Matomo sees the request, so the LoginOIDC plugin handles the edge case where someone reaches Matomo's login directly.
Users
| User | Email | Role |
|---|---|---|
| admin | chudomir.monevski@plana.solutions | Superuser |
| elena.encheva-blagoeva | (same domain) | Superuser |
Other staff have read-only access via Authentik proxy mode (their SSO claim grants read-only by default).
Outpost detail
The Authentik embedded outpost (PK 10e469fe-…) handles the Matomo proxy:
| Provider | PK | Mode |
|---|---|---|
| matomo-analytics | 13 | Proxy |
| matomo-oidc-login | 14 | OAuth2/OIDC (for the LoginOIDC button) |
The outpost handles /outpost.goauthentik.io/ callback paths only when the Host header is the APP domain (analytics.planapulse.com), not the auth domain. We learned this the hard way; documented in Authentik SSO.
Where to read more
- Authentik SSO — the IdP authenticating Matomo admin
- Architecture → Domains — public vs admin path routing
- Source: infra/k8s/matomo/