Matomo & OpenID: a sad story…

These days I’m playing a little bit with Authentik, quite a pretty piece of software if you need a flexible identity provider for your services and don’t want to pay a ton of money for Okta or some other humongous commercial idp.

To be honest the more I spend time on Authentik the more I think It’s probably the best option if you’re looking for an “open source” Okta.

Honestly I don’t need a service like this, I have a basic experience with federation (mostly with SAML2 protocol) but I never had to setup and idp.

This time I tried to federate WordPress and Matomo with Authentik.

With WordPress it was fine, I had only one problem with the RedirectURI that has a querystring, and that means that the question mark needs an escape character, for example:


With Matomo… well It was a different story:

1. first of all I had to install the only plugin available (LoginOIDC)

2. as for WordPress I had to escape the querystring question mark for the RedirectURI

3. I had to create a rewrite rule to accept a static RedirectURI

RewriteRule oidc/callback /index.php?module=LoginOIDC&action=callback&provider=oidc$1 [R=301,QSA]

4. I had to manually create the database table for the plugin to work, because the plugin installation procedure missed.

I used this SQL syntax onMariaDB 10:

CREATE TABLE piwik_loginoidc_provider (
provider_user VARCHAR(255) NOT NULL,
provider VARCHAR(255) NOT NULL,
date_connected TIMESTAMP NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
PRIMARY KEY (provider_user, provider),
UNIQUE KEY user_provider (user, provider),
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;

…and finally the OpenID federation plugin start to work.

A couple of considerations:

WordPress: how is it bloody possible that in 2024 the most used CMS, the platform that runs more than 70% of the web does not support out of the box at least one federation protocol?!?!?
This is absolutely crazy imho… stop working on the damn interface and fix this nonsense…

Matomo: c’mon guys… you pretend to be a serious alternative to Google Analytics and you don’t support out of the box at least one federation protocol???? Seriously?!?!?
And the only plugin available was updated almost 1 year ago, we have two options:
1) it has no bugs, maybe it’s the best written piece of software ever made in human history
2) its development is basically abandoned

I would like it’s the first option, but if I had to bet some money I’ll bet on the 2nd one…


RPi4 power consumption

It’s been a while since a started using a Raspberry Pi 4 as a home server instead of my old Banana PI, yesterday I was following a interesting thread on a forum regarding RPi5 compared to some x64 boards, specially those using Intel N100 processor.

This thread made me remember the good old days when I started using my ancient Via Epia board and I won a forum competition for the home server with the lowest possible power consumption.

Now seems like people complains about RPi because of its cost and it’s performance/power ratio compared to other boards, like those using Intel N100, and this pushed me to check out my beloved Pi power consumption, let’s bust some myths!

Before starting let me roughly explain how I use my RPi4, just to clarify that it’s not an idle server stuck in a closet to absorb electricity:

  • backup server (I keep the main backup copy on the Pi, every night I start a second server via PoE and I sync any backup on it and on a Backblaze B2 bucket)
  • hosting server (a few sites, mainly based on PHP cms and published via Cloudflare Tunnel)
  • personal wiki with Bookstack
  • PiHole server
  • phpIPAM server
  • Nagios server to monitor my network and my devices
  • Collectd + Collectd Graph Panel to monitor resources usage
  • Uniquiti Unifi Controller to manage my Wifi APs
  • Document management system with Paperless NGX
  • Wireguard server for VPN
  • Gitea as my private git repository
  • Webmail server with Roundcube to get any notification from my cron jobs and devices on LAN
  • Immich as a backup server for media on mobile devices
  • Jellyfin server
  • Vaultwarden as password manager
  • several LAMP stacks here and there to try things, web projects etc etc…

Not let’s take a look to my setup:

  1. Raspberry Pi 4B with 8GB of ram
  2. Crucial BX500 240GB SATA SSD as a boot device via usb on the RPi4
  3. Seagate ST1000LM024 1TB SATA 2.5″ hard drive as a data volume connected via usb to the RPi4

To measure power consumption I used a Shelly Plug and an external self powered USB hub for measuring each usb drive.

This is my RPi4 power consumption on idle with the two usb drives, as you can see we’re on a 6.4W average, not bad…


Here is the Pi with only the SSD, around 4.7W

And here’s the mechanical HDD by itself at around 2.7W

As you can see the sum of the Pi+SSD (4.7W) and the HDD (2.7W) is over the average power consumption of the three devices all together (7.4W vs 6.4W), and that’s pretty normal, attaching the HDD directly to the Pi and power it via Pi’s usb ports is more efficient, and does not have the overhead of the usb external hub (which probably is less efficient as the Pi and its PSU).

Let’s continue with the hard drives, in this test I measured the power consumption of the SSD and the HDD powered via the USB external hub.

This test imho is particularly interesting because it show something unexpected to me, the yellow box shows the HDD test while the blue box shows the SSD test.

As you can see the idle power consumption is not that different between the two drives (~2.7W), and that’s shocked me because I thought the SSD would be much more energy efficient and less power hungry. If we move to the stress test we can se a huge difference between the two, and that’s what I was expecting to see.

And finally we can see how the application load really impact on the power consumption.

For this test I measured only the Pi power consumption without SSD or HDD, in the first section (marked in the yellow box) you can see the Pi consumption on idle with only the basic OS (Debian 11) running on it, then I started all the application I usually run on it, all together (check the spike in the blue box), then finally the Pi with all the services running on it (red box).

As you can see there’s no such difference between an idle system with basically no services running on it, and the system with all the services I mentioned at the beginning running on it.

Obviously we’re talking about a home server solution, with basically one user and a few hosted sites (but we’re still talking about small WordPress sites with a few Matomo instances and not a lot of visitors)



I hope this will be helpful if you’re thinking about buying a Raspberry Pi as your own home server.


Using KeeAgent with Cygwin OpenSSH

As I said in the previous post I’m in love with Cygwin… but I’m also in love with Keepass… and I also live with ssh… so how to make my life easier?

The answer is simple: KeeAgent

KeeAgent is a Keepass plugin that can work as a ssh agent, in this way:

  1. you can save you ssh private keys in a safe and encrypted Keepass database –> NO MORE PRIVATE KEYS ON FILESYSTEM
  2. you don’t have to deal with ssh private keys passphrases, because they’re stored in the Keepass entries where you’ll save private keys –> NO MORE UNENCRYPTED PRIVATE KEYS
  3. you can easily retrieve public keys to authorize hosts access without searching like a hound on your filesystem, in a couple of clicks KeeAgent will provide them

Apparently the setup of all this thing may seem complex, in reality it’s quite simple:

  1. download and install KeeAgent from https://github.com/dlech/KeeAgent/releases
  2. in KeeAgent options (Tools -> Options -> KeeAgent) put this string into “Cygwin/MSYS Integration” Path
  3. restart Keepass and check if there’s the file .keeagent.sock in your home and it’s a socket file
    file ~/.keeagent.sock
  4. export SSH_AUTH_SOCK variable and put it on your .bashrc file, the value of the variable should be the path of the socket file you set at the point number 2.
    echo "export SSH_AUTH_SOCK=~/.keeagent.sock" >> ~/.bashrc
  5. make sure you have installed Cygwin OpenSSH and you’re not using Windows ssh

The setup is complete, now you only have to create key entries in your Keepass database, attach private key files, fill the password field and enable those entries to be loaded with KeeAgent.

For more details check the super clear KeeAgent documentation.


Windows home as Cygwin home

Working as a GNU/Linux sysadmin means working all day long on a terminal, it doesn’t matter if you’re dealing with a server, a container or a Kubernetes cluster, and for me terminal means Cygwin.

Microsoft made huge changes since Windows 10 to make it easy to work with GNU/Linux on a Windows workstation, think about OpenSSH available by default or WSL, but for me Cygwin is still the 1st choice, no virtualization, no  WSL network issues, (almost) all the GNU/Linux utils available, fast and native to Windows.

But sometimes having two home directories (one for Cygwin, one for your Windows user) is not convenient at all… but there’s a solution for that, it’s easy and it’s fast and do not involve any workaround or symlinks, you can tell Cygwin to use the Windows home directory as a Cygwin home.

For doing it you simply have to edit the /etc/nsswitch.conf file and change the db_home variable, using as value “/%H”, here’s the result:

tas@tas ~
$ grep ^db_home /etc/nsswitch.conf
db_home: /%H

The next terminal you’ll open will have its home into “C:\Users\<user>” or if you are a Cygwin lover “/cygdrive/c/Users/<user>” ;)


Windows 11 is PITA

Finally after 11 years with my old gaming PC I made it! I finally got a new build with a brand new Ryzen 5 CPU!

Maybe I’ll make a post about it, specially for some power consumption considerations, but now it’s PITA time, to be precise it’s Windows 11 PITA time.

Yes, I installed Windows 11 on this new pc, Windows was an obvious choice for a gaming pc, and Windows 11 was the only choice that made sense for a new configuration.

But yes… Windows 11 is a PITA (for those who don’t know this means “Pain In The Ass”), there are many reasons for that, maybe I’ll post about them while I’ll encouter them, but for now let’s start with the first PITA example: default app selection for a certain type of file.

I know it’s not a new thing, also Windows 10 had this problem, but you can solve it easily with a few click here and there, but Windows 11 added a new layer of complexity on top of that.

Right now I spent half an hour finding how could I open PNG files by default with IrfanViewe (btw go to https://www.irfanview.net/ and install it, it’s the best image viewer and basic editor on the planet) because by default Windows 11 associate .png file with the Microsoft Photo app (which is really bad and slow compared to IrfanView).

The main problem is that the .png file are not listed in the default app (Microsoft Photo), same goes for .png file extention, and you can’t uninstall the Microsoft Photo app using the Windows Apps window.

But thanks to PowerShell and administrator rights you can do it.

  1. open PowerShell with administrator rights
  2. use “get-appxpackage *photos*” to get the details on the default app for photos
  3. use “get-appxpackage *photos* | remove-appxpackage” to uninstall the default app for photos.
  4. try to open a png file and select IrfanView as a default app.

« Post precedenti