apt-get install mariadb-server nginx php8.2-fpm php8.2-gd php8.2-xml php8.2-mysql

wget https://builds.matomo.org/matomo-latest.zip
unzip matomo-latest.zip
cp matomo /var/www

chown -R www-data:www-data /var/www/matomo
find /var/www/matomo/tmp -type f -exec chmod 644 {} \;
find /var/www/matomo/tmp -type d -exec chmod 755 {} \;
find /var/www/matomo/tmp/assets/ -type f -exec chmod 644 {} \;
find /var/www/matomo/tmp/assets/ -type d -exec chmod 755 {} \;
find /var/www/matomo/tmp/cache/ -type f -exec chmod 644 {} \;
find /var/www/matomo/tmp/cache/ -type d -exec chmod 755 {} \;
find /var/www/matomo/tmp/logs/ -type f -exec chmod 644 {} \;
find /var/www/matomo/tmp/logs/ -type d -exec chmod 755 {} \;
find /var/www/matomo/tmp/tcpdf/ -type f -exec chmod 644 {} \;
find /var/www/matomo/tmp/tcpdf/ -type d -exec chmod 755 {} \;
find /var/www/matomo/tmp/templates_c -type f -exec chmod 644 {} \;
find /var/www/matomo/tmp/templates_c -type d -exec chmod 755 {} \;

mariadb-secure-installation
mariadb -u root -p

SQL:

CREATE DATABASE matomo;CREATE USER 'matomo'@'localhost' IDENTIFIED BY 'matomopassword';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, DROP, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON matomo.* TO 'matomo'@'localhost';
FLUSH PRIVILEGES;
quit

nano /etc/mysql/my.cnf

[mysqld]
max_allowed_packet=64M

php.ini

extension=mysqli.so
extension=pdo.so
extension=pdo_mysql.so

https://github.com/matomo-org/matomo-nginx#readme

matomo.conf

server {
    listen [::]:80; # remove this if you don't want Matomo to be reachable from IPv6
    listen 80;
    server_name matomo.example.com;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen [::]:443 ssl http2; # remove this if you don't want Matomo to be reachable from IPv6
    listen 443 ssl http2;
    server_name matomo.example.com; # list all domains Matomo should be reachable from
    access_log /var/log/nginx/matomo.access.log;
    error_log /var/log/nginx/matomo.error.log;

    ## uncomment if you want to enable HSTS with 6 months cache
    ## ATTENTION: Be sure you know the implications of this change (you won't be able to disable HTTPS anymore)
    #add_header Strict-Transport-Security max-age=15768000 always;

    ## replace with your SSL certificate
    ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;

    include ssl.conf; # if you want to support older browsers, please read through this file

    add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    root /var/www/matomo/; # replace with path to your matomo instance

    index index.php;

    ## only allow accessing the following php files
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
        include snippets/fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf
        try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file
        #fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container)
    }

    ## deny access to all other .php files
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }

    ## serve all other files normally
    location / {
        try_files $uri $uri/ =404;
    }

    ## disable all access to the following directories
    location ~ ^/(config|tmp|core|lang) {
        deny all;
        return 403; # replace with 404 to not show these directories exist
    }

    location ~ /\.ht {
        deny  all;
        return 403;
    }

    location ~ js/container_.*_preview\.js$ {
        expires off;
        add_header Cache-Control 'private, no-cache, no-store';
    }

    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$ {
        allow all;
        ## Cache images,CSS,JS and webfonts for an hour
        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
        expires 1h;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location ~ ^/(libs|vendor|plugins|misc|node_modules) {
        deny all;
        return 403;
    }

    ## properly display textfiles in root directory
    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
        default_type text/plain;
    }
}
# vim: filetype=nginx

    location /matomo/ {
        alias /var/www/matomo/;
        try_files $uri $uri/ /matomo/index.php?$args;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }