diff --git a/.gitattributes b/.gitattributes
index 9b03811..b51a5f6 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+matomo-3.13.3-0.noarch.rpm.old filter=lfs diff=lfs merge=lfs -text
diff --git a/matomo-3.13.3-0.noarch.rpm.old b/matomo-3.13.3-0.noarch.rpm.old
new file mode 100644
index 0000000..335d6e8
--- /dev/null
+++ b/matomo-3.13.3-0.noarch.rpm.old
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dbd9601c24e96af14cdcdeb4c4fe8f26863dafd693ae65a5eddf623645c9c51f
+size 12896360
diff --git a/matomo-nginx.conf b/matomo-nginx.conf
new file mode 100644
index 0000000..65eb65e
--- /dev/null
+++ b/matomo-nginx.conf
@@ -0,0 +1,89 @@
+# If you run matomo stand alone, please redirect all traffix on port 80
+# to an SSL encrypted setup on port 443.
+# In this case, uncomment the following server section.
+#server {
+# listen [::]:80 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
+# listen 80 fastopen=500;
+# server_name matomo.example.com;
+# # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
+# location / {
+# return 301 https://$host$request_uri;
+# }
+#}
+
+server {
+# If you run matomo behind a load balancer like haproxy, let haproxy handle the SSL offloading
+# for you. If no, please comment the two lines below and uncomment the lines above and below
+# for SSL encrypted traffic
+ listen [::]:80 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
+ listen 80 fastopen=500;
+# If you run nginx with SSL, please adjust and uncomment the lines below
+# listen 443 ssl http2 fastopen=500;
+# listen [::]:443 ssl http2 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
+# include ssl.conf; # if you want to support older browsers, please read through this file
+# add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
+# add_header X-Content-Type-Options "nosniff" always;
+# add_header X-XSS-Protection "1; mode=block" always;
+# ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
+# ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;
+
+# Please insert the correct FQDN of your server below:
+ server_name matomo.example.com;
+
+ error_log /var/log/nginx/error.log;
+ access_log /var/log/nginx/access.log;
+ log_not_found off;
+
+# If you run nginx behind a reverse proxy like haproxy, please
+# adjust and uncomment the lines below:
+# set_real_ip_from 192.168.0.1;
+# real_ip_header X-Forwarded-For;
+
+ root __matomo_web___;
+ index index.php;
+
+ # only allow accessing the following php files
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
+ include /etc/nginx/fastcgi.conf;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ try_files $fastcgi_script_name =404; # protects against CVE-2019-11043
+ set $path_info $fastcgi_path_info;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+ fastcgi_pass 127.0.0.1:9000;
+ }
+ # deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+ # serve all other files normally
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ # disable all access to the following directories
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 403;
+ }
+ # disable all access to files starting with .ht (apache)
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+ # Cache images,CSS,JS and webfonts for an hour
+ # Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+ # disable all access to the following directories
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+}
diff --git a/matomo-php-fpm.default.conf b/matomo-php-fpm.default.conf
new file mode 100644
index 0000000..6bc02fa
--- /dev/null
+++ b/matomo-php-fpm.default.conf
@@ -0,0 +1,2 @@
+[global]
+include=/etc/php7/fpm/php-fpm.d/*.conf
diff --git a/matomo.changes b/matomo.changes
index a03e995..7249b21 100644
--- a/matomo.changes
+++ b/matomo.changes
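Review bot: In matomo-nginx.conf the docroot placeholder is spelled `root __matomo_web___;` with three trailing underscores, while the install step in matomo.spec substitutes `__matomo_web__`, so the installed vhost would most likely end up with a stray `_` appended to its root path and serve nothing; the line should read `root __matomo_web__;`. The PHP allow-list location also leaves the dot unescaped and the pattern open-ended, so it matches more URIs than the scripts its comment names; `location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php(/|$) {` keeps it to those files plus PATH_INFO. The active listeners are plain HTTP on port 80, which is only safe behind the TLS-terminating proxy the comments describe; a comment directly above `listen 80` such as `# plain HTTP: only safe behind a TLS-terminating proxy` would make that explicit.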
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Mar 20 20:16:22 UTC 2020 - lars@linux-schulserver.de - 3.13.3 + +- install cron snipplet only on old systems and prefer + systemd timer (and service) on current systems +- new sub-packages matomo-php-fpm and matomo-nginx +- instead of patching the manifest file (and enhancing the patch + line again and again) just regenerate the manifest file from + scratch +- only config.ini.php should not get replaced during update: + all other php files in /etc/matomo should be replaced +- little cleanup in the files section + ------------------------------------------------------------------- Mon Feb 24 23:16:59 UTC 2020 - Lars Vogdt diff --git a/matomo.spec b/matomo.spec index 94e542c..9f737fc 100644 --- a/matomo.spec +++ b/matomo.spec @@ -31,6 +31,12 @@ %endif %{!?_tmpfilesdir:%global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} +%if 0%{?suse_version} >= 01230 +%bcond_without systemd +%else +%bcond_with systemd +%endif + Name: matomo Version: 3.13.3 Release: 0 @@ -47,6 +53,9 @@ Source11: %{name}-archive.service Source12: %{name}-archive.timer Source13: %{name}.my.cnf Source14: %{name}-tmpfile.conf +Source15: %{name}-php-fpm.conf +Source16: %{name}-php-fpm.default.conf +Source17: %{name}-nginx.conf Source99: %{name}.rpmlintrc BuildArch: noarch %if 0%{?suse_version} >= 1500 @@ -60,6 +69,7 @@ BuildRequires: cron BuildRequires: fdupes BuildRequires: logrotate BuildRequires: mariadb +BuildRequires: php-fpm >= 7 BuildRequires: unzip BuildRequires: pkgconfig(systemd) Requires: apache2 
@@ -87,44 +97,80 @@ Recommends: php-geoip Recommends: php-openssl Recommends: apache2-mod_geoip Recommends: mariadb -Recommends: cron Conflicts: piwik +%if %{with systemd} +BuildRequires: systemd +%{?systemd_requires} +%else +Recommends: cron +%endif %description Matomo, formerly Piwik, is a web analytics platform that gives insights into a website's visitors and marketing campaigns, so the strategy and online experience of visitors may be optimized. +%package php-fpm +Summary: PHP FPM configuration for %{name} +Group: Productivity/Networking/Web/Utilities +Requires: php-fpm >= 7 +Requires(pre): php-fpm >= 7 +%if %{with systemd} +%{?systemd_requires} +%endif + +%description php-fpm +This package contains the PHP FPM configuration file to run +Matomo with php-fpm. + +Please remember to setup php-fpm correctly (by creating a working +/etc/php7/fpm/php-fpm.conf first). + +%package nginx +Summary: Nginx configuration for running Matomo +Group: Productivity/Networking/Web/Utilities +Requires: %{name}-php-fpm >= %{version} +Requires(pre): nginx +Requires: nginx +%if %{with systemd} +%{?systemd_requires} +%endif + +%description nginx +This package contains a small nginx configuration that should help you get your +own Matomo instance running and start collecting your own analytics. + +Please read through the %{_sysconfdir}/nginx/vhosts.d/matomo.conf and adjust +it to your needs. Please remember that you also need to check/configure the +%{name}-php-fpm package and enable and run php-fpm. + %prep %setup -q -n %{name} -install -m644 %{SOURCE4} README.SUSE # remove unwanted files find . -type f "(" -name .htaccess -o -name .travis.sh -o -name .gitkeep ")" -delete #find . -name ".git*" -exec rm -Rf "{}" "+" find . 
-type f "(" -name "*.c" -o -name "*.h" -o -name "*.js.orig" ")" -delete +# remove doc from subdirs +find plugins vendor libs -type f "(" -iname README.md -o -iname CHANGELOG.md -iname CONTRIBUTING.md -iname UPGRADE.md ")" -delete +rm -rf vendor/szymach/c-pchart/doc # env-script-interpreter find . -type f -exec sed -i -e 's|\/usr\/bin\/env php|\/usr\/bin\/php|g' {} + - # # disable the auto updater, it can't work properly with the new, more secure permissions and is a bad idea on a RPM based setup anyways. # sed -i '/enable_auto_update/s/1$/0/' config/global.ini.php - # -# Fix integrity check triggered from fix of rpmlint errors. -# Drop moved files -for i in CHANGELOG.md CONTRIBUTING.md PRIVACY.md README.md SECURITY.md LEGALNOTICE LICENSE 'misc\/cron\/.htaccess' 'misc\/How to install Matomo.html' 'vendor\/tecnickcom\/tcpdf\/tools\/.htaccess' 'vendor\/twig\/twig\/ext\/twig\/php_twig.h' 'vendor\/twig\/twig\/ext\/twig\/twig.c' 'js\/piwik.js.orig' -do - sed -i "/\W\"${i}\"\W/d" config/manifest.inc.php -done -# Insert new hashes for chanded files -for file in console 'vendor/leafo/lessphp/plessc' 'vendor/tecnickcom/tcpdf/tools/tcpdf_addfont.php' 'config/global.ini.php' 'core/CliMulti/Output.php' -do - size=$(ls -l $file | awk '{ print $5 }') - checksum=$(md5sum $file | awk '{ print $1 }') - file2=$(echo "$file" | sed 's/\//\\\//g') - sed -i "/\W\"$file2\"\W/c \"$file\" => array(\"$size\", \"$checksum\")," config/manifest.inc.php -done +# regenerate the manifest file +# +find ./ -type f -printf '%s ' -exec md5sum {} \; \ + | grep -E -v 'config/manifest.inc.php|vendor/autoload.php|vendor/composer/autoload_real.php' \ + | grep -E -v ' ./LEGALNOTICE| ./LICENSE|misc/How to install Matomo.html' \ + | grep -E -v ' ./CHANGELOG.md| ./CONTRIBUTING.md| ./PRIVACY.md| ./README.md| ./SECURITY.md' \ + | sed '1,$ s/\([0-9]*\) \([a-z0-9]*\) *\.\/\(.*\)/\t\t"\3" => array("\1", "\2"),/;' \ + | sort \ + | sed '1 s/^/ ./config/manifest.inc.php %build # nothing to build 
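Review bot: The new doc-cleanup `find` in %prep is missing `-o` between three of its tests, so `-iname CHANGELOG.md -iname CONTRIBUTING.md -iname UPGRADE.md` is an implicit AND that can never match and only README.md files are deleted; it should read `"(" -iname README.md -o -iname CHANGELOG.md -o -iname CONTRIBUTING.md -o -iname UPGRADE.md ")"`. The manifest regeneration below it deserves a comment of its own: once config/manifest.inc.php is rebuilt from the unpacked tree, Matomo's file-integrity check only confirms that installed files match what this build produced, not what upstream released, so verification of the source archive and `rpm -V` become the real integrity anchors. The `grep -E -v` filters use unescaped dots and no anchors, which may exclude more paths than the ones listed. The tail of the pipeline appears truncated on this page, so the final `sed` could not be checked.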
@@ -134,9 +180,8 @@ done install -d -m0755 %{buildroot}/%{ap_serverroot}/%{name} install -d -m0755 %{buildroot}/%{ap_serverroot}/%{name}/tmp install -d -m0755 %{buildroot}/%{_sysconfdir}/%{name} -install -d -m0755 %{buildroot}/%{_defaultdocdir}/%{name} # copy src from build to buildroot -mv *SUSE %{buildroot}/%{_defaultdocdir}/%{name} +install -D -m644 %{SOURCE4} %{buildroot}/%{_defaultdocdir}/%{name}/README.SUSE mv LEGALNOTICE %{buildroot}/%{_defaultdocdir}/%{name} mv LICENSE %{buildroot}/%{_defaultdocdir}/%{name} mv "misc/How to install Matomo.html" %{buildroot}/%{_defaultdocdir}/%{name} @@ -148,6 +193,16 @@ sed -e 's|__matomo_web__|%{ap_serverroot}/%{name}|g' \ -e 's|__matomo_conf__|%{_sysconfdir}/%{name}|g' \ -e 's|__matomo_log__|/var/log/%{name}|g' \ %{SOURCE2} > %{buildroot}/%{ap_sysconfdir}/conf.d/%{name}.conf +# install php-fpm configuration +mkdir -p %{buildroot}/etc/php7/fpm/php-fpm.d +sed -e 's|__matomo_web__|%{ap_serverroot}/%{name}|g' \ + -e 's|__matomo_conf__|%{_sysconfdir}/%{name}|g' \ + -e 's|__matomo_log__|/var/log/%{name}|g' \ + %{SOURCE15} > %{buildroot}%{_sysconfdir}/php7/fpm/php-fpm.d/matomo-php-fpm.conf +install -m 0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/php7/fpm/php-fpm.conf +# install nginx configuration +install -D -m 0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/nginx/vhosts.d/matomo.conf +sed -i 's|__matomo_web__|%{ap_serverroot}/%{name}|g' %{buildroot}%{_sysconfdir}/nginx/vhosts.d/matomo.conf # install logrotate install -D -m0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} # move config to etc/matomo and make symlink 
@@ -156,28 +211,35 @@ mv %{buildroot}/%{ap_serverroot}/%{name}/config/* \ rm -d %{buildroot}/%{ap_serverroot}/%{name}/config ln -s %{_sysconfdir}/%{name} %{buildroot}/%{ap_serverroot}/%{name}/config # install cronscript and systemd-timer -install -d -m 0755 %{buildroot}/%{_sysconfdir}/cron.d install -d -m 0755 %{buildroot}/var/log/%{name} -install -D -m 0644 %{SOURCE10} %{buildroot}/%{_sysconfdir}/cron.d/%{name}-archive +%if %{with systemd} install -D -m 0644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}-archive.service install -D -m 0644 %{SOURCE12} %{buildroot}%{_unitdir}/%{name}-archive.timer install -D -m 0644 %{SOURCE14} %{buildroot}%{_tmpfilesdir}/%{name}.conf -sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' %{buildroot}%{_sysconfdir}/cron.d/%{name}-archive sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' %{buildroot}%{_unitdir}/%{name}-archive.service +%else +install -d -m 0755 %{buildroot}/%{_sysconfdir}/cron.d +install -D -m 0644 %{SOURCE10} %{buildroot}/%{_sysconfdir}/cron.d/%{name}-archive +sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' %{buildroot}%{_sysconfdir}/cron.d/%{name}-archive +%endif # install changes for mariadb install -D -m0644 %{SOURCE13} %{buildroot}/%{_sysconfdir}/my.cnf.d/%{name}.my.cnf +# touch config.ini.php (ghost) +touch %{buildroot}%{_sysconfdir}/%{name}/config.ini.php %fdupes %{buildroot}/%{_prefix} %fdupes %{buildroot}/srv +%if %{with systemd} %pre %service_add_pre matomo-archive.timer matomo-archive.service +%endif %post -# BSC#1154324 -# # # chown -R %{ap_usr}:%{ap_grp} %{ap_serverroot}/%{name} +%if %{with systemd} %service_add_post matomo-archive.timer matomo-archive.service apache2.service %tmpfiles_create %{_tmpfilesdir}/%{name}.conf +%endif if [ $1 -gt 1 ]; then # Update matomo if this is an upgrade $1 == 2 echo "matomo: Update matomo:core..." 
@@ -189,37 +251,68 @@ if [ $1 -gt 1 ]; then : fi +%if %{with systemd} %preun %service_del_preun matomo-archive.timer matomo-archive.service %postun %service_del_postun matomo-archive.timer matomo-archive.service apache2.service +%pre php-fpm +%service_add_pre php-fpm.service + +%post php-fpm +%service_add_post php-fpm.service + +%preun php-fpm +%service_del_preun php-fpm.service + +%postun php-fpm +%service_del_postun php-fpm.service + +%pre nginx +%service_add_pre nginx.service + +%post nginx +%service_add_post nginx.service + +%preun nginx +%service_del_preun nginx.service + +%postun nginx +%service_del_postun nginx.service +%endif + %files -%defattr(-,root,root,-) +%defattr(0644,root,root,0755) %dir %{_defaultdocdir}/%{name} %{_defaultdocdir}/%{name}/* %config(noreplace) %{ap_sysconfdir}/conf.d/%{name}.conf %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} -%config(noreplace) %{_sysconfdir}/cron.d/%{name}-archive %config(noreplace) %{_sysconfdir}/my.cnf.d/%{name}.my.cnf +%if %{with systemd} %{_unitdir}/%{name}-archive.service %{_unitdir}/%{name}-archive.timer %{_tmpfilesdir}/%{name}.conf +%else +%config(noreplace) %{_sysconfdir}/cron.d/%{name}-archive +%endif %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name} %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment +%{_sysconfdir}/%{name}/environment/*php %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*.php %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment/*.php %ghost %attr(0750,%{ap_usr},%{ap_grp}) /run/%{name}_sessions -%defattr(644,root,root,755) %dir %{ap_serverroot}/%{name} %dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/js %dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc %dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/plugins %dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/tmp %dir %attr(0750,%{ap_usr},%{ap_grp}) /var/log/%{name} -%config(noreplace) %attr(600,%{ap_usr},%{ap_grp}) 
%{_sysconfdir}/%{name}/*php -%{_sysconfdir}/%{name}/environment/*php +%ghost %config(noreplace) %attr(600,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/config.ini.php +%config %attr(600,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/global.ini.php +%config %attr(600,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/global.php +%config %attr(600,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/manifest.inc.php %attr(0644,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/matomo.js %attr(0644,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/piwik.js %attr(0644,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/js/piwik.min.js @@ -228,7 +321,6 @@ fi %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/log-analytics/import_logs.py %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/composer/clean-xhprof.sh %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/composer/build-xhprof.sh -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/plugins/TestRunner/scripts/on_instance_launch.sh %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/package.sh %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/lessify %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/plessc @@ -238,4 +330,15 @@ fi %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/twig/twig/drupal_test.sh %{ap_serverroot}/%{name}/* +%files php-fpm +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/php7/fpm/php-fpm.conf +%config(noreplace) %{_sysconfdir}/php7/fpm/php-fpm.d/matomo-php-fpm.conf + +%files nginx +%defattr(-,root,root,-) +%dir %{_sysconfdir}/nginx +%dir %{_sysconfdir}/nginx/vhosts.d +%config(noreplace) %{_sysconfdir}/nginx/vhosts.d/matomo.conf + %changelog
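Review bot: The main %files list names the files under %{_sysconfdir}/%{name} more than once with different modes: the retained `%attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*.php` glob also matches config.ini.php, global.ini.php, global.php and manifest.inc.php, which the new lines list at mode 600. config.ini.php holds the database credentials, so which entry wins should not be left to rpm's handling of duplicate entries. Dropping the 0640 glob, and one of the two `environment/*php` entries (which disagree on owner and mode), would make the intended permissions explicit. In the same hunk the sub-package scriptlets call `%service_del_preun nginx.service` and `%service_del_preun php-fpm.service`, which presumably stops or disables those daemons when only the Matomo configuration package is removed; that is worth confirming for hosts that serve other sites.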