Migrate bugtracker to php7 package

As flyspray does not support PHP 8 as of yet, transition to the php7
package by simply introducing a new php7_fpm role.

playbooks/bugs.archlinux.org.yml

@@ -12,7 +12,7 @@
     - { role: nginx }
     - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
     - { role: sudo }
-    - { role: php_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
+    - { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
     - { role: flyspray }
     - { role: borg_client, tags: ["borg"] }
     - { role: postfix, postfix_relayhost: "mail.archlinux.org" }

roles/flyspray/tasks/main.yml

@@ -62,10 +62,10 @@
 
 - name: configure php-fpm
   template:
-    src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ flyspray_user }}.conf"
+    src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ flyspray_user }}.conf"
     owner=root group=root mode=0644
   notify:
-    - restart php-fpm@flyspray
+    - restart php-fpm7@flyspray
 
 - name: install fail2ban register ban filter
   template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-flyspray-register.local owner=root group=root mode=0644
@@ -82,4 +82,4 @@
     - fail2ban
 
 - name: start and enable systemd socket
-  service: name=php-fpm@flyspray.socket state=started enabled=true
+  service: name=php-fpm7@flyspray.socket state=started enabled=true

roles/flyspray/templates/nginx.d.conf.j2

 upstream flyspray {
-    server unix:///run/php-fpm/flyspray.socket;
+    server unix:///run/php-fpm7/flyspray.socket;
 }
 
 server {

roles/flyspray/templates/php-fpm.conf.j2

@@ -3,7 +3,7 @@ error_log = syslog
 daemonize = no
 
 [{{ flyspray_user }}]
-listen = /run/php-fpm/flyspray.socket
+listen = /run/php-fpm7/flyspray.socket
 listen.owner = {{ flyspray_user }}
 listen.group = http
 listen.mode = 0660

roles/php7_fpm/defaults/main.yml

+---
+php_extensions:
+  - curl
+  - zip
+
+zend_extensions:
+  - opcache

roles/php7_fpm/files/php-fpm7@.service

+[Unit]
+Description=PHP-FPM service for %i
+After=syslog.target network.target
+After=mysqld.service postfix.service
+Requires=php-fpm7@.socket
+
+[Service]
+Type=notify
+
+PrivateTmp=true
+NoNewPrivileges=true
+;PrivateNetwork=true
+PrivateDevices=true
+
+# AURweb's rendercomment script git bindings requires access to /home:
+# failed to stat '/home/aur/.gitconfig
+ProtectHome=tmpfs
+ProtectSystem=full
+InaccessiblePaths=-/var/lib/mysql
+
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectClock=true
+
+RestrictRealtime=true
+RestrictNamespaces=true
+
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+
+MemoryAccounting=yes
+CPUAccounting=yes
+IOAccounting=yes
+
+User=%i
+Group=%i
+Environment="FPM_SOCKETS=/run/php-fpm7/%i.socket=3"
+ExecStart=/usr/bin/php-fpm7 --nodaemonize --fpm-config /etc/php7/php-fpm.d/%i.conf
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target

roles/php7_fpm/files/php-fpm7@.socket

+[Unit]
+Description=PHP-FPM socket for %i
+
+[Socket]
+ListenStream=/run/php-fpm7/%i.socket
+SocketMode=0660
+SocketUser=%i
+SocketGroup=http
+
+[Install]
+WantedBy=sockets.target

roles/php7_fpm/handlers/main.yaml

+---
+- name: daemon reload
+  systemd:
+    daemon-reload: yes

roles/php7_fpm/tasks/main.yaml

+---
+- name: install php7-fpm
+  pacman: name=php7-fpm,php7-gd,php7-pgsql state=present
+
+- name: install php7-fpm units
+  copy: >
+    src={{ item }} dest=/etc/systemd/system/{{ item }}
+    owner=root group=root mode=0644
+  with_items:
+    - php-fpm7@.socket
+    - php-fpm7@.service
+  notify: daemon reload
+
+- name: configure default php.ini
+  template: >
+    src=php.ini.j2 dest=/etc/php7/php.ini
+    owner=root group=root mode=0644