Fixes: 26f289b7 ("Capitalize the first letter of all task names")

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

Nothing fancy, just something to prevent automated form submissions.

[1] archlinux/archlinux-keyring#9

To be used as we begin migrating Flyspray tasks to GitLab.

Fix #320

The repository has been migrated to Gitlab as cgit will be removed in
due time.

Retain permissions as how they are on the live system, setting 750 will
make nginx unable to read the flyspray directory. Fix when: condition.

Leonidas Spyropoulos authored 3 years ago and Jelle van der Waa committed 3 years ago

Stop uncontrolled requests before reach php backend

Closes: #276

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

A extra access_log entry was added with the following commands:
$ cd roles
$ grep -lr access_log | xargs -P 1 -n 1 sed -i '/access_log/ s/\(.*\)\( \)\(\(reduced\|main\);$\)/\1 \3\n\1.json json_\3/'

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

As flyspray does not support PHP 8 as of yet, transition to the php7
package by simply introducing a new php7_fpm role.

Frederik Schwan authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

also use systemd instead of service module

As flyspray has no captcha for registering, we deploy this stop gap
measure to stop bots registering spam accounts.

The gitdirs are just clones of public repos and don't seem to contain
anything sensitive but better safe than sorry.

Thanks to Christian Rebischke <chris@shibumi.dev>

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites

The discovery script now uses a regex and no longer cares where exactly
accounting is enabled. Follow systemd upstream by enabling it by
default.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

For proxy/fastcgi/uwsgi blocks, logging is still set to the old format,
but for everything else (= static data) a reduced format is used that
excludes items that no longer make sense (request_time, remote_user) and
those that are personal information all the time (remote_addr, http_x_forwarded_for).

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

This is the same as used on luna and as expected by the zabbix nginx
monitoring service.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since nginx childs
runs as http user, the directories permissions must be 0755, so the
http user can descent into it. Since the logrotate will create the
log files as http:log, the nginx childs will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.

Added the missing index rewrites. They are used for sorting the issues,
and they were not working, because nginx needs it to be an absolute regex,
ending in $ for it to work, otherwise it replaces the index files finding
logic.

The task rewrites were not working because the location regex was
matching only up to the task id.

CVE-2016-1247 is a symlink attack on the log dir of nginx since a
reopening of the logs (triggered by logrotate) opens the logs as
nginx instead of root. logrotate creates the proper log files
already so nginx doesn't need write permissions to those directories.