Fixes: 26f289b7 ("Capitalize the first letter of all task names")

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

To be used as we begin migrating Flyspray tasks to GitLab.

Fix #320

The repository has been migrated to Gitlab as cgit will be removed in
due time.

Retain permissions as how they are on the live system, setting 750 will
make nginx unable to read the flyspray directory. Fix when: condition.

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

As flyspray does not support PHP 8 as of yet, transition to the php7
package by simply introducing a new php7_fpm role.

As flyspray has no captcha for registering, we deploy this stop gap
measure to stop bots registering spam accounts.

The discovery script now uses a regex and no longer cares where exactly
accounting is enabled. Follow systemd upstream by enabling it by
default.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since nginx childs
runs as http user, the directories permissions must be 0755, so the
http user can descent into it. Since the logrotate will create the
log files as http:log, the nginx childs will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.

CVE-2016-1247 is a symlink attack on the log dir of nginx since a
reopening of the logs (triggered by logrotate) opens the logs as
nginx instead of root. logrotate creates the proper log files
already so nginx doesn't need write permissions to those directories.

When cloning the empty repository for the first time, there can't
be a setup directory, otherwise the clone will fail. We check if
the user was created on that run or not and don't create the setup
directory in that case.

The setup directory for flyspray is present on our git, so, instead of being
deleted after the installation, it remains on the repository. To avoid issues
with it, it has permissions 000 when not in use. But, for cloning, it is
required to have write permissions. So, we do this permission juggling before
cloning.

roles/flyspray: Changed the flyspray user from php-flyspray to flyspray and made the template of the php-fpm.conf to follow.

roles/flyspray: Remove duplicated register and created a task to enable and start the php-fpm@flyspray.socket.

roles/flyspray: Create a setting for the user flyspray uses and change tasks accordingly. Also created a task to deploy the php-fpm configuration.

roles/flyspray: Continuing the work on flyspray. We have the tasks.yml installing and configuring flyspray with nginx, still left to do the php-fpm service.