roles/flyspray: Remove duplicated register and created a task to enable and start the php-fpm@flyspray.socket.

roles/flyspray: Create a setting for the user flyspray uses and change tasks accordingly. Also created a task to deploy the php-fpm configuration.

roles/flyspray: Continuing the work on flyspray. We have the tasks.yml installing and configuring flyspray with nginx, still left to do the php-fpm service.

roles/flyspray: Initial work on the flyspray role. Created a vault for the db password and a defaults file.

CVE-2016-1247 is a symlink attack on the log dir of nginx since a
reopening of the logs (triggered by logrotate) opens the logs as nginx
instead of root. logrotate creates the proper log files already so
nginx doesn't need write permissions to those directories.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

The config is based on my personal one, but stripped of many
unnecessary parts. It's an initial config to get a somewhat useable
root shell on our server.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

https://lists.archlinux.org/pipermail/aur-general/2017-January/033168.html



Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Having this in could cause partial upgrades when installing new
packages. Remove it.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

One of the things missing from the preload submission was that we
included the STS header on http connections also. Using this:
https://trac.nginx.org/nginx/ticket/289#comment:3 we are able to
only include the STS header on https connections.

After some weeks since it was proposed the addition of archlinux.org
to the HSTS Preload list, since there were no objections, we are
introducing this change and in the coming hours will add archlinux.org
domain to the list.

The domain packages.archlinux.org, used to redirect to www.archlinux.org but,
retaining the last part of the URL. That behavior was lost on the domain
redirects change, now it was added again.

roles/archweb: Properly template the archweb_admins variable to put the ADMINS when they are configured.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

A full VACUUM takes quite a long time and requires an exclusive lock on
the table. Since our current quassel host is not starved for disk space,
use a normal VACUUM instead.

This speeds up cleaning from about 50s to about 6s. Most of that is the
CLUSTER, which also requires an exclusive lock. However, stalling the
quassel core for just 6 seconds every night is a lot less likely to
cause timeouts.

roles/php-fpm: Removed the requirement of naming php-fpm users with php- prefix. Now the user is the same as the file containing the configuration.

roles/php-fpm: Change the InaccessibleDirectories directive to InaccessiblePaths, remove the /srv/vmail folder from it and make /var/lib/mysql optional.

Requested by jleclanche

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>