rootless php

[USA-RedDragon]

Adds -rootless versions of the images in order to facilitate migration to rootless containers.

The containers run as www-data:www-data and on port 8080.

The existing images are adjusted in some minor ways:

• /var/lib/nginx/tmp and /var/log/nginx are created by default
• WORKDIR /app is not set in base as none of the build instructions seem to rely on that (also, so we can create it after we swap users with USER in base-rootless)
• The nginx port is now templated through NGINX_PORT, but this should result in the same output as prior to this PR after a clevyr-build
• A s6-svscan-rootless utility is added that uses /tmp to provide a place for the .s6-svscan file to live. This goes unused in the base image that's not rootless, but does exist in the filesystem.

I have a draft PR 1291 in another repo that I won't link due to the name of it being a privacy concern that shows how this might look on the application side