From ea1f52814dd5bfe7307f36e347d2906494ba8376 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 30 Dec 2018 15:18:31 -0600 Subject: [PATCH] roles/apache: Configure mod_userdir By default, per-user directories (i.e. `/~username/`) are disabled in Fedora's configuration of Apache. This commit introduces a new variable, `apache_userdir`, which can be used to enable this feature. It should be set to a string other than *disabled*, which is the path under users' home directories that will be served, if it is accessible. Normally, the value would be `public_html`. --- roles/apache/tasks/main.yml | 12 ++++++ roles/apache/templates/userdir.httpd.conf.j2 | 44 ++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 roles/apache/templates/userdir.httpd.conf.j2 diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 5636fc1..6fd58a8 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -57,6 +57,18 @@ setype=httpd_config_t notify: reload httpd +- name: ensure apache userdir module is configured + template: + src=userdir.httpd.conf.j2 + dest=/etc/httpd/conf.d/userdir.conf + mode=0644 + notify: reload httpd +- name: ensure selinux is configured for apache user directories + seboolean: + name=httpd_enable_homedirs + persistent=yes + state={{ 'yes' if apache_userdir is defined else 'no' }} + - name: ensure apache mpm module is configured template: src=mpm.httpd.conf.j2 diff --git a/roles/apache/templates/userdir.httpd.conf.j2 b/roles/apache/templates/userdir.httpd.conf.j2 new file mode 100644 index 0000000..891d58c --- /dev/null +++ b/roles/apache/templates/userdir.httpd.conf.j2 
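Review bot: The `seboolean` task keys `httpd_enable_homedirs` on `apache_userdir is defined`, so setting the variable to `disabled` (the sentinel the commit message mentions) or to an empty string still lets httpd read home directories under SELinux while UserDir itself is off. Tie the boolean to the feature actually being enabled, e.g. `state={{ 'yes' if apache_userdir | default('disabled') not in ['', 'disabled'] else 'no' }}`. The `else 'no'` branch also forces the boolean off on every run, which would undo a host where it was enabled for another reason; a comment on the task such as `# this role owns httpd_enable_homedirs` would make that explicit. The new template task also omits the `setype=httpd_config_t` that the preceding task in the context lines sets.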
@@ -0,0 +1,44 @@
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+# The path to the end user account 'public_html' directory must be
+# accessible to the webserver userid. This usually means that ~userid
+# must have permissions of 711, ~userid/public_html must have permissions
+# of 755, and documents contained therein must be world-readable.
+# Otherwise, the client will only receive a "403 Forbidden" message.
+#
+
+ #
+ # UserDir is disabled by default since it can confirm the presence
+ # of a username on the system (depending on home directory
+ # permissions).
+ #
+{% if apache_userdir is defined %}
+ #UserDir disabled
+{% else %}
+ UserDir disabled
+{% endif %}
+
+ #
+ # To enable requests to /~user/ to serve the user's public_html
+ # directory, remove the "UserDir disabled" line above, and uncomment
+ # the following line instead:
+ #
+{% if apache_userdir is defined %}
+ UserDir {{ apache_userdir }}
+{% else %}
+ #UserDir public_html
+{% endif %}
+
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+
+ AllowOverride FileInfo AuthConfig Limit Indexes
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+ Require method GET POST OPTIONS
+
+
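Review bot: When `apache_userdir` is defined the template comments out `UserDir disabled` and enables the feature for every account, including root and service accounts; the enabled branch should keep an explicit exclusion, e.g. emit `UserDir disabled root` just before `UserDir {{ apache_userdir }}`. The value is also interpolated unchecked: an empty string renders a bare `UserDir` directive, which httpd is likely to reject at reload, so a `{% if apache_userdir is defined and apache_userdir %}` guard (or an assert in the tasks file) would be safer. The container lines around the last three directives are not visible in this rendering; if that directory path is still hard-coded to `public_html`, the `AllowOverride`/`Options`/`Require method` restrictions would not follow a different `apache_userdir` value and should be templated from the same variable. Since `Options` keeps `Indexes`, a short comment noting that enabled user directories are listable when they lack an index file would help whoever sets the variable.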