only expose ldaps on rfc intranets

group_vars/kanidm.yml

@@ -1,3 +1,4 @@
 ---
 
 kanidm_domain: auth.hatecomputers.club
+kanidm_bind_address: "{{ lookup('community.general.dig', inventory_hostname) }}"

group_vars/mail.yml

@@ -5,7 +5,11 @@ postmaster_email: postmaster@hatecomputers.club
 domain: hatecomputers.club
 mail_domain: mail.hatecomputers.club
 
-ldap_server_host: "ldaps://auth.hatecomputers.club:3636"
+ldap_server: "auth.hatecomputers.club"
+ldap_server_host: "ldaps://{{ ldap_server }}:3636"
+ldap_intranet: >
+  {{ lookup('community.general.dig',
+    'auth.int.infra.hatecomputers.club') }}
 ldap_search_base: "dc=auth,dc=hatecomputers,dc=club"
 ldap_bind_dn: "dn=token"
 

playbooks/roles/kanidm/tasks/main.yml

@@ -32,11 +32,13 @@
     group: root
     mode: 0755
 
-- name: Allow all LDAPS connections from everywhere
-  ansible.builtin.ufw:
+- name: Allow LDAPS from rfc1918 networks
+  loop: "{{ rfc1918_networks }}"
+  community.general.ufw:
     rule: allow
     proto: tcp
     port: '3636'
+    from: "{{ item }}"
 
 - name: Enable kanidm
   ansible.builtin.systemd_service:

playbooks/roles/kanidm/templates/docker-compose.yml.j2

@@ -10,4 +10,4 @@ services:
       - /etc/letsencrypt:/certs:ro
     ports:
       - 127.0.0.1:8443:8443
-      - 0.0.0.0:3636:3636
+      - {{ kanidm_bind_address }}:3636:3636

playbooks/roles/mail/templates/docker-compose.yml.j2

@@ -64,3 +64,5 @@ services:
 
       - ENABLE_OAUTH2=1
       - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}
+    extra_hosts:
+      - {{ ldap_server }}:{{ ldap_intranet}}