From 40523baacc16e2e3fa40a0fe2f67470af96ab917 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Mon, 25 Mar 2024 13:43:12 -0400
Subject: [PATCH] only expose ldaps on rfc intranets

---
 group_vars/kanidm.yml | 1 +
 group_vars/mail.yml | 6 +++++-
 playbooks/roles/kanidm/tasks/main.yml | 6 ++++--
 playbooks/roles/kanidm/templates/docker-compose.yml.j2 | 2 +-
 playbooks/roles/mail/templates/docker-compose.yml.j2 | 2 ++
 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/group_vars/kanidm.yml b/group_vars/kanidm.yml
index 996fbaa..2ae89d4 100644
--- a/group_vars/kanidm.yml
+++ b/group_vars/kanidm.yml
@@ -1,3 +1,4 @@
 ---
 kanidm_domain: auth.hatecomputers.club
+kanidm_bind_address: "{{ lookup('community.general.dig', inventory_hostname) }}"
diff --git a/group_vars/mail.yml b/group_vars/mail.yml
index 1bae194..8b3efb3 100644
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@@ -5,7 +5,11 @@ postmaster_email: postmaster@hatecomputers.club
 domain: hatecomputers.club
 mail_domain: mail.hatecomputers.club
-ldap_server_host: "ldaps://auth.hatecomputers.club:3636"
+ldap_server: "auth.hatecomputers.club"
+ldap_server_host: "ldaps://{{ ldap_server }}:3636"
+ldap_intranet: >
+  {{ lookup('community.general.dig',
+  'auth.int.infra.hatecomputers.club') }}
 ldap_search_base: "dc=auth,dc=hatecomputers,dc=club"
 ldap_bind_dn: "dn=token"
diff --git a/playbooks/roles/kanidm/tasks/main.yml b/playbooks/roles/kanidm/tasks/main.yml
index 142adbe..37cc0da 100644
--- a/playbooks/roles/kanidm/tasks/main.yml
+++ b/playbooks/roles/kanidm/tasks/main.yml
@@ -32,11 +32,13 @@
     group: root
     mode: 0755
 
-- name: Allow all LDAPS connections from everywhere
-  ansible.builtin.ufw:
+- name: Allow LDAPS from rfc1918 networks
+  loop: "{{ rfc1918_networks }}"
+  community.general.ufw:
     rule: allow
     proto: tcp
     port: '3636'
+    from: "{{ item }}"
 
 - name: Enable kanidm
   ansible.builtin.systemd_service:
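Review bot: `kanidm_bind_address` is whatever the A record of `inventory_hostname` resolves to on the control node at templating time, so the listener is only as private as that DNS record; if the name resolves to the host's public address, the LDAPS port is still published on the Internet-facing interface and the commit's intent is not met. The lookup is also unchecked: when the name does not resolve, `community.general.dig` returns the string `NXDOMAIN`, which would be rendered into the compose template (the same applies to `ldap_intranet` in group_vars/mail.yml). Consider deriving this from the intranet record the mail side already uses, or from a host fact for the RFC1918 interface, and documenting the contract above the key, e.g. `# RFC1918 address the LDAPS listener binds to; must never resolve to the public interface`.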
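Review bot: `ldap_intranet: >` uses a folded scalar with clip chomping, so the value carries a trailing newline that Ansible may preserve when it templates the variable; since the value is spliced into an `extra_hosts` entry in the mail compose template, that newline lands in the rendered compose file. Use strip chomping so the variable is exactly the resolved address: `ldap_intranet: >-`. A short comment explaining why the intranet record is resolved separately from `ldap_server`, e.g. `# intranet address pinned via extra_hosts so the LDAPS hostname (and its cert) still matches`, would help the next reader.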
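Review bot: The replaced "Allow all LDAPS connections from everywhere" task is only removed from the playbook; on hosts where it has already run, the unrestricted `allow 3636/tcp` rule persists in ufw, and the new per-network rules are simply added alongside it, so the listener remains reachable from any source until someone deletes the old rule by hand. Add an explicit deletion task before the new loop so the playbook converges to the intended state. `rfc1918_networks` is not defined in this diff; presumably it lives in another group_vars file, which is worth confirming.
```yaml
- name: Remove legacy allow-all LDAPS rule
  community.general.ufw:
    rule: allow
    proto: tcp
    port: '3636'
    delete: true

# … unchanged: Allow LDAPS from rfc1918 networks task …
```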
diff --git a/playbooks/roles/kanidm/templates/docker-compose.yml.j2 b/playbooks/roles/kanidm/templates/docker-compose.yml.j2
index 0bb5527..c0c16bc 100644
--- a/playbooks/roles/kanidm/templates/docker-compose.yml.j2
+++ b/playbooks/roles/kanidm/templates/docker-compose.yml.j2
@@ -10,4 +10,4 @@ services:
       - /etc/letsencrypt:/certs:ro
     ports:
       - 127.0.0.1:8443:8443
-      - 0.0.0.0:3636:3636
+      - {{ kanidm_bind_address }}:3636:3636
diff --git a/playbooks/roles/mail/templates/docker-compose.yml.j2 b/playbooks/roles/mail/templates/docker-compose.yml.j2
index bde0d82..bb9c362 100644
--- a/playbooks/roles/mail/templates/docker-compose.yml.j2
+++ b/playbooks/roles/mail/templates/docker-compose.yml.j2
@@ -64,3 +64,5 @@ services:
       - ENABLE_OAUTH2=1
       - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}
+    extra_hosts:
+      - {{ ldap_server }}:{{ ldap_intranet}}
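Review bot: With Docker's default iptables handling, traffic to a published port is accepted in the DOCKER/FORWARD chains and never traverses ufw's INPUT chain, so the ufw rules added in playbooks/roles/kanidm/tasks/main.yml most likely do not restrict this port at all; the bind address on this line is the control that actually limits exposure. That makes it important that `kanidm_bind_address` is an RFC1918 address rather than the public one (see group_vars/kanidm.yml), or that the hosts filter in the DOCKER-USER chain. Document the reliance in the template, e.g. `# bind to the intranet address only: ufw does not filter Docker-published ports`.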
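Review bot: `{{ ldap_intranet}}` is missing the space before `}}` that `{{ ldap_server }}` on the same line has, and the whole entry is unquoted even though both parts are templated. If the dig lookup behind `ldap_intranet` fails it yields `NXDOMAIN`, producing `auth.hatecomputers.club:NXDOMAIN`, which compose will reject as an invalid `extra_hosts` address. Quote the value and fix the spacing: `- "{{ ldap_server }}:{{ ldap_intranet }}"`.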