access_control:
  default_policy: deny
  rules:

   # Allow free access from local network
    - domain: "*.{{ env "TRAEFIK_DOMAIN" }}"
      policy: bypass
      networks:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8

  #  Put WAN Access rules here
    - domain: {{ env "TRAEFIK_DOMAIN" }}
      resources:
        - "^/.well-known([/?].*)?$"
      policy: bypass

    - domain: {{ env "TRAEFIK_DOMAIN" }}
      subject: "group:admin"
      policy: two_factor

    - domain: headscale.{{ env "TRAEFIK_DOMAIN" }}
      policy: bypass