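# Authelia access_control section.
# Rules are evaluated top-down and the first rule whose domain, resources and
# subject all match decides the policy, so the order of the rules below is part
# of the policy. `{{ env "TRAEFIK_DOMAIN" }}` is expanded before the YAML is
# parsed; keep templated values single-quoted so the unexpanded file is still
# valid YAML (a double-quoted value containing `"` is not).
access_control:
  default_policy: deny
  rules:
    # Allow free access from local network
    # - domain: '*.{{ env "TRAEFIK_DOMAIN" }}'
    #   policy: bypass
    #   networks:
    #     - 192.168.0.0/16
    #     - 172.16.0.0/12
    #     - 10.0.0.0/8
    #
    # Put WAN Access rules here
    #
    # A blanket `bypass` for every subdomain placed first is matched before any
    # rule below and silently disables all of them (including the two_factor
    # rules and the app.* rules, which it always shadows). It is kept only as a
    # template; with it disabled, unlisted hosts fall back to default_policy.
    # - domain: '*.{{ env "TRAEFIK_DOMAIN" }}'
    #   policy: bypass
    # - domain: '{{ env "TRAEFIK_DOMAIN" }}'
    #   resources:
    #     - '^/.well-known([/?].*)?$'
    #   policy: bypass
    # - domain: '{{ env "TRAEFIK_DOMAIN" }}'
    #   subject: "group:admin"  # NOTE(review): active rules use "group:admins"
    #   policy: two_factor
    # - domain: 'headscale.{{ env "TRAEFIK_DOMAIN" }}'
    #   policy: bypass

    # Customer stacks: authenticated subscribers with one_factor.
    # NOTE(review): the expanded domain is not regex-escaped, so each "." in it
    # matches any character — confirm this is acceptable.
    - domain_regex: '^[a-z0-9-]+\.{{ env "TRAEFIK_DOMAIN" }}$'
      subject:
        - "group:customers"
      policy: one_factor

    # Customer demo subdomains (e.g. clientname.app.a250.ca)
    - domain_regex: '^[a-z0-9-]+\.app\.a250\.ca$'
      subject:
        - "group:customers"
      policy: one_factor

    # ss-atlas app public routes (landing, webhook).
    # Must stay ahead of the authenticated app.* rules below.
    - domain: 'app.{{ env "TRAEFIK_DOMAIN" }}'
      policy: bypass
      resources:
        - '^/$'
        - '^/subscribe$'
        - '^/success(\?.*)?$'
        - '^/webhook/stripe$'
        - '^/health$'

    # ss-atlas activate requires any authenticated user (not yet in customers group)
    - domain: 'app.{{ env "TRAEFIK_DOMAIN" }}'
      resources:
        - '^/activate$'
      policy: one_factor

    # ss-atlas dashboard requires auth
    - domain: 'app.{{ env "TRAEFIK_DOMAIN" }}'
      subject:
        - "group:customers"
      policy: one_factor

    # Admin services require two-factor authentication
    - domain:
        - "portainer.a250.ca"
        - "login.a250.ca"
        - "git.nixc.us"
      subject:
        - "group:admins"
      policy: two_factor

    # Graylog access (sensitive logs require two-factor).
    # Placed before the general "*.a250.ca" admin rule so that an admin who is
    # also in group:graylog gets two_factor here instead of one_factor there.
    - domain:
        - "log.a250.ca"
      subject:
        - "group:graylog"
      policy: two_factor

    # General admin access (less sensitive services)
    - domain: "*.a250.ca"
      subject:
        - "group:admins"
        # - "group:dev"
      policy: one_factor

    # traefik monitor
    - domain:
        - "monitor-ertest.a250.ca"
      subject:
        - "group:monitor-ertest"
      policy: one_factor

    # guacamole
    - domain:
        - "guac.a250.ca"
      subject:
        - "group:guac"
      policy: one_factor

    # uptime-kuma
    - domain:
        - "uptime.a250.ca"
      subject:
        - "group:uptime-kuma"
      policy: one_factor

    # Filebrowser: admins, plus unauthenticated access to the API, share and
    # static paths. NOTE(review): the bypass rule sits behind the admins rule;
    # confirm it is still reached for anonymous requests, otherwise move it
    # above. Bypassing /api relies on the application's own authentication.
    - domain:
        - "fb.a250.ca"
        - "fbi.a250.ca"
      subject:
        - "group:admins"
      policy: one_factor
    - domain:
        - "fb.a250.ca"
        - "fbi.a250.ca"
      policy: bypass
      resources:
        - '^/api/(.*)?$'
        - '^/share/(.*)?$'
        - '^/static/(.*)?$'

    ## Transfer.sh
    - domain:
        - "tx.a250.ca"
      subject:
        - "group:transfer"
      policy: one_factor

    ## Firefox
    - domain:
        - "ff.a250.ca"
      subject:
        - "group:firefox"
      policy: one_factor

    ## Oracle
    - domain:
        - "oracle.a250.ca"
      subject:
        - "group:oracle"
      policy: one_factor

    ## Stash: fb.a250.ca for the fansdb group (non-admins reach this rule
    ## because the admins-only rule above does not match them)
    - domain:
        - "fb.a250.ca"
      subject:
        - "group:fansdb"
      policy: one_factor

    # Filebrowser for the stash_admin group
    - domain:
        - "fb-stash.a250.ca"
      subject:
        - "group:stash_admin"
      policy: one_factor

    # whisper access
    - domain:
        - "whisper.a250.ca"
      subject:
        - "group:kwlug"
      policy: one_factor

    # marketing browser access
    - domain:
        - "marketing-browser.a250.ca"
      subject:
        - "group:mrc"
      policy: one_factor

    # scanner access
    - domain:
        - "scanner.oid.a250.ca"
      subject:
        - "group:mrc"
      policy: one_factor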