ATLAS/docker/authelia/config/configuration.acl.yml


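# Authelia access-control policy for the nixc.us services.
#
# Anything not matched by a rule below is denied (default_policy: deny).
# Rules are evaluated top to bottom and the first matching rule decides the
# policy, so order is part of the policy: a host that needs two_factor must be
# matched by a two_factor rule ABOVE any broader rule that would also match it.
#
# Authelia's rule-matching documentation also describes rules with `subject`
# criteria as matching a not-yet-authenticated request (so the user is sent to
# log in). Verify the effective result for a given URL, user and group set with
# `authelia access-control check-policy` against the deployed version.
access_control:
  default_policy: deny
  rules:
    # Allow free access from local network
    # NOTE(review): if re-enabled, this bypasses authentication for every
    # subdomain based only on the client IP Authelia sees. Behind a reverse
    # proxy that depends on correctly trusted forwarded headers, and
    # 172.16.0.0/12 overlaps Docker's default bridge ranges, so confirm the
    # proxy's own address can never be taken for the client address.
    # - domain: "*.{{ env "TRAEFIK_DOMAIN" }}"
    #   policy: bypass
    #   networks:
    #     - 192.168.0.0/16
    #     - 172.16.0.0/12
    #     - 10.0.0.0/8
    # # Put WAN Access rules here
    # - domain: {{ env "TRAEFIK_DOMAIN" }}
    #   resources:
    #     - "^/.well-known([/?].*)?$"
    #   policy: bypass
    # - domain: {{ env "TRAEFIK_DOMAIN" }}
    #   subject: "group:admin"
    #   policy: two_factor
    # - domain: headscale.{{ env "TRAEFIK_DOMAIN" }}
    #   policy: bypass

    # Admin services require two-factor authentication.
    # log.nixc.us is listed here as well: the Graylog rule further down asks
    # for two_factor, but a member of group:admins would otherwise match the
    # "*.nixc.us" one_factor rule first and reach the logs with one factor.
    - domain:
        - "portainer.nixc.us"
        - "login.nixc.us"
        - "git.nixc.us"
        - "log.nixc.us"
      subject:
        - "group:admins"
      policy: two_factor

    # General admin access (less sensitive services).
    # Because of first-match evaluation, this wildcard gives group:admins
    # one_factor access to every subdomain that is not matched by a rule above
    # it. Any new sensitive host must be added to a two_factor rule above.
    - domain: "*.nixc.us"
      subject:
        - "group:admins"
        # - "group:dev"
      policy: one_factor

    # traefik monitor
    - domain:
        - "monitor-ertest.nixc.us"
      subject:
        - "group:monitor-ertest"
      policy: one_factor

    # guacamole
    - domain:
        - "guac.nixc.us"
      subject:
        - "group:guac"
      policy: one_factor

    # uptime-kuma
    - domain:
        - "uptime.nixc.us"
      subject:
        - "group:uptime-kuma"
      policy: one_factor

    # Filebrowser and Bypass
    - domain:
        - "fb.nixc.us"
        - "fbi.nixc.us"
      subject:
        - "group:admins"
      policy: one_factor
    # NOTE(review): `bypass` switches Authelia off for these paths, so the
    # application's own authentication is the only control on /api/, /share/
    # and /static/. Confirm that is intended for the whole API prefix. This
    # rule also sits below subject-based rules for the same hosts; check with
    # `authelia access-control check-policy` which requests actually reach it
    # before relying on it or moving it.
    - domain:
        - "fb.nixc.us"
        - "fbi.nixc.us"
      policy: bypass
      resources:
        - '^/api/(.*)?$'
        - '^/share/(.*)?$'
        - '^/static/(.*)?$'

    ## Transfer.sh
    - domain:
        - "tx.nixc.us"
      subject:
        - "group:transfer"
      policy: one_factor

    ## Firefox
    - domain:
        - "ff.nixc.us"
      subject:
        - "group:firefox"
      policy: one_factor

    ## Oracle
    - domain:
        - "oracle.nixc.us"
      subject:
        - "group:oracle"
      policy: one_factor

    ## Stash
    # NOTE(review): this rule repeats fb.nixc.us (the Filebrowser host) under
    # the Stash heading and grants it to group:fansdb. Confirm the host name
    # is the intended one.
    - domain:
        - "fb.nixc.us"
      subject:
        - "group:fansdb"
      policy: one_factor

    # fb-stash
    - domain:
        - "fb-stash.nixc.us"
      subject:
        - "group:stash_admin"
      policy: one_factor

    # Graylog access (sensitive logs require two-factor).
    # Applies to group:graylog members who are not in group:admins; admins are
    # held to two_factor for this host by the first rule in this list.
    - domain:
        - "log.nixc.us"
      subject:
        - "group:graylog"
      policy: two_factor

    # whisper access
    - domain:
        - "whisper.nixc.us"
      subject:
        - "group:kwlug"
      policy: one_factor

    # marketing-browser access
    - domain:
        - "marketing-browser.nixc.us"
      subject:
        - "group:mrc"
      policy: one_factor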