# stacks/auth/authelia/access_control.yml
# Rules evaluated top-to-bottom; first match wins.
# default_policy: deny is set in configuration.yml, so anything not
# matched here is rejected.
# Rule 1: a request whose source address is in either subnet below skips
# Authelia for every *.home.arpa host. First match wins, so from these
# subnets this also covers the hosts that later rules put behind two_factor
# (sonarr, radarr, prowlarr, bazarr, prometheus, qbt, portainer).
# NOTE(review): network location is then the only control on the admin
# tools for these subnets. Confirm that is intended, or list only the
# hosts that really need an unauthenticated LAN path.
# NOTE(review): the match is only as trustworthy as the client address the
# reverse proxy reports. Confirm the proxy overwrites any client-supplied
# X-Forwarded-For before it reaches Authelia.
- domain: '*.home.arpa'
  policy: bypass
  networks:
    - 10.10.0.0/24  # LAN management vlan
    - 10.10.20.0/24  # trusted workstations

# Rule 2: no authentication from any network.
# Presumably this host is the Authelia portal itself; verify.
- domain: 'auth.home.arpa'
  policy: bypass

# Rule 3: no subject, so any user who passes one factor is allowed.
- domain: 'status.home.arpa'
  policy: one_factor

# Rule 4: Jellyfin paths under /web/ and the AuthenticateByName endpoint
# need one factor.
- domain: 'jellyfin.home.arpa'
  policy: one_factor
  resources:
    - '^/web/.*$'
    - '^/Users/AuthenticateByName$'

# Rule 5: these Jellyfin paths are not checked by Authelia at all.
# NOTE(review): the first pattern matches every path starting with /socket.
# The `.*` in the second is not limited to one path segment, so it covers
# anything under /Items/ that contains /Images, /HLS or /Master. Access to
# these paths then rests on Jellyfin's own checks; confirm those hold for
# each endpoint, and tighten `.*` to the id format if possible.
# Jellyfin paths matched by neither rule 4 nor rule 5 fall through to the
# catch-all at the end (two_factor, group:admins).
- domain: 'jellyfin.home.arpa'
  policy: bypass
  resources:
    - '^/socket.*$'
    - '^/Items/.*/(Images|HLS|Master).*$'

# Rule 6: members of group:admins only, with two factors.
- domain:
    - 'sonarr.home.arpa'
    - 'radarr.home.arpa'
    - 'prowlarr.home.arpa'
    - 'bazarr.home.arpa'
  policy: two_factor
  subject:
    - 'group:admins'

# Rule 7: one factor for group:users. A user outside that group does not
# match here and falls through to the catch-all.
- domain: 'grafana.home.arpa'
  policy: one_factor
  subject:
    - 'group:users'

# Rule 8: members of group:admins only, with two factors.
- domain: 'prometheus.home.arpa'
  policy: two_factor
  subject:
    - 'group:admins'

# Rule 9: no subject, so any user who passes one factor is allowed.
- domain: 'gitea.home.arpa'
  policy: one_factor

# Rule 10: members of group:admins only, with two factors.
- domain:
    - 'qbt.home.arpa'
    - 'portainer.home.arpa'
  policy: two_factor
  subject:
    - 'group:admins'

# Rule 11 (catch-all): any other *.home.arpa host needs two factors and
# group:admins. Rules 6, 8 and 10 use the same policy and subject, so they
# duplicate this rule. Requests matching nothing hit the default policy
# described in the file header.
- domain: '*.home.arpa'
  policy: two_factor
  subject:
    - 'group:admins'