From 39d19cb3ea30e8392be12e9aea4c272306a69792 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 11 Dec 2023 10:36:01 -0600
Subject: [PATCH] authelia: Restrict access to firefly

Since we've configured the Ingress for Firefly III to log everyone in as *dustin* via a faked `Remote-User` request header, any user on the Pyrocufflink domain would be able to see my finances. Using Authelia's access control mechanism, we can restrict this to only users in a specific group.
---
 authelia/configuration.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 810870a..a3b1a0f 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -14,6 +14,20 @@ access_control:
 policy: bypass
 - domain: firefly.pyrocufflink.blue
 policy: two_factor
+ subject:
+ - 'group:Firefly III Users'
+ - domain: firefly-importer.pyrocufflink.blue
+ policy: two_factor
+ subject:
+ - 'group:Firefly III Users'
+ - domain: firefly-importer.pyrocufflink.blue
+ policy: one_factor
+ subject:
+ - 'user:svc.xactfetch'
+ - domain: firefly.pyrocufflink.blue
+ policy: deny
+ - domain: firefly-importer.pyrocufflink.blue
+ policy: deny
 - domain: scan.pyrocufflink.blue
 networks:
 - internal
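Review bot: The `one_factor` rule for `user:svc.xactfetch` on firefly-importer.pyrocufflink.blue is narrowed only by its subject, so that account's password alone is enough from any network where the importer is reachable. If the account is used only by an internal job (an assumption; its caller is not visible here), add `networks:` / `- internal` to that rule, as the scan.pyrocufflink.blue rule below already does. The five rules also rely on Authelia's first-match ordering, with the subject rules staying above the two `deny` rules, so a comment such as `# Order matters: first matching rule wins; keep the deny rules last for these domains` would guard against a later reorder. The `access_control` rule list begins outside this hunk, so whether an earlier rule or the default policy already covers these domains cannot be confirmed from here.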