diff --git a/modules/services/headscale/acl-policy.json b/modules/services/headscale/acl-policy.json
new file mode 100644
index 0000000..3cfd2ed
--- /dev/null
+++ b/modules/services/headscale/acl-policy.json
@@ -0,0 +1,37 @@
+{
+ "groups": {
+ "group:admin": ["motiejus@", "servers@"]
+ },
+
+ "tagOwners": {
+ "tag:public-server": ["group:admin"]
+ },
+
+ "acls": [
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "dst": ["*:*"]
+ },
+
+ {
+ "action": "accept",
+ "src": ["*"],
+ "dst": ["tag:public-server:*"]
+ },
+
+ {
+ "action": "accept",
+ "src": ["*"],
+ "proto": "tcp",
+ "dst": ["*:22"]
+ },
+
+ {
+ "action": "accept",
+ "src": ["*"],
+ "proto": "icmp",
+ "dst": ["*:*"]
+ }
+ ]
+}
diff --git a/modules/services/headscale/default.nix b/modules/services/headscale/default.nix
index 2f9c471..0e1a879 100644
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@@ -28,6 +28,7 @@
 ip_prefixes = [ config.mj.services.headscale.subnetCIDR ];
 prefixes.v4 = config.mj.services.headscale.subnetCIDR;
 log.level = "warn";
+policy.path = ./acl-policy.json;
 dns = {
 nameservers.global = [
 "1.1.1.1"
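Review bot: The third ACL entry, `"src": ["*"], "proto": "tcp", "dst": ["*:22"]`, lets every node in the tailnet reach SSH on every other node, so one compromised or freshly enrolled device gets a network path to port 22 on all hosts, admin workstations included. Because the first rule already grants `group:admin` `*:*`, this entry only adds SSH access for non-admin sources; if that is not intended, remove it or narrow the destination to the hosts meant to be reachable, e.g. `"dst": ["tag:public-server:22"]`, which the second rule already covers anyway. Relatedly, `servers@` is a member of `group:admin` and so inherits `*:*`; if the `tag:public-server` nodes are enrolled under that user, compromising one of them yields unrestricted reach into the rest of the tailnet (whether Headscale matches a tagged node's source by tag or by owning user has varied by version, so this is worth confirming against the deployed release). Strict JSON leaves no room for an inline rationale, so the reason each wildcard rule exists belongs in the commit message or an adjacent README.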