diff --git a/ansible/roles/headscale/files/acls.json b/ansible/roles/headscale/files/acls.json
new file mode 100644
index 0000000..5a0a171
--- /dev/null
+++ b/ansible/roles/headscale/files/acls.json
@@ -0,0 +1,13 @@
+{
+ "tagOwners": {
+ "tag:client": []
+
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": ["tag:client"],
+ "dst": ["*:*"]
+ }
+ ]
+}
diff --git a/ansible/roles/headscale/files/headscale.yml b/ansible/roles/headscale/files/headscale.yml
index a55a684..6101483 100644
--- a/ansible/roles/headscale/files/headscale.yml
+++ b/ansible/roles/headscale/files/headscale.yml
@@ -188,7 +188,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+acl_policy_path: "/etc/headscale/acls.json"
 ## DNS
 #
diff --git a/ansible/roles/headscale/tasks/main.yml b/ansible/roles/headscale/tasks/main.yml
index dc69ea0..ab1cfe6 100644
--- a/ansible/roles/headscale/tasks/main.yml
+++ b/ansible/roles/headscale/tasks/main.yml
@@ -11,7 +11,16 @@
 src: files/headscale.yml
 dest: /etc/headscale/config.yaml
 owner: headscale
- mode: "0644"
+ mode: "0600"
+ notify: restart headscale
+ become: true
+
+- name: Install ACLs
+ template:
+ src: files/acls.json
+ dest: /etc/headscale/acls.json
+ owner: headscale
+ mode: "0600"
+ notify: restart headscale
+ become: true
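Review bot: The only rule in the `acls` list lets any node carrying `tag:client` reach every destination on every port (`"dst": ["*:*"]`), so tagging a node is equivalent to allow-all, including toward other tagged clients and, if it is joined to the tailnet, the control host itself. Narrow `dst` to the specific hosts or tags and ports the clients actually need, and since headscale accepts HuJSON for this file, record the intent next to the rule, e.g. `// clients may only reach the listed services; everything else is implicitly denied`. Separately, `"tag:client": []` declares the tag with no owners; as far as I recall headscale rejects a client advertising a tag its user does not own, so unless nodes are tagged another way (for example through a tagged pre-auth key) this rule may never match anything — worth confirming against the deployed version. The blank line inside `tagOwners` is harmless in HuJSON but looks accidental.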
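Review bot: The `acl_policy_path` key set here is, as far as I recall, deprecated from headscale 0.23 onward in favour of a `policy:` block (`policy.mode: file` plus `policy.path: /etc/headscale/acls.json`); if the role installs a recent release the key may be ignored and the server would come up with no policy at all, the opposite of what this commit intends. Worth checking the key name against the example config of the headscale version the role pins. A short comment above the key would keep that reviewable later, e.g. `# key name validated against the pinned headscale release; newer releases use policy.path`.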
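Review bot: Both files are installed with `owner: headscale` and `mode: "0600"`, which tightens read access but leaves the service account as sole owner of, and therefore able to rewrite, its own configuration and ACL policy; if headscale runs as that user, the least-privilege layout is root-owned and group-readable, `owner: root`, `group: headscale`, `mode: "0640"`, so a compromised process cannot widen its own policy. No `group:` is given at all, so on first creation under `become: true` the group is presumably root's default, which only passes because the mode ignores the group bits. The new acls.json lives under `files/` and contains no Jinja, so `copy:` would express that more honestly than `template:`, although the existing task uses the same module. If headscale reloads its policy on SIGHUP (I believe recent releases do), a `reload headscale` handler would avoid dropping client sessions on every ACL edit; the first task's opening line is outside the hunk.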