diff --git a/.gitignore b/.gitignore
index 0c54f60..f7bafcd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 data/
 .env
+01-headscale/config/.acl.json.swp
diff --git a/01-headscale/config/acl.json b/01-headscale/config/acl.json
new file mode 100644
index 0000000..3b22347
--- /dev/null
+++ b/01-headscale/config/acl.json
@@ -0,0 +1,32 @@
+{
+ "tagOwners": {
+ "tag:ferris": ["weckyy702@"]
+ },
+
+ "hosts": {
+ "duke.veltnet": "10.10.0.135/32",
+ "homenet": "10.10.0.0/16"
+ },
+
+ "acls": [
+ /*Untagged devices have access to everything*/
+ {
+ "action": "accept",
+ "src": ["autogroup:member"],
+ "dst": [
+ "autogroup:internet:*",
+ "autogroup:member:*",
+ "autogroup:tagged:*",
+ "homenet:*"
+ ]
+ },
+ /*Ferris can only access the services hosted on duke*/
+ {
+ "action": "accept",
+ "src": ["tag:ferris"],
+ "dst": [
+ "duke.veltnet:*"
+ ]
+ }
+ ]
+}
diff --git a/01-headscale/config/config.yaml b/01-headscale/config/config.yaml
index d69714a..8dfa07b 100644
--- a/01-headscale/config/config.yaml
+++ b/01-headscale/config/config.yaml
@@ -20,7 +20,7 @@ listen_addr: 0.0.0.0:8080

 # Address to listen to /metrics and /debug, you may want
 # to keep this endpoint private to your internal network
-metrics_listen_addr: 0.0.0.0:9090
+# metrics_listen_addr: 0.0.0.0:9090

 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
@@ -243,7 +243,7 @@ policy:
 mode: file
 # If the mode is set to "file", the path to a
 # HuJSON file containing ACL policies.
- path: ""
+ path: "/etc/headscale/acl.json"

 ## DNS
 #
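Review bot: The first rule in `acls` grants every untagged member `homenet:*` (all ports on the whole 10.10.0.0/16) plus `autogroup:internet:*` and `autogroup:tagged:*`, which is far broader than the duke-only rule beneath it and deserves a comment that says so, e.g. `/* Untagged devices: full access to the LAN (10.10.0.0/16), exit-node internet and every tagged node; narrow this before a member device is shared */`. Because `duke.veltnet` (10.10.0.135/32) lies inside `homenet`, members already reach duke through the first rule; the second rule only constrains `tag:ferris`, and its `duke.veltnet:*` could be narrowed to the ports of the services the comment refers to rather than every port. Support for `autogroup:internet`, `autogroup:member` and `autogroup:tagged` varies between headscale versions, and a policy file that names an unsupported group fails to load as a whole, so verify these against the deployed version.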
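Review bot: Commenting out `metrics_listen_addr` does not match the comment two lines above it, which asks to keep the /metrics and /debug endpoint private rather than to remove it; whether headscale then serves no metrics at all or falls back to a built-in bind address depends on the version and cannot be seen from this hunk. If a private endpoint is the goal, `metrics_listen_addr: 127.0.0.1:9090` states it explicitly; if disabling is the goal, a comment recording that, e.g. `# metrics/debug listener intentionally not configured`, keeps the intent readable for the next reader.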
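Review bot: `path: "/etc/headscale/acl.json"` is a runtime path, while the policy file added by this commit lives at `01-headscale/config/acl.json` in the repository; the mount or copy that connects the two is not part of this diff, so a comment beside the path, e.g. `# bind-mounted from 01-headscale/config/acl.json`, would make that dependency visible. With `mode: file` the failure mode to watch is the server not being able to read the file (wrong mount path or permissions) at start-up, so confirm after deploy that the policy was actually loaded rather than assuming the default-deny fallback is what is running.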