diff --git a/headscale/acl.json b/headscale/acl.json
new file mode 100644
index 0000000..8cdbfbf
--- /dev/null
+++ b/headscale/acl.json
@@ -0,0 +1,60 @@
+{
+ "groups": {
+ "group:admin": ["davide"],
+ "group:family": ["davide", "dario"],
+ "group:services": ["services"],
+ "group:external": []
+ },
+ "tagOwners": {
+ "tag:web": ["group:admin"],
+ "tag:dns": ["group:admin"],
+ "tag:web": ["group:admin"],
+ "tag:game": ["group:admin", "group:family"]
+ },
+ "acls": [
+ // Family and admin should be able to access every service
+ {
+ "action": "accept",
+ "src": ["group:admin", "group:family"],
+ "dst": [
+ "tag:web:*",
+ "tag:dns:*",
+ "tag:exitnode:*"
+ ]
+ },
+ // External can access only hosted games
+ {
+ "action": "accept",
+ "src": ["group:external"],
+ "dst": [
+ "tag:game:*"
+ ]
+ },
+ // And possibly the DNS server (or we break their internet connection)
+ {
+ "action": "accept",
+ "src": ["group:external"],
+ "proto": "udp",
+ "dst": [
+ "tag:dns:53"
+ ]
+ },
+ // Web services should be able to make DNS queries
+ {
+ "action": "accept",
+ "src": ["tag:web"],
+ "proto": "udp",
+ "dst": [
+ "tag:dns:53"
+ ]
+ },
+ {
+ "action": "accept",
+ "src": ["davide", "dario"],
+ "dst": [
+ "davide:*",
+ "dario:*"
+ ]
+ }
+ ]
+}
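Review bot: `tagOwners` declares `"tag:web"` twice while `tag:exitnode`, used as a dst in the first ACL rule, has no owner at all, so no node can legitimately be tagged as an exit node and that rule can never match; the second entry looks like a copy-paste and was presumably meant to be `"tag:exitnode": ["group:admin"],`. Duplicate keys are also undefined behaviour for most JSON parsers (typically last-wins), so this should be fixed before the policy is relied on. Separately, the external rule grants `tag:game:*` on every port, which is broader than "hosted games" needs; listing the specific game ports instead of `*` keeps unauthenticated outsiders off any management or admin interface that shares those hosts. The comment on the first rule says family can reach "every service", yet `tag:game` is missing from its dst list, so family members who own the tag still cannot reach it — either the comment or the dst list is wrong. The `//` comments only work if headscale parses this as HuJSON (it appears to), so do not feed this file to a strict JSON consumer without stripping them.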