diff --git a/modules/nixos/services/headscale/default.nix b/modules/nixos/services/headscale/default.nix
index ed3a3e9..ee5c7ae 100644
--- a/modules/nixos/services/headscale/default.nix
+++ b/modules/nixos/services/headscale/default.nix
@@ -1,13 +1,14 @@
 { config, lib, namespace, ... }:
 let
- inherit (lib) mkIf mkEnableOption;
+ inherit (lib) mkIf mkEnableOption types;
 cfg = config.${namespace}.services.headscale;
- inherit (lib.${namespace}) mkBoolOpt;
+ inherit (lib.${namespace}) mkBoolOpt mkOpt;
 in
 {
 options.${namespace}.services.headscale = {
 enable = mkEnableOption "enable headscale service";
 openFirewall = mkBoolOpt false "Open firewall";
+ policy = mkOpt (types.nullOr types.path) null "Path to a HuJSON ACL policy file (file mode).";
 };
 options.services.headscale.settings.dns.nameservers.split = lib.mkOption {
@@ -30,6 +31,10 @@ in
 address = "0.0.0.0";
 settings = {
 server_url = "https://headscale.reichard.io";
+ policy = mkIf (cfg.policy != null) {
+ mode = "file";
+ path = toString cfg.policy;
+ };
 dns = {
 base_domain = "reichard.dev";
 nameservers = {
diff --git a/packages/pi-coding-agent/default.nix b/packages/pi-coding-agent/default.nix
index e3554eb..b1fb40b 100644
--- a/packages/pi-coding-agent/default.nix
+++ b/packages/pi-coding-agent/default.nix
@@ -18,16 +18,16 @@ buildNpmPackage rec {
 pname = "pi-coding-agent";
- version = "0.79.6";
+ version = "0.79.8";
 src = fetchFromGitHub {
 owner = "earendil-works";
 repo = "pi-mono";
 rev = "v${version}";
- hash = "sha256-ZJv4YCqt10DnuS3oCwwJ9Byix0u4CDFuiVaQd01Ryhs=";
+ hash = "sha256-eH1+vHrKBu1GcUXnTdvRtNuLuf0EdReAnFit8UqiXB4=";
 };
- npmDepsHash = "sha256-7QMIlG96nSd8J4M63PhCikUYh/84Hn1eaCuDBMBR3/A=";
+ npmDepsHash = "sha256-xrTpu4TkRmlflg7pMaw/QVsN+poQ41slVA5PET+NDoI=";
 nativeBuildInputs = [ pkg-config makeWrapper ];
diff --git a/systems/aarch64-linux/lin-o1-headscale/acl.hujson b/systems/aarch64-linux/lin-o1-headscale/acl.hujson
new file mode 100644
index 0000000..5dceab2
--- /dev/null
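Review bot: `path = toString cfg.policy;` in the settings hunk turns the path into a bare string with no store-path context, so the policy file never becomes a dependency of the system closure; with a flake-relative literal such as `./acl.hujson` the string points into the evaluated source copy, which the garbage collector may later remove, leaving headscale unable to read its ACL on the next restart. Interpolating instead, `path = "${cfg.policy}";`, copies the file into the store and records the dependency, so the file is guaranteed to exist whenever that configuration is activated. If the option is also meant to accept a mutable on-disk path that is edited at runtime, the description on `policy = mkOpt (types.nullOr types.path) null ...` in the first hunk should say which of the two behaviours a caller gets, since a path literal will never behave that way. The `services.headscale` block that this `settings` attribute belongs to starts outside the hunk.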
+++ b/systems/aarch64-linux/lin-o1-headscale/acl.hujson
@@ -0,0 +1,35 @@
+{
+ "tagOwners": {
+ "tag:mobile": ["evan@"],
+ },
+
+ "hosts": {
+ "lan-route": "10.0.0.0/16",
+ },
+
+ "acls": [
+ // 10.0.0.0/16
+ {
+ "action": "accept",
+ "src": ["tag:mobile"],
+ "dst": ["lan-route:*"],
+ },
+
+ // Main Net
+ {
+ "action": "accept",
+ "src": ["*"],
+ "dst": [
+ "100.64.0.0/10:*",
+ "fd7a:115c:a1e0::/48:*",
+ ],
+ },
+
+ // Exit Nodes
+ {
+ "action": "accept",
+ "src": ["*"],
+ "dst": ["autogroup:internet:*"],
+ },
+ ],
+}
diff --git a/systems/aarch64-linux/lin-o1-headscale/default.nix b/systems/aarch64-linux/lin-o1-headscale/default.nix
index f7ded9f..55214a6 100755
--- a/systems/aarch64-linux/lin-o1-headscale/default.nix
+++ b/systems/aarch64-linux/lin-o1-headscale/default.nix
@@ -1,5 +1,4 @@
 { namespace
-, config
 , pkgs
 , lib
 , modulesPath
@@ -7,8 +6,6 @@
 }:
 let
 inherit (lib.${namespace}) enabled;
-
- cfg = config.${namespace}.user;
 in
 {
 imports = [
@@ -23,6 +20,9 @@ in
 efiInstallAsRemovable = true;
 };
+ # Legacy Partion Name
+ fileSystems."/boot".device = lib.mkForce "/dev/disk/by-partlabel/disk-main-ESP";
+
 reichard = {
 nix = enabled;
@@ -39,6 +39,7 @@ in
 headscale = {
 enable = true;
 openFirewall = true;
+ policy = ./acl.hujson;
 };
 tailscale = {
 enable = true;
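Review bot: The "Main Net" rule grants every node access to every other node on every port (`"src": ["*"]` to `100.64.0.0/10:*` and `fd7a:115c:a1e0::/48:*`), so the only restriction this policy actually enforces is that the advertised 10.0.0.0/16 route is reachable from `tag:mobile` alone; that intent should be stated at the top of the file rather than left for the reader to derive from the CIDRs, e.g. `// Default-allow inside the tailnet and for exit nodes; the only restriction is that the LAN route (10.0.0.0/16) is reachable from tag:mobile only.`. The `// 10.0.0.0/16` comment on the first rule repeats the `lan-route` host definition and would be more useful naming the purpose, `// LAN subnet route: mobile devices only`. Whether `autogroup:internet` in the exit-node rule excludes private ranges such as 10.0.0.0/16 depends on the headscale version's definition of that autogroup, so it is worth confirming against the deployed version that the third rule does not reopen the LAN route to every node.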
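Review bot: The comment `# Legacy Partion Name` above the new `fileSystems."/boot".device` line misspells "Partition" and does not say what the label is legacy relative to or when the override can be removed; because `lib.mkForce` silently wins over whatever else defines that device, a later reader cannot tell which definition is being overridden or whether it is still needed. Suggested replacement: `# Legacy partition label: force the ESP device to the label this host was installed with; drop once the partition is relabelled to match the current disk layout.`. The `reichard = { ... }` block that follows and the enclosing attribute set both continue outside the hunk.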