diff --git a/cluster/services/consul/agent.nix b/cluster/services/consul/agent.nix
index 1e0a087..c91a6f5 100644
--- a/cluster/services/consul/agent.nix
+++ b/cluster/services/consul/agent.nix
@@ -28,6 +28,10 @@ in
       bootstrap_expect = builtins.length cfg.nodes.agent;
       addresses.http = config.links.consulAgent.ipv4;
       ports.http = config.links.consulAgent.port;
+      acl = {
+        enabled = true;
+        default_policy = "deny";
+      };
     };
   };