diff --git a/cookbooks/nomad/attributes.rb b/cookbooks/nomad/attributes.rb
index 6e0a6ea..367b2d7 100644
--- a/cookbooks/nomad/attributes.rb
+++ b/cookbooks/nomad/attributes.rb
@@ -4,6 +4,6 @@
 node.reverse_merge!({
   'nomad' => {
     'manager' => false,
-    'client' => true
+    'client' => false
   }
 })
diff --git a/cookbooks/nomad/default.rb b/cookbooks/nomad/default.rb
index 6a73243..64ce176 100644
--- a/cookbooks/nomad/default.rb
+++ b/cookbooks/nomad/default.rb
@@ -2,6 +2,8 @@ include_recipe './attributes.rb'
 
 include_recipe './install.rb'
 
-include_recipe './setup.rb'
+if node['nomad']['manager'] || node['nomad']['client']
+  include_recipe './setup.rb'
 
-include_recipe './shared_dir.rb'
+  include_recipe './shared_dir.rb'
+end
diff --git a/cookbooks/nomad/files/etc/nomad.d/acl.hcl b/cookbooks/nomad/files/etc/nomad.d/acl.hcl
new file mode 100644
index 0000000..f88f1d2
--- /dev/null
+++ b/cookbooks/nomad/files/etc/nomad.d/acl.hcl
@@ -0,0 +1,3 @@
+acl {
+  enabled = true
+}
diff --git a/cookbooks/nomad/files/etc/nomad.d/server.hcl b/cookbooks/nomad/files/etc/nomad.d/server.hcl
index 385e208..6b8cf5e 100644
--- a/cookbooks/nomad/files/etc/nomad.d/server.hcl
+++ b/cookbooks/nomad/files/etc/nomad.d/server.hcl
@@ -1,4 +1,4 @@
 server {
   enabled          = true
-  bootstrap_expect = 3
+  bootstrap_expect = 1
 }
diff --git a/cookbooks/nomad/setup.rb b/cookbooks/nomad/setup.rb
index f03b6ec..34b42b1 100644
--- a/cookbooks/nomad/setup.rb
+++ b/cookbooks/nomad/setup.rb
@@ -19,12 +19,14 @@ remote_file '/etc/nomad.d/datadir.hcl' do
 end
 
 if node['nomad']['manager']
-  remote_file '/etc/nomad.d/server.hcl' do
-    owner 'nomad'
-    group 'nomad'
-    mode '664'
+  %w( server.hcl acl.hcl ).each do |conf|
+    remote_file "/etc/nomad.d/#{conf}" do
+      owner 'nomad'
+      group 'nomad'
+      mode '664'
 
-    notifies :restart, 'service[nomad]'
+      notifies :restart, 'service[nomad]'
+    end
   end
 end
 
diff --git a/roles/base.rb b/roles/base.rb
index acd267d..fe08b14 100644
--- a/roles/base.rb
+++ b/roles/base.rb
@@ -7,3 +7,4 @@ include_recipe '../cookbooks/fzf/default.rb'
 include_recipe '../cookbooks/promtail/default.rb'
 include_recipe '../cookbooks/vector/default.rb'
 include_recipe '../cookbooks/prometheus-exporters/default.rb'
+include_recipe '../cookbooks/nomad/default.rb'