diff --git a/ansible/roles/headscale/handlers/main.yml b/ansible/roles/headscale/handlers/main.yml
new file mode 100644
index 0000000..81c252f
--- /dev/null
+++ b/ansible/roles/headscale/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart caddy-hs
+ ansible.builtin.systemd:
+ name: caddy-hs
+ state: restarted
+ when: caddyfile.changed or caddysystemd.changed
+...
diff --git a/ansible/roles/headscale/tasks/main.yml b/ansible/roles/headscale/tasks/main.yml
index 05f3154..581a726 100644
--- a/ansible/roles/headscale/tasks/main.yml
+++ b/ansible/roles/headscale/tasks/main.yml
@@ -59,6 +59,26 @@
 - "%s"
 register: caddyfile
+- name: Enable services in the firewall
+ ansible.posix.firewalld:
+ zone: "{{ firewalld_default_zone }}"
+ service: "{{ item }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ with_items:
+ - http
+ - https
+ when: "firewalld_configure"
+
+- name: Expose gRPC
+ ansible.posix.firewalld:
+ port: 50443/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+ when: "firewalld_configure"
+
 # - name: Install xcaddy
 # ansible.builtin.command:
 # cmd: >
@@ -100,12 +120,7 @@
 state: started
 enabled: true
 daemon_reload: true
-
-- name: Restart caddy-hs
- ansible.builtin.systemd:
- name: caddy-hs
- state: restarted
- when: caddyfile.changed or caddysystemd.changed
+ notify: Restart caddy-hs
 - name: Fetch crt,key
 ansible.builtin.fetch:
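Review bot: The `when: caddyfile.changed or caddysystemd.changed` kept on this handler, combined with the `notify: Restart caddy-hs` added in the tasks/main.yml hunk at `@@ -100,12 +120,7 @@`, changes when the restart actually happens. That notify sits on the task carrying `state: started` and `daemon_reload: true` (the task begins outside the hunk), which presumably reports changed only when the unit was stopped or not yet enabled, so on a host where caddy-hs is already running an edited Caddyfile never triggers the handler and the new TLS or proxy configuration is not loaded. Put `notify: Restart caddy-hs` on the tasks that register `caddyfile` and `caddysystemd`, and drop the `when:` from the handler, since a handler only runs when it has been notified. Without the `when:` the handler also stops depending on both registered variables being defined.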
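Review bot: The `Expose gRPC` task opens 50443/tcp without a `zone:`, so the rule lands in whatever firewalld's default zone is at run time rather than in `firewalld_default_zone` like the http/https task just above it; add `zone: "{{ firewalld_default_zone }}"` to keep the two consistent. The port is also opened to every source whenever `firewalld_configure` is true. Headscale's gRPC endpoint is its remote administration interface, so it would be safer to gate this task on its own opt-in variable and to limit it to the administrators' source addresses (a dedicated zone or a rich rule) than to publish it alongside 80/443. A one-line comment above the task stating who is expected to reach 50443 would make the intent reviewable.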