diff --git a/doc/architecture.md b/doc/architecture.md
index 1ffd550..1d964ff 100644
--- a/doc/architecture.md
+++ b/doc/architecture.md
@@ -32,7 +32,8 @@
 - the YANG modules for `netopeer2-server` are added via `netopeer2-install-yang.service` (via our Buildroot patches),
 - CzechLight-specific YANG modules and their initial data are added via [`czechlight-install-yang.service`](../package/cla-sysrepo/czechlight-install-yang.service),
 - system configuration is restored from the persistent location in `/cfg` via [`cfg-restore-sysrepo.service`](../package/czechlight-cfg-fs/cfg-restore-sysrepo.service),
-- configuration of the Netopeer server gets re-checked via 'netopeer2-setup.service` (once again in our Buildroot patches); this is needed especially during the first boot with no previous configuration to restore,
+- configuration of the Netopeer server gets re-checked via `netopeer2-setup.service` (once again in our Buildroot patches); this is needed especially during the first boot with no previous configuration to restore,
+- configuration of NACM is applied via [`nacm-restore.service`](../package/czechlight-cfg-fs/nacm-restore.service),
 - finally, any daemons that use sysrepo are started.
 
 We are also [using a `tmpfs` mount at `/run/sysrepo`](../package/reset-sysrepo/run-sysrepo.mount) that [gets wiped out whenever a sysrepo service fails](../package/reset-sysrepo/reset-sysrepo.mk).
diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 2cf20b0..8263bc8 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -1,9 +1,9 @@
 [Unit]
 Description=CzechLight __MODEL__ driver
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service velia-hardware-g1.service velia-hardware-g2.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 StartLimitIntervalSec=0
 ConditionKernelCommandLine=|czechlight=__MODEL__
 ConditionKernelCommandLine=|czechlight=__MODEL__-g2
diff --git a/package/czechlight-cfg-fs/czechlight-cfg-fs.mk b/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
index aebc14b..cabfabe 100644
--- a/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
+++ b/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
@@ -22,6 +22,12 @@
 		$(TARGET_DIR)/sbin/init-czechlight.sh
 	$(INSTALL) -D -m 0755 $(@D)/czechlight-random-seed $(TARGET_DIR)/sbin/czechlight-random-seed
 	mkdir -p $(TARGET_DIR)/cfg
+	$(INSTALL) -D -m 0644 \
+	    --target-directory $(TARGET_DIR)/usr/lib/systemd/system/ \
+	    $(BR2_EXTERNAL_CZECHLIGHT_PATH)/package/czechlight-cfg-fs/nacm-restore.service
+	$(INSTALL) -D -m 0644 \
+	    --target-directory $(TARGET_DIR)/usr/share/yang-data/ \
+	    $(BR2_EXTERNAL_CZECHLIGHT_PATH)/package/czechlight-cfg-fs/nacm.json
 	$(ifeq ($(CZECHLIGHT_CFG_FS_PERSIST_SYSREPO),y))
 		mkdir -p $(TARGET_DIR)/usr/lib/systemd/system/multi-user.target.wants/
 		$(INSTALL) -D -m 0644 \
diff --git a/package/czechlight-cfg-fs/nacm-restore.service b/package/czechlight-cfg-fs/nacm-restore.service
new file mode 100644
index 0000000..96dfb7c
--- /dev/null
+++ b/package/czechlight-cfg-fs/nacm-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore NACM rules
+After=netopeer2-install-yang.service czechlight-install-yang.service cfg.mount
+Requires=netopeer2-install-yang.service czechlight-install-yang.service cfg.mount
+Before=netopeer2-setup.service netopeer2.service sysrepo-persistent-cfg.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sysrepocfg -d startup -m ietf-netconf-acm -f json --import=/usr/share/yang-data/nacm.json
+ExecStart=/bin/sysrepocfg -C startup
+
+[Install]
+WantedBy=multi-user.target
diff --git a/package/czechlight-cfg-fs/nacm.json b/package/czechlight-cfg-fs/nacm.json
new file mode 100644
index 0000000..f3e5fbd
--- /dev/null
+++ b/package/czechlight-cfg-fs/nacm.json
@@ -0,0 +1,32 @@
+{
+    "ietf-netconf-acm:nacm": {
+        "rule-list": [
+            {
+                "name": "Allow DWDM control to the optics group",
+                "group": ["optics"],
+                "rule": [
+                    {
+                        "name": "czechlight-roadm-device",
+                        "module": "czechlight-roadm-device",
+                        "action": "permit"
+                    },
+                    {
+                        "name": "czechlight-inline-amp",
+                        "module": "czechlight-inline-amp",
+                        "action": "permit"
+                    },
+                    {
+                        "name": "czechlight-coherent-add-drop",
+                        "module": "czechlight-coherent-add-drop",
+                        "action": "permit"
+                    },
+                    {
+                        "name": "czechlight-calibration-device",
+                        "module": "czechlight-calibration-device",
+                        "action": "permit"
+                    }
+                ]
+            }
+        ]
+    }
+}
diff --git a/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service b/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service
index 69cfad0..f903427 100644
--- a/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service
+++ b/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=lldp-systemd-networkd-sysrepo is a sysrepo application announcing LLDP neighbours from systemd-networkd.
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 PartOf=netopeer2.service
 
 [Service]
diff --git a/package/reset-sysrepo/reset-sysrepo.mk b/package/reset-sysrepo/reset-sysrepo.mk
index 89e653c..1fba992 100644
--- a/package/reset-sysrepo/reset-sysrepo.mk
+++ b/package/reset-sysrepo/reset-sysrepo.mk
@@ -22,6 +22,7 @@
 		lldp-systemd-networkd-sysrepo.service \
 		netopeer2.service \
 		sysrepo-persistent-cfg.service \
+		nacm-restore.service \
 		velia-system.service \
 		velia-hardware-g1.service \
 		velia-hardware-g2.service \
diff --git a/package/velia/velia-hardware-g1.service b/package/velia/velia-hardware-g1.service
index dceb28e..bef35f6 100644
--- a/package/velia/velia-hardware-g1.service
+++ b/package/velia/velia-hardware-g1.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=Tracking hardware metrics
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 ConditionKernelCommandLine=|czechlight=sdn-inline
 ConditionKernelCommandLine=|czechlight=sdn-roadm-add-drop
 ConditionKernelCommandLine=|czechlight=sdn-roadm-coherent-a-d
diff --git a/package/velia/velia-hardware-g2.service b/package/velia/velia-hardware-g2.service
index 2d71f43..f3021e4 100644
--- a/package/velia/velia-hardware-g2.service
+++ b/package/velia/velia-hardware-g2.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=Tracking hardware metrics
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 ConditionKernelCommandLine=|czechlight=sdn-inline-g2
 ConditionKernelCommandLine=|czechlight=sdn-roadm-add-drop-g2
 ConditionKernelCommandLine=|czechlight=sdn-roadm-coherent-a-d-g2
diff --git a/package/velia/velia-system.service b/package/velia/velia-system.service
index 57a9a40..cd8db60 100644
--- a/package/velia/velia-system.service
+++ b/package/velia/velia-system.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=System management via sysrepo
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 ConditionKernelCommandLine=czechlight
 
 [Service]
diff --git a/submodules/velia b/submodules/velia
index 0eefdf1..1f21fae 160000
--- a/submodules/velia
+++ b/submodules/velia
@@ -1 +1 @@
-Subproject commit 0eefdf13b13ebdecc2392d21f045f3bee867c539
+Subproject commit 1f21fae9aef64630cba8939b5807c724de2886c9