diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
new file mode 100755
index 00000000..4dc98c51
--- /dev/null
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+#
+# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+if [ -e "/$__object_id" ]
+then getfacl "/$__object_id" | grep -E '^((default:|)(user|group)):[a-z]' || true
+fi
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
new file mode 100755
index 00000000..a59d49e0
--- /dev/null
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -0,0 +1,81 @@
+#!/bin/sh -e
+#
+# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os="$( cat "$__global/explorer/os" )"
+
+acl_path="/$__object_id"
+
+acl_is="$( cat "$__object/explorer/acl_is" )"
+
+acl_should="$( for parameter in user group
+do
+    if [ ! -f "$__object/parameter/$parameter" ]
+    then continue
+    fi
+    while read -r l
+    do
+        echo "$parameter:$l"
+
+        if [ -f "$__object/parameter/default" ]
+        then echo "default:$parameter:$l"
+        fi
+    done < "$__object/parameter/$parameter"
+done )"
+
+setfacl_exec='setfacl'
+
+if [ -f "$__object/parameter/recursive" ]
+then
+    if echo "$os" | grep -E 'macosx|netbsd|freebsd|openbsd'
+    then
+        echo "$os setfacl do not support recursive operations" >&2
+    else
+        setfacl_exec="$setfacl_exec -R"
+    fi
+fi
+
+if [ -f "$__object/parameter/remove" ]
+then
+    if echo "$os" | grep 'solaris'
+    then
+        # Solaris setfacl behaves differently.
+        # We will not support Solaris for now, because no way to test it.
+        # But adding support should be easy (use -s instead of -m on modify).
+        echo "$os setfacl do not support -x flag for ACL remove" >&2
+    else
+        echo "$acl_is" | while read -r acl
+        do
+            if echo "$acl_should" | grep -Fq "$acl"
+            then continue
+            fi
+
+            no_bits="$( echo "$acl" | sed -r 's/:[rwx-]+$//' )"
+
+            echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
+        done
+    fi
+fi
+
+for acl in $acl_should
+do
+    if ! echo "$acl_is" | grep -Eq "^$acl"
+    then echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
+    fi
+done
diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
new file mode 100644
index 00000000..39db4d75
--- /dev/null
+++ b/cdist/conf/type/__acl/man.rst
@@ -0,0 +1,62 @@
+cdist-type__acl(7)
+==================
+
+NAME
+----
+cdist-type__acl - Basic wrapper around `setfacl`
+
+
+DESCRIPTION
+-----------
+ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
+
+See setfacl(1) and acl(5) for more details.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+user
+   Add user ACL entry.
+
+group
+   Add group ACL entry.
+
+
+BOOLEAN PARAMETERS
+------------------
+recursive
+   Operate recursively (Linux only).
+
+default
+   Add default ACL entries.
+
+remove
+   Remove undefined ACL entries (Solaris not supported).
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __acl /srv/project \
+        --recursive \
+        --default \
+        --remove \
+        --user alice:rwx \
+        --user bob:r-x \
+        --group project-group:rwx \
+        --group some-other-group:r-x
+
+
+AUTHORS
+-------
+Ander Punnar <ander-at-kvlt-dot-ee>
+
+
+COPYING
+-------
+Copyright \(C) 2018 Ander Punnar. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/cdist/conf/type/__acl/parameter/boolean b/cdist/conf/type/__acl/parameter/boolean
new file mode 100644
index 00000000..8b96693f
--- /dev/null
+++ b/cdist/conf/type/__acl/parameter/boolean
@@ -0,0 +1,3 @@
+recursive
+default
+remove
diff --git a/cdist/conf/type/__acl/parameter/optional_multiple b/cdist/conf/type/__acl/parameter/optional_multiple
new file mode 100644
index 00000000..22f5a52c
--- /dev/null
+++ b/cdist/conf/type/__acl/parameter/optional_multiple
@@ -0,0 +1,2 @@
+user
+group