diff --git a/modules/networking.nix b/modules/networking.nix
index 44cf17c..87905e1 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,6 +1,10 @@
 { pkgs, ... }: {
+ # Don't expose SSH via public interfaces
+ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+
 services.openssh = {
 enable = true;
+ openFirewall = lib.mkDefault false;
 settings = {
 PermitRootLogin = "prohibit-password";
 PasswordAuthentication = false;
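Review bot: The added `openFirewall = lib.mkDefault false;` refers to `lib`, but the only argument pattern visible in the hunk is `{ pkgs, ... }:`, so unless `lib` is bound somewhere outside the hunk the module fails to evaluate with an undefined variable. Either change the header to `{ pkgs, lib, ... }:` or write `pkgs.lib.mkDefault false`. Separately, `mkDefault` makes this a low-priority definition, so any other module that sets `services.openssh.openFirewall = true;` at normal priority silently reopens port 22 on every interface. If the wg-ssh restriction is meant to be enforced rather than a default, a plain `openFirewall = false;` turns such a conflict into an evaluation error. The `services.openssh` block continues past the end of the hunk, so whether sshd is also bound to the WireGuard address (which would stop the firewall being the only barrier) cannot be checked from here.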