diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 10acca6..cbaf9a0 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -119,6 +119,12 @@ let
 description = "SSH public keys used to access the build server.";
 default = [ ];
 };
+
+ external-interfaces = mkOption {
+ type = listOf str;
+ description = "A list of interfaces on which to enable the firewall.";
+ default = [ ];
+ };
 };
 };
 
@@ -155,6 +161,11 @@ in {
 "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 };
+
+ firewall = {
+ enable = (length host-cfg.external-interfaces) > 0;
+ allowedTCPPorts = [ 22 ];
+ };
 };
 
 environment.etc.hosts = mkForce {
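Review bot: The description of the new `external-interfaces` option promises interface-scoped firewalling ("interfaces on which to enable the firewall"), but the only consumer visible in this commit, the `firewall` block in the second hunk, uses the list solely as an on/off switch via `length ... > 0` and opens port 22 host-wide. Either the description should say what the option actually does today, e.g. `description = "Interfaces considered externally reachable; when non-empty, the host firewall is enabled.";`, or the second hunk should consume the list per interface (see the note on that hunk). The option-set this is added to begins before the hunk, so I cannot see whether a sibling option already carries the interface-scoping semantics.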
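Review bot: `enable = (length host-cfg.external-interfaces) > 0;` is fail-open: any host whose configuration has not been updated to set the new option (default `[ ]`) gets its firewall switched off, which is weaker than NixOS's own default of `networking.firewall.enable = true`. Safer is to keep the firewall always on and let the list scope exposure instead, e.g. `enable = true;` and `interfaces = genAttrs host-cfg.external-interfaces (_: { allowedTCPPorts = [ 22 ]; });`, assuming `genAttrs` is in scope alongside the other unqualified `lib` names this file already uses (`mkOption`, `length`, `mkForce`). As written, `allowedTCPPorts = [ 22 ]` also applies to every interface regardless of the list, so declaring a single external interface still exposes SSH on all of them. The enclosing attribute set (presumably `networking`, given the `hosts` entries in context) starts outside this hunk, so the exact attribute path should be confirmed.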