diff --git a/ansible/group_vars/all/ssh.yml b/ansible/group_vars/all/ssh.yml
new file mode 100644
index 0000000..41be9b2
--- /dev/null
+++ b/ansible/group_vars/all/ssh.yml
@@ -0,0 +1 @@
+expose_ssh: false
diff --git a/ansible/host_vars/intersect.yml b/ansible/host_vars/intersect.yml
new file mode 100644
index 0000000..c6a60bc
--- /dev/null
+++ b/ansible/host_vars/intersect.yml
@@ -0,0 +1 @@
+expose_ssh: true
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 88e808d..bd05525 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,8 +2,11 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port 7743
 
-# Deny all other users besides the following
+{% if expose_ssh %}
 AllowUsers {{ user }}
+{% else %}
+AllowUsers {{ user }}@{{ wireguard.cidr }}
+{% endif %}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0