diff --git a/ansible/host_vars/deluge.yml b/ansible/host_vars/deluge.yml
deleted file mode 100644
index c6a60bc..0000000
--- a/ansible/host_vars/deluge.yml
+++ /dev/null
@@ -1 +0,0 @@
-expose_ssh: true
diff --git a/ansible/host_vars/forrest.yml b/ansible/host_vars/forrest.yml
index a1c3f3d..65e9214 100644
--- a/ansible/host_vars/forrest.yml
+++ b/ansible/host_vars/forrest.yml
@@ -1,3 +1 @@
-expose_ssh: true
-
 protected_ip: "{{ pve_hosts.forrest.internal_ip }}"
diff --git a/ansible/host_vars/ingress.yml b/ansible/host_vars/ingress.yml
deleted file mode 100644
index c6a60bc..0000000
--- a/ansible/host_vars/ingress.yml
+++ /dev/null
@@ -1 +0,0 @@
-expose_ssh: true
diff --git a/ansible/host_vars/jellyfin.yml b/ansible/host_vars/jellyfin.yml
deleted file mode 100644
index c6a60bc..0000000
--- a/ansible/host_vars/jellyfin.yml
+++ /dev/null
@@ -1 +0,0 @@
-expose_ssh: true
diff --git a/ansible/host_vars/pve-docker.yml b/ansible/host_vars/pve-docker.yml
index b8a9add..a71b000 100644
--- a/ansible/host_vars/pve-docker.yml
+++ b/ansible/host_vars/pve-docker.yml
@@ -1,5 +1,3 @@
-expose_ssh: true
-
 private_ip: "{{ pve_hosts.pve_docker.ip }}"
 protected_ip: "{{ pve_hosts.pve_docker.internal_ip }}"
diff --git a/ansible/host_vars/pve.yml b/ansible/host_vars/pve.yml
index b74abd5..a9db0a6 100644
--- a/ansible/host_vars/pve.yml
+++ b/ansible/host_vars/pve.yml
@@ -1,5 +1,3 @@
-expose_ssh: true
-
 private_ip: "{{ pve_hosts.pve.ip }}"
 protected_ip: "{{ pve_hosts.pve.internal_ip }}"
diff --git a/ansible/roles/base/defaults/main.yml b/ansible/roles/base/defaults/main.yml
deleted file mode 100644
index 41be9b2..0000000
--- a/ansible/roles/base/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-expose_ssh: false
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 9b33b71..cede24c 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,11 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
-{% if expose_ssh %}
-AllowUsers {{ user }}
-{% else %}
-AllowUsers {{ user }}@{{ wireguard.cidr }}
-{% endif %}
+AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %}
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
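Review bot: The new `AllowUsers` line renders with no pattern on any host that is in neither `pve_hosts` nor `nebula.clients`; depending on the OpenSSH version an empty list is either a fatal config error or is read as no `AllowUsers` restriction at all, so the template should fail closed itself rather than rely on sshd. The first test looks fragile for `pve-docker`: its host_vars index `pve_hosts.pve_docker` (underscore), so `ansible_hostname in pve_hosts` is presumably false there, and this commit also drops the `expose_ssh: true` that previously allowed the user from any source. Consider normalising the lookup, e.g. `{% if inventory_hostname | replace('-', '_') in pve_hosts %}`, and adding `validate: /usr/sbin/sshd -t -f %s` to the task that deploys this file (not visible in this diff). The rest of sshd_config lies outside the hunk.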