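{ config, lib, ... }:

with lib;

let
  cfg = config.desktop.ssh.onlyTinc;

  # Matches TCP/22 traffic that did NOT arrive on a tinc interface ("tinc.+"
  # is the iptables interface-name wildcard). The original rule "hides" sshd
  # from non-tinc peers by REDIRECTing those connections to port 0, where
  # nothing can listen, so they are refused before they reach sshd.
  # NOTE(review): a filter-table REJECT/DROP in INPUT would state the intent
  # more directly; the NAT redirect is kept to preserve existing behaviour.
  sshRedirectRule =
    "PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0";
in
{
  options.desktop.ssh.onlyTinc = mkOption {
    type = types.bool;
    default = true;
    description = ''
      Make sure SSH is only reachable through the tinc VPN interfaces
      (tinc.+). TCP port 22 connections arriving on any other interface,
      over IPv4 or IPv6, are redirected away from sshd.
    '';
  };

  config = mkIf cfg {
    # ip46tables is the helper the NixOS firewall scripts provide to extra
    # commands; it runs the same rule through iptables AND ip6tables. The
    # original iptables-only rule left SSH over IPv6 reachable on every
    # interface, which defeats the purpose of this option.
    # Assumes the kernel exposes an IPv6 nat table (standard on modern kernels).
    networking.firewall.extraCommands = ''
      ip46tables --table nat --append ${sshRedirectRule}
    '';

    # The firewall stop/reload script only flushes its own filter chains, so an
    # appended NAT rule would accumulate a duplicate on every reload unless it
    # is removed here. Deletion is best-effort: on a fresh stop the rule may
    # not exist yet, and that must not fail the service.
    networking.firewall.extraStopCommands = ''
      ip46tables --table nat --delete ${sshRedirectRule} 2>/dev/null || true
    '';
  };
}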