nixos-config/system/desktop/sshd.nix

{ config, ... }: {
  # make sure ssh is only available trough the tinc
  networking.firewall.extraCommands = ''
    iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
  '';
}