nixos-configuration/hosts/pi4/security/firewall.nix

{
  networking = {
    firewall = {
      enable = true;
      trustedInterfaces = [ "tailscale0" ];
      extraInputRules =
        let
          localIPv4Range = "192.168.10.0/24";
        in
        ''
          ip saddr ${localIPv4Range} tcp dport 22 accept
          ip saddr ${localIPv4Range} udp dport 22 accept
        '';
    };
    nftables.enable = true;
  };
}