diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 8fcfc057876ffa952b312d225c21d0c38d670ecb..6f546a0a2767702ecb3af25acf9bd9147ccb563b 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -23,6 +23,25 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
 ]
 }
 
+provider "registry.terraform.io/hashicorp/http" {
+ version = "2.1.0"
+ constraints = "2.1.0"
+ hashes = [
+ "h1:HmUcHqc59VeHReHD2SEhnLVQPUKHKTipJ8Jxq67GiDU=",
+ "zh:03d82dc0887d755b8406697b1d27506bc9f86f93b3e9b4d26e0679d96b802826",
+ "zh:0704d02926393ddc0cfad0b87c3d51eafeeae5f9e27cc71e193c141079244a22",
+ "zh:095ea350ea94973e043dad2394f10bca4a4bf41be775ba59d19961d39141d150",
+ "zh:0b71ac44e87d6964ace82979fc3cbb09eb876ed8f954449481bcaa969ba29cb7",
+ "zh:0e255a170db598bd1142c396cefc59712ad6d4e1b0e08a840356a371e7b73bc4",
+ "zh:67c8091cfad226218c472c04881edf236db8f2dc149dc5ada878a1cd3c1de171",
+ "zh:75df05e25d14b5101d4bc6624ac4a01bb17af0263c9e8a740e739f8938b86ee3",
+ "zh:b4e36b2c4f33fdc44bf55fa1c9bb6864b5b77822f444bd56f0be7e9476674d0e",
+ "zh:b9b36b01d2ec4771838743517bc5f24ea27976634987c6d5529ac4223e44365d",
+ "zh:ca264a916e42e221fddb98d640148b12e42116046454b39ede99a77fc52f59f4",
+ "zh:fe373b2fb2cc94777a91ecd7ac5372e699748c455f44f6ea27e494de9e5e6f92",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/local" {
 version = "1.4.0"
 constraints = "1.4.0"
diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index d156b903ac8a7d517b621a4646239b0eb6f841a5..c19819f459bffb95ac4ec09874cca4903cf068a8 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -1,4 +1,3 @@
-# https://docs.k8s.io/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-network-connectivity-user-infra_installing-platform-agnostic
 resource "hcloud_firewall" "k8s-node" {
 name = "k8s-node"
 apply_to {
diff --git a/terraform/ssh.tf b/terraform/ssh.tf
new file mode 100644
index 0000000000000000000000000000000000000000..e99707ebb9900a7f1c77819d7407daa7e1e44e2a
--- /dev/null
+++ b/terraform/ssh.tf
@@ -0,0 +1,40 @@
+data "hcloud_ssh_keys" "all_keys" {
+}
+
+# Get current public IPs to configure SSH firewall
+data "http" "myipv4" {
+ url = "https://api4.ipify.org"
+}
+data "http" "myipv6" {
+ url = "https://api6.ipify.org"
+}
+
+resource "hcloud_firewall" "k8s-ssh" {
+ name = "k8s-ssh"
+ apply_to {
+ label_selector = "k8s.io/node"
+ }
+
+ # ICMP is always a good idea
+ #
+ # Network reachability tests
+ rule {
+ description = "ICMP"
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ rule {
+ description = "SSH access"
+ direction = "in"
+ protocol = "tcp"
+ port = "22"
+ source_ips = [
+ "${chomp(data.http.myipv4.body)}/32",
+ "${replace(chomp(data.http.myipv6.body), "/^([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):.*/", "$1")}::/64",
+ ]
+ }
+}
diff --git a/terraform/ssh_keys.tf b/terraform/ssh_keys.tf
deleted file mode 100644
index db794f29d0e7b7cc56cb41a7ce3a1eedfa203cd5..0000000000000000000000000000000000000000
--- a/terraform/ssh_keys.tf
+++ /dev/null
@@ -1,2 +0,0 @@
-data "hcloud_ssh_keys" "all_keys" {
-}
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 4922ac71ac2d0003abb5f403d059627742ba9f06..98407af4638033cf43344a12bf593509afbd45ca 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -16,6 +16,10 @@ terraform {
 source = "hashicorp/local"
 version = "1.4.0"
 }
+ http = {
+ source = "hashicorp/http"
+ version = "2.1.0"
+ }
 }
 required_version = ">= 0.14"
 }
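Review bot: The `source_ips` of the "SSH access" rule in ssh.tf are built straight from the two ipify response bodies with no shape check, so whatever a successful response contains becomes a firewall rule; `replace()` in particular returns its input unchanged when the IPv6 pattern does not match (an address compressed within its first four hextets), producing the raw address with `::/64` appended rather than a valid prefix, and the IPv4 body is never validated at all. Because versions.tf pins `required_version = ">= 0.14"`, `precondition` blocks cannot be relied on, but `regex()` errors when there is no match and so turns an unexpected response into a failed plan instead of an unintended rule: `"${regex("^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", chomp(data.http.myipv4.body))}/32",` and `"${regex("^([0-9a-f]{1,4}:[0-9a-f]{1,4}:[0-9a-f]{1,4}:[0-9a-f]{1,4}):", chomp(data.http.myipv6.body))[0]}::/64",`. Both lookups also run on every plan, so a run from a workstation without IPv6 connectivity appears to fail the whole plan rather than skip that entry, and a run from a different network silently rewrites the rule, which deserves a comment above the `data "http"` blocks such as `# Resolved at plan time: the SSH rule follows the network this plan is run from.`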