diff --git a/base/services/roowho2.nix b/base/services/roowho2.nix
index 025e797..73e9950 100644
--- a/base/services/roowho2.nix
+++ b/base/services/roowho2.nix
@@ -1,4 +1,12 @@
-{ ... }:
+{ lib, values, ... }:
 {
-  services.roowho2.enable = true;
+  services.roowho2.enable = lib.mkDefault true;
+
+  systemd.sockets.roowho2-rwhod.socketConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      values.ipv4-space
+    ];
+  };
 }