diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix
index 82c0235..4d8bef0 100644
--- a/hosts/architect/options.nix
+++ b/hosts/architect/options.nix
@@ -96,23 +96,29 @@ in
                   description = "The host for the location.";
                   default = "127.0.0.1";
                 };
-                
+
                 port = mkOption {
                   type = types.int;
                   description = "The port number for the location.";
                 };
-                
+
                 allow = mkOption {
                   type = types.listOf types.str;
                   default = [ ];
                   description = "IP address or CIDR block to allow.";
                 };
-                
+
                 path = mkOption {
                   type = types.str;
                   default = "";
                 };
 
+                allowWAN = mkOption {
+                  type = types.bool;
+                  default = false;
+                  description = "If set to false, deny all WAN traffic.";
+                };
+
                 deny = mkOption {
                   type = types.listOf types.str;
                   default = [ ];
@@ -140,9 +146,9 @@ in
             proxyPass = "http://${location.host}:${toString location.port}${location.path}";
             proxyWebsockets = location.proxyWebsockets;
             extraConfig = ''
-              ${optionalString location.allowLan "deny 10.0.0.1;"}
-              ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
               ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
+              ${optionalString (!location.allowWAN) "deny all;"}
+              ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
               ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
             '' + location.extraConfig;
           })