There is a setting to hide the login button in AtoM, but it does not include options to hide it for public IPs and display it for internal network users. See:
With this setting in place, your staff users would manually navigate to /user/login to authenticate.
One additional step you could take would be to use a custom rule for your Nginx web server to restrict access to /user/login for anyone who does not originate from a specific IP address or range. You can find examples of how to add such a rule to the Nginx configuration block in the Nginx documentation, and many other places online.
Unfortunately, I am not sure it would be possible to use Nginx to hide a specific page element like the login button on the homepage (or any other public page) depending on IP.
Finally, one additional option for larger sites or more security-oriented sites would be to use a two-site deployment, with a replication script to copy content periodically from your internal staff edit site to your read-only public AtoM site. For more information on this, see:
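
One way to write the Nginx rule described above, as an added example that is not part of the original reply or of the AtoM project's configuration. The `atom_`-prefixed variable names are hypothetical, the networks and server name are placeholders, and the front controller names (`index.php`, `qubit_dev.php`) are assumed to match your existing AtoM server block:

```nginx
# --- http {} context ---

# 1 for staff networks, 0 for everyone else (evaluated against $remote_addr).
geo $atom_staff_net {
    default        0;
    127.0.0.1/32   1;   # local checks from the server itself
    10.0.0.0/8     1;   # placeholder: internal staff range
    192.0.2.0/24   1;   # placeholder: VPN egress range
}

# 1 when the normalized request path is the login page, whether it is
# requested directly or through a PHP front controller with path info
# (assumed names: index.php and qubit_dev.php).
map $uri $atom_login_uri {
    default                                        0;
    ~^(/(index|qubit_dev)\.php)?/user/login(/|$)   1;
}

# Deny only the combination "login page" + "not a staff network".
map "$atom_login_uri:$atom_staff_net" $atom_deny_login {
    default 0;
    "1:0"   1;
}

# --- existing AtoM server {} block ---
server {
    listen 80;
    server_name atom.example.org;   # placeholder

    # Runs before any location is selected, so routing for every other
    # page, and for staff, is left exactly as it was.
    if ($atom_deny_login) { return 403; }

    # ... existing AtoM root, location and fastcgi directives unchanged ...
}
```

If AtoM sits behind a reverse proxy or load balancer, `$remote_addr` is the proxy's address, so restore the client address first with the realip module (`set_real_ip_from`, `real_ip_header`). After reloading Nginx, request both `/user/login` and `/index.php/user/login` from an outside address and confirm each returns 403.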