NixOS Home Server

Declarative NixOS configuration with RAID1+LVM storage, OpenVPN, Dynamic DNS, HTTPS, and Traefik.

Creating Secrets

One-Time Setup

Get server SSH public key and save to file:

ssh leon@192.168.3.100 "cat /etc/ssh/ssh_host_ed25519_key.pub" > /tmp/server-ssh.pub

Verify secrets/secrets.nix lists the correct recipients (already configured for this repo)

Creating a New Secret

Create a temporary file with your secret content:

echo "your_secret_value" > /tmp/my-secret

Encrypt using SSH public keys directly:

cat /tmp/my-secret | nix-shell -p age --run 'age --encrypt -R ~/.ssh/home.pub -R /tmp/server-ssh.pub -o secrets/my-secret.age'

Clean up and add to secrets.nix:

rm /tmp/my-secret

Add to secrets/secrets.nix:

"my-secret.age".publicKeys = [ personal server ];

Reference in configuration:

age.secrets.my-secret = {
  file = ./secrets/my-secret.age;
  mode = "400";
};

Important Notes

Always use -R <ssh-public-key-file> NOT -r age1... when encrypting
Encrypt to BOTH your local SSH key (~/.ssh/home.pub) and server key (/tmp/server-ssh.pub)
For secrets with env var format (like Traefik), include the prefix: CF_DNS_API_TOKEN=value
For secrets as raw values (like ddclient), just the value: value
Never commit unencrypted secrets or /tmp/ files

What Should Be Secret?

YES (encrypted with agenix):

API tokens (CloudFlare, etc.)
Private keys
Passwords (plain text)
Database credentials

NO (safe to commit):

SSH public keys (public by design)
Email addresses
Domain names
Hashed passwords (already hashed with argon2)

Router Setup

Forward these ports to 192.168.3.100:

UDP 1194 (OpenVPN)
TCP 80 (ACME challenges)
TCP 443 (HTTPS)

CloudFlare DNS Setup

Add these records:

A * → your public IPv4
AAAA * → your public IPv6 (if available)

ddclient will auto-update them.

Service Access

Service	Domain	Access
OpenVPN	vpn.husmann.me:1194	Internet
Traefik	traefik.husmann.me	Local + VPN (default)
Future	*.husmann.me	Add `middlewares = [ "allow-public" ];` for internet access

Updates

nix run nixpkgs#nixos-rebuild -- --flake .#home --target-host leon@192.168.3.100 --build-host leon@192.168.3.100 --sudo boot
ssh leon@192.168.3.100 "sudo reboot"

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
.gemini		.gemini
modules		modules
secrets		secrets
GEMINI.md		GEMINI.md
README.md		README.md
configuration.nix		configuration.nix
disko.nix		disko.nix
flake.lock		flake.lock
flake.nix		flake.nix
hardware-configuration.nix		hardware-configuration.nix

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

NixOS Home Server

Creating Secrets

One-Time Setup

Creating a New Secret

Important Notes

What Should Be Secret?

Router Setup

CloudFlare DNS Setup

Service Access

Updates

About

Uh oh!

Releases

Packages

Languages

leonhusmann/home

Folders and files

Latest commit

History

Repository files navigation

NixOS Home Server

Creating Secrets

One-Time Setup

Creating a New Secret

Important Notes

What Should Be Secret?

Router Setup

CloudFlare DNS Setup

Service Access

Updates

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages