diff --git a/config/services/homebox.nix b/config/services/homebox.nix
new file mode 100644
index 0000000..b025359
--- /dev/null
+++ b/config/services/homebox.nix
@@ -0,0 +1,75 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: {
+ wireguard.elisabeth = {
+ client.via = "elisabeth";
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.forgejo.settings.server.HTTP_PORT];
+ };
+ systemd.services.homebox = {
+ after = ["network.target"];
+ environment = {
+ HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+ };
+ script = ''
+ ${lib.getExe pkgs.homebox} \
+ --mode production \
+ --web-port 3000 \
+ --storage-data ./data \
+ --storage-sqlite-url "./data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1" \
+ --options-allow-registration false
+ '';
+ serviceConfig = {
+ User = "homebox";
+ Group = "homebox";
+ DynamicUser = true;
+ StateDirectory = "homebox";
+ WorkingDirectory = "/var/lib/homebox";
+ LimitNOFILE = "1048576";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ StateDirectoryMode = "0700";
+ Restart = "always";
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@pkey"
+ ];
+ UMask = "0077";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/private/homebox/";
+ user = "homebox";
+ group = "homebox";
+ mode = "750";
+ }
+ ];
+}
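Review bot: The firewall rule in `wireguard.elisabeth` opens `config.services.forgejo.settings.server.HTTP_PORT` rather than the port homebox is actually started on (`--web-port 3000` in `script`), so reachability from the elisabeth proxy depends on a Forgejo setting this guest has nothing to do with — even if the two values coincide today, a Forgejo change would silently cut homebox off; make it `firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];` or bind both the flag and the rule to one `let port = 3000;`. The persistence entry also disagrees with the unit: it persists `/var/lib/private/homebox/` with `user = "homebox"` and `mode = "750"`, while the service runs as a `DynamicUser` (so a static `homebox` account presumably does not exist when the persist directory is created — verify against the impermanence activation) and sets `StateDirectoryMode = "0700"`; the usual pattern for DynamicUser state is to persist the directory owned by root with `mode = "0700"` and let systemd chown it at service start. Registration is disabled from the first boot both through `HBOX_OPTIONS_ALLOW_REGISTRATION` and `--options-allow-registration false`; unless homebox lets the first account be created regardless (not verifiable here), there is no recorded way to bootstrap the initial user, so a comment such as `# first user is created by … ; self-registration stays off afterwards` would help the next maintainer.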
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index 4e52ae4..ed02a57 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -24,6 +24,7 @@ netbird = "netbird"; actual = "actual"; firefly = "money"; + homebox = "homebox"; }; in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}"; # TODO hard coded elisabeth nicht so schön @@ -160,6 +161,7 @@ in { (blockOf "paperless" {maxBodySize = "5G";}) (proxyProtect "ttrss" {port = 80;} true) (blockOf "yourspotify" {port = 80;}) + (blockOf "homebox" {}) ((proxyProtect "firefly" {port = 80;} true) // { }) @@ -269,6 +271,7 @@ in { // mkContainer "ddclient" {} // mkContainer "ollama" {} // mkContainer "murmur" {} + // mkContainer "homebox" {} // mkContainer "ttrss" {} // mkContainer "firefly" {} // mkContainer "yourspotify" {} diff --git a/hosts/elisabeth/secrets/homebox/host.pub b/hosts/elisabeth/secrets/homebox/host.pub new file mode 100644 index 0000000..0412d8b --- /dev/null +++ b/hosts/elisabeth/secrets/homebox/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBq0dfFQA4Fs6mpzbAnM3Qa9pKoLk6eUezOvnp2iVA7W diff --git a/pkgs/homebox.nix b/pkgs/homebox.nix index 5f5bfec..4f41a34 100644 --- a/pkgs/homebox.nix +++ b/pkgs/homebox.nix @@ -128,5 +128,7 @@ in ''; meta = with lib; { + mainProgram = "api"; + maintainers = with maintainers; [patrickdag]; }; } diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index ad61f8e..5ba8bb9 100644 Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-homebox.age b/secrets/wireguard/elisabeth/keys/elisabeth-homebox.age new file mode 100644 index 0000000..d611b91 Binary files /dev/null and b/secrets/wireguard/elisabeth/keys/elisabeth-homebox.age differ diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-homebox.pub b/secrets/wireguard/elisabeth/keys/elisabeth-homebox.pub new file mode 100644 index 0000000..e6178b1 --- /dev/null 
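Review bot: `(blockOf "homebox" {})` in the second guests.nix hunk passes no `port`, while the homebox unit added in this commit listens on `--web-port 3000`; the neighbouring entries that are not on blockOf's default pass it explicitly (`{port = 80;}`), so unless that default happens to be 3000 the proxy will target the wrong port — `(blockOf "homebox" {port = 3000;})` removes the guesswork. Homebox is also published with plain `blockOf` while ttrss and firefly sit behind `proxyProtect … true`; with self-registration disabled the application's own login is the only gate, which may be intended, but a one-line comment saying so would save the next reader from wondering whether the auth layer was forgotten. The list these entries belong to starts and ends outside the hunk.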
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-homebox.pub @@ -0,0 +1 @@ +QZ8sx7wJ0pMAfxyA1hDgcemyI26/Vfaf7TICofiXPhM= diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-homebox.age b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-homebox.age new file mode 100644 index 0000000..ca80602 --- /dev/null +++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-homebox.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> X25519 h2wNST4+qSw4uCVCUqSoprjByli3t11plBHp9y7dRGA +DCCsXoA+stUFmu0aNcNJSClOFTF9pNjgN6hsZjHkOrA +-> piv-p256 XTQkUA AvmTYpnMbBf4FiesxT0+RahR55nXJbmCsPh9jSXCk28K +AUOUpit2AsUMCh3KRqwMMSLJlSUlGBeoJZWyey3S41Q +-> piv-p256 ZFgiIw Ax8nhmzow+Pshj2paySHEdKc+V+BBP55FpwNa/HOumWu +1vnybx4PiWiep4LKISh9+DQzDcv46iTf0BytjwsVPqo +-> piv-p256 5vmPtQ A5l+gaNbTzurlEnGVdjdYBrXjF5R+xdxBANv3V9W74Tq +AmWUmtqPpGCG2G9xEswFwnCLNWS0iP9wdaS7UhMIA68 +-> piv-p256 ZFgiIw Aq2tikCz8rv/r8PcY/3PKws74HTRdKC5WP1Ht/0ifeC+ +kSiDUso530lPlYN2P0JIVG1LgEbL2TkRK9v8YQpUQ7A +-> =3mcTXky-grease |'ZI-R @E>y{ m){w =.h +yyiAGQon2cSKl+YqqZzrHRtsAnSVkg88UlO9Oj6nAdMc7/X+kNmoV0roz471Qcst +5WRDl9zm+ZUTS5bCqDdLThdKlxe2BFc4vp5WWd/QBVrlGuKPza8 +--- JfX5HKp3fQCfBufji0c+DBERd4JPBp1v/HG5vXkRUzY ++{|\X,50t+Kc(àpN[d +W:MȰJ㔭*n˙a9x-] \ No newline at end of file