Hetzner StorageBox mounting with sops-nix for file storage & Jellyfin streaming
Introduction
After some tinkering, I finally have my Hetzner StorageBox mounted on my NixOS server: securely, declaratively, and ready for anything. The setup is not just robust, it’s also pretty slick: all credentials are managed with sops-nix, so there’s no plaintext password mess, and the mount is fully automated via systemd and NixOS config.
Why Hetzner StorageBox?
Cheap and scalable storage, up to 20TB if needed.
Accessible via multiple protocols (CIFS/SMB, SFTP, WebDAV).
I went with CIFS for native filesystem integration and the best compatibility with Linux apps.
Data is protected with RAID, and snapshots are available for extra safety.
Mounting with NixOS + sops
My NixOS config uses cifs-utils for the mount and sops-nix for all secrets. The actual credentials are encrypted in a SOPS YAML file, and only decrypted at activation time. This means I can safely keep my config in git, and everything is reproducible and auditable.
environment.systemPackages = [ pkgs.cifs-utils ];

fileSystems."/mnt/share" = {
  device = "//uXXXXXX.your-storagebox.de/backup";
  fsType = "cifs";
  options = let
    uid = toString config.users.users.cashmere.uid;
    gid = toString config.users.groups.users.gid;
    # mount on first access, unmount after 60s idle, fail fast if the box is unreachable
    automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
    # present every file as owned by my user with sane modes
    perm_opts = "uid=${uid},gid=${gid},file_mode=0644,dir_mode=0755,forceuid,forcegid";
    access_opts = "noperm,users";
  in [
    # credentials= points at the file sops-nix renders at activation, never at the Nix store
    "${automount_opts},${perm_opts},${access_opts},credentials=${config.sops.templates."smb-secrets".path}"
  ];
};
The mount itself is handled declaratively in my NixOS config. I use cifs-utils to enable SMB/CIFS support, and the mount options ensure that the share is only mounted when accessed (automount), with proper permissions for my user. The credentials are not stored directly in the config, but referenced from a file that is automatically generated by sops-nix.
To manage secrets securely, I use sops-nix. Here’s the relevant part of my config:
sops = {
  templates = {
    "smb-secrets" = {
      # placeholders are substituted with the decrypted values at activation time
      content = ''
        username=${config.sops.placeholder."smb/username"}
        password=${config.sops.placeholder."smb/password"}
        domain=${config.sops.placeholder."smb/domain"}
      '';
      owner = "root";
      group = "root";
      mode = "0400";
    };
  };
  secrets = {
    "smb/username" = {};
    "smb/password" = {};
    "smb/domain" = {};
  };
};
What happens here:
Under templates, I define a file called smb-secrets that will contain my SMB username, password, and domain. The actual values are pulled in from the secrets defined below.
The owner, group, and mode ensure that only root can read the file, keeping the credentials safe.
In the secrets block, I declare which secrets should be managed by sops-nix. These are stored encrypted in a separate SOPS YAML file and only decrypted at activation time.
The credentials file is then referenced in the mount options above, so the mount process can authenticate securely without exposing sensitive data.
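As an added example (not part of the original post or of sops-nix), here is a small post-deploy check I would run after nixos-rebuild: it verifies that the rendered credentials file is root-only and lives outside the world-readable Nix store, and that the generated mount unit passes credentials= rather than an inline password= option. It assumes sops-nix's default rendered path /run/secrets/rendered/smb-secrets and the systemd-fstab-generator unit /run/systemd/generator/mnt-share.mount; adjust both if your system differs.

```shell
#!/bin/sh
# Assumed default locations (not from the original post); pass your own as arguments.
CREDS_FILE=/run/secrets/rendered/smb-secrets
MOUNT_UNIT=/run/systemd/generator/mnt-share.mount

# check_creds_file FILE [OWNER]: succeed only if FILE is a regular file owned by
# OWNER (default root), mode 0400, and not located under /nix/store.
check_creds_file() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    case "$f" in
        /nix/store/*) echo "credentials file is in world-readable /nix/store: $f" >&2; return 1 ;;
    esac
    [ "$(stat -c %U "$f")" = "$owner" ] || { echo "wrong owner on $f" >&2; return 1; }
    [ "$(stat -c %a "$f")" = "400" ] || { echo "mode is not 0400 on $f" >&2; return 1; }
    return 0
}

# check_mount_unit UNIT: succeed only if the Options= line carries a credentials=
# option and no inline password=/pass= (which would be written to disk in the unit).
check_mount_unit() {
    u=$1
    [ -f "$u" ] || { echo "missing mount unit: $u" >&2; return 1; }
    opts=$(sed -n 's/^Options=//p' "$u")
    case ",$opts," in
        *,password=*|*,pass=*) echo "inline password in $u" >&2; return 1 ;;
    esac
    case ",$opts," in
        *,credentials=*) return 0 ;;
    esac
    echo "no credentials= option in $u" >&2
    return 1
}

main() {
    check_creds_file "${1:-$CREDS_FILE}" && check_mount_unit "${2:-$MOUNT_UNIT}" && echo "smb secrets check: ok"
}

# Only run the live checks when invoked with explicit paths, e.g.
#   sh smb-check.sh /run/secrets/rendered/smb-secrets /run/systemd/generator/mnt-share.mount
if [ $# -eq 2 ]; then
    main "$@"
fi
```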
What do I use it for?
File Storage
All my documents, archives, and important backups are stored here. It’s basically my personal cloud, but under my control.
Media Streaming
I just point Jellyfin’s library to /mnt/share/Media and it picks up all my shows and movies.
Streaming works great for 1080p content, and even multiple users can stream at once with no issues, as long as you’re not pushing lots of 4K transcodes.
The StorageBox is mounted as a regular drive, so Jellyfin sees it just like local storage, no hacky workarounds needed.
Why is this practical, you may ask?
Declarative
I can redeploy my entire setup on a new server with a single nixos-rebuild switch and everything just works.
Secure
No plaintext secrets, ever. SOPS + NixOS means my credentials are always encrypted at rest and only decrypted in memory for the mount.
Reliable
Hetzner’s StorageBox is rock solid, with snapshots and RAID for peace of mind.
Flexible
I can scale storage up or down as needed, and the mount options mean I get automounting, proper permissions, and idle timeouts out of the box.
Notes
For best performance, keep the Jellyfin server and StorageBox in the same Hetzner datacenter if possible.
If you ever need to restore or migrate, just point the mount at a new box and you’re done.
TL;DR
Hetzner StorageBox + NixOS + sops-nix = secure, automated, and super practical file and media storage. Jellyfin streams my series straight from the StorageBox, and I never have to worry about secrets or manual mounts again.