diff --git a/secret/hosts/attic.nix b/secret/hosts/attic.nix
index 4c114d9..a793b5b 100644
Binary files a/secret/hosts/attic.nix and b/secret/hosts/attic.nix differ
diff --git a/system/hosts/attic.nix b/system/hosts/attic.nix
index 25a2537..632d73a 100644
--- a/system/hosts/attic.nix
+++ b/system/hosts/attic.nix
@@ -17,6 +17,8 @@ in
 
     (import ../nixos/atticd.nix (args // { inherit secret; }))
 
+    (import ../nixos/home-proxy.nix (args // { inherit secret; }))
+
     ../nixos/tailscale.nix
   ];
 
diff --git a/system/nixos/home-proxy.nix b/system/nixos/home-proxy.nix
new file mode 100644
index 0000000..8ffb7c2
--- /dev/null
+++ b/system/nixos/home-proxy.nix
@@ -0,0 +1,17 @@
+{ pkgs, config, secret, ... }:
+
+{
+  services.nginx.streamConfig = ''
+    upstream home {
+      resolver 1.1.1.1 ipv6=off;
+      server ${secret.nginx.upstream.home.hostname}:${secret.nginx.upstream.home.port};
+    }
+
+    server {
+      listen ${secret.nginx.upstream.home.port};
+      proxy_pass home;
+    }
+  '';
+
+  networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ secret.nginx.upstream.home.port ];
+}