Hosts · 3 min read

Add a host manually

The most explicit onboarding path: type in the SSH hostname, port, and username yourself, pick an identity, save. Use this when the host isn't in your ~/.ssh/config, isn't on your LAN, and isn't part of a list you can paste.

Open the form

In the sidebar toolbar, click + and choose Add host… (keyboard: ⌘N). The host detail form opens in the main content area. Cancel anytime — nothing's persisted until you click Save.

Fields

Display name
Free-text label shown in the sidebar and on the dashboard. Use whatever the box is called in conversation (edge-nuc, plex-tower, pi-dns) rather than the IP — easier to scan in a long list. Required.
SSH hostname
IP, FQDN, or any string your local resolver understands (10.0.1.42, nuc.lan, plex.home.arpa). Bonjour .local names work fine on macOS. Required.
SSH port
Defaults to 22. Override for hosts behind port-knocking, non-standard SSH daemons (e.g. 2222 on TrueNAS), or jump boxes that map per-host ports.
Username
The account Noxen logs in as. Most homelabs use a single admin account (paul, admin, root); enterprises typically have a service account. Read-only access is enough — Noxen never writes to remote hosts.
Identity
Pick an SSH private key from your keychain or browse to a .pem/id_ed25519 file. Ed25519 only in v1.0 — RSA, ECDSA, and encrypted keys land in v1.1. Generate one with ssh-keygen -t ed25519 if you don't have one yet, then ssh-copy-id to the target host.
Tags (optional)
Comma-separated labels for grouping in the sidebar and filtering in exports (homelab, plex, ubuntu-24.04, client-acme). MSP tier adds multi-tenant grouping on top of plain tags.

Where the credentials go

The display name, hostname, port, username, and tags are SwiftData records — synced via your private CloudKit container if iCloud is enabled, kept locally otherwise. The SSH private key is Keychain — never CloudKit-synced, never written to disk in plaintext, scoped to the Noxen app group so the scheduled-scan agent can read it for nightly runs. See Privacy & data for the full picture.

Save and scan

Hit Save. The host shows up in the sidebar immediately with a grey indicator (never scanned). Click Scan now in the toolbar to run the first scan — typically 10–60 seconds, see how the scan engine works for what each probe does.

Common errors

SSH authentication failed
Most common cause: the bundled key isn't on the remote host's ~/.ssh/authorized_keys. Run ssh-copy-id -i <path-to-key> <user>@<host> from your Mac, then retry. Second cause: RSA / ECDSA keys are not yet supported — only Ed25519 in v1.0.
Connection refused
Port mismatch (SSH daemon listens on a non-standard port — edit the host's port field), firewall blocking (ufw/firewalld/the LAN router), or sshd is genuinely down. nc -vz <host> <port> from Terminal disambiguates.
Connection timed out
Routing or DNS — the hostname doesn't resolve to a reachable IP. ping <host> first; if that fails, you're on a different subnet to the host or VPN-disconnected.

Faster paths

If you have multiple hosts, the manual form is the slow option: