
docs: add odin server docs, Gogs container, and push-to-mirror setup +1

Zander Hawke 1 day ago
parent
commit
4769ca5da4
2 changed files with 122 additions and 6 deletions
  1. 16 5
      README.md
  2. 106 1
      hosts/odin/README.md

+ 16 - 5
README.md

@@ -7,6 +7,7 @@ A comprehensive Nix configuration for managing multiple machines with a unified
 This repository manages the following machines:
 - **meili** - macOS laptop (aarch64-darwin)
 - **modgud** - Linux server (x86_64-linux)
+- **odin** - Home server (x86_64-linux)
 
 Each machine has its own system configuration and home-manager setup, with shared modules and features.
 
@@ -17,13 +18,15 @@ Each machine has its own system configuration and home-manager setup, with share
 ├── flake.nix              # Main flake configuration
 ├── hosts/                 # System-specific configurations
 │   ├── meili/             # macOS laptop configuration
-│   └── modgud/            # Linux server configuration
+│   ├── modgud/            # Linux server configuration
+│   └── odin/              # Home server configuration (NixOS with containers)
 ├── home/                  # My home-manager configurations
 │   └── features/          # Shared home-manager features
 │       ├── cli/           # CLI tools (git, fish, tmux, etc.)
 │       ├── desktop/       # Desktop applications (aerospace, ghostty, etc.)
 │       └── nvim/          # Neovim configuration
 ├── modules/               # Shared NixOS/Darwin modules
+│   └── nixos/             # NixOS modules (gogs, grist)
 ├── packages/              # Custom packages
 ├── lib/                   # Helper functions
 └── overlays/              # Nixpkgs overlays
@@ -116,6 +119,9 @@ sudo dnf install ghostty
 
 This repository includes several custom packages:
 
+- `gogs` - Git hosting service (NixOS container on odin)
+- `gogs-themes` - Dark & responsive themes for Gogs
+- `grist-core` - Spreadsheet server (NixOS container on odin)
 - `photo-cli` - Photo management and organization tool
 - `tmux-select-pane-no-wrap` - TMUX pane selection without wrapping
 - `aerospace-tmux-focus` - Integration between AeroSpace and TMUX
@@ -129,11 +135,16 @@ This repository includes several custom packages:
 - **Location**: America/Los_Angeles timezone
 - **Services**: Remote login enabled
 
-### modgud (Linux Server)
+### odin (Home Server)
 - **System**: x86_64-linux
-- **Features**: Server-focused configuration with minimal desktop components
-- **Location**: Europe/Amsterdam timezone
-- **Services**: Reverse proxy, identity provider, P2P mesh network
+- **Role**: NixOS host running containers for Gogs (git hosting), Grist (spreadsheets), and Immich (photos)
+- **Features**: Cloudflare tunnel ingress, Btrfs with impermanence, age-encrypted secrets
+- **Location**: Europe/Vienna timezone
+- **Services**:
+  - **Gogs** at `git.t5.st` - Self-hosted Git service with dark theme, registration disabled
+  - **Grist** at `grist.odin.t5.st` - Spreadsheet server
+  - **Immich** at `photos.t5.st` - Photo management
+  - **Cloudflare Tunnel** - Ingress for all public services
 
 ## Development
 
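Review bot: Replacing the `### modgud (Linux Server)` heading and its Features/Location/Services bullets with the odin section drops modgud's machine description entirely, while the machine list and directory tree earlier in this README still list modgud. If modgud is still managed here, add `### odin (Home Server)` as a new section after the modgud one instead of overwriting it; if it is being retired, remove it from the list and the tree as well. Also, the Services list says Cloudflare Tunnel is the ingress for all public services, but hosts/odin/README.md in this same commit describes Grist as served via a Caddy reverse proxy; one of the two should be reworded so the exposure path for Grist is unambiguous.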

+ 106 - 1
hosts/odin/README.md

@@ -19,7 +19,112 @@ nix run github:nix-community/nixos-anywhere -- \
   --target-host [email protected]
 ```
 
-## Install Script
+## Containers
+
+odin runs several services inside NixOS containers. Each container is a standalone `nixosConfiguration` in the flake.
+
+### Gogs (git.t5.st)
+
+Self-hosted Git service accessible at `https://git.t5.st` via Cloudflare tunnel.
+
+**Container config:** `hosts/odin/containers/gogs.nix`
+
+**Module:** `modules/nixos/gogs.nix`
+
+**Features:**
+- Dark theme with accent color variants (configure via `services.gogs.theme`)
+- Registration disabled, admin user provisioned via age secret on first start
+- SSH server on port 2222 (`[email protected]`)
+- SQLite3 database (persisted on `@services` Btrfs subvolume)
+
+**Deploy:**
+```bash
+# Rebuild and restart the host
+nixos-rebuild switch --flake .#odin
+
+# Enter the container
+nixos-container root-login gogs
+
+# Check service status
+systemctl status gogs
+```
+
+**Config example:**
+```nix
+services.gogs = {
+  enable = true;
+  theme = "dark-blue";
+  adminUser = {
+    name = "control";
+    email = "[email protected]";
+    passwordFile = "/run/secrets/gogs-admin";
+  };
+  settings = {
+    auth.DISABLE_REGISTRATION = true;
+    server = {
+      DOMAIN = "git.t5.st";
+      EXTERNAL_URL = "https://git.t5.st/";
+      HTTP_PORT = 3000;
+      SSH_PORT = 2222;
+      START_SSH_SERVER = true;
+    };
+  };
+};
+```
+
+#### Push-to-Mirror
+
+To mirror a repository on Gogs to an upstream (e.g., Codeberg), set up a **post-receive hook** per-repo via the Gogs web UI:
+
+`https://git.t5.st/{owner}/{repo}/settings/hooks/git/post-receive`
+
+**Hook script using a Codeberg PAT:**
+```sh
+#!/bin/sh
+while read oldrev newrev refname; do
+    branch=$(git rev-parse --symbolic --abbrev-ref "$refname")
+    if [ "master" = "$branch" ]; then
+        PAT=$(cat /run/secrets/codeberg-pat)
+        git push --quiet --force --mirror \
+          "https://x-access-token:${PAT}@codeberg.org/{owner}/{repo}.git"
+    fi
+done
+```
+
+**Prerequisites:**
+1. Generate a Codeberg PAT with `repo` scope at `codeberg.org` → Settings → Applications
+2. Add the PAT as an age secret in `hosts/odin/system/age.nix`:
+   ```nix
+   "odin/services/codeberg-pat" = {
+     file = secrets."odin/services/codeberg-pat.age";
+     mode = "0444";
+   };
+   ```
+3. Bind-mount the secret into the container in `hosts/odin/default.nix`:
+   ```nix
+   containers.gogs.bindMounts."/run/secrets/codeberg-pat" = {
+     hostPath = config.age.secrets."odin/services/codeberg-pat".path;
+     isReadOnly = true;
+   };
+   ```
+4. Create the age-encrypted file with the PAT as content:
+   ```bash
+   echo -n "YOUR_CODEGERG_PAT" | agenix -e secrets/odin/services/codeberg-pat.age
+   ```
+
+### Grist (grist.odin.t5.st)
+
+Spreadsheet server accessible at `https://grist.odin.t5.st` via Caddy reverse proxy.
+
+**Container config:** `hosts/odin/containers/grist.nix`
+
+**Deploy:**
+```bash
+nixos-container create grist --flake .#grist --host-address 192.168.1.1 --local-address 192.168.1.2
+nixos-container start grist
+```
+
+## Fan Control
 
 ```bash
 #!/usr/bin/env bash
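Review bot: The post-receive hook under Push-to-Mirror interpolates the token into the remote URL (`"https://x-access-token:${PAT}@codeberg.org/{owner}/{repo}.git"`), so the PAT is passed to `git push` as a command-line argument and is readable from the process list while the push runs, and the secret it is read from is declared with `mode = "0444"`, which is world-readable. Suggest documenting a tighter setup: give the age secret `mode = "0400"` with an owner matching the account the Gogs service runs as, and supply the token through a credential helper or `GIT_ASKPASS` (or use an SSH deploy key for the mirror) so it never appears in the URL. Two further points in the same section: the `[ "master" = "$branch" ]` check only decides when the push runs, while `--mirror` still pushes every ref and deletes refs on the upstream that do not exist locally, which is worth stating next to the script; and the placeholder in step 4 is misspelled, `YOUR_CODEGERG_PAT` should read `YOUR_CODEBERG_PAT`.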