
feat: add ngit-grasp GRASP relay container on odin

- Add ngit-grasp flake input from gitnostr repo
- Create grasp container at 192.168.1.4 with agenix-managed nsec secret
- Add cloudflare tunnel route for grasp.t5.st
- Refactor container definitions into hosts/odin/containers/default.nix
Zander Hawke 1 gün önce
ebeveyn
işleme
b149e42555

+ 3 - 0
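--- a/flake.nix
+++ b/flake.nix
@@ -35,6 +35,9 @@
 
     ngit-cli.url = "github:danconwaydev/ngit-cli?shallow=true";
     ngit-cli.inputs.nixpkgs.follows = "nixpkgs-unstable";
+
+    ngit-grasp.url = "git+https://gitnostr.com/npub15qydau2hjma6ngxkl2cyar74wzyjshvl65za5k5rl69264ar2exs5cyejr/ngit-grasp.git";
+    ngit-grasp.inputs.nixpkgs.follows = "nixpkgs-unstable";
   };
 
   outputs =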
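Review bot: The new `ngit-grasp` input pins neither a `ref` nor a `rev`, and its `nix/module.nix` is imported straight into the grasp container, so whatever the default branch of that gitnostr.com repository serves at the next `nix flake update` becomes evaluated Nix and a running service on odin. The flake.lock should hold the fetched commit, but no lockfile change is visible in this commit, so I cannot confirm the input is locked yet. Pinning the URL explicitly, e.g. `ngit-grasp.url = "git+https://gitnostr.com/npub15qydau2hjma6ngxkl2cyar74wzyjshvl65za5k5rl69264ar2exs5cyejr/ngit-grasp.git?ref=main&rev=<sha>";`, makes each bump a reviewable diff rather than an implicit trust of the remote's HEAD. The sibling `ngit-cli` input also uses `?shallow=true`; matching that here would avoid pulling full history on every fetch.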

+ 60 - 0
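--- /dev/null
+++ b/hosts/odin/containers/default.nix
@@ -0,0 +1,60 @@
+{
+  config,
+  inputs,
+  outputs,
+  ...
+}:
+{
+  containers = {
+    grist-latest = {
+      autoStart = false;
+      privateNetwork = true;
+      hostAddress = "192.168.1.1";
+      localAddress = "192.168.1.2";
+      specialArgs = { inherit outputs; };
+      config = import ./grist.nix;
+    };
+
+    grasp = {
+      autoStart = false;
+      privateNetwork = true;
+      hostAddress = "192.168.1.1";
+      localAddress = "192.168.1.4";
+      specialArgs = { inherit outputs inputs; };
+
+      bindMounts = {
+        "/run/secrets/grasp-owner" = {
+          hostPath = config.age.secrets."odin/services/grasp-owner".path;
+          isReadOnly = true;
+        };
+      };
+
+      config = import ./grasp.nix;
+    };
+
+    gogs = {
+      autoStart = false;
+      privateNetwork = true;
+      hostAddress = "192.168.1.1";
+      localAddress = "192.168.1.3";
+      specialArgs = { inherit outputs; };
+
+      bindMounts = {
+        "/run/secrets/gogs-admin" = {
+          hostPath = config.age.secrets."odin/services/gogs-admin".path;
+          isReadOnly = true;
+        };
+      };
+
+      config = import ./gogs.nix;
+    };
+  };
+
+  services.caddy.virtualHosts.grist = {
+    hostName = "grist.{$DOMAIN}";
+    extraConfig = ''
+      encode gzip zstd
+      reverse_proxy 192.168.1.2:8484
+    '';
+  };
+}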
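Review bot: All three container definitions repeat the same four settings (`autoStart = false`, `privateNetwork = true`, `hostAddress = "192.168.1.1"`, a per-container `localAddress`), so the next container added here will be copied from one of them and can silently diverge from the others, e.g. by picking up a different host address or forgetting `privateNetwork`. A small local helper that fixes the shared shape and takes only the address plus the per-container extras would keep the file declarative and make the secret bind mounts the only thing that differs between entries. The `{$DOMAIN}` placeholder used by the grist vhost versus the literal `grasp.t5.st` used elsewhere in this commit is a related consistency point; I have not seen the caddy module that expands it, so I am not proposing a change there.

```nix
let
  # Shared shape for every nspawn container on odin: private veth to 192.168.1.1, started by hand.
  mkContainer = localAddress: extra: {
    autoStart = false;
    privateNetwork = true;
    hostAddress = "192.168.1.1";
    inherit localAddress;
  } // extra;
in
{
  containers = {
    grist-latest = mkContainer "192.168.1.2" {
      specialArgs = { inherit outputs; };
      config = import ./grist.nix;
    };
    # … unchanged: grasp and gogs take the same shape plus their bindMounts …
  };
  # … unchanged: caddy virtualHost for grist …
}
```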

+ 42 - 0
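--- /dev/null
+++ b/hosts/odin/containers/grasp.nix
@@ -0,0 +1,42 @@
+{
+  outputs,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    outputs.modules.global.nix-config
+    "${inputs.ngit-grasp}/nix/module.nix"
+  ];
+
+  services.ngit-grasp.primary = {
+    enable = true;
+    domain = "grasp.t5.st";
+    port = 7334;
+    bindAddress = "0.0.0.0";
+    dataDir = "/var/lib/ngit-grasp";
+    relayOwnerNsecFile = "/run/secrets/grasp-owner";
+    metricsEnabled = false;
+    archiveWhitelist = [
+      "npub1z0fle6nzrw3c6mv7klxyhkycpkt7lna04p9z5e4yq5rss259dq0sky7xzd"
+    ];
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [ 7334 ];
+    interfaces.eth0 = {
+      ipv4.addresses = [
+        {
+          address = "192.168.1.4";
+          prefixLength = 24;
+        }
+      ];
+    };
+    defaultGateway = "192.168.1.1";
+    nameservers = [ "8.8.8.8" ];
+    useDHCP = false;
+  };
+
+  boot.isContainer = true;
+  system.stateVersion = "26.05";
+}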
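Review bot: `nameservers = [ "8.8.8.8" ]` sends every DNS lookup the relay makes to Google's resolver in cleartext, while the default gateway is already the host at `192.168.1.1`; if odin runs a resolver, `nameservers = [ "192.168.1.1" ];` keeps lookups local and consistent with the other containers, and if it does not, a one-line comment saying why a public resolver was chosen would help the next reader. The `interfaces.eth0` block repeats the `192.168.1.4` that containers/default.nix already passes as `localAddress`; as far as I recall the NixOS container start script assigns `localAddress` to eth0 itself, so this block may be redundant and will drift if one side is edited alone. `bindAddress = "0.0.0.0"` together with `firewall.allowedTCPPorts = [ 7334 ]` is the right shape for a service reached only over the private veth, but a short comment such as `# Only the cloudflared tunnel on the host should reach this; the container has no other route in.` would record the intended exposure next to the port opening.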

+ 7 - 55
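--- a/hosts/odin/default.nix
+++ b/hosts/odin/default.nix
@@ -1,17 +1,16 @@
-{ config
-, lib
-, pkgs
-, outputs
-, ...
+{
+  config,
+  lib,
+  pkgs,
+  outputs,
+  ...
 }:
-let
-  age = config.age;
-in
 {
   imports = [
     # TODO: auto-import via `outputs.modules.nixos`
     outputs.modules.global.nix-config
 
+    ./containers
     ./system
     ./services
     ./users
@@ -46,53 +45,6 @@ in
     };
   };
 
-  # # Container runtime
-  # virtualisation = {
-  #   docker = {
-  #     enable = true;
-  #     storageDriver = "btrfs";
-  #     autoPrune = {
-  #       enable = true;
-  #       dates = "weekly";
-  #       flags = [ "--all" "--force" "--volumes" ];
-  #     };
-  #   };
-  # };
-
-  containers.grist-latest = {
-    autoStart = false;
-    privateNetwork = true;
-    hostAddress = "192.168.1.1";
-    localAddress = "192.168.1.2";
-    specialArgs = { inherit outputs; };
-    config = import ./containers/grist.nix;
-  };
-
-  containers.gogs = {
-    autoStart = false;
-    privateNetwork = true;
-    hostAddress = "192.168.1.1";
-    localAddress = "192.168.1.3";
-    specialArgs = { inherit outputs; };
-
-    bindMounts = {
-      "/run/secrets/gogs-admin" = {
-        hostPath = config.age.secrets."odin/services/gogs-admin".path;
-        isReadOnly = true;
-      };
-    };
-
-    config = import ./containers/gogs.nix;
-  };
-
-  services.caddy.virtualHosts.grist = {
-    hostName = "grist.{$DOMAIN}";
-    extraConfig = ''
-      encode gzip zstd
-      reverse_proxy 192.168.1.2:8484
-    '';
-  };
-
   programs.fish = {
     enable = true;
     vendor = {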

+ 2 - 1
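--- a/hosts/odin/services/cloudflared.nix
+++ b/hosts/odin/services/cloudflared.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 let
+  inherit (config.containers) gogs grasp;
   immich = config.services.immich;
-  gogs = config.containers.gogs;
 in
 {
   services.cloudflared = {
@@ -15,6 +15,7 @@ in
       ingress = {
         "photos.t5.st".service = "http://${immich.host}:${toString immich.port}";
         "git.t5.st".service = "http://${gogs.localAddress}:3000";
+        "grasp.t5.st".service = "http://${grasp.localAddress}:7334";
       };
     };
   };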
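Review bot: The new `grasp.t5.st` ingress hard-codes port `7334`, which is also set as `services.ngit-grasp.primary.port` inside grasp.nix, so the two can drift without any evaluation error; the immich route two lines above already reads its port from the service config instead. Since `grasp` is bound from `config.containers`, `"grasp.t5.st".service = "http://${grasp.localAddress}:${toString grasp.config.services.ngit-grasp.primary.port}";` gives a single source of truth, assuming the evaluated container configuration is exposed as `containers.<name>.config` (I believe it is, but have not checked against the nixpkgs revision in use). Separately, the grasp container is declared with `autoStart = false`, so this public hostname will answer with tunnel errors until someone starts the container by hand; a comment here noting that, or flipping `autoStart`, would avoid a confusing first deploy.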

+ 4 - 0
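--- a/hosts/odin/system/age.nix
+++ b/hosts/odin/system/age.nix
@@ -16,6 +16,10 @@ in
     };
     "odin/services/cloudflared".file = secrets."odin/services/cloudflared.age";
     "odin/services/cloudflared-tunnel".file = secrets."odin/services/cloudflared-tunnel.age";
+    "odin/services/grasp-owner" = {
+      file = secrets."odin/services/grasp-owner.age";
+      mode = "0444";
+    };
     "odin/services/gogs-admin" = {
       file = secrets."odin/services/gogs-admin.age";
       mode = "0444";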
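Review bot: `mode = "0444"` on the new `grasp-owner` entry makes the relay owner's Nostr secret key readable by every local account on odin, not only by whatever user runs the relay inside the container; the existing `gogs-admin` entry uses the same mode, but an nsec is a long-lived signing key, so leaking it is worse than leaking a bootstrap admin password. If the upstream module runs the relay under a fixed user or group, `mode = "0440";` together with matching `owner`/`group` attributes keeps the read-only bind mount working (NixOS containers share the host's UID space unless private users are enabled, as far as I recall) while removing the world-readable bit. If the module uses a dynamic user and the group route is not possible, a comment on the entry stating that 0444 is a deliberate trade-off for the container mount would at least stop the next reader from assuming it is an oversight.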