diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index 9059fcf2..ea6962ff 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -15,6 +15,7 @@ in
 
     ./containers.nix
     ./backup.nix
+    ./grist.nix
     # ./plex.nix
     ./samba.nix
     ./paperless.nix
@@ -287,6 +288,11 @@ in
           import podmanRedirWithAuth http://archivebox:8000 
         }
       }
+      @grist host grist.hailsatan.eu
+      handle @grist {
+          import podmanRedir http://grist:8484
+        
+      }
       @snipe-it host snipe-it.hailsatan.eu
       handle @snipe-it {
         root * ${pkgs.snipe-it}/share/php/snipe-it/public
diff --git a/hosts/ds9/grist.nix b/hosts/ds9/grist.nix
new file mode 100644
index 00000000..6ab4ede5
--- /dev/null
+++ b/hosts/ds9/grist.nix
@@ -0,0 +1,34 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  ragon.agenix.secrets.ds9GristEnv = { };
+  virtualisation.quadlet = {
+    containers.grist = {
+      containerConfig = {
+        image = "docker.io/gristlabs/grist-oss";
+        networks = [
+          "podman"
+          "db-net"
+        ];
+        volumes = [
+          "grist:/persist"
+        ];
+        environments = {
+          GRIST_SANDBOX_FLAVOR = "gvisor";
+          APP_HOME_URL = "https://grist.hailsatan.eu";
+          GRIST_FORCE_LOGIN = "true";
+          GRIST_TELEMETRY_LEVEL = "off";
+          GRIST_ALLOW_AUTOMATIC_VERSION_CHECKING = "false";
+        };
+        addCapabilities = [ "SYS_PTRACE" ];
+        environmentFiles = [
+          config.age.secrets.ds9GristEnv.path
+        ];
+      };
+    };
+  };
+}
diff --git a/secrets/ds9GristEnv.age b/secrets/ds9GristEnv.age
new file mode 100644
index 00000000..b559970a
Binary files /dev/null and b/secrets/ds9GristEnv.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 16fcea48..ea8211ec 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -19,6 +19,7 @@ in
   "ds9SyncoidHealthCheckUrl.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9DynDns.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9SnipeIt.age".publicKeys = pubkeys.ragon.host "ds9";
+  "ds9GristEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9PostgresEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9ImmichEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9AuthentikEnv.age".publicKeys = pubkeys.ragon.host "ds9";