diff --git a/hosts/grail/default.nix b/hosts/grail/default.nix
index 2118a0b..58a18e3 100644
--- a/hosts/grail/default.nix
+++ b/hosts/grail/default.nix
@@ -1,4 +1,4 @@
-tools: {
+tools: rec {
   ssh.enable = true;
   ssh.id = with tools.dns; {
     publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBi5Fm2pmMBhRgJms+me1ldt9Vgj9cMSnB7UllSz3mpY";
@@ -16,6 +16,15 @@ tools: {
     };
   };
 
+  hyprspace = {
+    enable = true;
+    id = "12D3KooWN31twBvdEcxz2jTv4tBfPe3mkNueBwDJFCN4xn7ZwFbi";
+    listenPort = 995;
+    routes = [
+      "${interfaces.vstub.addr}/32"
+    ];
+  };
+
   enterprise = {
     subdomain = "node";
   };
diff --git a/hosts/grail/system.nix b/hosts/grail/system.nix
index 8a13920..16e40db 100644
--- a/hosts/grail/system.nix
+++ b/hosts/grail/system.nix
@@ -11,6 +11,8 @@ in
     depot.inputs.agenix.nixosModules.age
 
     depot.nixosModules.serverBase
+
+    depot.nixosModules.hyprspace
   ];
 
   zramSwap.enable = true;
diff --git a/secrets.nix b/secrets.nix
index 6e7f133..7658b06 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -69,6 +69,7 @@ in with hosts;
   "secrets/hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
+  "secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
   "secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
   "secrets/hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hyprspace-key-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
diff --git a/secrets/hyprspace-key-grail.age b/secrets/hyprspace-key-grail.age
new file mode 100644
index 0000000..b836504
Binary files /dev/null and b/secrets/hyprspace-key-grail.age differ