Enable Gancio service on NixOS

Gancio is available as a nixOS service since NixOS 24.11, by default it will use sqlite and nginx (with ssl activated).

Example configuration for use with PostgresSQL and Telegram plugin

{
  pkgs,
  ...
}: {
  services.gancio = {
    enable = true;
    package = pkgs.gancio;
    plugins = [ pkgs.gancioPlugins.telegram-bridge ];
    settings = {
      hostname = "agenda.example.org";
      db.dialect = "postgres";
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}

The services.gancio.settings attribute is used to generate the configuration file, see gancio configuration for available options.

Other options for the NixOS Gancio service are documented on search.nixos.org.

Additional useful configuration

Automatic backup with Restic

Eg. on a nextcloud instance:

{
  pkgs,
  ...
}: {
  services.restic.backups.gancio = {
    user = "gancio";
    initialize = true;
    repository = "rclone:nextcloud:gancio";
    rcloneConfigFile = /path/to/rclone.config;
    passwordFile = /path/to/restic-backup-password;
    paths = [
      "/var/lib/gancio"
    ];
    backupPrepareCommand = ''
      cd /var/lib/gancio
      ${pkgs.postgresql}/bin/pg_dump -Fc gancio > gancio-db.dump
    '';
    pruneOpts = [
      "--keep-daily 3"
      "--keep-weekly 1"
      "--keep-monthly 1"
    ];
  };
}

with rclone.config being something like

[nextcloud]
type = webdav
url = https://nexcloud.example.com/remote.php/dav/files/gancio-backup
vendor = nextcloud
user = gancio-backup
pass = xxxxx

Intrusion prevention with Fail2Ban

{
  ...
}: {
  services.fail2ban = {
    enable = true;
    bantime-increment.enable = true;
    jails = {
      nginx-http-auth.settings.enabled = true;
      nginx-botsearch.settings.enabled = true;
      nginx-bad-request.settings.enabled = true;
    };
  };
}