diff --git a/machines/renge/configuration.nix b/machines/renge/configuration.nix
index 151d032..4538c8e 100644
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@@ -12,6 +12,7 @@
     ./services/element-web.nix
     ./services/gitea.nix
     ./services/grafana.nix
+    ./services/grocy.nix
     ./services/hedgedoc.nix
     ./services/invidious
     ./services/libreddit.nix
diff --git a/machines/renge/services/grocy.nix b/machines/renge/services/grocy.nix
new file mode 100644
index 0000000..83707ca
--- /dev/null
+++ b/machines/renge/services/grocy.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+{
+  services.grocy = {
+    enable = true;
+    hostName = "grocy.sbruder.de";
+    settings = {
+      currency = "EUR";
+      culture = "de";
+      calendar = {
+        firstDayOfWeek = 1; # it certainly isn’t Sunday
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${config.services.grocy.hostName}" =
+    let
+      # workaround for nginx dropping parent headers
+      # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
+      parentHeaders = lib.concatStringsSep "\n" (lib.filter
+        (lib.hasPrefix "add_header ")
+        (lib.splitString "\n" config.services.nginx.commonHttpConfig));
+    in
+    {
+      locations."~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = ''
+        ${parentHeaders}
+        add_header Cache-Control "public, max-age=15778463";
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy no-referrer;
+        access_log off;
+      '';
+    };
+}