diff --git a/hosts/common/optional/nixos-containers/backup-server.nix b/hosts/common/optional/nixos-containers/backup-server.nix
new file mode 100644
index 0000000..d18ed5e
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/backup-server.nix
@@ -0,0 +1,87 @@
+{
+ pkgs,
+ configVars,
+ lib,
+ ...
+}: let
+ containerName = "backup-server";
+ containerIp = configVars.networking.addresses.backup-server.ip;
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+in {
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ containers."${containerName}" = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/srv/backup" = {
+ hostPath = "/media/main-ssd/backup";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 8000
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.python311
+ pkgs.restic
+ pkgs.apacheHttpd
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ services.restic.server = {
+ enable = true;
+ listenAddress = "0.0.0.0:8000";
+ dataDir = "/srv/backup/restic";
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
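Review bot: The `services.restic.server` block at the end of the hunk exposes the repository on `listenAddress = "0.0.0.0:8000"` over plain HTTP (the firewall opens 8000 and the client file in this commit uses a `rest:http://` URL), so the HTTP basic-auth credentials that the client loads from its environment file cross the bridge network in cleartext. The server also runs with the module defaults for `appendOnly` and `privateRepos`, which means any client holding those credentials can delete or rewrite existing snapshots, so a compromised backed-up host can destroy its own history. Consider `privateRepos = true;` so each credential is confined to its own sub-repository, and weigh `appendOnly = true;` against the fact that the client's `pruneOpts` would then have to run on the server side instead; TLS can presumably be enabled through `extraFlags` with rest-server's `--tls` options, but that needs a certificate the hunk does not provision. A short comment above the block stating why plain HTTP on the bridge is considered acceptable here would help the next reader.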
diff --git a/hosts/common/optional/restic-backup.nix b/hosts/common/optional/restic-backup.nix
new file mode 100644
index 0000000..8c702ed
--- /dev/null
+++ b/hosts/common/optional/restic-backup.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ configVars,
+ ...
+}: let
+ passwordFile = config.sops.secrets."software/restic-passphrase".path;
+ resticServerCredentials = config.sops.secrets."software/restic-server-credentials".path;
+ backupServerIp = configVars.networking.addresses.backup-server.ip;
+in {
+ sops.secrets = {
+ "software/restic-passphrase" = {};
+ "software/restic-server-credentials" = {};
+ };
+ sops.secrets = {};
+ services.restic.backups = {
+ daily = {
+ initialize = true;
+ passwordFile = passwordFile;
+ paths = [
+ ];
+ repository = "rest:http://${backupServerIp}:8000/";
+ environmentFile = "${resticServerCredentials}";
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ ];
+ };
+ };
+}
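Review bot: `sops.secrets = {};` on the line right after the first `sops.secrets = { … };` block defines the same attribute path twice in one attribute set, which Nix rejects at evaluation time rather than merging, so this module will not build as written; the line should be deleted. The `paths = [ ];` list in the `daily` job is empty, so even once it evaluates the job has nothing to back up — presumably a placeholder, but a `# TODO: list the directories to back up` comment would make that explicit. Minor style: `passwordFile = passwordFile;` can be written `inherit passwordFile;`, and `environmentFile = "${resticServerCredentials}";` can be `environmentFile = resticServerCredentials;` since the `let` binding is already a string.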