diff --git a/modules/web01/borgbackup.nix b/modules/web01/borgbackup.nix
new file mode 100644
index 0000000..d298076
--- /dev/null
+++ b/modules/web01/borgbackup.nix
@@ -0,0 +1,64 @@
+{ config, ... }: {
+ # 100GB storagebox is under the nix-community hetzner account
+
+ # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
+ sops.secrets.hetzner-borgbackup-ssh = { };
+ # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
+ sops.secrets.hetzner-borgbackup-passphrase = { };
+
+ systemd.services.borgbackup-job-nixpkgs-update.serviceConfig.ReadWritePaths = [
+ "/var/log/telegraf"
+ ];
+
+ services.borgbackup.jobs.clan-lol = {
+ paths = [
+ "/home"
+ "/var"
+ "/root"
+ ];
+ exclude = [
+ "*.pyc"
+ "/home/*/.direnv"
+ "/home/*/.cache"
+ "/home/*/.cargo"
+ "/home/*/.npm"
+ "/home/*/.m2"
+ "/home/*/.gradle"
+ "/home/*/.opam"
+ "/home/*/.clangd"
+ "/var/lib/containerd"
+ # already included in database backup
+ "/var/lib/postgresql"
+ # not so important
+ "/var/lib/docker/"
+ "/var/log/journal"
+ "/var/cache"
+ "/var/tmp"
+ "/var/log"
+ ];
+ repo = "u359378@u359378.your-storagebox.de:/./borgbackup";
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
+ };
+ compression = "auto,zstd";
+ startAt = "daily";
+ environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
+ preHook = ''
+ set -x
+ '';
+
+ postHook = ''
+ cat > /var/log/telegraf/borgbackup-clan-lol <