diff --git a/common/configuration.nix b/common/configuration.nix
index 1f42b03..420614e 100644
--- a/common/configuration.nix
+++ b/common/configuration.nix
@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
 {
+  imports = [
+    ./secrets-permissions.nix
+  ];
+
   # Enable the OpenSSH daemon
   services.openssh.enable = true;
   services.openssh.settings.PermitRootLogin = lib.mkDefault "no";
@@ -21,13 +25,12 @@
     wget
     htop
     tmux
-    bmon # Shows network activity
+    bmon
     nixfmt
-    jnettop
-    iperf3
     ncdu
     git
     tig
+    restic
   ];
 
   # required when using kitty
diff --git a/common/secrets-permissions.nix b/common/secrets-permissions.nix
new file mode 100644
index 0000000..4534e2b
--- /dev/null
+++ b/common/secrets-permissions.nix
@@ -0,0 +1,22 @@
+# This module enforces permissions on secrets stored on the machines.
+
+{ config, ... }:
+
+{
+  system.activationScripts."secrets-permissions" = ''
+    # Default to restrictive permissions on secrets.
+    # Root can alway read/write/traverse directories no matter the permissions
+    # set.
+
+    chown --recursive root:root /etc/secrets
+    chmod --recursive 600 /etc/secrets
+
+    # Relax permissions on some secrets.
+
+    # The top directory must be readable and traversable by thoses who need to
+    # access secrets.
+    chmod 755 /etc/secrets
+
+    # ... add chowns & chmods to specific users/groups when needed
+  '';
+}
\ No newline at end of file
diff --git a/pastila/backups.nix b/pastila/backups.nix
new file mode 100644
index 0000000..119cf96
--- /dev/null
+++ b/pastila/backups.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.restic.backups."borgbase" = {
+    paths = [
+      "/home"
+      "/root"
+      "/etc/secrets"
+      "/var"
+      "/srv"
+    ];
+
+    exclude = [
+      "/var/cache"
+      "/home/*/.cache"
+      "/var/log"
+      ".opam"
+    ];
+
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "5h";
+      Persistent = true;
+    };
+
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 6"
+      "--keep-yearly 3"
+    ];
+
+    repositoryFile = /etc/secrets/restic/repo;
+    passwordFile = "/etc/secrets/restic/password";
+  };
+
+}
\ No newline at end of file
diff --git a/pastila/configuration.nix b/pastila/configuration.nix
index 6920763..e1d4cd3 100644
--- a/pastila/configuration.nix
+++ b/pastila/configuration.nix
@@ -11,6 +11,7 @@ in
   imports =
     [
       ./hardware-configuration.nix
+      ./backups.nix
       ../common/configuration.nix
     ];