diff --git a/hosts/stratus/containers/forgejo/backup.nix b/hosts/stratus/containers/forgejo/backup.nix
new file mode 100644
index 0000000..d50face
--- /dev/null
+++ b/hosts/stratus/containers/forgejo/backup.nix
@@ -0,0 +1,59 @@
+{
+ config,
+ pkgs,
+ lib,
+ dataDir,
+ ...
+}:
+{
+ systemd.tmpfiles.rules = [ "d ${dataDir}/backup 750 forgejo forgejo -" ];
+
+ security.polkit = {
+ enable = true;
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "org.freedesktop.systemd1.manage-units" &&
+ action.lookup("unit") == "forgejo.service" &&
+ subject.user == "forgejo") {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
+
+ myConfig.resticBackup.forgejo = {
+ enable = true;
+ user = config.users.users.forgejo.name;
+ healthchecks.enable = true;
+
+ extraConfig = {
+ backupPrepareCommand = ''
+ ${lib.getExe' pkgs.systemd "systemctl"} stop forgejo.service
+ ${lib.getExe' config.services.postgresql.package "pg_dump"} forgejo --format=custom --file=${dataDir}/backup/db.dump
+ '';
+ backupCleanupCommand = ''
+ ${lib.getExe' pkgs.systemd "systemctl"} start forgejo.service
+ '';
+ paths = [
+ "${dataDir}/home/custom"
+ "${dataDir}/home/data"
+ "${dataDir}/home/repositories"
+ "${dataDir}/home/.ssh"
+ "${dataDir}/backup"
+ ];
+ extraBackupArgs = [ "--exclude='${dataDir}/home/custom/conf/app.ini'" ];
+ };
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeShellApplication {
+ name = "forgejo-restore";
+ text = ''
+ systemctl stop forgejo.service
+ sudo -u forgejo restic-forgejo restore --target / latest
+ sudo -u forgejo pg_restore --clean --if-exists --dbname forgejo ${dataDir}/backup/db.dump
+ systemctl start forgejo.service
+ '';
+ })
+ ];
+}
diff --git a/hosts/stratus/containers/forgejo/default.nix b/hosts/stratus/containers/forgejo/default.nix
index ed702fa..fa312da 100644
--- a/hosts/stratus/containers/forgejo/default.nix
+++ b/hosts/stratus/containers/forgejo/default.nix
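Review bot: The polkit rule in `security.polkit.extraConfig` grants every process running as the `forgejo` user — presumably including the network-facing Forgejo daemon itself, not just the restic unit — every `manage-units` verb on forgejo.service (restart, reload, kill, reset-failed), while backupPrepareCommand and backupCleanupCommand only ever issue `stop` and `start`. systemd passes the requested verb in the action details, so the rule can be narrowed to exactly what the backup uses by adding `(action.lookup("verb") == "start" || action.lookup("verb") == "stop") &&` as one more conjunct before `subject.user == "forgejo") {`. Separately, the prepare command stops forgejo before pg_dump runs, so whether the service comes back after a failed dump depends on whether `myConfig.resticBackup` (outside this diff) runs backupCleanupCommand even when prepare fails; a comment such as `# cleanup must run even if pg_dump fails, or forgejo stays stopped` above backupCleanupCommand would record that requirement. The same gap exists in forgejo-restore, where writeShellApplication's `set -e` aborts on a failed restic restore with no trap to start forgejo again.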
@@ -7,6 +7,8 @@
 ...
 }:
 {
+ imports = [ ./backup.nix ];
+
 sops.secrets."forgejo-admin-password" = {
 owner = config.users.users.forgejo.name;
 inherit (config.users.users.forgejo) group;
diff --git a/hosts/stratus/containers/forgejo/secrets.yaml b/hosts/stratus/containers/forgejo/secrets.yaml
index da22ac5..b5d3cfb 100644
--- a/hosts/stratus/containers/forgejo/secrets.yaml
+++ b/hosts/stratus/containers/forgejo/secrets.yaml
@@ -1,5 +1,9 @@
 tailscale-auth-key: ENC[AES256_GCM,data:OnCmxHy5wFAOOIv3G3rhMsjg9JjHnjENORDQGfVe+cxNSrcqb/Vb0n12jd5SCnxlqrUM+QLjo7yUaKa43M4=,iv:VWf+KsjMsAr6E7SyaXJivJzN7udZmle1LKvXXx2cSvY=,tag:DkqNwLvf2xXu5aUMvCSLWw==,type:str]
 forgejo-admin-password: ENC[AES256_GCM,data:l/6pYXwUEsu6dvEXQAhN46dXk08XCk33G1GeoLrm,iv:Z635DD5ca4wZ9vO2VAlo1rzockKL/XC0/GrQPV/59XA=,tag:XZVQS5tOPdBfYAIURfZ5vQ==,type:str]
+restic:
+ environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str]
+ password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str]
+healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -24,8 +28,8 @@ sops:
 YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg
 bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-11T19:43:05Z"
- mac: ENC[AES256_GCM,data:3PK5wU8J1Q3wOyFuW3N2nbHgLzQm8OIWOFw79DpmmUFxTEkuRkXPyL3sCOoiie7oX07vkijRQc9PTYlE92CaeoiWS17kdYVOQt309izMsqK6A4Ga01uBt3tsWUsKfkawdM2nQ6Nlft4S55lZUEwYrcX5gJrbmWsdwf4boQ7HVMA=,iv:gZ5sazElY7l1FKns1qQcXBdPQiS2exod0XTFbXdMkqk=,tag:2da6i6jVSHIsgRsfQdEZ9w==,type:str]
+ lastmodified: "2024-09-12T22:45:11Z"
+ mac: ENC[AES256_GCM,data:CO8Z3XKLvxavwVDVakqLmgFsDOItvnEUWwCZ9RXDITDPwqCq8qd1+XfXE/xlWtvXnu7x/ik+A8yTReP1NRDdHIoseoQSdvTDyP0LGgzGpl4YiCjJb894FDr6lSiWwexHQnI2R1Y2SGCCqfHOQifD9EZmdu8zRWSCjzEgtXIyPIQ=,iv:biKEYJR3SQPbeLuBch6rEgOup8KixafaYE6T/m5OjoQ=,tag:ZwWuNC75GFeTaDEk7Wcl7Q==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0