diff --git a/hosts/stratus/containers/nspawn/default.nix b/hosts/stratus/containers/nspawn/default.nix
index 9e881bc..ea66462 100644
--- a/hosts/stratus/containers/nspawn/default.nix
+++ b/hosts/stratus/containers/nspawn/default.nix
@@ -48,9 +48,9 @@ in
 bindMounts = {
 "/run/secrets/container/tailscale-auth-key" = { };
- "/run/secrets/container/${name}" = { };
- "/run/secrets/restic" = { };
- "/run/secrets/healthchecks-ping-key" = { };
+ "/run/secrets/container/${name}".isReadOnly = false;
+ "/run/secrets/restic".isReadOnly = false;
+ "/run/secrets/healthchecks-ping-key".isReadOnly = false;
 ${dataDirOf name}.isReadOnly = false;
 "/var/lib/tailscale" = {
diff --git a/modules/system/restic-backup.nix b/modules/system/restic-backup.nix
index cc1c954..7c1a824 100644
--- a/modules/system/restic-backup.nix
+++ b/modules/system/restic-backup.nix
@@ -31,11 +31,19 @@ in
 };
 config = lib.mkIf (cfg != { }) {
- systemd.tmpfiles.rules = lib.mapAttrsToList (
- name: value: "d /var/cache/restic-backups-${name} 700 ${value.user} ${value.user} -"
- ) cfg;
+ systemd.tmpfiles.rules =
+ (lib.optionals (!config.myConfig.sops.enable) [
+ "z /run/secrets/restic/environment 440 root ${config.users.groups.backup.name} -"
+ "z /run/secrets/restic/password 440 root ${config.users.groups.backup.name} -"
+ "z /run/secrets/healthchecks-ping-key 440 root ${config.users.groups.backup.name} -"
+ ])
+ ++ lib.mapAttrsToList (
+ name: value: "d /var/cache/restic-backups-${name} 700 ${value.user} ${value.user} -"
+ ) cfg;
- users.groups.backup.members = lib.mapAttrsToList (_: value: value.user) cfg;
+ users.groups.backup.members = builtins.filter (user: user != config.users.users.root.name) (
+ lib.mapAttrsToList (_: value: value.user) cfg
+ );
 sops.secrets = lib.optionalAttrs config.myConfig.sops.enable (
 let
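Review bot: The three secret bind mounts now give the container write access to the host's `/run/secrets/restic` and `/run/secrets/healthchecks-ping-key`, and unlike `/run/secrets/container/${name}` those two paths are not per-container, so a compromised container could alter secrets that the host and any other container mounting them rely on; the hunk does not record why read-only was dropped. Presumably the `z` tmpfiles rules added to `modules/system/restic-backup.nix` in this same commit need to change mode and group on these files, which fails on a read-only bind mount — if so, a comment above the three lines such as `# writable so the container-side tmpfiles z rules can adjust mode/group; these host files are shared with other containers` would preserve the reasoning. It is worth checking whether the mode and group could be set on the host side instead, letting the shared mounts return to read-only. The enclosing `bindMounts` set continues past the end of the hunk.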
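Review bot: The new `z` rules rewrite the group of `/run/secrets/restic/environment`, `/run/secrets/restic/password` and `/run/secrets/healthchecks-ping-key` to `${config.users.groups.backup.name}`, but when these paths are bind-mounted from the host (as the nspawn change in this commit suggests) the chgrp is applied to the shared host inode, so what the host ends up with is the numeric GID that `backup` resolves to inside the container; unless that GID is pinned identically on both sides, host-side ownership becomes whatever the container happened to allocate. Pinning the group, e.g. `users.groups.backup.gid = <chosen-gid>;` (placeholder) next to the `members` line, or a comment stating that `backup` must share a GID between host and container, would make the assumption explicit. The `!config.myConfig.sops.enable` guard is also doing double duty as "running inside a container that receives host-provided secrets"; a one-line comment above `lib.optionals` saying so would help the next reader. The `config` attribute set continues beyond the hunk.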