diff --git a/hosts/stratus/containers/default.nix b/hosts/stratus/containers/default.nix index 8e7d9c7..5bdbb15 100644 --- a/hosts/stratus/containers/default.nix +++ b/hosts/stratus/containers/default.nix @@ -66,10 +66,7 @@ in ... }: { - imports = [ - "${self}/modules/system/sops.nix" - "${self}/modules/system/tailscale.nix" - ]; + imports = [ self.nixosModules.default ]; system = { inherit stateVersion; diff --git a/hosts/stratus/containers/nextcloud/backup.nix b/hosts/stratus/containers/nextcloud/backup.nix index 6fc18c8..9e837ce 100644 --- a/hosts/stratus/containers/nextcloud/backup.nix +++ b/hosts/stratus/containers/nextcloud/backup.nix 
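Review bot: The container's `imports` now pulls in `self.nixosModules.default` in place of the two explicit modules, and the other hunks in this commit rely on `myConfig.resticBackup`, which is declared only in the new `modules/system/restic-backup.nix`; nothing in the diff shows that file being added to `nixosModules.default`, so unless that wiring lives in a file not shown here the container configs will fail to evaluate with an undefined option. A reader of this file also can no longer see what the container receives beyond sops and tailscale, so a one-line comment above the import naming the modules that set bundles would be worth adding once its contents are confirmed. The enclosing container definition starts before this hunk.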
@@ -6,49 +6,26 @@ ... }: { - sops.secrets = { - "restic/environment" = { - owner = config.users.users.nextcloud.name; - inherit (config.users.users.nextcloud) group; - }; - "restic/password" = { - owner = config.users.users.nextcloud.name; - inherit (config.users.users.nextcloud) group; - }; - }; + systemd.tmpfiles.rules = [ "d ${dataDir}/backup 700 nextcloud nextcloud -" ]; - systemd.tmpfiles.rules = [ - "d ${dataDir}/backup 700 nextcloud nextcloud -" - "d /var/cache/restic-backups-nextcloud 700 nextcloud nextcloud -" - ]; - - services.restic.backups.nextcloud = { - initialize = true; + myConfig.resticBackup.nextcloud = { + enable = true; user = config.users.users.nextcloud.name; - repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/nextcloud"; - environmentFile = config.sops.secrets."restic/environment".path; - passwordFile = config.sops.secrets."restic/password".path; - - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 6" - "--keep-yearly 1" - ]; - - backupPrepareCommand = '' - ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --on - ${lib.getExe' config.services.postgresql.package "pg_dump"} nextcloud --format=custom --file=${dataDir}/backup/db.dump - ''; - backupCleanupCommand = '' - ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --off - ''; - paths = [ - "${dataDir}/home/data" - "${dataDir}/home/config/config.php" - "${dataDir}/backup" - ]; + extraConfig = { + backupPrepareCommand = '' + ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --on + ${lib.getExe' config.services.postgresql.package "pg_dump"} nextcloud --format=custom --file=${dataDir}/backup/db.dump + ''; + backupCleanupCommand = '' + ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --off + ''; + paths = [ + "${dataDir}/home/data" + "${dataDir}/home/config/config.php" + "${dataDir}/backup" + ]; + }; }; environment.systemPackages = [ 
diff --git a/hosts/stratus/containers/paperless/backup.nix b/hosts/stratus/containers/paperless/backup.nix index f2c631b..fd83def 100644 --- a/hosts/stratus/containers/paperless/backup.nix +++ b/hosts/stratus/containers/paperless/backup.nix 
@@ -6,52 +6,30 @@ ... }: { - sops.secrets = { - "restic/environment" = { - owner = config.users.users.paperless.name; - inherit (config.users.users.paperless) group; - }; - "restic/password" = { - owner = config.users.users.paperless.name; - inherit (config.users.users.paperless) group; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir}/backup 700 paperless paperless -" - "d /var/cache/restic-backups-paperless 700 paperless paperless -" - ]; - - services.restic.backups.paperless = { - initialize = true; - inherit (config.services.paperless) user; - - repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/paperless"; - environmentFile = config.sops.secrets."restic/environment".path; - passwordFile = config.sops.secrets."restic/password".path; - - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 6" - "--keep-yearly 1" - ]; - - backupPrepareCommand = '' - ${dataDir}/paperless-manage document_exporter ${dataDir}/backup ${ - lib.concatStringsSep " " [ - "--compare-checksums" - "--delete" - "--split-manifest" - "--use-filename-format" - "--no-progress-bar" - ] - } - ''; - paths = [ "${dataDir}/backup" ]; - }; + systemd.tmpfiles.rules = [ "d ${dataDir}/backup 700 paperless paperless -" ]; users.users.paperless.extraGroups = [ "redis-paperless" ]; + + myConfig.resticBackup.paperless = { + enable = true; + user = config.users.users.paperless.name; + + extraConfig = { + backupPrepareCommand = '' + ${dataDir}/paperless-manage document_exporter ${dataDir}/backup ${ + lib.concatStringsSep " " [ + "--compare-checksums" + "--delete" + "--split-manifest" + "--use-filename-format" + "--no-progress-bar" + ] + } + ''; + paths = [ "${dataDir}/backup" ]; + }; + }; + environment.systemPackages = [ (pkgs.writeShellApplication { name = "paperless-restore"; diff --git a/modules/system/restic-backup.nix b/modules/system/restic-backup.nix new file mode 100644 index 0000000..b552aff --- /dev/null +++ b/modules/system/restic-backup.nix 
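Review bot: The new `myConfig.resticBackup.paperless` block sets `user = config.users.users.paperless.name;`, whereas the removed `services.restic.backups.paperless` used `inherit (config.services.paperless) user;`; the new form hard-wires the `paperless` account while the old one followed whatever `services.paperless.user` is set to, so if that option is ever changed the backup would run as the wrong user (or fail to evaluate if `users.users.paperless` no longer exists). Keeping the original coupling is a one-line change: `user = config.services.paperless.user;`. The enclosing module attrset continues outside the hunk.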
@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+let
+ cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
+in
+{
+ options.myConfig.resticBackup = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ options = {
+ enable = lib.mkEnableOption "";
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = config.users.users.root.name;
+ };
+ extraConfig = lib.mkOption {
+ type = lib.types.attrsOf lib.types.anything;
+ default = { };
+ };
+ };
+ }
+ );
+ default = { };
+ };
+
+ config = lib.mkIf (cfg != { }) {
+ systemd.tmpfiles.rules = lib.mapAttrsToList (
+ name: value: "d /var/cache/restic-backups-${name} 700 ${value.user} ${value.user} -"
+ ) cfg;
+
+ users.groups.restic.members = lib.mapAttrsToList (_: value: value.user) cfg;
+
+ sops.secrets = {
+ "restic/environment" = {
+ mode = "440";
+ group = config.users.groups.restic.name;
+ };
+ "restic/password" = {
+ mode = "440";
+ group = config.users.groups.restic.name;
+ };
+ };
+
+ services.restic.backups = lib.mapAttrs (
+ name: value:
+ {
+ inherit (value) user;
+ initialize = true;
+ repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
+ environmentFile = config.sops.secrets."restic/environment".path;
+ passwordFile = config.sops.secrets."restic/password".path;
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 6"
+ "--keep-yearly 1"
+ ];
+ }
+ // value.extraConfig
+ ) cfg;
+ };
+}
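Review bot: The `sops.secrets` block makes `restic/environment` and `restic/password` group-readable (`mode = "440"`) by the `restic` group, whose members are every enabled job's `user`, and every job uses those same credentials against the single `stork-atlas` bucket, differing only by `${name}` in `repository`; a compromise of any one backup user therefore exposes the object-store credentials and repository password for all jobs on that host. That may be an accepted trade-off for a single-owner system, but it should be stated at the secrets block, e.g. `# One shared credential + repo password for all jobs; jobs are separated by key prefix only, not by credential.` Separately, the option submodule carries no descriptions (`lib.mkEnableOption ""` renders as "Whether to enable .") and `extraConfig` is applied with `//`, so an `extraConfig.pruneOpts` or `extraConfig.repository` silently replaces the module's value wholesale rather than extending it; give `extraConfig` a description spelling out that shallow-override semantics, e.g. `description = "Attributes merged into services.restic.backups.<name> with //; keys set here replace the module defaults entirely.";`.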