diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
index 67d113e..8cdd77c 100644
--- a/hosts/cirrus/default.nix
+++ b/hosts/cirrus/default.nix
@@ -31,6 +31,7 @@
 enable = true;
 domain = "git.sstork.dev";
 ssh.enable = true;
+ backups.enable = true;
 };
 caddy.virtualHosts = {
diff --git a/modules/system/services/forgejo/backups.nix b/modules/system/services/forgejo/backups.nix
new file mode 100644
index 0000000..a1ef598
--- /dev/null
+++ b/modules/system/services/forgejo/backups.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ user = config.users.users.forgejo.name;
+in
+{
+ options.custom.services.forgejo.backups.enable = lib.mkEnableOption "";
+
+ config = lib.mkIf config.custom.services.forgejo.backups.enable {
+ security.polkit = {
+ enable = true;
+ extraConfig =
+ let
+ service = "forgejo.service";
+ in
+ ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "org.freedesktop.systemd1.manage-units" &&
+ action.lookup("unit") == "${service}" &&
+ subject.user == "${user}") {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
+
+ custom.services.resticBackup.forgejo = {
+ inherit user;
+ healthchecks.enable = true;
+
+ extraConfig = {
+ backupPrepareCommand = "${lib.getExe' pkgs.systemd "systemctl"} stop forgejo.service";
+ backupCleanupCommand = "${lib.getExe' pkgs.systemd "systemctl"} start forgejo.service";
+ paths = [ config.services.forgejo.stateDir ];
+ };
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeShellApplication {
+ name = "forgejo-restore";
+ text = ''
+ sudo --user=${user} bash -c "
+ systemctl stop forgejo.service
+ restic-forgejo restore latest --target /
+ systemctl start forgejo.service
+ "
+ '';
+ })
+ ];
+ };
+}
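Review bot: The inner `bash -c` string of `forgejo-restore` in backups.nix runs without errexit, because the `set -o errexit` that `writeShellApplication` puts in the outer script does not carry into the child shell. If `systemctl stop forgejo.service` fails (a polkit denial, for example), `restic-forgejo restore latest --target /` still writes over the state directory of a running Forgejo, and the service is started again even after a failed restore. Start the inner script with `set -euo pipefail`, or chain the three commands with `&&`. Separately, the polkit rule authorises every `manage-units` operation on `forgejo.service` for the `forgejo` account, which is presumably also the account the service runs as; the backup only needs stop and start, so consider adding `["start", "stop"].indexOf(action.lookup("verb")) >= 0 &&` to the condition. `lib.mkEnableOption ""` also leaves the option undocumented; `lib.mkEnableOption "restic backups of the Forgejo state directory"` would fix that.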