diff --git a/modules/system/services/actualbudget/backups.nix b/modules/system/services/actualbudget/backups.nix index 5912804..59dd18f 100644 --- a/modules/system/services/actualbudget/backups.nix +++ b/modules/system/services/actualbudget/backups.nix @@ -11,30 +11,10 @@ in options.custom.services.actualbudget.backups.enable = lib.mkEnableOption ""; config = lib.mkIf config.custom.services.actualbudget.backups.enable { - security.polkit = { - enable = true; - extraConfig = - let - service = "actual.service"; - in - '' - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.systemd1.manage-units" && - action.lookup("unit") == "${service}" && - subject.user == "${user}") { - return polkit.Result.YES; - } - }); - ''; - }; - custom.services.resticBackups.actual = { inherit user; - extraConfig = { - backupPrepareCommand = "${lib.getExe' pkgs.systemd "systemctl"} stop actual.service"; - backupCleanupCommand = "${lib.getExe' pkgs.systemd "systemctl"} start actual.service"; - paths = [ config.services.actual.settings.dataDir ]; - }; + suspendService = "actual.service"; + extraConfig.paths = [ config.services.actual.settings.dataDir ]; }; environment.systemPackages = [ diff --git a/modules/system/services/forgejo/backups.nix b/modules/system/services/forgejo/backups.nix index e4a22bf..2f2e3d0 100644 --- a/modules/system/services/forgejo/backups.nix +++ b/modules/system/services/forgejo/backups.nix 
@@ -11,30 +11,10 @@ in options.custom.services.forgejo.backups.enable = lib.mkEnableOption ""; config = lib.mkIf config.custom.services.forgejo.backups.enable { - security.polkit = { - enable = true; - extraConfig = - let - service = "forgejo.service"; - in - '' - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.systemd1.manage-units" && - action.lookup("unit") == "${service}" && - subject.user == "${user}") { - return polkit.Result.YES; - } - }); - ''; - }; - custom.services.resticBackups.forgejo = { inherit user; - extraConfig = { - backupPrepareCommand = "${lib.getExe' pkgs.systemd "systemctl"} stop forgejo.service"; - backupCleanupCommand = "${lib.getExe' pkgs.systemd "systemctl"} start forgejo.service"; - paths = [ config.services.forgejo.stateDir ]; - }; + suspendService = "forgejo.service"; + extraConfig.paths = [ config.services.forgejo.stateDir ]; }; environment.systemPackages = [ diff --git a/modules/system/services/hedgedoc/backups.nix b/modules/system/services/hedgedoc/backups.nix index ae7bdca..22f1e6b 100644 --- a/modules/system/services/hedgedoc/backups.nix +++ b/modules/system/services/hedgedoc/backups.nix 
@@ -11,33 +11,13 @@ in options.custom.services.hedgedoc.backups.enable = lib.mkEnableOption ""; config = lib.mkIf config.custom.services.hedgedoc.backups.enable { - security.polkit = { - enable = true; - extraConfig = - let - service = "hedgedoc.service"; - in - '' - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.systemd1.manage-units" && - action.lookup("unit") == "${service}" && - subject.user == "${user}") { - return polkit.Result.YES; - } - }); - ''; - }; - custom.services.resticBackups.hedgedoc = { inherit user; - extraConfig = { - backupPrepareCommand = "${lib.getExe' pkgs.systemd "systemctl"} stop hedgedoc.service"; - backupCleanupCommand = "${lib.getExe' pkgs.systemd "systemctl"} start hedgedoc.service"; - paths = with config.services.hedgedoc.settings; [ - uploadsPath - db.storage - ]; - }; + suspendService = "hedgedoc.service"; + extraConfig.paths = with config.services.hedgedoc.settings; [ + uploadsPath + db.storage + ]; }; environment.systemPackages = [ diff --git a/modules/system/services/restic-backups/default.nix b/modules/system/services/restic-backups/default.nix index 80da57a..a3fd4d4 100644 --- a/modules/system/services/restic-backups/default.nix +++ b/modules/system/services/restic-backups/default.nix @@ -1,5 +1,6 @@ { config, + pkgs, lib, ... }: @@ -20,6 +21,10 @@ in type = lib.types.str; default = config.users.users.root.name; }; + suspendService = lib.mkOption { + type = lib.types.nullOr lib.types.nonEmptyStr; + default = null; + }; extraConfig = lib.mkOption { type = lib.types.attrsOf lib.types.anything; default = { }; 
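Review bot: `suspendService` in the `@@ -20,6 +21,10 @@` hunk is declared without a `description` and with `lib.types.nonEmptyStr`, which accepts any text, yet the value is interpolated into a polkit JavaScript rule (`@@ -52,6 +57,27 @@`) and into a `systemctl` command line (`@@ -63,6 +89,12 @@`). A quote or space in the value would change the meaning of the rule or the command, and a name without the `.service` suffix would presumably never equal the full unit name that polkit compares against. I would add `description = "systemd unit to stop before the backup and start again afterwards; the backup user is allowed to manage it via polkit.";` and narrow the type to `lib.types.nullOr (lib.types.strMatching "[A-Za-z0-9:_.@-]+\\.service")`, or alternatively escape at the two sinks with `builtins.toJSON` and `lib.escapeShellArg`. The option set continues outside the hunk.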
@@ -52,6 +57,27 @@ in "restic/password" = resticPermissions; }; + security.polkit = { + enable = resticBackups |> lib.attrValues |> lib.any (value: value.suspendService != null); + extraConfig = + let + mkAllowRule = service: user: '' + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.systemd1.manage-units" && + action.lookup("unit") == "${service}" && + subject.user == "${user}") { + return polkit.Result.YES; + } + }); + ''; + in + resticBackups + |> lib.attrValues + |> lib.filter (value: value.suspendService != null) + |> lib.map (value: mkAllowRule value.suspendService value.user) + |> lib.concatLines; + }; + services.restic.backups = resticBackups |> lib.mapAttrs ( @@ -63,6 +89,12 @@ in repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}"; environmentFile = config.sops.secrets."restic/environment".path; passwordFile = config.sops.secrets."restic/password".path; + backupPrepareCommand = lib.mkIf (value.suspendService != null) ( + lib.mkBefore "${lib.getExe' pkgs.systemd "systemctl"} stop ${value.suspendService}" + ); + backupCleanupCommand = lib.mkIf (value.suspendService != null) ( + lib.mkAfter "${lib.getExe' pkgs.systemd "systemctl"} start ${value.suspendService}" + ); pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" diff --git a/modules/system/services/syncthing/backups.nix b/modules/system/services/syncthing/backups.nix index 8c22535..5a10884 100644 --- a/modules/system/services/syncthing/backups.nix +++ b/modules/system/services/syncthing/backups.nix 
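Review bot: `security.polkit.enable` is assigned a computed boolean, so a host with no `suspendService` set gets an explicit `enable = false` definition, which in the module system conflicts with any other module that sets `security.polkit.enable = true`. Wrapping the whole attribute set avoids that: `security.polkit = lib.mkIf (resticBackups |> lib.attrValues |> lib.any (value: value.suspendService != null)) {` with `enable = true;` inside. The generated rule also allows every `manage-units` operation on the unit although the backup only stops and starts it; adding `(action.lookup("verb") == "start" || action.lookup("verb") == "stop") &&` to the condition keeps the grant to what is needed. The surrounding `config` block starts and ends outside the hunk.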
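Review bot: `lib.mkBefore` and `lib.mkAfter` on `backupPrepareCommand` / `backupCleanupCommand` in the `@@ -63,6 +89,12 @@` hunk only order definitions and concatenate nothing unless the option has a merging type such as `lines`. If the upstream restic option is a single nullable string (not visible here, worth confirming), a command supplied through `extraConfig` would clash with these definitions instead of running alongside them. Either drop the wrappers or, once the merge behaviour is confirmed, leave a comment such as `# stop must run before, and start after, any command added via extraConfig`. The attribute set these lines belong to starts and ends outside the hunk.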
@@ -20,30 +20,10 @@ in } ]; - security.polkit = { - enable = true; - extraConfig = - let - service = "syncthing.service"; - in - '' - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.systemd1.manage-units" && - action.lookup("unit") == "${service}" && - subject.user == "${user}") { - return polkit.Result.YES; - } - }); - ''; - }; - custom.services.resticBackups.syncthing = { inherit user; - extraConfig = { - backupPrepareCommand = "${lib.getExe' pkgs.systemd "systemctl"} stop syncthing.service"; - backupCleanupCommand = "${lib.getExe' pkgs.systemd "systemctl"} start syncthing.service"; - paths = [ config.services.syncthing.dataDir ]; - }; + suspendService = "syncthing.service"; + extraConfig.paths = [ config.services.syncthing.dataDir ]; }; environment.systemPackages = [