diff --git a/hosts/elisabeth/default.nix b/hosts/elisabeth/default.nix index 8989a61..7af29ee 100644 --- a/hosts/elisabeth/default.nix +++ b/hosts/elisabeth/default.nix @@ -19,8 +19,6 @@ ../../modules/hardware/physical.nix ../../modules/hardware/zfs.nix - ../../modules/services/acme.nix - ./net.nix ./fs.nix ] diff --git a/hosts/elisabeth/net.nix b/hosts/elisabeth/net.nix index 29717c9..d6134d4 100644 --- a/hosts/elisabeth/net.nix +++ b/hosts/elisabeth/net.nix @@ -39,4 +39,36 @@ interface = "lan01"; mode = "bridge"; }; + + age.secrets.cloudflare_token_acme = { + rekeyFile = ./secrets/cloudflare_api_token.age; + mode = "440"; + group = "acme"; + }; + security.acme = { + acceptTerms = true; + defaults = { + email = config.secrets.secrets.global.devEmail; + dnsProvider = "cloudflare"; + dnsPropagationCheck = true; + reloadServices = ["nginx"]; + credentialFiles = { + "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path; + "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path; + }; + }; + }; + security.acme.certs.web = { + domain = config.secrets.secrets.global.domains.web; + extraDomainNames = ["*.${config.secrets.secrets.global.domains.web}"]; + }; + users.groups.acme.members = ["nginx"]; + environment.persistence."/state".directories = [ + { + directory = "/var/lib/acme"; + user = "acme"; + group = "acme"; + mode = "0755"; + } + ]; } diff --git a/secrets/cloudflare/api_token.age b/hosts/elisabeth/secrets/cloudflare_api_token.age similarity index 100% rename from secrets/cloudflare/api_token.age rename to hosts/elisabeth/secrets/cloudflare_api_token.age diff --git a/hosts/elisabeth/secrets/ddclient/cloudflare_api_token.age b/hosts/elisabeth/secrets/ddclient/cloudflare_api_token.age new file mode 100644 index 0000000..88ecbfb --- /dev/null +++ b/hosts/elisabeth/secrets/ddclient/cloudflare_api_token.age 
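Review bot: In the `hosts/elisabeth/net.nix` hunk, `age.secrets.cloudflare_token_acme` is installed with `mode = "440"` and `group = "acme"`, and the same hunk adds `nginx` to `users.groups.acme.members`, so the web server account can read the Cloudflare API token and not just the issued certificates under `/var/lib/acme`. The ACME renewal service runs as the acme user, which is the only reader the token needs; `owner = "acme"; mode = "400";` keeps certificate sharing through the group while taking the DNS token out of nginx's reach. The `hosts/maddy/net.nix` hunk carries the same pattern, there granting the `maddy` user read access to the token. The secret was moved out of a shared module into per-host files, so the change applies to each host's copy independently.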
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> X25519 j1vdwUZ+o5coMFAaOCyiS42rLq7FPX6xwuWmoHcN61U +m1QEYj4NW5IdNsFh26Uhwe2Sg1ggkvTYB92S4B2lC8M +-> piv-p256 XTQkUA AhjsxoVBz3h/1Sj+cwnT7gpcE6SDMhNOBMU9nP+gfC5G +a7E3dolF4QaxTVpJBOKA314INK32eTdDykDyRT+/8XQ +-> piv-p256 ZFgiIw Ah49xwjTzvroi4R90URbbE0yY15w+OvUsWZ2cQdYHs/w +4i6XZ8lwOeWinlU1IiCgUBTSWMzxuPyvYKRbz6GqNUk +-> piv-p256 ZFgiIw A49Cv751h0WJYL6qPceFVwjbGVpF668SGKVjHq/lQ4Rs +AAGD0jOCHIOAIBk872SJwe2mCx69xn/1ZjiswebgU0w +-> K("0$@8-grease z`/W }"_xiVH <~Bj._ + +--- /NUrs98fD72LqCIYVOzrUhFNhxGivAEOZ9pob65I2fI +8:(#a[8@B4|C7!>?`5or By`AIJ;)&)@BϡQ \ No newline at end of file diff --git a/hosts/elisabeth/secrets/gitea/generated/forgejoHetznerSsh.age b/hosts/elisabeth/secrets/gitea/generated/forgejoHetznerSsh.age new file mode 100644 index 0000000..92ff4ae Binary files /dev/null and b/hosts/elisabeth/secrets/gitea/generated/forgejoHetznerSsh.age differ diff --git a/hosts/elisabeth/secrets/gitea/generated/resticpasswd.age b/hosts/elisabeth/secrets/gitea/generated/resticpasswd.age new file mode 100644 index 0000000..bae6ae4 Binary files /dev/null and b/hosts/elisabeth/secrets/gitea/generated/resticpasswd.age differ diff --git a/hosts/maddy/default.nix b/hosts/maddy/default.nix index 25381d0..711c119 100644 --- a/hosts/maddy/default.nix +++ b/hosts/maddy/default.nix @@ -7,6 +7,7 @@ [ ../../modules/config ../../modules/optional/initrd-ssh.nix + ../../modules/services/maddy.nix ../../modules/hardware/zfs.nix diff --git a/hosts/maddy/fs.nix b/hosts/maddy/fs.nix index 0951732..dc67797 100644 --- a/hosts/maddy/fs.nix +++ b/hosts/maddy/fs.nix @@ -28,7 +28,6 @@ fileSystems."/state".neededForBoot = true; fileSystems."/persist".neededForBoot = true; - boot.initrd.luks.devices.enc-rpool.allowDiscards = true; boot.loader.grub.devices = [ "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}" ]; diff --git a/hosts/maddy/net.nix b/hosts/maddy/net.nix index f4750fc..843738b 100644 --- a/hosts/maddy/net.nix +++ b/hosts/maddy/net.nix 
@@ -30,4 +30,35 @@
 linkConfig.RequiredForOnline = "routable";
 };
 };
+ age.secrets.cloudflare_token_acme = {
+ rekeyFile = ./secrets/cloudflare_api_token.age;
+ mode = "440";
+ group = "acme";
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = config.secrets.secrets.global.devEmail;
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ reloadServices = ["nginx"];
+ credentialFiles = {
+ "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+ "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+ };
+ };
+ };
+ security.acme.certs.mail = {
+ domain = config.secrets.secrets.global.domains.mail;
+ extraDomainNames = ["*.${config.secrets.secrets.global.domains.mail}"];
+ };
+ users.groups.acme.members = ["maddy"];
+ environment.persistence."/state".directories = [
+ {
+ directory = "/var/lib/acme";
+ user = "acme";
+ group = "acme";
+ mode = "0755";
+ }
+ ];
 }
diff --git a/hosts/maddy/secrets/cloudflare_api_token.age b/hosts/maddy/secrets/cloudflare_api_token.age
new file mode 100644
index 0000000..5306a75
--- /dev/null
+++ b/hosts/maddy/secrets/cloudflare_api_token.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 uhnRibm92XSz2UcJWT43CrsZfOrSzUyqVFU8nWiYEXs
+QNxh6YGDCgSSoCWLthZlou7F7i9OJpunB+/6J4ogk2k
+-> piv-p256 XTQkUA AzTDTMXLU5jTp54ysvnVIDo5lIb5ED1zkP8659tTH2JJ
+VLO6rtfY5poFGVH/eeD+T/xrlNdPGnlLQ6mK1HytT8A
+-> piv-p256 ZFgiIw AnwL/t0GNZI3/y7KlatHLebToW1pJLfOasODGQ7ogriz
+Wl7xm6+a1qmqLeTZszpO0XG96BcDRO5l8wvpc0atW0Y
+-> piv-p256 5vmPtQ AzC3t9sPdKF/IPkJSqhldnx3Mnkc84DCD13l8tYqZIWd
+GaNzRxPoSOy/kEuLzbXpiRDo5F2hZT8KriXpgqZkQ5Y
+-> piv-p256 ZFgiIw ApFdJVoW4zoWq38fE27TR/OFEDs4Wub1g3q6RiF+fDTR
+IypnQqeluntk31gez5I6eYtlKiY/8sy+dXNkpWhdwPs
+-> wX-grease
+neAQttCOcpQWsfSpI38jdOjODJYK8uOhqjWsZOLWlHZaRUQtoyXI
+--- r44AgWizs6H92oY6hKMs67ARXqr8Je0Z0cIJr9xidBg
+Ѩ␟̪Ph\dv _]Ӛ܊ژEʃewIt.W6ZFi
\ No newline at end of file
diff --git a/modules/config/users.nix b/modules/config/users.nix
index aa27fa0..e803184 100644
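Review bot: `security.acme.defaults.reloadServices = ["nginx"]` in the `hosts/maddy/net.nix` hunk was carried over from the web host, but the consumer of the `mail` certificate on this host is the `maddy` user added to `users.groups.acme.members`, so a renewed certificate triggers a reload of nginx rather than of the mail server that actually serves it. If nginx is not configured on this host the reload is a no-op and maddy keeps presenting the old certificate until its next restart; `reloadServices = ["maddy"];` (or both, if nginx is present) matches the group membership. It may also be worth a comment such as `# reload consumers of the mail cert on renewal` next to the list so the pairing is not lost when this is next copied.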
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -25,6 +25,7 @@
 vaultwarden = uidGid 215;
 redis-paperless = uidGid 216;
 microvm = uidGid 217;
+ maddy = uidGid 218;
 paperless = uidGid 315;
 systemd-oom = uidGid 300;
 systemd-coredump = uidGid 301;
diff --git a/modules/services/acme.nix b/modules/services/acme.nix
deleted file mode 100644
index 47b78ef..0000000
--- a/modules/services/acme.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- age.secrets.cloudflare_token_acme = {
- rekeyFile = ../../secrets/cloudflare/api_token.age;
- mode = "440";
- group = "acme";
- };
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = config.secrets.secrets.global.devEmail;
- dnsProvider = "cloudflare";
- dnsPropagationCheck = true;
- reloadServices = ["nginx"];
- credentialFiles = {
- "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
- "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
- };
- };
- };
- security.acme.certs = lib.flip lib.mapAttrs config.secrets.secrets.global.domains (_: value: {
- domain = value;
- extraDomainNames = ["*.${value}"];
- });
- users.groups.acme.members = ["nginx"];
- environment.persistence."/state".directories = [
- {
- directory = "/var/lib/acme";
- user = "acme";
- group = "acme";
- mode = "0755";
- }
- ];
-}
diff --git a/modules/services/ddclient.nix b/modules/services/ddclient.nix
index 46e84ba..ca7a78c 100644
--- a/modules/services/ddclient.nix
+++ b/modules/services/ddclient.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
 age.secrets.cloudflare_token_dns = {
- rekeyFile = ../../secrets/cloudflare/api_token.age;
+ rekeyFile = "${config.node.secretsDir}/cloudflare_api_token.age";
 mode = "440";
 };
 # So we only update the A record
diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix
index 8af0d89..95452d1 100644
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
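Review bot: In the `modules/services/ddclient.nix` hunk the new `rekeyFile = "${config.node.secretsDir}/cloudflare_api_token.age"` has no `ddclient/` component, yet the commit adds the token as `hosts/elisabeth/secrets/ddclient/cloudflare_api_token.age` while the ACME token lives at `hosts/elisabeth/secrets/cloudflare_api_token.age`. If `node.secretsDir` resolves to the host's `secrets` directory (not visible on this page), ddclient will decrypt the ACME token and the file under `ddclient/` is never referenced; if the intent was a separate, narrowly scoped DNS-update token, `rekeyFile = "${config.node.secretsDir}/ddclient/cloudflare_api_token.age";` is the path that matches the added file. Keeping the two tokens distinct is worthwhile since each can then be limited to the Cloudflare permissions its service needs. The enclosing attribute set continues outside the hunk.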
@@ -5,6 +5,38 @@
 }: let
 giteaDomain = "git.${config.secrets.secrets.global.domains.web}";
 in {
+ age.secrets.resticpasswd = {
+ generator.script = "alnum";
+ };
+ age.secrets.forgejoHetznerSsh = {
+ generator.script = "ssh-ed25519";
+ };
+ services.restic.backups = {
+ main = {
+ user = "root";
+ timerConfig = {
+ OnCalendar = "06:00";
+ Persistent = true;
+ RandomizedDelaySec = "3h";
+ };
+ initialize = true;
+ passwordFile = config.age.secrets.resticpasswd.path;
+ hetznerStorageBox = {
+ enable = true;
+ inherit (config.secrets.secrets.global.hetzner) mainUser;
+ inherit (config.secrets.secrets.global.hetzner.users.forgejo) subUid path;
+ sshAgeSecret = "forgejoHetznerSsh";
+ };
+ paths = [config.services.gitea.stateDir];
+ pruneOpts = [
+ "--keep-daily 10"
+ "--keep-weekly 7"
+ "--keep-monthly 12"
+ "--keep-yearly 75"
+ ];
+ };
+ };
+
 # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
 services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
 networking.firewall.allowedTCPPorts = [3000 9922];
diff --git a/modules/services/maddy.nix b/modules/services/maddy.nix
new file mode 100644
index 0000000..9388200
--- /dev/null
+++ b/modules/services/maddy.nix
@@ -0,0 +1,7 @@
+{config, ...}: {
+ services.maddy = {
+ enable = true;
+ hostname = "mx1" + config.secrets.secrets.global.domains.mail;
+ primaryDomain = config.secrets.secrets.global.domains.mail;
+ };
+}
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 1d066a7..ac61579 100644
Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ
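Review bot: The new `services.restic.backups.main` job in the `modules/services/gitea.nix` hunk snapshots `config.services.gitea.stateDir` as root while the service is running and defines no pre-backup step, so repositories and any SQLite database inside the state directory are captured mid-write and may not be consistent on restore. If Gitea is backed by an external database such as PostgreSQL it lives outside `stateDir` and is not covered by this job at all; which case applies is not visible on this page. A `backupPrepareCommand` that produces a `gitea dump` (or briefly stops the service) before the snapshot would make the restore point well-defined, and a one-line comment above `paths` stating what the job does and does not cover would help the next reader. The `{config, ...}` module header and the rest of the attribute set are outside the hunk.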
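Review bot: In the new `modules/services/maddy.nix`, `hostname = "mx1" + config.secrets.secrets.global.domains.mail;` concatenates without a separator, so for a constructed domain `example.org` the result is `mx1example.org`. Elsewhere on this page names are built with an explicit dot (`"git.${...domains.web}"` in the gitea hunk, `"*.${...domains.mail}"` in the maddy cert), and that wildcard certificate would cover `mx1.<domain>` but not the concatenated form; `hostname = "mx1.${config.secrets.secrets.global.domains.mail}";` matches both conventions. This holds unless `domains.mail` is stored with a leading dot, which the `"*.${...}"` usage argues against. Nothing in this file points maddy's TLS at the `mail` certificate issued in `hosts/maddy/net.nix`; if that wiring lives elsewhere this is fine, otherwise the issued certificate is unused.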