diff --git a/hosts/elisabeth/secrets/immich/generated/immichHetznerSsh.age b/hosts/elisabeth/secrets/immich/generated/immichHetznerSsh.age new file mode 100644 index 0000000..a35f1f8 --- /dev/null +++ b/hosts/elisabeth/secrets/immich/generated/immichHetznerSsh.age @@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> X25519 WB1xLsDy77zdrPl9eUQ0p3SB1GyhaLb5RVHC2xLeh2U +CLCt7Ft9zw0sVN5xmnz5IdGJYj2n60u9G0Mw7yhlp1Y +-> piv-p256 XTQkUA ArpAo5Lw+iL+JGsI1YhkRyV/Mf5aNbFzw4vbzKDRRKhP ++7OPvZxHU8JmdyfR8DVrhPpmp1WqkqhGuI+zNUwURzc +-> piv-p256 ZFgiIw AwihFvG6Qtg+GdQH1diMas21FrrnLdcLVFFIWrg9LoHv +pnqnXdeiazBwe/WLIRCjzB6sInrH1PF8yFdz7omqS70 +-> piv-p256 5vmPtQ A6eL3RiHO5GPIHYkc8FLap+wJMr6RWKFCUiLfvTbmJRd +d6Mfa5eJa76cLocePgTzp26b/w5B/S7EAqPniKMnxZ8 +-> piv-p256 ZFgiIw AgXMXffPLAIrCJeTYA4kknA84KJfEYZOSjI4tPoMRsfo +LdYKnUoQdY7JCpuq20S1e9xWS6X9IyMZvEQqfc6HJdc +-> @ao.u7t]-grease +sXjdduaavhXpG1XbPlM28CVJyDyVlT0SWY4xi2qgNK9L2W4aAeQ192bzhMAR2iY3 +jWHPGApnULPsA8vjoskwrC8 +--- me+7MliHVc3ogEKqFM7z0MUl/PyOJ+NiAjxrAVFHH5Q +Sb27zKħ +j GcڟC"Pve"RUr/IJ#㭚|8i ?MTsO0 cM߁Cn|cӚG֝w֮Gݎ9/O}VrDQKnx;2d`^a⫲aZ!*'baG6vLW>`6 cUB: 'Q 2<uH RQ&J~^}-(sw|Ώ.0%v|N*B,KAn,LHbi7iOMXUk4YHv \x^gҖ,A{IpnҔcEW[y:SW'xrLE9i=oPO23 +S9[jr]'|) ڇw EV1L[7R:Nޡ-/'|ctrXB(f3$g \ No newline at end of file diff --git a/hosts/elisabeth/secrets/immich/generated/resticpasswd.age b/hosts/elisabeth/secrets/immich/generated/resticpasswd.age new file mode 100644 index 0000000..3325324 --- /dev/null +++ b/hosts/elisabeth/secrets/immich/generated/resticpasswd.age 
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 4tPfPyE54oSMuhqmfrTTCJQdCJAzryGgdmjBr04yzkA +wsvnurkIbkDSIE6ZQdP0jtPn8hYxvNm/p1Jettzcf3Q +-> piv-p256 XTQkUA AsBlQ0gJ2gKWhMEbxRLXPJ9RmaK6ufETgfrq3fnJxbGT +L7gXAPRHn5GG94JXZCPhr6MH2tZMDLTs+ac+Zzm7ZRI +-> piv-p256 ZFgiIw A60jY/C+OJzW2wD343YUMiONDhUhIs1rBAutn8ai0xmx +od/edlvok9J0IjzeTkRanm6udkzvN9v2SGSU3d+uk6c +-> piv-p256 5vmPtQ AwUMrlxQ5uKe/YwIcBaypG+DnyrGZVmkaafRGqwAKBbS +KvrODcNRDmvZhk0KUh0WwyP4XUoCq/rWPwemBrKkKog +-> piv-p256 ZFgiIw AwN8CB3pEUeOcPPJIArgo3y0K7SZTiOlaK69257RSaph +GDIXUvPrBDG2hQ9uvPYj9Lb4eDW30lTI9PNBCVLbmkQ +-> \v~O9~-grease +xw +--- cTlXPGvRSzDL4DQlGTkX5VQZ/84vqMvIW3cEh0TIOdM +X"&bm&Je2O@YkyL⋘Q6@o&hqhؖ%u }YeT5y5 \ No newline at end of file diff --git a/modules/services/immich.nix b/modules/services/immich.nix index 1e3df4c..aeddfb3 100644 --- a/modules/services/immich.nix +++ b/modules/services/immich.nix @@ -46,6 +46,45 @@ ]; }; in { + age.secrets.resticpasswd = { + generator.script = "alnum"; + }; + age.secrets.immichHetznerSsh = { + generator.script = "ssh-ed25519"; + }; + services.restic.backups = { + main = { + user = "root"; + timerConfig = { + OnCalendar = "06:00"; + Persistent = true; + RandomizedDelaySec = "3h"; + }; + initialize = true; + passwordFile = config.age.secrets.resticpasswd.path; + hetznerStorageBox = { + enable = true; + inherit (config.secrets.secrets.global.hetzner) mainUser; + inherit (config.secrets.secrets.global.hetzner.users.immich) subUid path; + sshAgeSecret = "immichHetznerSsh"; + }; + backupPrepareCommand = '' + ${pkgs.podman}/bin/podman exec -t immich_postgres pg_dumpall -c -U postgres > /run/immich_dump.sql + ''; + paths = [ + "${upload_folder}/library" + "${upload_folder}/upload" + "${upload_folder}/profile" + "/run/immich_dump.sql" + ]; + pruneOpts = [ + "--keep-daily 10" + "--keep-weekly 7" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + }; microvm = { mem = 1024 * 8; vcpu = 12; 
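Review bot: The `backupPrepareCommand` in `services.restic.backups.main` writes a full `pg_dumpall` (role password hashes included) to `/run/immich_dump.sql` under whatever umask the restic unit inherits, and nothing visible in the hunk removes the file after the run, so a plaintext copy of the database probably stays readable in `/run` until reboot. Make `umask 077` the first line of the prepare script and add `backupCleanupCommand = "rm -f /run/immich_dump.sql";` beside it. The `-t` on `podman exec` should also be dropped: a pseudo-terminal typically rewrites line endings to CRLF and merges stderr into the redirected stream, which can leave the dump unrestorable, and `podman exec immich_postgres pg_dumpall -c -U postgres` is sufficient. The enclosing attribute set continues past the hunk, so a cleanup step or `UMask` defined elsewhere would not be visible here.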
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index d4e15b2..96f06fd 100644
Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ