diff --git a/flake.lock b/flake.lock index 5370373..0729d81 100644 --- a/flake.lock +++ b/flake.lock @@ -37,11 +37,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1696078264, - "narHash": "sha256-NF5G9CHaVWDD6DY0TP8z0cx30dAL1ciFYcVidVvb+NA=", + "lastModified": 1705278709, + "narHash": "sha256-CNJSc6tp12UZKAprviztJ509yAblteK4GiWwKewWEPQ=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "e529da8197f024c0069c4fde6237505e305b8d0a", + "rev": "e02a57e08224422934974f19853d4d70ed7eaaaa", "type": "github" }, "original": { @@ -1056,11 +1056,11 @@ "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { - "lastModified": 1704999567, - "narHash": "sha256-Whj1PFPomS/f97OD30CRrETTH/dmnUJdjEevDLJG4MM=", + "lastModified": 1705280248, + "narHash": "sha256-lMuky4SlMGcc7Ok33Cp7mwx+k5WRxXCCP1Rit8vtfEA=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "4744a2844cd74ca9b122fbaaae5ae97159c0d30e", + "rev": "3057e049e731190def8e9c5bea5467b3edcdd93e", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a5fe818..e8a7ab4 100644 --- a/flake.nix +++ b/flake.nix @@ -144,6 +144,11 @@ ; } // flake-utils.lib.eachDefaultSystem (system: rec { + apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") { + inherit pkgs; + nixosConfigurations = self.nodes; + decryptIdentity = builtins.head self.secretsConfig.masterIdentities; + }; pkgs = import nixpkgs { overlays = import ./lib inputs diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index c03f2f9..bd83185 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -95,6 +95,7 @@ in { mkGuest = guestName: { enablePanzer ? false, enableRenaultFT ? false, + enableBunker ? false, ... }: { autostart = true; 
@@ -114,6 +115,10 @@ in {
 pool = "renaultft";
 dataset = "safe/guests/${guestName}";
 };
+ zfs."/bunker" = lib.mkIf enableBunker {
+ pool = "panzer";
+ dataset = "bunker/guests/${guestName}";
+ };
 modules = [
 ../../modules/config
 ../../modules/services/${guestName}.nix
diff --git a/hosts/elisabeth/secrets/samba/generated/resticHetznerSsh.age b/hosts/elisabeth/secrets/samba/generated/resticHetznerSsh.age
new file mode 100644
index 0000000..b04e8b6
Binary files /dev/null and b/hosts/elisabeth/secrets/samba/generated/resticHetznerSsh.age differ
diff --git a/hosts/elisabeth/secrets/samba/generated/resticpasswd.age b/hosts/elisabeth/secrets/samba/generated/resticpasswd.age
new file mode 100644
index 0000000..4de92b8
Binary files /dev/null and b/hosts/elisabeth/secrets/samba/generated/resticpasswd.age differ
diff --git a/hosts/elisabeth/secrets/vaultwarden/generated/resticpasswd.age b/hosts/elisabeth/secrets/vaultwarden/generated/resticpasswd.age
new file mode 100644
index 0000000..63be4a6
Binary files /dev/null and b/hosts/elisabeth/secrets/vaultwarden/generated/resticpasswd.age differ
diff --git a/hosts/elisabeth/secrets/vaultwarden/generated/vaultwardenHetznerSsh.age b/hosts/elisabeth/secrets/vaultwarden/generated/vaultwardenHetznerSsh.age
new file mode 100644
index 0000000..bb3c365
--- /dev/null
+++ b/hosts/elisabeth/secrets/vaultwarden/generated/vaultwardenHetznerSsh.age
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> X25519 Kj9OeDgNf3hqRLsActF53ggNumpHdHKXG6zekapeWQc +JFdTjwN1jG6b9oQ7t5fuRvvc2Dd5YYCC8Q8M39xfAE4 +-> piv-p256 XTQkUA AxuWd+20Js2drUmquQtQP3nH/vRh+OkGnSO3J3JuRlVp +4SlZgvBzLZWn2qTgGWnUaML6jP+20+SIl06DYw8QbCo +-> piv-p256 ZFgiIw AgZ1QA5jqCIoxb4agWfPt527GXRfmc3BI7W2M4A4kuQn +UAbYRlVWqLanbg60XdDRtJRI6I9/PfMUYnVlM37jgNk +-> piv-p256 5vmPtQ AhAJtn26POTXs9lTBSVxv7MwQL4fg9T6RmhDtBGS/ne2 +KrOM4MrP9Z6NAmcqH/3sOg+TB7IzCR+XQsC9TGAcnG4 +-> piv-p256 ZFgiIw A12qAbjNfpKC7Ypv0H0svdaMQu0hx9HIvWq4yli7+hTw +jquQsKgclpq+174JFrxoJ+8qQuRtmii5h23JT1t4/6M +-> 4<;V-grease +MRprreszTkfpnjip/rJScLgENpRVXSlk412CATnMx7h1cTn5LyafKZAdPT1DHr5K +XyPouZRvPLzGHg21hj1gi3DgNA5nKULBWUYg4JmDeWQYVukI8JON7LUk6yGqPLdN +UQ +--- iiRlePkOnW1pge/OFv/nzavme3ERGqynw6ObeMW8jLs +VXq-bP ˑkkz@ϭCz{GɟE>gcC \ No newline at end of file diff --git a/hosts/testienix/secrets/generated/resticHetznerSsh.age b/hosts/testienix/secrets/generated/resticHetznerSsh.age new file mode 100644 index 0000000..b16b3a4 Binary files /dev/null and b/hosts/testienix/secrets/generated/resticHetznerSsh.age differ diff --git a/hosts/testienix/secrets/generated/resticpasswd.age b/hosts/testienix/secrets/generated/resticpasswd.age new file mode 100644 index 0000000..7724c7a --- /dev/null +++ b/hosts/testienix/secrets/generated/resticpasswd.age 
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 z96I+Nn8qe6tg/RKh3BKQ9/TPL336LMzJmalGjNDjzo +uDSblTLmTEMUO1Y6ZTJvA/62wT/HHueBmdL/XH2g+oc +-> piv-p256 XTQkUA AvRAFEutxbIbL2FUe1V8A2QNzLGeGonzh1a6Gc/YOxpB +a2CURyCBGqFqSXi1023fxCCDdiRgJtWN0XfWesqMB2M +-> piv-p256 ZFgiIw AysOIfBv8DcAL2kYkJd+hhlDL4wvfz1ffp1H8o8Q0oq+ +ecKdYFlK7o1VKeBRT98Luve3LPsPPjXYHVz6uRmx0vw +-> piv-p256 5vmPtQ AgTg1s5F1ZO2BiYekocUdtmDAOHVNEZa1Fb70sF54jEb +QdhiumwEn949jOeP5x/g/BpOcOnJ7KoAzc7desZO2rU +-> piv-p256 ZFgiIw A+SlvzmK+ypk9oZfAf4wTxua0gxPXuJuy8J26pAvWnfh +VeMmI6yqh8spCYXwUpdKKRt6Q/Bv8ZMSATrubCwslII +-> 2{jZco:7-grease 9N19Ay) +LFLWPMPWN6sYwi5+fL792xvjztCKIahMyA +--- jDQZaA9hMtVeAmiFfAVQWS55di3rJ79zQJTuJAaEPuM +ߗ<tcWwi#[ +vhF_Wd(&߆k;k ]欶G%|{W.+ \ No newline at end of file diff --git a/hosts/testienix/secrets/generated/resticssh.age b/hosts/testienix/secrets/generated/resticssh.age new file mode 100644 index 0000000..833e081 Binary files /dev/null and b/hosts/testienix/secrets/generated/resticssh.age differ diff --git a/modules/services/ddclient.nix b/modules/services/ddclient.nix index db59b05..46e84ba 100644 --- a/modules/services/ddclient.nix +++ b/modules/services/ddclient.nix @@ -3,6 +3,8 @@ rekeyFile = ../../secrets/cloudflare/api_token.age; mode = "440"; }; + # So we only update the A record + networking.enableIPv6 = false; services.ddclient = { enable = true; zone = config.secrets.secrets.global.domains.web; diff --git a/modules/services/samba.nix b/modules/services/samba.nix index 661f58b..0406375 100644 --- a/modules/services/samba.nix +++ b/modules/services/samba.nix 
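Review bot: `networking.enableIPv6 = false;` switches IPv6 off for the whole host in order to keep ddclient from updating the AAAA record, which is a far wider effect than the comment "So we only update the A record" describes: every other service on this machine loses IPv6 as a side effect. If the ddclient module version in use exposes `services.ddclient.usev6`, setting it to the module's disabled value scopes the change to ddclient itself; if not, the comment should at least state that host-wide IPv6 is being turned off deliberately. The ddclient.nix attribute set continues outside the hunk.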
@@ -7,6 +7,37 @@ enable = true; # make shares visible for windows 10 clients openFirewall = true; }; + age.secrets.resticpasswd = { + generator.script = "alnum"; + }; + age.secrets.resticHetznerSsh = { + generator.script = "ssh-ed25519"; + }; + services.restic.backups = { + main = { + user = "root"; + timerConfig = { + OnCalendar = "06:00"; + Persistent = true; + RandomizedDelaySec = "3h"; + }; + initialize = true; + passwordFile = config.age.secrets.resticpasswd.path; + hetznerStorageBox = { + enable = true; + inherit (config.secrets.secrets.global.hetzner) mainUser; + inherit (config.secrets.secrets.global.hetzner.users.smb) subUid path; + sshAgeSecret = "resticHetznerSsh"; + }; + paths = ["/bunker"]; + pruneOpts = [ + "--keep-daily 10" + "--keep-weekly 7" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + }; services.samba = { enable = true; securityType = "user"; @@ -55,11 +86,15 @@ name, user ? "smb", group ? "smb", - persistRoot ? "/panzer", - }: cfg: { - "${name}" = + hasBunker ? false, + persistRoot ? ( + if hasBunker + then "/bunker" + else "/panzer" + ), + }: cfg: let + config = { - "path" = "/media/smb/${name}"; "#persistRoot" = persistRoot; "read only" = "no"; "guest ok" = "no"; @@ -74,28 +109,43 @@ "acl allow execute always" = "no"; } // cfg; - }; + in + { + "${name}" = + {"path" = "/media/smb/${name}";} + // config; + } + // lib.optionalAttrs hasBunker + { + "${name}-important" = + {"path" = "/media/smb/${name}-important";} + // config; + }; in lib.mkMerge [ (mkShare { name = "ggr-data"; user = "ggr"; group = "ggr"; + hasBunker = true; } {}) (mkShare { name = "patri-data"; user = "patrick"; group = "patrick"; + hasBunker = true; } {}) (mkShare { name = "helen-data"; user = "helen"; group = "helen"; + hasBunker = true; } {}) (mkShare { name = "david-data"; user = "david"; group = "david"; + hasBunker = true; } {}) (mkShare { name = "family-data"; 
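Review bot: The backup is registered as `services.restic.backups.main`, and vaultwarden.nix in this same commit registers another `main` with a different `passwordFile`, `hetznerStorageBox` and `paths`; that only holds together while the two modules are never imported into one configuration, and the resulting unit is named `restic-backups-main`, which says nothing about what it protects. Keying the attribute by service, `services.restic.backups.samba = {`, removes the latent merge conflict and gives each host a descriptive unit name. The same consideration applies to the `age.secrets.resticpasswd` name shared by both modules. The enclosing attribute set starts before this hunk.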
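Review bot: The new `}: cfg: let config = { ... } // cfg; in` binding shadows the NixOS `config` module argument for the rest of mkShare's body, so a later `config.services.…` lookup inside it would silently read the share attrset instead; renaming it, `let shareConfig = { ... } // cfg; in` together with `// shareConfig;` in the two share definitions of the following hunk, avoids that trap. Note also that `"#persistRoot" = persistRoot` is part of that shared attrset and the default flips to `/bunker` whenever `hasBunker` is set, so for the four shares below both `${name}` and `${name}-important` are persisted under `/bunker`; if only the important share was meant to live on the backed-up dataset, the base share needs its own persistRoot. mkShare's parameter list starts before this hunk.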
@@ -104,6 +154,8 @@ } {}) (mkShare { name = "media"; + user = "family"; + group = "family"; persistRoot = "/renaultft"; } { @@ -122,35 +174,20 @@ groups = lib.unique (users ++ (lib.mapAttrsToList (_: val: val."force group") config.services.samba.shares)); in { users = lib.mkMerge (lib.flip map users (user: { - ${user} = { - isNormalUser = true; - home = "/var/empty"; - createHome = false; - useDefaultShell = false; - autoSubUidGidRange = false; - group = "${user}"; - }; - }) - ++ [ - { - patrick.extraGroups = [ - "family" - ]; - ggr.extraGroups = [ - "family" - ]; - david.extraGroups = [ - "family" - ]; - helen.extraGroups = [ - "family" - ]; - } - ]); - groups = lib.mkMerge (lib.flip map groups (group: { - ${group} = { + ${user} = { + isNormalUser = true; + home = "/var/empty"; + createHome = false; + useDefaultShell = false; + autoSubUidGidRange = false; + group = "${user}"; }; })); + groups = lib.mkMerge ((lib.flip map groups (group: { + ${group} = { + }; + })) + ++ [{family.members = ["patrick" "david" "helen" "ggr"];}]); }; environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v: { diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index e092413..a7a4600 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix 
@@ -20,9 +20,42 @@ in { } ]; + age.secrets.resticpasswd = { + generator.script = "alnum"; + }; + age.secrets.vaultwardenHetznerSsh = { + generator.script = "ssh-ed25519"; + }; + services.restic.backups = { + main = { + user = "root"; + timerConfig = { + OnCalendar = "06:00"; + Persistent = true; + RandomizedDelaySec = "3h"; + }; + initialize = true; + passwordFile = config.age.secrets.resticpasswd.path; + hetznerStorageBox = { + enable = true; + inherit (config.secrets.secrets.global.hetzner) mainUser; + inherit (config.secrets.secrets.global.hetzner.users.vaultwarden) subUid path; + sshAgeSecret = "vaultwardenHetznerSsh"; + }; + paths = [config.services.vaultwarden.backupDir]; + pruneOpts = [ + "--keep-daily 10" + "--keep-weekly 7" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + }; + services.vaultwarden = { enable = true; dbBackend = "sqlite"; + backupDir = "/tmp/vaultwardenBackup"; config = { dataFolder = lib.mkForce "/var/lib/vaultwarden"; extendedLogging = true; diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index c9151bb..ad1e141 100644 Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ diff --git a/secrets/smb.cred.age b/secrets/smb.cred.age index a0f9d84..f0347d8 100644 --- a/secrets/smb.cred.age +++ b/secrets/smb.cred.age 
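Review bot: `backupDir = "/tmp/vaultwardenBackup";` stages the database backup in a world-writable, shared directory that the restic job above then reads as root; on NixOS /tmp is also commonly tmpfs and cleared on boot, so a reboot before 06:00 leaves nothing to back up. A dedicated directory such as `backupDir = "/var/backup/vaultwarden";` (example path) avoids both problems. Ordering deserves a look as well: the restic timer here is independent of the module's own backup timer, so unless the latter is known to finish before 06:00 the snapshot may capture a stale or partially written copy. The surrounding attribute set continues outside the hunk.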
@@ -1,14 +1,16 @@ age-encryption.org/v1 --> X25519 g3YIxGyN1eZ+1EBvmDOidwML6GtFdSDZdqmgcoXStkU -CX8+qiwK+8snDkwzQ4hjP1LvXFuSIGjzGzB8ZXoZFgY --> piv-p256 XTQkUA A+v6zX1feVTgp7PcQVxdVb9f+swtpTREyjDfi00AgTEE -MVwPR6qqPmNrhStXBN4JqzGLiKaQQkoQBUGzknUpLgs --> piv-p256 ZFgiIw A37uVQyzvorE7+GOYcSNpGvwVfxqh1OJYz5lQ5+sIQ+m -AJqdNjxgifzfmYTXn5XTPC4DHY3r982xmSQU/HirrrM --> piv-p256 ZFgiIw Am/nyZaSfikZr+OdP9qhIjhRfUSRwlxUclus3Bahl1Ed -+IWfzeNXvFO5Q/s8XJkGCJguMHiuTM5dnks9M9pRw/M --> qPGW+-grease -VsuA9wcfbxca5OGjj6gOm2z4sivSF2lzhHM5gOznobFeMZDAbv8i+G0KPepxwalM -/CAzsYTmY5Qb6abKb2zAFNQ ---- eJn/i1/7jmP6oCQ6a3oRiAkSf6IKhVnLBIc2Dm1EmeQ -=zrsr߷ p5֎.+Nq…)N@iQ͠_ޙ?13ȗ^&{*,}zB \ No newline at end of file +-> X25519 oq2s1ILoU7/MPd89ZOQ1GheuM055xNZzeQAnc8tgRAI +hvauZoXVK5aXDYobhbe2d0RBVM0MKOoqLikTN4Rxii8 +-> piv-p256 XTQkUA A1fUvvVMRV4NmSc52Tm3FAwN923gsyoKE72weUjjdOXC +icTwWnRL/caHMTCqefnIWWpOIRU9G/HMAnWT7/tMKY0 +-> piv-p256 ZFgiIw At/IKx37ci7ZVhHeBWLJblyb41+vl34RdibSxoC6rGYU +qt4mjQ+bPpqMgNu0258jVVSdJzuky/3M62OWB2bJSoo +-> piv-p256 5vmPtQ A1OGQCBRY6jQnTAiaj6jTTJKF7LHSSBBSA/O9L7Ibhwk +VsrWqFxavcbpjGMlEfmooPJGVTZMRvuAP+51g+oZfwk +-> piv-p256 ZFgiIw AxHZKPT8E27iGO4XhYw8L3eUrUwQXimhFuF0Jww9V5wa +aYyF8ucsNEqzUSD3tZnYz1tbi3VDF6Z3FvQOZCtfDSA +-> Q;:-grease AH 5XB&' +pDxtEnToRMpFg9cmOXWL10juYPfZ/pxYTygLqOWMXbRFXp2QsGIwSxS+BWY +--- apoEKRQDY6ZWsJai5wPO86kcEaqh7au6UqlOjW0ZOfI +/`SFGY;mr0w{T@U ntqYU p:’HJ1KSMKV@Gns*:/*v +9B \ No newline at end of file diff --git a/secrets/smbpassdb.tdb.age b/secrets/smbpassdb.tdb.age index af7afbe..6fea42c 100644 Binary files a/secrets/smbpassdb.tdb.age and b/secrets/smbpassdb.tdb.age differ diff --git a/users/patrick/smb.nix b/users/patrick/smb.nix index 03c2492..52112e6 100644 --- a/users/patrick/smb.nix +++ b/users/patrick/smb.nix @@ -1,6 +1,6 @@ {nixosConfig, ...}: { home.smb = let - address = "192.168.178.2"; + address = "192.168.178.12"; credentials = nixosConfig.age.secrets.smb-creds.path; in [ { 
@@ -8,15 +8,11 @@
 remotePath = "patri-data";
 automatic = true;
 }
- {
- inherit address credentials;
- remotePath = "ggr-data";
- }
- {
- inherit address credentials;
- remotePath = "patri-paperless";
- automatic = true;
- }
+ #{
+ # inherit address credentials;
+ # remotePath = "patri-paperless";
+ # automatic = true;
+ #}
 {
 inherit address credentials;
 remotePath = "media";
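Review bot: The `patri-paperless` entry is kept as a commented-out block while the `ggr-data` entry in the same hunk is deleted outright; commented-out config goes stale (the `address` it captures already changed in this commit) and git history preserves it anyway. Either remove the block as well or replace it with a one-line note such as `# patri-paperless mount disabled: <reason>` so the next reader knows whether it is meant to come back.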