diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index bad4bf33..dc9fae0e 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -269,6 +269,8 @@ in
         owner = config.users.users.hydra-queue-runner.name;
         inherit (config.users.users.hydra-queue-runner) group;
       };
+      "restic/hydra/password".owner = "root";
+      "restic/hydra/repository".owner = "root";
       "ssh-keys/hydra/private" = {
         owner = "hydra";
         mode = "400";
diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml
index 4fa57aa9..eda0098f 100644
--- a/hosts/hydra/secrets.yaml
+++ b/hosts/hydra/secrets.yaml
@@ -16,6 +16,10 @@ ssh-keys:
     updater:
         private: ENC[AES256_GCM,data:D9IHwI/gOc3LFDdiRpMYdldPwfZpvF03ThJvqVMESqHWRoKXrb0raUkLDfy0kvJZF2glWwXME3SDToiyi+4/iaxCEkO40qxxW4mqzrNfVNq1OjcyganYML3f7sDtQ6UzsBQK3CWlb6YvdQlvAwaUvhPuCu9bi8IBfSTDZtV8NcAyVkir8sOYALAPUxoiHXAk01I3htcL9EMpK9MExQhpkwL4ESlXQ5cB+qzUnOW1jGyN7FvKIlkLpIPxtKKiUV86cNkxYe84H9/1Jy3VjmTf03xhnWlp3d4/pbUhgFnT2wVZH0A4tu6Ewhkx8I5v9fqEunOTvZE2+6a5lfHpdva+mK+wDItwF2fwt0PHXUBVoIvqRI3LZzlqI9FNv3xRW7Sa0q8tHiQjrtTLxw9MtuwDlisBpLEWKkhVEUGuSznGRH1PxyL2kNjavWTgRsRY5dPDWAWAQ37AJBCfqGyRg+NE5cqZBzYBheMHKrGqp7ePmKaIBw6F5qFZ1II7ucNUeimu9A/3qMMU41B/++opDKq3,iv:DMD11AUuWPHutmZOVBeL1megyvQxbJ9Tw5ApH3RWrCw=,tag:yyWpFuJua79+QCMIOOCpwQ==,type:str]
         public: ENC[AES256_GCM,data:sphILo6Xz3eCsIC0Y8fr4+CllH2nK42aijMDp5Psc5vhnxCuBxL+Zh4yT3NkPjAHMYZyAxp35uOGOjpOUNS+ii14C86WVTpWtiX3d52/1W5MK9SUGIBQrw8oGoqJeg==,iv:SlinQ+S0QEI6pMzUm8oJqJmlW11ULne2e73974RHiYw=,tag:QkFP9D3MsXM6OSPDqnKKOw==,type:str]
+restic:
+    hydra:
+        password: ENC[AES256_GCM,data:TVQ12PZpREWiOosAd6bLF6ksOcrIJyxn6SUyYTEimT0=,iv:76iy8wX89CxeRJLjH+xN38HuU2if9UmslFQSskQQGPc=,tag:Ov1Kk2jGwqberFPNldW3Sg==,type:str]
+        repository: ENC[AES256_GCM,data:enrY2E+ckmqh4ZPx87/JPZVdumAq4LltVyyOMJu8VfFTobE/KbvZZ8APJofMRdGFy74DVUDfbTearHBLjryZG/s8JSBEkFA+qN4FoeUTYRjriNaWzGLQFI3QVnlETNeQ,iv:61RIcOEnYzcwVcw9+Tzq1uyqPEGm3MDOzaYfPaBQm4k=,tag:xImYRWaeWytMhvVNQkJYaA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -40,8 +44,8 @@ sops:
             WkRmWkpEYVMrZ0tKQVgrRk5YU0grTFEK3cX9v11MK9LIw4w51hr2zyLP3biGxkdf
             dl77D0IS9m2u0HipmzUs95m+z5j47hiX4Qo1Uza/sshwDBYyia4upg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-03T18:30:22Z"
-    mac: ENC[AES256_GCM,data:dy18dqKru8/ytsg44j2W+dAkW1yRcAHdvQIkVlPid5Kg/yu4c4Ba47p3idEhySmN7JQaqZmVKhrsU3VyJ/vURXyaP+vlkXdIfed2dTd97I07pTpI7+NA2ekN3teDvh/hmuxnUZwNjIY3WbaR1Yyu4zMJ4qPJMKDR59BORy2iigk=,iv:K1X8yjJJI0l6VJnBBUZs8onomILB9QfNtuVk3ToONtw=,tag:ORMFr4XRojlaro2aP9apNQ==,type:str]
+    lastmodified: "2023-05-15T21:34:01Z"
+    mac: ENC[AES256_GCM,data:/Nf2F9WAt9FwdU+kfwomjCtu41r5LMezzQL/7AmOTDRw4geqL/AmlDo0UacJjAy9sa7pPl267lsv3CWCocVaCDCyemzjhW6/IbmGpx/2KlkX27pVIxd7S7Ai8lsqHQzhWcFaI3ASgFuisbZhl60CPeG/7p3lVXi2tOFUCT5sfvc=,iv:WZjQqU4EjN3IHlGTvy3VMWkF+DbGmUqyFpPovS7RZYo=,tag:afSJ5E/QkuL/KkHq9Fx1ag==,type:str]
     pgp:
         - created_at: "2022-12-26T19:10:03Z"
           enc: |
diff --git a/hosts/matemat/default.nix b/hosts/matemat/default.nix
index 054f6ce3..c031abd1 100644
--- a/hosts/matemat/default.nix
+++ b/hosts/matemat/default.nix
@@ -61,7 +61,11 @@
 
   sops = {
     defaultSopsFile = ./secrets.yaml;
-    secrets."nginx/basic-auth".owner = "nginx";
+    secrets = {
+      "nginx/basic-auth".owner = "nginx";
+      "restic/matemat/password".owner = "root";
+      "restic/matemat/repository".owner = "root";
+    };
   };
 
   system.stateVersion = "22.05";
diff --git a/hosts/matemat/secrets.yaml b/hosts/matemat/secrets.yaml
index 90f00d5c..8b9bcc17 100644
--- a/hosts/matemat/secrets.yaml
+++ b/hosts/matemat/secrets.yaml
@@ -1,5 +1,9 @@
 nginx:
     basic-auth: ENC[AES256_GCM,data:VIjP7lqSmGxKswz1XDLxKp4=,iv:meyfO0gUjfqS5bRjnBMzR34UL0uLInvodv+8DS5IRnI=,tag:GHIKdh14N1JGWbRedr9T7w==,type:str]
+restic:
+    matemat:
+        password: ENC[AES256_GCM,data:HTmFqGVJXx/jJsJa5wAQgVChxCxowcIPAtIIlcGrBZo=,iv:GQiU5QHJnltFDZIvCbNjxQ8G0q2Dx96iHMtVED0+WlU=,tag:A/DqiVDzdTkAsMQ91WlDvw==,type:str]
+        repository: ENC[AES256_GCM,data:T9vOnodT1tpu1S0Kg89/Pgm/vD3vjxj7oi0Ecn5xWfNhZNOZNrk7VAYSQMWYSPLECdVNVirAGSNpHFDViPppeT38uVkA1ErU9QVMuHnBnTKKFxF5sVzjlRLIWw9T2Yca5bKVlw==,iv:z/VGOwMAj8nY6Y2qGXWD/LL4ndh6p4obLmB4QgzoRhw=,tag:yAhL9dHecf8DtrRn5E4HnQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +28,8 @@ sops:
             QnpEYmxzdXVoM2lQaWJTRk5jUnY5ZTgKIiOCV2WB+R5LAgj6nyS/9dcqmN6FWIaN
             SlQTSOzYFop776o7A9r109XtKi00ay4wMssZapTuyGaDkTrdgltE6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-26T22:16:10Z"
-    mac: ENC[AES256_GCM,data:AysAVvYXKAIw7KMjVCilXmRYEP3+i5QOLc2krKpc+oonfYofTxCQSTpISJXytpLZHX1sP+ACCApFY1+nOgfvSL8meE/VWJb6ltRQGXxccoeLwZkqwyjjD8VW4OBED0CbpZb5a/bC4PyYW1biCrbgnwXzBtlGe5OBkL2s8jLblj4=,iv:GzIo9ca/W+6sLU1vVY3JuNpg+1pKeS0Zqj6GiEPGjVo=,tag:uaSZ/GwnjGcczqCs2dIzmg==,type:str]
+    lastmodified: "2023-05-15T21:24:22Z"
+    mac: ENC[AES256_GCM,data:V0HKPqkonpbJtxpUtCkz2pPIYWjtE5BhRgwbb/uGFTIlkA+VX75xhTWmKZBxHgcIhNvFI2uxnQgq7AOuegN3klAOq82qlWMHR2bIwj25ugc90gOJoZt8QnDTM/aH8G0xgO2KKEtQ8l31YMQjr8RWzGF9WbAxY5t5a/ULrxPESvY=,iv:0/qShbUIcdKrFnIx0CoUQzVAaueRoM38yGEYvUh79HQ=,tag:Iu/vRr2G93PU27W6k+0yDg==,type:str]
     pgp:
         - created_at: "2022-12-26T22:15:56Z"
           enc: |