diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index e260728..15d723e 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -3,6 +3,7 @@ lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
+ "dgn-backups"
 "dgn-fail2ban"
 "dgn-web"
 ];
diff --git a/machines/compute01/hedgedoc.nix b/machines/compute01/hedgedoc.nix
index abd466b..4bd0d5c 100644
--- a/machines/compute01/hedgedoc.nix
+++ b/machines/compute01/hedgedoc.nix
@@ -57,4 +57,6 @@ in
 "hedgedoc"
 "hedgedoc/uploads"
 ];
+
+ dgn-backups.jobs.hedgedoc.settings.paths = [ "/var/lib/hedgedoc" ];
 }
diff --git a/machines/compute01/secrets/bupstash-put_key b/machines/compute01/secrets/bupstash-put_key
new file mode 100644
index 0000000..3ea9515
Binary files /dev/null and b/machines/compute01/secrets/bupstash-put_key differ
diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix
index 3264fab..2b057cc 100644
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@@ -4,6 +4,7 @@ let
 in
 lib.setDefault { inherit publicKeys; } [
+ "bupstash-put_key"
 "ds-fr-secret_file"
 "grafana-smtp_password_file"
 "grafana-oauth_client_secret_file"
diff --git a/machines/compute01/vaultwarden.nix b/machines/compute01/vaultwarden.nix
index 0f9c25b..abc2f47 100644
--- a/machines/compute01/vaultwarden.nix
+++ b/machines/compute01/vaultwarden.nix
@@ -71,4 +71,6 @@ in
 ];
 };
 };
+
+ dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
 }
diff --git a/machines/geo01/_configuration.nix b/machines/geo01/_configuration.nix
index 8f2a118..92482e7 100644
--- a/machines/geo01/_configuration.nix
+++ b/machines/geo01/_configuration.nix
@@ -3,6 +3,7 @@ lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
+ "dgn-backups"
 ];
 enabledServices = [
diff --git a/machines/geo02/_configuration.nix b/machines/geo02/_configuration.nix
index 8f2a118..92482e7 100644
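Review bot: `dgn-backups.jobs.hedgedoc.settings.paths = [ "/var/lib/hedgedoc" ];` snapshots the live state directory as plain files, and the vaultwarden hunk does the same with `/var/lib/bitwarden_rs`; if either service keeps its database inside that directory (vaultwarden's NixOS default is an SQLite file there, hedgedoc's backend is not visible in this diff), a file-level copy taken while the service is writing can be internally inconsistent and fail to restore. The new module exposes `dgn-backups.pgDumps` for Postgres-backed services, so hedgedoc should use that if its database is Postgres, and the vaultwarden job needs either a consistent database export or a stop/start around the snapshot to give the same guarantee. A short comment on each of these lines saying which of the service's data the path is meant to cover (uploads only, or the database as well) would make the intended scope of the backup checkable at review time.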
--- a/machines/geo02/_configuration.nix
+++ b/machines/geo02/_configuration.nix
@@ -3,6 +3,7 @@ lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
+ "dgn-backups"
 ];
 enabledServices = [
diff --git a/machines/storage01/_configuration.nix b/machines/storage01/_configuration.nix
index 241238b..a3d257f 100644
--- a/machines/storage01/_configuration.nix
+++ b/machines/storage01/_configuration.nix
@@ -3,6 +3,7 @@ lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
+ "dgn-backups"
 "dgn-fail2ban"
 "dgn-web"
 ];
diff --git a/modules/default.nix b/modules/default.nix
index cb364e1..df7b033 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -39,6 +39,7 @@ (lib.extra.mkImports ./. [
 "dgn-access-control"
 "dgn-acme"
+ "dgn-backups"
 "dgn-console"
 "dgn-fail2ban"
 "dgn-hardware"
@@ -55,5 +56,6 @@
 "age-secrets"
 "services/crabfit"
 "services/forgejo-nix-runners"
+ "services/bupstash"
 ]);
 }
diff --git a/modules/dgn-backups/default.nix b/modules/dgn-backups/default.nix
new file mode 100644
index 0000000..b306bf8
--- /dev/null
+++ b/modules/dgn-backups/default.nix
@@ -0,0 +1,125 @@
+{
+ config,
+ lib,
+ name,
+ ...
+}:
+
+let
+ inherit (lib) mkEnableOption mkOption remove;
+
+ inherit (lib.types)
+ attrs
+ attrsOf
+ listOf
+ str
+ submodule
+ ;
+
+ cfg = config.dgn-backups;
+
+ homes = {
+ compute01 = "/data/slow/bupstash";
+ geo01 = "/data/bupstash";
+ geo02 = "/data/bupstash";
+ storage01 = "/data/slow/bupstash";
+ };
+
+ starts = {
+ compute01 = "*-*-* *:28:00";
+ };
+
+ mkJobs = builtins.mapAttrs (
+ _:
+ { to, settings }:
+ {
+ startAt = starts.${name};
+ key = config.age.secrets."bupstash-put_key".path;
+ repositoryCommands =
+ lib.extra.mapSingleFuse (host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum")
+ to;
+ }
+ // settings
+ );
+
+ mkPgJobs = lib.extra.mapFuse (db: { "pg-${db}" = { }; });
+in
+
+{
+ options.dgn-backups = {
+ enable = mkEnableOption "DGNum backup service.";
+
+ pgDumps = mkOption {
+ type = listOf str;
+ default = [ ];
+ description = ''
+ List of postgres databases to dump into bupstash.
+ '';
+ };
+
+ jobs = mkOption {
+ type = attrsOf (
+ submodule {
+ options = {
+ to = mkOption {
+ type = listOf str;
+ default = remove name [
+ "compute01"
+ "geo01"
+ "geo02"
+ "storage01"
+ ];
+ description = "Hosts to send the backups to.";
+ };
+
+ settings = mkOption {
+ type = attrs;
+ default = { };
+ description = "Base bupstash job config.";
+ };
+ };
+ }
+ );
+ default = { };
+ description = "List of bupstash jobs.";
+ };
+ };
+
+ config = {
+ services.bupstash = {
+ repositories = {
+ inherit (cfg) enable;
+
+ home = homes.${name};
+
+ access = [
+ {
+ repo = "default";
+ keys = lib.extra.getAllKeys (
+ # Nodes allowed to create backups
+ builtins.map (host: "machines/${host}") [
+ "compute01"
+ "storage01"
+ "vault01"
+ "web01"
+ ]
+ );
+ allowed = [ "put" ];
+ }
+ ];
+ };
+
+ jobs = (mkPgJobs cfg.pgDumps) // (mkJobs cfg.jobs);
+ };
+
+ programs.ssh.knownHosts =
+ lib.extra.mapFuse
+ (host: { "${host}.dgnum".publicKey = builtins.head (lib.extra.getKeys "machines/${host}"); })
+ [
+ "compute01"
+ "geo01"
+ "geo02"
+ "storage01"
+ ];
+ };
+}
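Review bot: `startAt = starts.${name};` in `mkJobs` only evaluates on compute01, the sole key of `starts`, so the first `dgn-backups.jobs.*` entry defined on geo01, geo02 or storage01 (all of which this commit enables the module on) will fail evaluation with a missing-attribute error instead of a readable message; either give `starts` an entry for every host in `homes` or fall back explicitly, e.g. `startAt = starts.${name} or "<default-schedule>";` (placeholder value). In the same `let`, `mkPgJobs` yields `{ "pg-${db}" = { }; }` with none of the `startAt`, `key` or `repositoryCommands` that `mkJobs` attaches, so unless `services/bupstash` derives those from the job name, `pgDumps` jobs end up with no key and no destination — an assertion, or a comment saying where those values come from, would close that gap. The `access` entry that grants the client host keys only `put` is the right least-privilege shape (as far as the repository-side ACL goes, a compromised client can add snapshots but not list, read or delete existing ones, assuming `bupstash-put_key` is in fact a put-only sub-key); a one-line comment stating that intent next to `allowed = [ "put" ];` would discourage it being widened later. `description = "List of bupstash jobs."` on `jobs` describes an attribute set, so `"Attribute set of bupstash jobs, keyed by job name."` is more accurate.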