diff --git a/modules/nixos/my_btrbk/default.nix b/modules/nixos/my_btrbk/default.nix
new file mode 100644
index 0000000..82cdec4
--- /dev/null
+++ b/modules/nixos/my_btrbk/default.nix
@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my_btrbk;
+  inherit (lib) mkEnableOption mkIf mkOption;
+  types = lib.types;
+in
+{
+  options.my_btrbk = {
+    enable = mkEnableOption "Btrbk backups";
+    sshKeyFile = mkOption {
+      type = types.nonEmptyStr;
+    };
+    sshUser = mkOption {
+      type = types.nonEmptyStr;
+      default = "btrbk";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.btrbk.instances."remote_falcon" = {
+      onCalendar = "daily";
+      settings = {
+        ssh_identity = cfg.sshKeyFile;
+        ssh_user = cfg.sshUser;
+
+        incremental = "yes";
+        stream_compress = "zstd";
+        stream_compress_level = "3";
+        target_preserve_min = "no";
+        target_preserve = "5d 4w 6m";
+
+        subvolume = {
+          "/" = {
+            snapshot_name = "root";
+          };
+          "/home" = {
+            snapshot_name = "home";
+          };
+          "/nix" = {
+            snapshot_name = "nix";
+          };
+        };
+        snapshot_dir = "/.btrbk_snapshots";
+        target = "send-receive ssh://10.0.0.5/zpool-backup/backups/${config.networking.hostName}";
+      };
+    };
+  };
+}
diff --git a/secrets/btrbk-keyfile.age b/secrets/btrbk-keyfile.age
new file mode 100644
index 0000000..079bb9d
--- /dev/null
+++ b/secrets/btrbk-keyfile.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 Gc/MTQ kKd7HFgJtplJohdcYXwFM+UXZBwBoQ9KJwfQ2jxS2g4
+yrNEIKJYffcf/NG5XnWl1Icic/gUWVsDK1ddqC+QWI0
+-> ssh-ed25519 mOIk4w /3/0Mb4pFu7a/480skeucHFoAddr08h89qqL7Ojt/gA
+SaXfyGJFDBTzU+zkDxVLe4SK6UNd9/6g3qtXYOQ/Wwo
+-> ssh-ed25519 l9wOAw 8wgspVkjHpxD2tzpVD0yZvipthOVWA6mUWVaWY3Ls20
+iSFw5EEGiv4uYw2JSv8T0fWajLBCajWKQYAHzvjOEwk
+--- +3nHDKkQ7xsKKk8wLBe6/Y5aSm8E25+7XlxrfB6V72g
+³>ˆ§ÜFËã¿«Œsî,Fä)¥›øX§Éý>£~_³Š;Wð0ùjÿ>ëˆßÎÆg*ˆµ×Ôƒ¦!%Ý%`wò;³øçRÈãw¸×ðJ1KÍµÌ¨R|sAB`Å([
+¾~d†ê”îXM®»Ò\³Þlo„‘>F­Ä·íHÒú¸ŠF¬?¯À”²F§‡ö™®(ß1PØ_Ý××#ù|ŸüÃøÿ2
+Oqpp}®jÆ¦€§rwé[D	Á›ÍüëµGce¨gH¢L^XüT¤Šf±Õµ	úè‹*2FoÕ¶kWïÈKÂ´œáV¯¦:Â«&E/ä¸mDz9=‹e)Ý™LÈ†cÝÀÊ#BG«äÔN.æ#ä} ]©vù^Žkž¢åa}Ú–Yz–“D´Ü¸EÔã†l:5Ù)$­]Gþ³ð~à¼‹&O–æCNª±ý"ôÁGJ¶EöQjè4€¡³I“0·’ø®—g¢ô*6æ'Ð«JöÂ<¶¸ÿhÅ‡SÂ©¶ŠJmáÿ±dP3ËÎ=æûs"þ¤÷[«wPÆ¸°k±E;ûd
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index aa656b7..cab9b0b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,5 @@ let
 in
 {
   "k3s.age".publicKeys = keys;
+  "btrbk-keyfile.age".publicKeys = keys;
 }
diff --git a/systems/x86_64-linux/penguin/default.nix b/systems/x86_64-linux/penguin/default.nix
index 2446c8a..5dcdcad 100644
--- a/systems/x86_64-linux/penguin/default.nix
+++ b/systems/x86_64-linux/penguin/default.nix
@@ -16,11 +16,21 @@ in
     ./hardware-configuration.nix
   ];
   config = {
+    age.secrets.k3s.file = ../../../secrets/k3s.age;
+    age.secrets.btrbk-keyfile = {
+      file = ../../../secrets/btrbk-keyfile.age;
+      owner = "btrbk";
+      group = "btrbk";
+    };
 
     my_users.enable = true;
     my_nix.enable = true;
 
-    age.secrets.k3s.file = ../../../secrets/k3s.age;
+    my_btrbk = {
+      enable = true;
+      sshKeyFile = config.age.secrets.btrbk-keyfile.path;
+    };
+
 
     my_k3s = {
       enable = true;