diff --git a/machines/lebesgue/config/backups.nix b/machines/lebesgue/config/backups.nix
deleted file mode 100644
index 3a16bf9..0000000
--- a/machines/lebesgue/config/backups.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- pkgs,
- config,
- ...
-}: let
- paths = ["/var/lib/vaultwarden"];
- exclude = [];
-
- secrets = config.sops.secrets;
-in {
- users.groups.restic = {};
- users.users.restic = {
- isSystemUser = true;
- group = "restic";
- };
-
- security.wrappers.restic = {
- source = "${pkgs.restic.out}/bin/restic";
- owner = "restic";
- group = "restic";
- permissions = "u=rwx,g=,o=";
- capabilities = "cap_dac_read_search=+ep";
- };
-
- services.restic.backups = {
- s3 = {
- inherit paths exclude;
- user = "restic";
-
- repositoryFile = secrets.restic-repository.path;
- environmentFile = secrets.restic-env.path;
- passwordFile = secrets.restic-password.path;
-
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 4"
- ];
- };
- };
-}
diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix
index 4b06b9b..693aa4b 100644
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@@ -16,12 +16,21 @@
 signups = false;
 envPath = config.sops.secrets.vaultwarden-env.path;
 };
- };
- services.tailscale = {
- enable = true;
- authKeyFile = config.sops.secrets.tskey.path;
- openFirewall = true;
+ backups.restic = {
+ enable = true;
+
+ repositoryFile = config.sops.secrets.restic-repository.path;
+ environmentFile = config.sops.secrets.restic-env.path;
+ passwordFile = config.sops.secrets.restic-password.path;
+
+ paths = ["/var/lib/vaultwarden"];
+ };
+
+ tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets.tskey.path;
+ };
 };
 boot.loader.systemd-boot.enable = true;
@@ -30,7 +39,6 @@
 i18n.defaultLocale = "en_US.UTF-8";
 networking.firewall.allowedTCPPorts = [22];
- networking.firewall.trustedInterfaces = ["tailscale0"];
 system.stateVersion = "24.11";
 }
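Review bot: The new `backups.restic` block in the first configuration.nix hunk hands `config.sops.secrets.restic-repository.path` and `config.sops.secrets.restic-password.path` to a backup that the new module runs as the unprivileged `restic` user, but nothing in this commit changes who may read those files; with sops-nix's default root-owned 0400 secrets the restic process will fail to open `passwordFile`/`repositoryFile` at run time (the `environmentFile` should be unaffected, since systemd reads `EnvironmentFile` itself). If the secrets are not already declared with an owner elsewhere, add it next to their declarations, e.g. `sops.secrets.restic-password.owner = "restic";` (and the same for `restic-repository`). The attribute set that this hunk edits starts before the hunk, so the name of the enclosing option is not visible here.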
diff --git a/machines/lebesgue/flake.lock b/machines/lebesgue/flake.lock
index 40f6175..68ca3da 100644
--- a/machines/lebesgue/flake.lock
+++ b/machines/lebesgue/flake.lock
@@ -7,7 +7,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-4RJQyq1PJVInDYTv3WfTig9BDilHndsygEHgIM4DJdY=",
+ "narHash": "sha256-fX+L0Z4YfKPZJdpaosa7INNGnEaVpAswpyqz9mf+oHA=",
 "path": "../../nixos",
 "type": "path"
 },
diff --git a/nixos/common/backups/restic.nix b/nixos/common/backups/restic.nix
new file mode 100644
index 0000000..964e779
--- /dev/null
+++ b/nixos/common/backups/restic.nix
@@ -0,0 +1,70 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf mkEnableOption mkOption types;
+ cfg = config.foehammer.backups.restic;
+in {
+ options.foehammer.backups.restic = {
+ enable = mkEnableOption "Enable restic backups";
+
+ repositoryFile = mkOption {
+ type = types.nullOr types.path;
+ };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.str;
+ };
+
+ passwordFile = mkOption {
+ type = types.str;
+ };
+
+ paths = mkOption {
+ type = lib.types.nullOr (lib.types.listOf lib.types.str);
+ default = [];
+ };
+
+ exclude = mkOption {
+ type = lib.types.nullOr (lib.types.listOf lib.types.str);
+ default = [];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.groups.restic = {};
+ users.users.restic = {
+ isSystemUser = true;
+ group = "restic";
+ };
+
+ security.wrappers.restic = {
+ source = "${pkgs.restic.out}/bin/restic";
+ owner = "restic";
+ group = "restic";
+ permissions = "u=rwx,g=,o=";
+ capabilities = "cap_dac_read_search=+ep";
+ };
+
+ services.restic.backups = {
+ remote = {
+ paths = cfg.paths;
+ exclude = cfg.exclude;
+ user = "restic";
+
+ initialize = true;
+
+ repositoryFile = cfg.repositoryFile;
+ environmentFile = cfg.environmentFile;
+ passwordFile = cfg.passwordFile;
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ ];
+ };
+ };
+ };
+}
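Review bot: The `security.wrappers.restic` capability wrapper in the `config` block of restic.nix is never reached by the backup unit: `services.restic.backups.remote` leaves `package` at its default, so the timer runs the plain `pkgs.restic` as user `restic` and, as far as this module shows, has no way to read `/var/lib/vaultwarden` or root-owned secret files, while the wrapper stays installed as a capability-bearing binary that only an interactive invocation would use. Either point the backup at it, `package = pkgs.writeShellScriptBin "restic" ''exec /run/wrappers/bin/restic "$@"'';` inside `remote`, or drop the wrapper and solve read access with file ownership instead; a one-line comment on whichever is kept, e.g. `# cap_dac_read_search lets the unprivileged restic user read every path in cfg.paths`, would record the intent. Separately, `repositoryFile` and `environmentFile` are `types.nullOr` with no `default`, so evaluating `cfg.repositoryFile` on a host that leaves it unset fails with "option ... is used but not defined"; add `default = null;` or make them plain required types. The options also have no `description`, and `mkEnableOption "Enable restic backups"` renders as "Whether to enable Enable restic backups." — `mkEnableOption "restic backups"` reads correctly.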
diff --git a/nixos/common/tailscale.nix b/nixos/common/tailscale.nix
new file mode 100644
index 0000000..0cb3ff1
--- /dev/null
+++ b/nixos/common/tailscale.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+ cfg = config.foehammer.tailscale;
+in {
+ options.foehammer.tailscale = {
+ enable = mkEnableOption "Enable tailscale";
+ authKeyFile = mkOption {
+ type = types.nullOr types.path;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.tailscale = {
+ enable = true;
+ authKeyFile = cfg.authKeyFile;
+ openFirewall = true;
+ };
+
+ networking.firewall.trustedInterfaces = ["tailscale0"];
+ };
+}
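Review bot: `networking.firewall.trustedInterfaces = ["tailscale0"];` is now baked into the shared module with no way to opt out, so every host that sets `foehammer.tailscale.enable` exposes all of its listening ports to every peer on the tailnet, even where the host otherwise keeps a deliberate `allowedTCPPorts` allow-list. This reproduces what the host config did before the move, but in a reusable module it should be an explicit choice: gate it behind a new boolean option (say `trustInterface`, defaulting to the current behaviour) or at least annotate the line, e.g. `# every tailnet peer bypasses the host firewall on tailscale0`. `authKeyFile` is `types.nullOr types.path` without a `default`, so evaluating `cfg.authKeyFile` fails when a host enables the module without setting it; `default = null;` matches what `services.tailscale.authKeyFile` accepts. `mkEnableOption "Enable tailscale"` also renders as "Whether to enable Enable tailscale." and the options carry no `description`.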