diff --git a/bigbird/backups.nix b/bigbird/backups.nix
new file mode 100644
index 0000000..c6735e8
--- /dev/null
+++ b/bigbird/backups.nix
@@ -0,0 +1,28 @@
+{pkgs, ...}: {
+  services.restic.server = {
+    enable = true;
+    prometheus = true;
+    privateRepos = true;
+    dataDir = "/nas/chandler/backups/restic";
+    appendOnly = true;
+    extraFlags = [
+      "--prometheus-no-auth"
+    ];
+  };
+  services.restic.backups = {
+    remotebackup = {
+      initialize = true;
+      environmentFile = "/etc/secrets/restic_env";
+      passwordFile = "/etc/secrets/restic_pass";
+      paths = [
+        "/"
+      ];
+      repository = "rest:http://bigbird:8000/bert/"; #"b2:chandlerswift-bert-backup/";
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-monthly 12"
+      ];
+    };
+  };
+}
diff --git a/bigbird/configuration.nix b/bigbird/configuration.nix
index 0bac923..ad025c7 100644
--- a/bigbird/configuration.nix
+++ b/bigbird/configuration.nix
@@ -4,6 +4,7 @@
     [ # Include the results of the hardware scan.
       # <nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64.nix>
       ./hardware-configuration.nix
+      ./backups.nix
       ./kathe.nix
       ./smb.nix
     ];
@@ -49,7 +50,7 @@
   };
 
   # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
+  networking.firewall.allowedTCPPorts = [ 8000 ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;