diff --git a/borgbackup.nix b/borgbackup.nix
new file mode 100644
index 0000000..0be617d
--- /dev/null
+++ b/borgbackup.nix
@@ -0,0 +1,41 @@
+{ pkgs, stdenv, ... }:
+
+let
+ borgPassCommand = pkgs.writeScript "borgPassCommand" ''
+ #!${stdenv.shell}
+ set -euo pipefail
+ # Make sure everything but the password ends up on stderr
+ exec 3>&1 >&2
+ mkdir -p /var/lib/borgbackup
+ chown root:root /var/lib/borgbackup
+ chmod 700 /var/lib/borgbackup
+ if [ ! -s /var/lib/borgbackup/sshkey ]; then
+ ${pkgs.openssh}/bin/ssh-keygen -t rsa -b 4096 -N "" -f /var/lib/borgbackup/sshkey
+ fi
+ if [ ! -s /var/lib/borgbackup/repokey ]; then
+ head -c 1024 /dev/urandom | base64 > /var/lib/borgbackup/repokey
+ chmod 400 /var/lib/borgbackup/repokey
+ fi
+ # Password needs to go into fd 3 as that is the real stdout
+ cat /var/lib/borgbackup/repokey >&3
+ '';
+in
+{
+ services.borgbackup.jobs.postfixadmin = {
+ readWritePaths = [ "/var/lib/borgbackup" ];
+ paths = "/var/lib/postfixadmin";
+ exclude = [ ];
+ repo = "mail2@host01.hamburg.freifunk.net:backup/postfixadmin";
+ prune.keep = {
+ within = "2d";
+ daily = 7;
+ weekly = 2;
+ };
+ encryption = {
+ mode = "repokey";
+ passCommand = borgPassCommand;
+ };
+ compression = "auto,lz4";
+ startAt = "hourly";
+ };
+}
diff --git a/configuration.nix b/configuration.nix
index d337b0d..9a19bf6 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -11,6 +11,7 @@
 ./sshusers.nix
 ./variables.nix
 ./mailserver.nix
+ ./borgbackup.nix
 ];
 
 # Configuration options for the mailserver
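Review bot: Nothing in `services.borgbackup.jobs.postfixadmin` references the key that `borgPassCommand` generates at `/var/lib/borgbackup/sshkey`, so unless an ssh configuration outside this diff selects it, the connection to the `repo` host will use whatever identity the job's user has by default; adding `environment.BORG_RSH = "ssh -i /var/lib/borgbackup/sshkey";` to the job would make the intent explicit. Creating the ssh key as a side effect of the passphrase command is easy to miss, and a comment such as `# first run also creates the ssh key; its .pub must be authorised on the backup host` above the `ssh-keygen` line would help the next operator. The passphrase in `/var/lib/borgbackup/repokey` exists only on the machine being backed up and is not covered by `paths`, so losing this host would leave the `repokey`-mode repository undecryptable; the file should state where the passphrase is escrowed off-host. `base64` wraps its output by default, so the stored passphrase spans several lines, and `head -c 1024 /dev/urandom | base64 -w0` would keep it on one line and easier to re-enter during a restore.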