diff --git a/hosts/droppie/droppie.nix b/hosts/droppie/droppie.nix index 4e03b6c2..c65e361e 100644 --- a/hosts/droppie/droppie.nix +++ b/hosts/droppie/droppie.nix @@ -7,6 +7,8 @@ in { imports = [ ./configuration.nix + ./nextcloud-web-tunnel.nix + ./restic-backup.nix ]; config = { @@ -27,26 +29,6 @@ in } ]; - services.openssh.knownHosts = { - "cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW"; - }; - - systemd.services.ssh-tunnel-cloud-pub-solar = { - unitConfig = { - Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host"; - After = [ "network.target" ]; - }; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o 'ServerAliveInterval 10' -o 'ExitOnForwardFailure yes' -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar"; - User = psCfg.user.name; - Group = "users"; - Restart = "always"; - RestartSec = "5s"; - }; - wantedBy = [ "default.target" ]; - }; - services.ddclient = { enable = true; ipv6 = true; diff --git a/hosts/droppie/nextcloud-web-tunnel.nix b/hosts/droppie/nextcloud-web-tunnel.nix new file mode 100644 index 00000000..0b2dbfe6 --- /dev/null +++ b/hosts/droppie/nextcloud-web-tunnel.nix 
@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+
+{
+ config = {
+ services.openssh.knownHosts = {
+ "cloud.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABPJSwr9DfnqV0KoL23BcxlWtRxuOqQpnFnCv4SG/LW";
+ };
+
+ systemd.services.ssh-tunnel-cloud-pub-solar = {
+ unitConfig = {
+ Description = "Reverse SSH connection to enable backups from IPv4-only to IPv6-only host";
+ After = [ "network.target" ];
+ };
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o 'ServerAliveInterval 10' -o 'ExitOnForwardFailure yes' -R 127.0.0.1:22022:localhost:22 root@cloud.pub.solar";
+ User = psCfg.user.name;
+ Group = "users";
+ Restart = "always";
+ RestartSec = "5s";
+ };
+ wantedBy = [ "default.target" ];
+ };
+ };
+}
diff --git a/hosts/droppie/restic-backup.nix b/hosts/droppie/restic-backup.nix
new file mode 100644
index 00000000..6a4a282c
--- /dev/null
+++ b/hosts/droppie/restic-backup.nix
@@ -0,0 +1,50 @@
+{ pkgs, ... }:
+
+let
+ shutdownWaitMinutes = 15;
+ shutdownScript = pkgs.writeScript "shutdown" ''
+STATUS_FILES="/media/internal/backups-pub-solar/status"
+
+running=""
+
+for f in $STATUS_FILES; do
+ declare started
+ declare finished
+
+ started=$(source $f ; echo ''${BACKUP_STARTED})
+ finished=$(source $f ; echo ''${BACKUP_FINISHED})
+
+ if [ -z "''${finished}" ]; then
+ echo "backup $(dirname $f) still running"
+ running="yes"
+ break
+ fi
+done
+
+if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then
+ echo "backups are still running"
+ exit 1
+fi
+
+echo "WARNING: System will be shut down within the next 15 minutes" | wall
+
+sleep 10
+
+shutdown -P +${builtins.toString shutdownWaitMinutes}
+ '';
+in
+{
+ systemd.services."shutdown-after-backup" = {
+ enable = true;
+ serviceConfig = {
+ ExecStart = shutdownScript;
+ };
+ };
+
+ systemd.timers."shutdown-after-backup" = {
+ enable = true;
+ serviceConfig = {
+ OnCalendar = "3..9:*";
+ };
+ };
+}
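Review bot: In hosts/droppie/nextcloud-web-tunnel.nix, `User = psCfg.user.name;` refers to `psCfg`, but the new module only takes `{ pkgs, ... }:` and has no `let` binding for it, so evaluation should fail with an undefined variable. Take `config` in the argument set and bind `psCfg` the same way droppie.nix does (that binding is outside the hunks shown), e.g. `let psCfg = <binding used in droppie.nix>; in`. The tunnel also logs in as `root@cloud.pub.solar` only to hold a `-R` forward; a dedicated remote account whose `authorized_keys` entry carries `restrict,port-forwarding,permitlisten="127.0.0.1:22022"` would limit what this host's key can do on the remote side. `-g` only applies to local forwards and `-vvv` is debug verbosity in the journal, so both can be dropped from `ExecStart`.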
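Review bot: In hosts/droppie/restic-backup.nix the script runs `source $f` on the status file from a system service, so anything that can write to `/media/internal/backups-pub-solar/status` gets shell execution as that service's user (root, since no `User` is set in the visible `serviceConfig`); reading `BACKUP_FINISHED` as data avoids that. Two things also look like they keep the unit from working at all: `pkgs.writeScript` emits no shebang while the body relies on bash (`declare`, `source`), and the timer puts `OnCalendar` under `serviceConfig` where NixOS timers take `timerConfig`, with no `wantedBy = [ "timers.target" ]` to start it. The sketch below assumes the status file holds plain `BACKUP_FINISHED=value` lines, which the diff does not show. Separately, `3..9:*` fires every minute from 03:00 to 09:59 and each run issues `shutdown -P +15` again, so confirm that schedule is intended.

```nix
  shutdownScript = pkgs.writeShellScript "shutdown" ''
# … unchanged: STATUS_FILES, running, loop header …
  # read the marker as data instead of executing the status file
  finished=$(sed -n 's/^BACKUP_FINISHED=//p' "$f")
# … unchanged: running check, wall, sleep, shutdown …
  '';
# … unchanged: systemd.services."shutdown-after-backup" …
  systemd.timers."shutdown-after-backup" = {
    enable = true;
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "3..9:*";
    };
  };
```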