diff --git a/hosts/fae/invoiceplane.nix b/hosts/fae/invoiceplane.nix index 37ece074..9d2b0c64 100644 --- a/hosts/fae/invoiceplane.nix +++ b/hosts/fae/invoiceplane.nix @@ -58,21 +58,23 @@ in systemd.tmpfiles.rules = [ "d '${backupDir}' 0700 root root - -" ]; - #services.restic.backups = { - # invoiceplane = { - # paths = [ - # backupDir - # "/var/lib/invoiceplane/billing.faenix.eu" - # ]; - # initialize = true; - # passwordFile = config.age.secrets."restic-password".path; - # # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ - # repository = "rclone:cloud.pub.solar:/backups/InvoicePlane"; - # backupPrepareCommand = '' - # PW=$(cat ${config.age.secrets."invoiceplane-db-password".path}) - # ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/mariadb-dump.sql" - # ''; - # rcloneConfigFile = config.age.secrets."rclone-fae.conf".path; - # }; - #}; + services.restic.backups = { + invoiceplane = { + paths = [ + backupDir + "/var/lib/invoiceplane/billing.faenix.eu" + ]; + timerConfig = { + OnCalendar = "*-*-* 00:00:00 Etc/UTC"; + }; + initialize = true; + passwordFile = config.age.secrets."restic-password.age".path; + # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ + repository = "rclone:cloud.pub.solar:/Backups/InvoicePlane"; + backupPrepareCommand = '' + ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/invoiceplane-mariadb-dump.sql" + ''; + rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path; + }; + }; } diff --git a/hosts/fae/paperless.nix b/hosts/fae/paperless.nix index 6057c686..a68dd670 100644 --- a/hosts/fae/paperless.nix +++ b/hosts/fae/paperless.nix 
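Review bot: The new `backupPrepareCommand` writes a full plaintext dump to `${backupDir}/invoiceplane-mariadb-dump.sql`, and nothing in the added block removes it after the run, so the billing data stays unencrypted on the host between backups. Adding `backupCleanupCommand = "rm -f ${backupDir}/invoiceplane-mariadb-dump.sql";` next to it would limit that exposure. The dump is also taken without `--single-transaction`, so it may not be a consistent snapshot if InvoicePlane writes while it runs. With `--password` gone, the command presumably relies on socket authentication for `--user=invoiceplane`; a short comment saying so, and confirming which account the restic unit runs as, would help the next reader.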
@@ -79,26 +79,29 @@ in "d '${backupDir}' 0700 ${psCfg.user.name} users - -" ]; - #age.secrets."rclone-fae.conf" = { - # file = "${flake.self}/secrets/rclone-fae.conf.age"; - # path = "/root/.config/rclone/rclone.conf"; - # mode = "400"; - #}; + age.secrets."fae-rclone.conf.age" = { + file = "${flake.self}/secrets/fae-rclone.conf.age"; + path = "/root/.config/rclone/rclone.conf"; + mode = "400"; + }; - #age.secrets."restic-password" = { - # file = "${flake.self}/secrets/restic-password.age"; - # mode = "400"; - #}; + age.secrets."restic-password.age" = { + file = "${flake.self}/secrets/restic-password.age"; + mode = "400"; + }; - #services.restic.backups = { - # paperless = { - # paths = [ backupDir ]; - # initialize = true; - # passwordFile = config.age.secrets."restic-password".path; - # # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ - # repository = "rclone:cloud.pub.solar:/backups/Paperless"; - # backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p"; - # rcloneConfigFile = config.age.secrets."rclone-fae.conf".path; - # }; - #}; + services.restic.backups = { + paperless = { + paths = [ backupDir ]; + timerConfig = { + OnCalendar = "*-*-* 01:00:00 Etc/UTC"; + }; + initialize = true; + passwordFile = config.age.secrets."restic-password.age".path; + # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ + repository = "rclone:cloud.pub.solar:/Backups/Paperless"; + backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p"; + rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path; + }; + }; } diff --git a/secrets/fae-rclone.conf.age b/secrets/fae-rclone.conf.age new file mode 100644 index 00000000..a1c6abfb Binary files /dev/null and b/secrets/fae-rclone.conf.age differ diff --git a/secrets/restic-password.age b/secrets/restic-password.age new file mode 100644 index 00000000..0fb018cd --- /dev/null 
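Review bot: The `age.secrets."fae-rclone.conf.age"` and `age.secrets."restic-password.age"` declarations enabled here are also read by `hosts/fae/invoiceplane.nix` in this same commit, so the InvoicePlane backup only evaluates while paperless.nix is imported. Declaring both secrets in a module shared by the two services would remove that hidden dependency. The attribute names also carry the `.age` suffix although `.path` refers to the decrypted file; keeping names such as `"restic-password"`, as the removed lines had, makes it harder to mistake plaintext for ciphertext. Separately, neither backup sets `pruneOpts`, so snapshots appear to accumulate without a retention policy.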
+++ b/secrets/restic-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 P2sgew RtTlKjDJLmZla6psMGCLCyGdC528wgKpAGRyjOSr0Xw +z6mXQcJ3EJsm6xdye2RW1UywRzGsw+F7YuBJCu7u97U +-> ssh-ed25519 BVsyTA MX32S4W/JPaZ0fHhvbrv9kfKFzsn0q1sSXCE0dP6GSc +xY3y6IfT10qov1RG/jTqHsvGaVx7TWqhIuPwvCVjD/o +-> piv-p256 xGzyzw A8UHNgwcama6GAq90f76XC1dXEnn4zFCnJnxZFZvLkTR +eJUaZhD9I+IuRwe72xICMrL9KRY5DXoZJdq4RSAC8vw +--- 13DAMF41oXunKtZwXnkW5b/8LOblg+6mq53H/rtm6d8 +ƒ^+™B£w‰ÐTßZÁ;ß0ÓVÕwf~:½âà^ ÿ~– ë¯’ùO[‰â<_FÑ…øê-{àÝ‚Ù²{|ZÕ]ò™©ø…R—ÉÆ‘B-sJ{Š9ÞâçÚ›-^É& \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 78765814..4a263e54 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -31,4 +31,14 @@ in users.teutat3s users.teutat3s-5-nfc ]; + "fae-rclone.conf.age".publicKeys = [ + machines.fae + users.teutat3s + users.teutat3s-5-nfc + ]; + "restic-password.age".publicKeys = [ + machines.fae + users.teutat3s + users.teutat3s-5-nfc + ]; }