diff --git a/modules/backup/default.nix b/modules/backup/default.nix
index 64d0e71..073c4a7 100644
--- a/modules/backup/default.nix
+++ b/modules/backup/default.nix
@@ -67,6 +67,31 @@ let
     }
   ) jobTargetPairs);
 
+  backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let
+      jobPasswordFile = if jobOptions.passwordFile == null then config.age.secrets."clerie-backup-job-${jobName}".path else jobOptions.passwordFile;
+      repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
+      targetPasswordFile = if targetOptions.passwordFile == null then config.age.secrets."clerie-backup-target-${targetName}".path else targetOptions.passwordFile;
+      targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
+    in pkgs.writeShellApplication {
+      name = "clerie-backup-${jobName}-${targetName}";
+
+      runtimeInputs = [ pkgs.restic ];
+
+      text = ''
+        set -euo pipefail
+
+        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
+        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
+        export RESTIC_PROGRESS_FPS=0.1
+        export RESTIC_CACHE_DIR=/var/cache/restic
+
+        restic "$@"
+      '';
+
+      checkPhase = "";
+    }
+  ) jobTargetPairs;
+
   targetOptions = { ... }: {
     options = {
       passwordFile = mkOption {
@@ -129,5 +154,6 @@ in
     systemd.tmpfiles.rules = [
       "d /var/cache/restic - - - - -"
     ];
+    environment.systemPackages = backupCommands;
   };
 }