diff --git a/hosts/backup-4/configuration.nix b/hosts/backup-4/configuration.nix
index 7efe930..fe06678 100644
--- a/hosts/backup-4/configuration.nix
+++ b/hosts/backup-4/configuration.nix
@@ -6,6 +6,7 @@
 ./hardware-configuration.nix
 ./backup.nix
+ ./replication.nix
 ./restic-server.nix
 ./wg-b-palladium.nix
 ];
diff --git a/hosts/backup-4/replication.nix b/hosts/backup-4/replication.nix
new file mode 100644
index 0000000..0b8a8b5
--- /dev/null
+++ b/hosts/backup-4/replication.nix
@@ -0,0 +1,20 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ clerie.backup = {
+ enable = true;
+ targets = mkForce {
+ palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
+ };
+ jobs.replication = {
+ paths = [
+ "/mnt/backup-4/magenta"
+ ];
+ exclude = [
+ "/mnt/backup-4/magenta/.htpasswd"
+ ];
+ };
+ };
+}
diff --git a/hosts/backup-4/secrets.json b/hosts/backup-4/secrets.json
index ecadada..44cbdaf 100644
--- a/hosts/backup-4/secrets.json
+++ b/hosts/backup-4/secrets.json
@@ -1,4 +1,6 @@
 {
+ "clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
+ "clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
 "restic-server-magenta-htpasswd": "ENC[AES256_GCM,data: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,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
 "wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
 "wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
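Review bot: In hosts/backup-4/replication.nix the target URL is plain `http://`, so the REST-server credentials and the repository traffic are protected only if `fd90:37fd:ddec:d921::2` is reachable solely through the wg-b-palladium tunnel, and nothing in the file says so. I would add a comment above `palladium.serverUrl` such as `# plain HTTP on purpose: this address is only routed through wg-b-palladium`, once that has been confirmed. Separately, `targets = mkForce { ... }` replaces the target set for all of `clerie.backup` on this host, so any job that `./backup.nix` defines would presumably also be sent only to palladium; it is worth confirming that this is intended and stating it in a comment.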
@@ -13,8 +15,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-04-15T18:44:05Z",
- "mac": "ENC[AES256_GCM,data:re/vIg7xa9fEBZM3xa/jZzsAutHHNgDNnHiGjXkR5W0ORYPjlBuSV5NYZTbr7y1rqWbjmPsbo1KjJgt8OF8kn1XxXaUprWYOtHh7NtyhMFUL+mgftRvdLeacZfcnTnOm95GNLR7sG1/qsMHQf+JmUU0fNEX/a/EmDXY2GTYzJ6o=,iv:9RY4yMrGxuVdfWOCL/hlZznHrfeWPEc1V5neZgS4g+Q=,tag:mfVGmPvnJa+XqmBnfIu6DA==,type:str]",
+ "lastmodified": "2025-04-18T08:37:08Z",
+ "mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
 "pgp": [
 {
 "created_at": "2024-05-04T12:30:52Z",
diff --git a/hosts/palladium/configuration.nix b/hosts/palladium/configuration.nix
index 1f0a22d..182e8a6 100644
--- a/hosts/palladium/configuration.nix
+++ b/hosts/palladium/configuration.nix
@@ -5,6 +5,7 @@
 [
 ./hardware-configuration.nix
+ ./restic-server.nix
 ./wg-b-palladium.nix
 ];
diff --git a/hosts/palladium/restic-server.nix b/hosts/palladium/restic-server.nix
new file mode 100644
index 0000000..44a58d3
--- /dev/null
+++ b/hosts/palladium/restic-server.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ services.restic.server = {
+ enable = true;
+ privateRepos = true;
+ dataDir = "/data/backup";
+ listenAddress = "[::]:43242";
+ };
+
+ # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+ # until then we copy the secrets to the common location
+ sops.secrets.restic-server-backup-htpasswd = {
+ path = "/data/backup/.htpasswd";
+ owner = "restic";
+ group = "restic";
+ };
+
+ networking.firewall.interfaces.wg-b-palladium.allowedTCPPorts = [ 43242 ];
+}
diff --git a/hosts/palladium/secrets.json b/hosts/palladium/secrets.json
index 2fe2012..1ff48f8 100644
--- a/hosts/palladium/secrets.json
+++ b/hosts/palladium/secrets.json
@@ -1,4 +1,5 @@
 {
+ "restic-server-backup-htpasswd": "ENC[AES256_GCM,data:ouHDwNJ3UQID54qq+6tEc9Zmpa/i5jDMvzIw5baBV4oGy27JI+f40A6tqmQlbRRsX68XhMhfRcpczfTDmf2tFV7TcWB4yA==,iv:PkjCOHFQxbBvYdmOhARJUNUUsAbJiEDnLDM1UWZhHXA=,tag:3cGdkx0xNdtse9hHPa9mUQ==,type:str]",
 "wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
 "wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
 "wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
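Review bot: `listenAddress = "[::]:43242"` in hosts/palladium/restic-server.nix binds the REST server on every interface, which leaves the per-interface firewall rule on the last line as the only control keeping port 43242 off other networks. Binding to the address backup-4 already uses in its `serverUrl` (presumably palladium's tunnel address), `listenAddress = "[fd90:37fd:ddec:d921::2]:43242";`, would keep the service unreachable elsewhere even if the firewall is disabled or a broader rule is added later; the service then has to start after the WireGuard interface is up. Because this host is the replication target, `appendOnly = true;` is also worth considering, so that the credentials stored on backup-4 cannot delete or overwrite existing snapshots.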
@@ -13,8 +14,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-04-15T18:43:12Z",
- "mac": "ENC[AES256_GCM,data:qcMFYqFrxzM8BNGuSeDZWJI/NVadvzIjGM2WF54cV5ty5O4iqb1Q0qOQBQMBVqYNO5BrQ2JeTXl2foLE1WncFY3JSg2v/Q8m1Kh1vFE2FbwYPh5bLGizI20JpBkqx0dMK8r4gvzaHwx2Cth7IWTGw/qGeO1wb4RWDh2E7xBlKRA=,iv:klutWxyHHhngjya93Sv3Tim69ozRuJdCsosMnn7pcYs=,tag:2w0okYEH8tzjJiODjxOHKw==,type:str]",
+ "lastmodified": "2025-04-18T08:56:54Z",
+ "mac": "ENC[AES256_GCM,data:QEEcjNqO+tXpl/4TWx+r8WT+ZsdoBw/CBiz6XpG8rsIl0prBWtQ8YW/DeYAxLPMOlb55HuDsneLEpR2DsBB1x6b0lSyjES/hgMRkweKczFLRxrhHh3qXff/wK9sDaEPLvEzvH99x63+1dAZh7z8CVESDTt8QLKK1qCxOf36QNdc=,iv:NbYc0qz0AUGKWpwKg/1QCuTnZ1+m+e6tQxWAuDogVrw=,tag:JEPtLP7V3N+Lx/quMGq/AQ==,type:str]",
 "pgp": [
 {
 "created_at": "2025-04-15T17:32:56Z",