diff --git a/backup/restic.nix b/backup/restic.nix
deleted file mode 100644
index 71b9534..0000000
--- a/backup/restic.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, ... }:
-let
- cfg = config.selfprivacy;
-in
-{
- services.restic.backups = {
- options = {
- passwordFile = "/etc/restic/resticPasswd";
- repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
- initialize = true;
- paths = [
- "/var/dkim"
- "/var/vmail"
- ];
- timerConfig = {
- OnCalendar = [ "daily" ];
- };
- user = "restic";
- pruneOpts = [
- "--keep-daily 5"
- ];
- };
- };
- users.users.restic = {
- isNormalUser = false;
- isSystemUser = true;
- group = "restic";
- };
-}
diff --git a/configuration.nix b/configuration.nix
index cfc35c1..e1db06f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -7,7 +7,6 @@
 ./users.nix
 ./letsencrypt/acme.nix
 ./letsencrypt/resolve.nix
- ./backup/restic.nix
 ./passmgr/bitwarden.nix
 ./webserver/nginx.nix
 ./webserver/memcached.nix
diff --git a/files.nix b/files.nix
index afcc715..4f3f0a8 100644
--- a/files.nix
+++ b/files.nix
@@ -20,7 +20,6 @@ in
 [
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
- "d /var/lib/restic 0600 restic - - -"
 "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
 (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
 ];
@@ -42,25 +41,6 @@ in
 chmod 0440 /var/lib/cloudflare/Credentials.ini
 chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
 '';
- resticCredentials = ''
- mkdir -p /root/.config/rclone
- chmod 0400 /root/.config/rclone
- chown root:root /root/.config/rclone
- echo '[backblaze]' > /root/.config/rclone/rclone.conf
- echo 'type = b2' >> /root/.config/rclone/rclone.conf
- echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
- echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
-
- ${sed} -i "s/REPLACEME1/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
- ${sed} -i "s/REPLACEME2/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
-
- chmod 0400 /root/.config/rclone/rclone.conf
- chown root:root /root/.config/rclone/rclone.conf
-
- cat /etc/selfprivacy/secrets.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
- chmod 0400 /var/lib/restic/pass
- chown restic /var/lib/restic/pass
- '';
 bitwardenCredentials = if cfg.bitwarden.enable then ''
 mkdir -p /var/lib/bitwarden
diff --git a/sp-modules/restic/config-paths-needed.json b/sp-modules/restic/config-paths-needed.json
new file mode 100644
index 0000000..b361a08
--- /dev/null
+++ b/sp-modules/restic/config-paths-needed.json
@@ -0,0 +1,3 @@
+[
+ [ "selfprivacy", "modules", "restic" ]
+]
diff --git a/sp-modules/restic/flake.nix b/sp-modules/restic/flake.nix
new file mode 100644
index 0000000..069869e
--- /dev/null
+++ b/sp-modules/restic/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "PoC SP module for Restic backup service";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/restic/module.nix b/sp-modules/restic/module.nix
new file mode 100644
index 0000000..64400cc
--- /dev/null
+++ b/sp-modules/restic/module.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+let
+ sp = config.selfprivacy;
+ secrets-filepath = "/etc/selfprivacy/secrets.json";
+ rclone-conf-filepath = "/root/.config/rclone/rclone.conf";
+in
+{
+ options.selfprivacy.modules.restic = {
+ enable = lib.mkOption {
+ default = false;
+ type = with lib.types; nullOr bool;
+ };
+ # TODO AWS region should be configurable too?
+ s3BucketName = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+ config = lib.mkIf config.selfprivacy.modules.restic.enable {
+ services.restic.backups = {
+ options = {
+ # TODO is it the right location?
+ passwordFile = "/etc/restic/resticPasswd";
+ repository = "s3:s3.anazonaws.com/${sp.modules.restic.s3BucketName}";
+ initialize = true;
+ paths = [
+ "/var/dkim"
+ "/var/vmail"
+ ];
+ timerConfig = {
+ OnCalendar = [ "daily" ];
+ };
+ user = "restic";
+ pruneOpts = [
+ "--keep-daily 5"
+ ];
+ };
+ };
+ users.groups.restic.members = [ "restic" ];
+ users.users.restic = {
+ isNormalUser = false;
+ isSystemUser = true;
+ group = "restic";
+ };
+ systemd.tmpfiles.rules = [
+ "d /var/lib/restic 0600 restic - - -"
+ ];
+ systemd.services.restic-secrets = {
+ before = [ "restic-backups-options.service" ];
+ requiredBy = [ "restic-backups-options.service" ];
+ serviceConfig.Type = "oneshot";
+ path = with pkgs; [ coreutils gnused jq ];
+ script = ''
+ set -o nounset
+
+ account="$(jq -r '.modules.restic.accountId' ${secrets-filepath})"
+ key="$(jq -r '.modules.restic.accountKey' ${secrets-filepath})"
+ rclone_conf=$(cat <<- EOF
+ [backblaze]
+ account = $account
+ key = $key
+ EOF
+ )
+ install -m 0400 -o root -g root -DT \
+ <(printf "%s" "$rclone_conf") ${rclone-conf-filepath}
+
+ install -m 0400 -o restic -g restic -DT \
+ <(jq -r '.resticPassword' ${secrets-filepath}) /var/lib/restic/pass
+ '';
+ };
+ };
+}
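Review bot: The backup unit never reads the secrets the new `restic-secrets` oneshot installs, and the endpoint it does target is misspelled: `passwordFile = "/etc/restic/resticPasswd"` while the script writes the password to `/var/lib/restic/pass`, the rclone.conf lands in `/root/.config/rclone` (0400 root) although the backup runs as `user = "restic"` against an `s3:` repository with neither `rcloneConfigFile` nor `environmentFile` set, and `s3.anazonaws.com` is not an Amazon host, so any credentials later attached would be presented to whoever registers that domain. The heredoc also drops the `type = b2` line the removed files.nix code wrote, so rclone would not recognise the `[backblaze]` remote even if it were wired in. I would set `passwordFile = "/var/lib/restic/pass";`, correct the host to `s3.amazonaws.com` (or, if Backblaze is the intended target, use `repository = "rclone:backblaze:${sp.modules.restic.s3BucketName}";` together with the NixOS restic module's `rcloneConfigFile` option — verify the option name against the module version in use), and put `type = b2` back into the heredoc. `d /var/lib/restic 0600 restic - - -` gives the directory no execute bit, so the restic user cannot open anything inside it; `0700` is the usual mode for a private state directory. Finally, the script runs only under `set -o nounset`, so a failed or missing `jq` lookup installs the literal string `null` as a credential; `set -o errexit -o pipefail` plus a check that `$account` and `$key` are non-empty and not `null` would turn that into a unit failure instead.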