diff --git a/.gitignore b/.gitignore index e6b9525..e6e1675 100644 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,9 @@ app apps.config +restic-env +restic-password + # generated files all-apps/lb/Caddyfile all-apps/nextcloud/nextcloud.env diff --git a/Makefile b/Makefile index a62ebf3..d9a9775 100644 --- a/Makefile +++ b/Makefile @@ -40,7 +40,7 @@ all-apps/nextcloud/postgres_user \ all-apps/nextcloud/postgres_password \ all-apps/nextcloud/redis_password \ all-apps/nextcloud/nextcloud.env - cat cl.yaml | sudo docker run --rm --volume /home/tjhintz/.ssh/id_rsa.pub:/pwd/ssh-keys --volume ${PWD}:/pwd --workdir /pwd -i quay.io/coreos/butane:latest -d /pwd > ignition.json + cat cl.yaml | docker run --rm --volume /home/tjhintz/.ssh/id_rsa.pub:/pwd/ssh-keys --volume ${PWD}:/pwd --workdir /pwd -i quay.io/coreos/butane:latest -d /pwd > ignition.json generated.tfvars: apps.config make-generated.sh ./make-generated.sh > generated.tfvars @@ -63,3 +63,4 @@ flatcarbuild: ignition.json flatcarrun: ./flatcar/flatcar_production_qemu.sh -i ignition.json + diff --git a/cl.yaml b/cl.yaml index 6475b1e..d065e44 100644 --- a/cl.yaml +++ b/cl.yaml 
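Review bot: In the Makefile recipe that writes `ignition.json`, the butane image is still pulled by the mutable tag `quay.io/coreos/butane:latest` while `${PWD}` is mounted into the container, and with this commit that directory also holds `restic-password` and `restic-env`. Pinning the image to a fixed release and digest, for example `quay.io/coreos/butane:<pinned-tag>@sha256:<digest>`, keeps a changed upstream image from reading the backup credentials or altering the generated config. The generated `ignition.json` now embeds both secrets, so it needs the same handling as the two source files; the visible part of `.gitignore` does not show whether it is ignored. The recipe's target line and the start of its prerequisite list are outside the hunk.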
@@ -22,6 +22,29 @@ systemd:
 - name: app.service
 enabled: true
 contents_local: app/app.service
+ - name: restic-backup.service
+ contents: |
+ [Unit]
+ Description=Backs up application data
+ Conflicts=app.service
+
+ [Service]
+ Type=oneshot
+ EnvironmentFile=/restic-env
+ ExecStart=/usr/bin/bash -c "docker run --rm --volume /nassella:/nassella --volume /restic-password:/restic-password -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} -i restic/restic:0.18.0 backup --verbose --repo s3:s3.us-west-004.backblazeb2.com/nassella-test-bucket --password-file /restic-password /nassella"
+ ExecStopPost=systemctl start app.service
+
+ - name: restic-backup.timer
+ contents: |
+ [Unit]
+ Description=Run restic-backup.service at 3am PT
+
+ [Timer]
+ OnCalendar=*-*-* 10:00:00
+
+ [Install]
+ WantedBy=multi-user.target
+
 ### docker-compose sysext
 ### https://flatcar.github.io/sysext-bakery/docker_compose/
 - name: systemd-sysupdate.timer
@@ -63,6 +86,12 @@ storage:
 - path: /app
 local: app
 files:
+ - path: /restic-password
+ contents:
+ local: restic-password
+ - path: /restic-env
+ contents:
+ local: restic-env
 ### docker-compose sysext
 ### https://flatcar.github.io/sysext-bakery/docker_compose/
 - path: /opt/extensions/docker-compose/docker-compose-2.34.0-x86-64.raw
diff --git a/restic-env.tmpl b/restic-env.tmpl
new file mode 100644
index 0000000..36bc184
--- /dev/null
+++ b/restic-env.tmpl
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=""
+AWS_SECRET_ACCESS_KEY=""
\ No newline at end of file
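Review bot: The `ExecStart` line of `restic-backup.service` puts the S3 credentials on the command line. systemd expands `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}` before starting bash, so both values appear in the argv of `bash` and of `docker run`, where other local users can read them from the process list. Since `EnvironmentFile=/restic-env` already exports them to the process, passing only the names lets docker copy them from its own environment: `-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY`. The password mount can also be read-only, `--volume /restic-password:/restic-password:ro`. Separately, `restic-backup.timer` has an `[Install]` section but no `enabled: true` like `app.service` has, so unless it is enabled elsewhere the scheduled backup will not run.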
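Review bot: The two new `files:` entries, `/restic-password` and `/restic-env`, set no `mode:`, so Butane's default of 0644 applies. That leaves the restic repository password and the S3 keys readable by every local account on the host. Add `mode: 0600` to both entries; the service reads them as root through `EnvironmentFile=` and the docker volume mount, so nothing else needs access. Both values are also inlined into the rendered Ignition config, so wherever that config is delivered from (for example instance user-data) needs the same access restrictions as the files themselves.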