diff --git a/systems/zaatar/backup.nix b/systems/zaatar/backup.nix
index ccf5f09..2df1d0d 100644
--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -1,19 +1,26 @@
-{ lib, ... }:
+{ pkgs, lib, ... }:
 let
   niveumLib = import <niveum/lib>;
   inherit (niveumLib) retiolumAddresses restic;
   firewall = niveumLib.firewall lib;
+  dataDir = "/backup/restic";
 in
 {
   services.restic.server = {
     enable = true;
     appendOnly = true;
-    dataDir = "/backup/restic";
+    inherit dataDir;
     prometheus = true;
     extraFlags = [ "--no-auth" ]; # auth is done via firewall
     listenAddress = ":${toString restic.port}";
   };
 
+  environment.systemPackages = [
+    (pkgs.writers.writeDashBin "restic-niveum" ''
+      ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${<secrets/restic/password>} "$@"
+    '')
+  ];
+
   networking.firewall =
   let
     dport = restic.port;