diff --git a/roles/server/borg.nix b/roles/server/borg.nix
new file mode 100644
index 0000000..d69af2f
--- /dev/null
+++ b/roles/server/borg.nix
@@ -0,0 +1,19 @@
+{...}: {
+ services.borgbackup = {
+ repos = {
+ backups = {
+ allowSubRepos = true;
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMtbHUcYanH/guWaKNjGr/IGa8gvI/xRTcNAI9yXhnK BorgBackup backups key"
+ ];
+ };
+ };
+ };
+ services.openssh.settings = {
+ AllowUsers = [
+ "borg@*.tailscale"
+ "borg@192.168.1.0/24"
+ "borg@localhost"
+ ];
+ };
+}
diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix
index 6542295..14ef62a 100644
--- a/roles/server/caddy.nix
+++ b/roles/server/caddy.nix
@@ -11,6 +11,19 @@
 file_server browse
 root * /srv/dl/
 '';
+ script = pkgs.writeShellApplication {
+ name = "wait-for-tailscale-ip";
+ runtimeInputs = [pkgs.iproute2];
+ text = ''
+ # Based on https://github.com/tailscale/tailscale/issues/11504#issuecomment-2113331262
+ echo Waiting for tailscale0 to get an IP adress..
+ for i in {1..300}; do
+ if ip addr show dev tailscale0 | grep -q 'inet '; then break; fi
+ echo "Waiting $i/240 seconds"
+ sleep 1
+ done
+ '';
+ };
 in {
 services.caddy = {
 enable = true;
@@ -71,6 +84,7 @@ in {
 # in too little time
 services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
 services.caddy.unitConfig.StartLimitBurst = lib.mkForce "infinity";
+ services.caddy.preStart = "${script}/bin/wait-for-tailscale-ip";
 };
 programs.rust-motd.settings.service_status.Caddy = "caddy";
 networking.firewall.allowedTCPPorts = [443 80];
diff --git a/roles/server/default.nix b/roles/server/default.nix
index 6ffed7e..8bdf5dc 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -14,6 +14,7 @@
 ./headscale.nix
 ./caddy.nix
 ./rust_motd.nix
+ ./borg.nix
 ./adguard.nix
 ./grafana.nix
 ./prometheus.nix
diff --git a/roles/server/ssh.nix b/roles/server/ssh.nix
index 66e163d..33694c3 100755
--- a/roles/server/ssh.nix
+++ b/roles/server/ssh.nix
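Review bot: The backups repo hands the client key full access through `authorizedKeys`, so a compromised backup client can prune or delete the repository's history together with the data it is supposed to protect. The NixOS module also offers `authorizedKeysAppendOnly`, which serves the same key under borg's append-only restriction and keeps retention decisions on the server; moving the key there (`authorizedKeysAppendOnly = [ "ssh-ed25519 ... BorgBackup backups key" ];`) would close that gap. The `AllowUsers` entries here merge with the `AllowUsers = ["toast"];` added to ssh.nix in this same commit, and `borg@*.tailscale` is matched on the reverse-resolved hostname, which depends on the `UseDns = true;` visible in that file's hunk. A comment such as `# Merged with AllowUsers in ssh.nix; the hostname pattern relies on UseDns` would make both couplings explicit.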
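Review bot: The progress line in the wait loop prints `Waiting $i/240 seconds` while the loop itself runs `for i in {1..300}; do`, so the reported total is wrong; change it to `echo "Waiting $i/300 seconds"` or derive both from one variable. The loop also falls through with exit status 0 when tailscale0 never gets an address, so caddy starts anyway and the journal carries no record of why; a line after `done` such as `ip addr show dev tailscale0 | grep -q 'inet ' || echo "tailscale0 has no IP after 300s, starting anyway"` would record it. Minor: "adress" in the first echo should read "address".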
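Review bot: `preStart` becomes an ExecStartPre step, and systemd counts that step toward the unit's start timeout, which defaults to 90s unless raised; the script it points at can wait up to 300s, so on a slow tailscale bring-up the start-pre step is likely killed, caddy fails, and the unit retries after the `RestartSec = lib.mkForce "120s"` seen in the context. If the long wait is intended, set a matching `services.caddy.serviceConfig.TimeoutStartSec = lib.mkForce "330s";` next to the RestartSec line, assuming, as the context lines suggest, that this attrset is `systemd.services`. The enclosing attrset opens outside the hunk.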
@@ -48,6 +48,7 @@ in {
 UseDns = true;
 PermitRootLogin = "no";
 PasswordAuthentication = false;
+ AllowUsers = ["toast"];
 };
 # The forgejo module is fucky so I can't set this with the nixos option
 # https://github.com/NixOS/nixpkgs/issues/306205
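Review bot: `AllowUsers = ["toast"];` turns sshd into an allow-list, so any account not listed is denied SSH login even with a valid key; if the forgejo git user mentioned in the comment right below is served through this same sshd, it is now locked out. The list also merges with the `borg@...` entries added in borg.nix in this commit, which is not visible from either file alone; a comment such as `# Allow-list: merges with the borg@ entries in borg.nix; unlisted users cannot log in` would document that. The enclosing `settings` attrset opens outside the hunk.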