diff --git a/hosts/defiant/backup.nix b/hosts/defiant/backup.nix
index df263d5..3cbfc2e 100644
--- a/hosts/defiant/backup.nix
+++ b/hosts/defiant/backup.nix
@@ -12,14 +12,34 @@
         "--keep-monthly 3"
       ];
     };
+    cloudJob = name: paths: {
+      inherit paths;
+      # "rsyncnet" connection details specified in /root/.ssh/config
+      repository = "sftp://rsyncnet/restic/challenger/${name}";
+      passwordFile = config.sops.secrets."restic/${name}".path;
+      initialize = true;
+      pruneOpts = [
+        # rsync.net keeps daily snapshots
+        "--keep-weekly 4"
+        "--keep-monthly 36"
+      ];
+    };
   in {
     postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
       timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
     };
+    postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
+    };
 
     gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
+    gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
+
     matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
+    matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
+
     vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
+    vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
   };
 
   # TODO: home-assistant, pihole