diff --git a/hosts/bicep/services/mysql.nix b/hosts/bicep/services/mysql.nix
index a3d1c38..c8d8a3e 100644
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -44,6 +44,22 @@ in
 location = "/var/lib/mysql/backups";
 };
+ services.rsync-pull-targets = lib.mkIf cfg.enable {
+ enable = true;
+ locations.${config.services.mysqlBackup.location} = {
+ user = "root";
+ rrsyncArgs.ro = true;
+ authorizedKeysAttrs = [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
+ };
+ };
+
 networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
 systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
diff --git a/hosts/bicep/services/postgres.nix b/hosts/bicep/services/postgres.nix
index ad4be68..e2bad28 100644
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -121,7 +121,23 @@
 services.postgresqlBackup = {
 enable = true;
- location = "/var/lib/postgres/backups";
+ location = "/var/lib/postgres-backups";
 backupAll = true;
 };
+
+ services.rsync-pull-targets = {
+ enable = true;
+ locations.${config.services.postgresqlBackup.location} = {
+ user = "root";
+ rrsyncArgs.ro = true;
+ authorizedKeysAttrs = [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
+ };
+ };
 }
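Review bot: The pull key under `locations.${config.services.mysqlBackup.location}` logs in as `user = "root"` and `authorizedKeysAttrs` carries no source restriction, so whoever holds the matching private key can read every database dump from any address that can reach sshd. `rrsyncArgs.ro` and `restrict` do confine the session to read-only rsync, but a dedicated account with read access to the backup directory would keep any flaw in the forced command from running as root, assuming the rsync-pull-targets module (not visible here) supports a non-root user. I would also add an entry such as `from="<backup-host-address>"` to `authorizedKeysAttrs`, if the module passes these strings straight into authorized_keys. `restrict` already implies the four `no-*` options in OpenSSH 7.2 and later, so they can be dropped or kept with a comment saying the duplication is deliberate. The same points apply to the identical block added in hosts/bicep/services/postgres.nix.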
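Review bot: Changing `location` to `/var/lib/postgres-backups` does not move the dumps already written under `/var/lib/postgres/backups`, so full database dumps stay on disk in a directory that is no longer refreshed or pulled, and the new pull target holds nothing until the next backup run. Nothing in this hunk migrates or removes the old directory; if that is handled out of band, a comment next to the option would record it, e.g. `# old dumps in /var/lib/postgres/backups must be moved or deleted by hand`. This `services.rsync-pull-targets` block is also set unconditionally while the one in mysql.nix is wrapped in `lib.mkIf cfg.enable`; the enclosing attribute set starts outside the hunk, so it may already be guarded.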