diff --git a/configuration.nix b/configuration.nix
index 75f1edc..75b64c0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -12,6 +12,17 @@ let
 "chocobozzz/peertube@" + "sha256:3bd126fc8b66a6a12593d73f74d0a3ffc7fc3206e5e9ebf39c8a8e0ca5408194";
+ s3cmd = pkgs.writeShellScript "s3cmd" ''
+ ${pkgs.s3cmd}/bin/s3cmd \
+ --access_key='${secrets.backup.accessKey}' \
+ --secret_key='${secrets.backup.secretKey}' \
+ --host='${secrets.backup.host}' \
+ --host-bucket='${secrets.backup.hostBucket}' \
+ $@
+ '';
+
+ bucket = secrets.backup.bucket;
+
 domainName = "v.lor.sh";
 hostName = builtins.replaceStrings [ "." ] [ "-" ] "${domainName}";
 in {
@@ -156,6 +167,26 @@ in {
 enableTCPIP = true;
 };
+ services.postgresqlBackup = {
+ enable = true;
+ databases = [ "peertube" ];
+ compression = "gzip";
+ };
+
+ systemd.services.postgresqlBackup-peertube.serviceConfig.ExecStartPost =
+ pkgs.writeShellScript "backup-to-s3" ''
+ cd /var/backup/postgresql
+
+ ${pkgs.gnupg}/bin/gpg --batch --passphrase '${secrets.backup.password}' \
+ --symmetric peertube.sql.gz
+
+ ${s3cmd} rm ${bucket}/peertube.prev.sql.gz.gpg
+ ${s3cmd} mv ${bucket}/peertube.sql.gz.gpg ${bucket}/peertube.prev.sql.gz.gpg
+ ${s3cmd} put peertube.sql.gz.gpg ${bucket}/
+
+ rm peertube.sql.gz.gpg
+ '';
+
 services.redis.servers.peertube = {
 enable = true;
 bind = "127.0.0.1";
diff --git a/secrets.nix.example b/secrets.nix.example
index a1471ca..7a4fc10 100644
--- a/secrets.nix.example
+++ b/secrets.nix.example
@@ -3,6 +3,15 @@
 ""
 ];
+ backup = {
+ password = "";
+ accessKey = "";
+ secretKey = "";
+ host = "";
+ hostBucket = "";
+ bucket = "";
+ };
+
 peertube = {
 secret = "";
 db = {
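Review bot: The `s3cmd` wrapper interpolates `secrets.backup.accessKey` and `secrets.backup.secretKey` into a `pkgs.writeShellScript` output, so both values are written into a script under the Nix store, which is normally readable by every local user, and they are also passed as command-line arguments that other local users can see in the process list while a transfer runs. The gpg `--passphrase '${secrets.backup.password}'` line in the second hunk has the same exposure. Keep the credentials in a file outside the store that only the backup service's user can read and pass just its path, e.g. `exec ${pkgs.s3cmd}/bin/s3cmd --config=<path to private s3cfg> "$@"` and `--passphrase-file <path to private passphrase file>` for gpg (both paths are placeholders). Separately, the unquoted `$@` re-splits arguments that contain spaces or glob characters; `"$@"` passes them through intact.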
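Review bot: The `backup-to-s3` script in ExecStartPost runs without `set -e`, so a failed gpg or `put` does not stop the rotation: `s3cmd rm` still deletes the `prev` object and `mv` still shifts the current one, leaving fewer usable remote backups after a bad run. Because the exit status is that of the final local `rm`, a failed upload can also leave the unit looking successful. Enable `set -euo pipefail`, upload under a temporary object name first and rotate only once that upload has succeeded. The separate `rm` of `prev` can then be dropped, assuming `s3cmd mv` overwrites an existing destination as an S3 copy normally does. The object name `peertube.new.sql.gz.gpg` in the sketch below is illustrative.

```nix
pkgs.writeShellScript "backup-to-s3" ''
  set -euo pipefail
  cd /var/backup/postgresql
  # Always remove the local ciphertext, including when a later step fails.
  trap 'rm -f peertube.sql.gz.gpg' EXIT

  # … unchanged: gpg --symmetric of peertube.sql.gz …

  # Upload first; the existing remote copies stay untouched if this fails.
  ${s3cmd} put peertube.sql.gz.gpg ${bucket}/peertube.new.sql.gz.gpg
  # On the very first run there is no current object to rotate yet.
  ${s3cmd} mv ${bucket}/peertube.sql.gz.gpg ${bucket}/peertube.prev.sql.gz.gpg || true
  ${s3cmd} mv ${bucket}/peertube.new.sql.gz.gpg ${bucket}/peertube.sql.gz.gpg
'';
```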