diff --git a/configuration.nix b/configuration.nix index e127d9b..b3a81b8 100644 --- a/configuration.nix +++ b/configuration.nix @@ -108,13 +108,13 @@ home = "/home/sondell"; isNormalUser = true; description = "sondell"; - extraGroups = ["networkmanager" "wheel" "backup"]; + extraGroups = ["networkmanager" "wheel" "backup" "opendkim" ]; packages = with pkgs; [ firefox # thunderbird ]; }; - users.groups."backup".gid = 1337; + # users.groups."backup".gid = 1337; users.users.root = { diff --git a/mail.nix b/mail.nix index 632e706..3e615ec 100644 --- a/mail.nix +++ b/mail.nix @@ -1,17 +1,39 @@ -{ mailserver , ... }: -let +{mailserver, ...}: let domain = "sondell.org"; - fqdn = "mail.${domain}"; -in -{ + fqdn = "mail.${domain}"; + mailDirectory = "/var/vmail"; + dkimKeyDirectory = "/var/dkim"; +in { imports = [ mailserver ]; + services.restic.backups = { + "mail" = { + passwordFile = "/etc/nixos/.secrets/restic_pw"; + repository = "sftp:Glenn@nas:/home/back/mail/restic"; + initialize = true; + paths = [ + mailDirectory + dkimKeyDirectory + ]; + user = "sondell"; + timerConfig.OnCalendar = "02:05"; + pruneOpts = [ + "--keep-daily 10" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + }; + mailserver = { enable = true; + inherit mailDirectory dkimKeyDirectory; fqdn = fqdn; - domains = [ domain ]; + domains = [domain]; + vmailGroupName = "backup"; # A list of all login accounts. To create the password hashes, use # cat .secrets/nextadminpw | nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > .secrets/mailpw.hash 
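Review bot: Adding `"opendkim"` to `extraGroups` puts the interactive, `wheel`-enabled account `sondell` in the group that presumably owns the DKIM signing keys. Because the mail.nix hunk in this commit sets `vmailGroupName = "backup"` and runs the restic job with `user = "sondell"`, every process in that login session, the browser included, gets whatever access those two groups grant to the mail store and the keys. A dedicated system user for the backup job, as the only extra member of `backup` and `opendkim`, would keep that access away from the desktop account. The `users.groups."backup".gid = 1337;` line is commented out rather than removed: if the mailserver module now declares the group, delete the line or replace it with a comment such as `# group "backup" is declared via mailserver.vmailGroupName in mail.nix`, and check that files already owned by gid 1337 are still readable. The user attribute set starts above the hunk.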
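Review bot: The `mail` job runs restic as `sondell` rather than root, so any file under `mailDirectory` or `dkimKeyDirectory` that is not group-readable is left out of the snapshot. Nothing in the hunk shows the modes the mailserver module applies, so this is worth confirming with a test restore. `passwordFile` is a string path, which keeps the secret out of the Nix store, but the file has to be readable by `sondell` and by nobody else; a comment next to it such as `# restic_pw: owner sondell, mode 0400, not tracked in git` would record that. Because `paths` includes the DKIM private keys, the repository on the NAS holds signing keys for as long as `--keep-yearly 75` retains snapshots, which deserves a comment of its own, for example `# snapshots contain DKIM private keys; rotate the selector if the repository is exposed`. The `mailserver` attribute set continues beyond the hunk.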
@@ -35,17 +57,16 @@ in }; services.roundcube = { - enable = true; - # this is the url of the vhost, not necessarily the same as the fqdn of - # the mailserver - hostName = "webmail.${domain}"; - extraConfig = '' - # starttls needed for authentication, so the fqdn required to match - # the certificate - $config['smtp_server'] = "tls://${fqdn}"; - $config['smtp_user'] = "%u"; - $config['smtp_pass'] = "%p"; - ''; + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "webmail.${domain}"; + extraConfig = '' + # starttls needed for authentication, so the fqdn required to match + # the certificate + $config['smtp_server'] = "tls://${fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; }; - }