diff --git a/zfsrent/configuration.nix b/zfsrent/configuration.nix index db2d023..27cfbb3 100644 --- a/zfsrent/configuration.nix +++ b/zfsrent/configuration.nix @@ -103,8 +103,40 @@ in zsh tmux docker-compose + lzop # for syncoid + pv # for syncoid + mbuffer # for syncoid ]; + services.zfs.autoScrub = { + enable = true; + interval = "weekly"; + pools = [ "tank" ]; + }; + + services.sanoid = { + enable = true; + + templates.backup = { + frequently = 0; + hourly = 0; + daily = 30; + monthly = 6; + yearly = 3; + autosnap = false; + autoprune = true; + recursive = true; + }; + + datasets."tank" = { + useTemplate = [ "backup" ]; + }; + + datasets."rpool/safe" = { + useTemplate = [ "backup" ]; + }; + }; + # Define a user account users.users.hunner = { isNormalUser = true; 
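Review bot: `services.zfs.autoScrub.pools = [ "tank" ]` scrubs only `tank`, while the same hunk registers `rpool/safe` with sanoid and the hardware-configuration.nix added in this commit mounts `/home` and `/persist` from `rpool/safe`; silent corruption on `rpool` would go undetected, so the list should read `pools = [ "tank" "rpool" ];`. Separately, the `backup` template sets `autosnap = false`, so sanoid on this host only prunes: `tank` presumably receives its snapshots by replication, but for the local `rpool/safe` nothing in this hunk creates snapshots, which deserves either a comment naming the job that does or a second template with `autosnap = true` — confirm which is intended. The `packages` list this hunk begins in opens before the hunk.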
@@ -126,8 +158,79 @@ in tldr unzip lsof + gnupg ]; }; + users.users.backup = { + isNormalUser = true; + description = "Backup replication user"; + shell = pkgs.bash; + packages = with pkgs; [ + sanoid + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber" + ]; + }; + + #services.syncoid = { + # enable = true; + # user = "backup"; + # sshKey = "/var/lib/syncoid/.ssh/id_ed25519"; + # commonArgs = [ + # #"--sshoption=StrictHostKeyChecking=off" + # "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts" + # "--sshoption=IdentitiesOnly=yes" + # ]; + # #commands."zima-bitrot" = { + # # source = "backup@zima:bitrot"; + # # target = "tank/backups/zima/bitrot"; + # # recursive = true; + # #}; + # commands."zima-rpool-safe" = { + # source = "backup@zima:rpool/safe"; + # target = "tank/backups/zima/rpool-safe"; + # recursive = true; + # }; + #}; + #systemd.services.syncoid-zima-rpool-safe.serviceConfig = { + # Environment = [ + # "HOME=/var/lib/syncoid" + # "SSH_AUTH_SOCK=" + # ]; + # ExecStartPre = [ + # "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh" + # "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/" + # "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/" + # "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh" + # "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh" + # "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519" + # ]; + #}; + + #systemd.services.syncoid-replication = { + # description = "ZFS syncoid replication"; + # path = with pkgs; [ sanoid openssh zfs ]; + # wants = [ "network-online.target" ]; + # after = [ "network-online.target" "zfs.target" ]; + + # startAt = "03:00"; + + # serviceConfig = { + # Type = "oneshot"; + # User = "backup"; + # ExecStart = '' + # ${pkgs.sanoid}/bin/syncoid \ + # --recursive \ + # --create-bookmark \ + # --sendoptions=w \ + # 
--source-bwlimit=50000 \ + # backup@zima:rpool/safe \ + # tank/backups/zima/rpool-safe + # ''; + # TimeoutStartSec = "6h"; + # }; + #}; programs.direnv = { enable = true; @@ -136,6 +239,14 @@ in programs.zsh.enable = true; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "prohibit-password"; + services.openssh.settings.Macs = [ + "hmac-sha2-512" + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + ]; + + services.tailscale.enable = true; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nixpkgs.config.allowUnfree = true; diff --git a/zfsrent/hardware-configuration.nix b/zfsrent/hardware-configuration.nix new file mode 100644 index 0000000..e4cc5ee --- /dev/null +++ b/zfsrent/hardware-configuration.nix 
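Review bot: The authorized key added for `users.users.backup` carries no options, and the account is a normal user with `shell = pkgs.bash`, so whoever holds the `backup@cryochamber` private key gets a full interactive login rather than replication only. Prefix the key with `restrict` (plus a `from=` clause if cryochamber's address is stable), e.g. `"restrict ssh-ed25519 AAAAC3…backup@cryochamber"`; the non-pty `zfs send`/`zfs receive` pipeline syncoid runs over ssh does not need anything `restrict` removes. Nothing in the hunk delegates ZFS permissions to `backup` (`zfs allow`), so receives into `tank/backups` presumably need that configured elsewhere — a one-line comment pointing to it would help. The roughly sixty commented-out `services.syncoid`/`systemd.services` lines are dead configuration; either state in one comment why they are disabled or drop them. This hunk starts inside `users.users.hunner.packages` and ends inside `programs.direnv`.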
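Review bot: The `services.openssh.settings.Macs` list adds plain `hmac-sha2-512` next to the three `-etm@openssh.com` MACs that are, unless I misremember, already the NixOS module default, so the net effect of the change is only to additionally accept an encrypt-and-MAC algorithm; listing it first does not raise its preference either, since the client's ordering decides the negotiated MAC. If a particular peer needs it, document that: `# hmac-sha2-512 (non-ETM) required by <PEER_PLACEHOLDER>; drop once it offers an -etm MAC`; otherwise remove the entry and keep the default. `services.tailscale.enable = true` adds a `tailscale0` interface with no accompanying firewall statement in this hunk, which is fine if the defaults are intended, but a comment saying whether `tailscale0` is meant to be a trusted interface would make that explicit.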
@@ -0,0 +1,64 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/local/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/8553-FF36"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + fileSystems."/home" = + { device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "rpool/local/nix"; + fsType = "zfs"; + }; + + fileSystems."/persist" = + { device = "rpool/safe/persist"; + fsType = "zfs"; + }; + + fileSystems."/var/lib" = + { device = "rpool/local/var/lib"; + fsType = "zfs"; + }; + + fileSystems."/var/log" = + { device = "rpool/local/var/log"; + fsType = "zfs"; + }; + + #swapDevices = + # [ { device = "/dev/disk/by-uuid/c9c11edf-7989-4141-b647-4dbac7de5293"; } + # ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}