diff --git a/modules/homelab/services/arr/default.nix.template b/modules/homelab/services/arr/default.nix.template
new file mode 100644
index 0000000..36e7d24
--- /dev/null
+++ b/modules/homelab/services/arr/default.nix.template
@@ -0,0 +1,61 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.<service_name>;
+  ids = <gid_and_uid_number>;
+in
+{
+  options.modules.services.<service_name> = {
+    enable = lib.mkEnableOption "enables <service_name>";
+#    extra options
+#    mode = lib.mkOption {
+#      type = lib.types.enum [ "server" "client" ];
+#      default = "client";
+#      description = "whether syncthing should run as a client (user) or server (system-wide).";
+#    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare <service_name> group
+    users.groups.<service_name> = { gid = ids; };
+
+    # declare <service_name> user
+    users.users.<service_name> = {
+      description = "<service_name> media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/<service_name>";
+      createHome = true;
+      group = "<service_name>";
+      extraGroups = [ "media" "video" "render" ];
+    };
+
+    # enable the <service_name> service
+    services.<service_name> = {
+      enable = true;
+      openFirewall = true;        # Opens 8096/8920 automatically
+      user = "<service_name>";          # Default: <service_name>
+      group = "<service_name>";         # Default: <service_name>
+      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
+    };
+
+    # override umask to make permissions work out
+    systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    #networking.firewall.allowedTCPPorts = [ 8096 ];
+
+    # reverse proxy entryo
+    services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8096";
+      };
+    };
+  };
+}
diff --git a/modules/homelab/services/arr/sonarr_backup_v4.0.15.2941_2025.10.01_20.42.01.zip b/modules/homelab/services/arr/sonarr_backup_v4.0.15.2941_2025.10.01_20.42.01.zip
new file mode 100755
index 0000000..c23e417
Binary files /dev/null and b/modules/homelab/services/arr/sonarr_backup_v4.0.15.2941_2025.10.01_20.42.01.zip differ
diff --git a/modules/homelab/services/default.nix.template b/modules/homelab/services/default.nix.template
index 8fbbd62..6c1a4fc 100644
--- a/modules/homelab/services/default.nix.template
+++ b/modules/homelab/services/default.nix.template
@@ -4,17 +4,18 @@ let
   cfg = config.modules.services.<service_name>;
   ids = <gid_and_uid_number>;
   default_port = <port_number>;
+  data_dir = "/var/lib/<service_name>";
 in
 {
   options.modules.services.<service_name> = {
     enable = lib.mkEnableOption "enables <service_name>";
 
-#    set port options
-#    port = lib.mkOption {
-#      type = lib.types.int;
-#      default = cfg.default_port;
-#      description = "set port for <service_name> (default: ${toString default_port}";
-#    };
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.default_port;
+      description = "set port for <service_name> (default: ${toString default_port}";
+    };
 
   };
 
@@ -25,7 +26,7 @@ in
 
     # declare <service_name> user
     users.users.<service_name> = {
-      description = "<service_name> media server user";
+      description = "<service_name> server user";
       uid = ids;
       isSystemUser = true;
       home = "/var/lib/<service_name>";
@@ -37,21 +38,20 @@ in
     # enable the <service_name> service
     services.<service_name> = {
       enable = true;
-      openFirewall = true;        # Opens 8096/8920 automatically
-      user = "<service_name>";          # Default: <service_name>
-      group = "<service_name>";         # Default: <service_name>
-      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
-      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
-#      settings = {
-#        server.port = cfg.port;
-#      };
+      openFirewall = true;
+      user = "<service_name>";
+      group = "<service_name>";
+      dataDir = data_dir;
+      settings = {
+        server.port = cfg.port;
+      };
     };
 
     # override umask to make permissions work out
     systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };
 
-    # open firewall
-    #networking.firewall.allowedTCPPorts = [ port ];
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ port ];
 
     # reverse proxy entryo
     services.nginx.virtualHosts."<service_name>.snowbelle.lan" = {
@@ -63,5 +63,8 @@ in
         proxyPass = "http://127.0.0.1:${toString port}";
       };
     };
+
+    # add to backups
+    modules.system.backups.paths = lib.mkIf cfg.backups [ data_dir ];
   };
 }
diff --git a/modules/system/backups.nix b/modules/system/backups.nix
new file mode 100644
index 0000000..e3474a1
--- /dev/null
+++ b/modules/system/backups.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+let
+  borg = "${pkgs.borgbackup}/bin/borg";
+  backup_paths = lib.unique config.modules.system.backups.paths;
+  passwd_file = config.sops.secrets."borg_passwd".path;
+in
+{
+  options.modules.system.backups = {
+    paths = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [];
+      description = "list of directories to back up";
+    };
+    repo = lib.mkOption {
+      type = lib.types.path;
+      default = "/backups";
+      description = "borg repository path";
+    };
+    passphraseFile = lib.mkOption {
+      type = lib.types.path;
+      default = passwd_file;
+      description = "borg repository passphrase file";
+    };
+  };
+
+  config = lib.mkIf (backup_paths != []) {
+    systemd.services.borg-backup = {
+      description = "BorgBackup service for system data";
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = config.modules.system.backups.passphraseFile;
+      };
+      script = ''
+        set -eux
+        export BORG_REPO=${config.modules.system.backups.repo}
+        export BORG_PASSPHRASE="$(cat ${config.modules.system.backups.passphraseFile})"
+
+        # Initialize repo if it doesn’t exist
+        if ! ${borg} info "${repo}" >/dev/null 2>&1; then
+          echo "Initializing new Borg repository at ${repo}"
+          ${borg} init --encryption=repokey "${repo}"
+        fi
+
+        timestamp=$(date +%Y-%m-%d_%H-%M-%S)
+
+        ${borg} create \
+          --stats \
+          --compression zstd,3 \
+          ::${timestamp} \
+          ${lib.concatStringsSep " " backup_paths}
+
+        # Retention policy
+        ${borg} prune -v --list \
+          --keep-daily=7 \
+          --keep-weekly=52 \
+          --keep-monthly=-1
+      '';
+    };
+
+    systemd.timers.borg-backup = {
+      description = "daily borg backup timer";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+    };
+
+    environment.systemPackages = [ pkgs.borgbackup ];
+  };
+}
+
+# add to module
+# modules.system.backups.paths = lib.mkIf cfg.backups [ <path> ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index d7e98c5..c990bea 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -2,6 +2,8 @@
 blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str]
 #ENC[AES256_GCM,data:ZxHtUSuOy19M0EKoT5xltFiqRg==,iv:72PJL2eG68VC4wiJFo6wL0l7AaDIsge8l/D/ZlLOWWA=,tag:Q16ztObK2AnbCCS5mRgjtA==,type:comment]
 tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str]
+#ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
+borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str]
 #ENC[AES256_GCM,data:lS++LQwlDVP0aYcdaaudBkKxNB3P3UBE,iv:UqGcXcX/Jvf60o409Cxj7VJCDh63uUxy45PuZbHK2l8=,tag:OXdMwuJwdN8DQaLXACpcRA==,type:comment]
 ssl_blakedheld_crt: ENC[AES256_GCM,data:EvImZ3y5lrmD2P2Cehd4yAyranHRBkejbnad1qmH9KbKeLNFsTcqW4L3NDYydbKurWCWYa/jJAL/BwT2xmUhwdFlarCiTFGnLXxMFhd6Tq+5if8r6BfSLCCS4IXcXnXP4k96ZR2fdD+lnDN1ljb7pI5hekz+HoVwBoLVVrfvQvqj72Kr5rfm5ttLN21yfi5DbgfX7n9AO6X32wzpIAXxQaYIFdPpm12WMpEX+zfxjjcpOR+Xv8npbs4AlopFaZ1N8d2AlM19ChwTZm/Zmq3BQt5Z2bhGsQD/s357F5ofmSfQ8BGXdeUguLj0BtZw6zrxQlySmJMNroBxrQresE7cdeoeEagZXXxJd0S64HcvonV3jjp4s5817YWLxGD8rws2fH9Ci91DEMlI+4/U9Jb/fWz7nxXSMekpNkGRrKPm6L+3/dxpvbkv9UyQi3OVTcx642WYyFaZnP6J6qcbH+itwfuPE1Fu+fe9IlIbAopDrvau0CGisU4FhX+NYMEmFu6N/+unFyMpj9qsqS8UFAXfgvSPRQTULqcaaOK7MRVh3JGOfR9qnbbPjt+aJRrkTW7q/8OWcqvxLgPnZlpPkvsg9PjcZmwxV4ooh3FC85vsrEc8tEqzzbrSWrJRXpL2ZJxsO2AfpHICexyjJium2Dm0hfR9EP5b4ltzeqg0rBeczec7/Tckafy3cGk1jCkPoDYN857Kl6oHi/9TduYvqReKJTV8dLB256M3TBeAYNQypCGceemPtcYrAgG+yMC8tnR57k5QjXsCmT69fAlPibvZdHUxh6Hqlx9sj5WU1NhGRCQsAj362UzGsEcVoF5/zcXVf4i2yCT+axNRyK/JU4JW6GaldJQ8PV+ay5RhNHtErgP18IaY7RjwTA0PVd5G839qbHZlJXiO/EvqrVpuy7UthQlvN+9Y+YM5jQMi64ahEcdWXYSjhqnbh6cZ3xfOXK0egTpy1/xG+FXpFMIvqK2gPZrB1B1Wc0XSvpOBFxTRaWlfDYeVwDtw9QCbM/7jhD9jaopdhMoPH5J/guLxMhRtRw0CJUemnTX1KJ8dGpvDfaCdj+I7ptb7vQ0wAfU/ferpfLX07j6g8MMa4p9jzI9BtXyd9OEOtyFfV5X5Mls9FfhmNi4+ES8LmawsLiyptKKUA7db4GZ4CLJqeR3khh/sej/ESgeXTfLXlOQbIALOdfrPo1t0fDRlW0H42FhmyHeily7KCBFS/pcziTVkM1YPrfyCXH6p8hVBNJ/JYWlEoS5qAxfcXP6cS+/3L16Y5XEP2Aea02qhim02C3qIX+6CQAc5QmuMfl+itnmWdTdwpPzEwVExoUQLCNTU610mkkKtSdMe3aLzmMrfQskEwjMhfXCwVsO+HWugi7im5GAezs+3wuK8j4GYai2sMerKesl4mJXIZWTLJqG8Vj7yKMHJ5mCiOPPYQ3AL++s916kRu3gO1evxfzul7ndh1GypVbX66QZotV9/MN4wSGxw/RCRscZrM+XzmlrhiKT3uezF9KKiw9J1F3zDrtcjmIqll2WVn+U5uzPYEj6TeC5ty/q3OdhYY58U7qe84Pj5zq72bLegBMMK8sG685ylPWD5l79+3D+JGCbjRTwu2oNaIdy9wem0rl56YX+kcGQC2IQcWXcIDASVhAQjguTU/mmMzLNZb3effZ4ZNAmnWgra4hnjEqChuxKlEM7blm057K2G7HP/j82Xy9VsBOTTc0Q2KJZpdb9t+vfDUNJtNdog5w5SnObRqIkUdDrFx04tGUDp/8eqqSHZWZOLq+G4jzarn6YhvNpEote89cARCqdZGhREJFi+zeFWhguasltfSjXhQrYc2p46GlV4USKuWiyIUny5I5/HR2/0Ci5vK2wh1jZ+JC53sKxA3MHg5Udyqkt8tLK+5X5NL6F9EBCRSzCqXDCds6mGu26X5Qt10UZdLTxJs3M0x3bSbN1qJUnv6K0iKgAVw09jeXzKcVXbmFQUDJoVEErIcg1Oed8EwfJu274rF8Nfxh+29LE0CO3q/pR0P91eiUKLKK6oy9tpGnGrnRViAZS3LvVsNVdlWBSEm6WSiwM97hDH3CFqwUHPYzM830DZS6bfIL0OfT9lH5a1f7+Uywi3O3EaJaR0lr5esGJImOQG02yjCvqmdS+igFMKzdAyxQO1WSXDwHXZGTYZbhqyGYK+zc89lKdBaXiC91POQIiz5/xciXqb77YnXKeg4g==,iv:VQIqXN3r7DOVREX4fP5/OR8xECXLjYKfhd6XP3ghMaY=,tag:eVdyxrw/w5zBGxV6Tai2Pg==,type:str]
 #ENC[AES256_GCM,data:3G8XqUKua1QgUxv2YJkW0fDnQPX7+v8GDC9BHg==,iv:BkESkMmMalgesy9why9eaKkOOvwSsN2EhNCRRRmZNtA=,tag:x95zt2B2M19BkzeMpAlXIg==,type:comment]
@@ -17,7 +19,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-06T21:04:51Z"
-    mac: ENC[AES256_GCM,data:/Bv7QRu1vFgbOz+KDDcV5qmYfmJiGic+veiULUJkuwBjv1jrp0XhwxXcLo+0b6owEtdjbVUdV2tGpqmYfcKiKsTa6jF9GWbj5tXdxNv3c8CTZiB/K/wXwPkOF1oyZzMuw6MWwA6r11TPzH0/EMMAVxsxYjaqr+pj/XBVNwyShBQ=,iv:Ykdd4XuyEcNqVcN4d0ZMy/TKJ/oYz9NrpI8ExmUhr5A=,tag:oObzt6HUvrgpvW2jFmRV7w==,type:str]
+    lastmodified: "2025-10-07T18:45:21Z"
+    mac: ENC[AES256_GCM,data:BDWPh3k/0cRioWIIsyB37sNOBeV876pp8ziWcstkuthHD2RA5JdXMGxBF5U2mphaeHO7n/Gdsek3pFYsvLpgCjp2dQcll3iYzQ5kjls12Oays44j5vwJd1oDceuW5QqhMg7Cbvlm0CahWHnZTMkf+aLqssw++pVEPXBJX06kF3w=,iv:jMNkrCXlIECdc7Ri1wriep2/OjAqDebxwxKKUJ6sZUo=,tag:R0QAXZ6SCtex8UkH1LgHfA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2