diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix
new file mode 100644
index 0000000..0af7fb6
--- /dev/null
+++ b/nix/os/containers/backup-target.nix
@@ -0,0 +1,69 @@
+{ hostAddress
+, localAddress
+, containerBackupCfg
+, sshPort ? containerBackupCfg.portInt
+}: {
+ config = { config, pkgs, lib, ... }: {
+ imports = [
+ ../profiles/containers/configuration.nix
+ ];
+
+ networking.firewall.enable = false;
+
+ services.ddclientovh = {
+ enable = true;
+ domain = containerBackupCfg.addr;
+ };
+
+ services.openssh.enable = true;
+
+ users.extraUsers."${containerBackupCfg.user}" = {
+ uid = 2000;
+ shell = pkgs.bashInteractive;
+ home = "/${containerBackupCfg.targetPath}";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNI3H0BRSYOZ/MbTs9J80doJwSd1HymFOP5quNt0J48vxZ5FPVrT2FHpQiNrCcYbCKRsU4X8AiGUHiXC0PapQQ3JDkqp6WZoqBNDx6BI7RadyH1TqVQPlou3pQmCAogzfBInruR53YTDmQqXiPwfM0okPOXgiBNjDfZXOX4+CyUfkmZZwASoicTInqWGkn1sFnh4tyXIkgWflg0njlVmfkVvH71+evvKLYHtoNpVXazkQ0SXbyuW5f3mSta7TNkpC3HbBm+4n+WxYGySrlRLWQhTo+aoWUKk9h5zvECDNpwRtbqzt+bA9nKrdg180ceu8hruwvWNiC6PPA2GW9Z1+VKROviGu1C3dliE/pPCBtK+ZoRVv2CGE+pmAuQsB9Nif9tk5tY6HJhuLNxKYiMfQkiLsDYv6KdZXUIVK/4BIDkZuQNnjhdOQBLnea0ANOhutA9gnjxnsd3UT6ovfazg5gud7n3u4yBtzjTkRrqWZ63eM1NmUVOgMWHQ715pV+hJfOFGqzRBEe3g/p3bWNgpROBYJbG1H8l9DN7emG4FGWsb1HeNFwQ5lS0Zsezb7qzahr4vSmHNugVw7w8ONt5dPbPI9wQnWvkkuHH76P/NYy6OC6lHrN1rXyA1okqdPr06YAZnCot+Pqdgn/ijxgp06J3dtkhin+Q7PoQbGff3ERIw== bkp"
+ ];
+
+ packages = with pkgs; [
+ btrfsProgs
+ # btrbk
+ ];
+ };
+
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ {
+ users = [ "bkp" ];
+ commands = [
+ { command = "/etc/profiles/per-user/bkp/bin/btrfs"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/test"; options = [ "NOPASSWD" ]; }
+ ];
+ }
+ ];
+ };
+ };
+
+ autoStart = true;
+
+ bindMounts = {
+ "/${containerBackupCfg.targetPath}" = {
+ hostPath = "/var/lib/container-volumes/backup-target";
+ isReadOnly = false;
+ };
+ };
+
+ privateNetwork = true;
+ forwardPorts = [
+ {
+ # ssh
+ containerPort = 22;
+ hostPort = sshPort;
+ protocol = "tcp";
+ }
+ ];
+
+ inherit hostAddress localAddress;
+}
diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix
index 6e1a9b6..7660200 100644
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@@ -62,8 +62,8 @@ in {
 script = let
 btrbkConf = pkgs.writeText "cfg" ''
 timestamp_format long
- ssh_identity ${passwords.storage.homeChBackup.keyPath}
- ssh_user ${passwords.storage.homeChBackup.user}
+ ssh_identity ${passwords.storage.backupTarget.keyPath}
+ ssh_user ${passwords.storage.backupTarget.user}
 ssh_compression no
 backend_remote btrfs-progs-sudo
 compat_remote busybox
@@ -75,7 +75,7 @@ in {
 target_preserve 7d 4w 12m *y
 volume ${subvolumeParentDir}
- target ${passwords.storage.homeChBackup.target}/container-volumes/${targetPathSuffix}
+ target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
 ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
 '';
 in ''
diff --git a/nix/os/devices/vmd32387.contaboserver.net/system.nix b/nix/os/devices/vmd32387.contaboserver.net/system.nix
index a29e3a7..a3305eb 100644
--- a/nix/os/devices/vmd32387.contaboserver.net/system.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix
@@ -5,6 +5,7 @@ let
 keys = import ../../../variables/keys.nix;
+ passwords = import ../../../variables/passwords.crypt.nix;
 in {
 # TASK: new device
@@ -106,13 +107,10 @@ in {
 networking.useHostResolvConf = true;
 containers = {
- backup = import ../../containers/backup.nix {
- inherit config;
- hostAddress = "192.168.100.16";
- localAddress = "192.168.100.17";
- subvolumes = [
- "backup"
- ];
+ bkpTarget = import ../../containers/backup-target.nix {
+ hostAddress = "192.168.100.18";
+ localAddress = "192.168.100.19";
+ containerBackupCfg = passwords.storage.backupTarget;
 };
 };
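Review bot: The sudo rules in backup-target.nix hard-code the user name `bkp` and the profile path `/etc/profiles/per-user/bkp/bin/btrfs`, while the account itself is created as `users.extraUsers."${containerBackupCfg.user}"`; if `containerBackupCfg.user` is ever anything other than `bkp`, the rules bind to a user that does not exist and the btrfs path is wrong, so btrbk's `btrfs-progs-sudo` backend fails on the target. Derive both from the same value: `users = [ containerBackupCfg.user ];` and `command = "/etc/profiles/per-user/${containerBackupCfg.user}/bin/btrfs";`. Separately, `networking.firewall.enable = false;` switches the container's firewall off entirely although only port 22 is forwarded; `networking.firewall.allowedTCPPorts = [ 22 ];` keeps the firewall active with the same service reachable. Because the key in `openssh.authorizedKeys.keys` grants an interactive `bashInteractive` shell plus passwordless `sudo btrfs` with unrestricted arguments, consider limiting it with a `command=` option on the authorized key (btrbk ships `ssh_filter_btrbk.sh` for exactly this) so the source host can only run the backup operations it needs.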
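Review bot: Retargeting `ssh_identity`, `ssh_user` and `target` to `passwords.storage.backupTarget` in backup.nix changes the remote host, but nothing in these hunks shows how the new host's SSH key becomes trusted on the source; the first btrbk run is likely to stop on an unknown host key for the ddclient-published name, so the entry should be provisioned (for example via `programs.ssh.knownHosts`) before this is deployed. The target is reached through the container's forwarded port (`hostPort = sshPort` in backup-target.nix), so `passwords.storage.backupTarget.target` must carry that port in btrbk's `ssh://host:port/path` form whenever it is not 22 — this cannot be checked here because the value lives in the encrypted file. The `script = let ... in ''` block that holds `btrbkConf` starts before the first hunk and ends after the second.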
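Review bot: `containerBackupCfg = passwords.storage.backupTarget;` in system.nix hands the container module the whole attribute set from `passwords.crypt.nix`, although backup-target.nix only reads `addr`, `user`, `targetPath` and `portInt`; the same set also carries the `keyPath` that backup.nix feeds to `ssh_identity`, so passing only the four needed fields (or a dedicated non-secret set) keeps the container definition from depending on credential-related values. Every value interpolated into the container config (`home`, the bind-mount path, the ddclient `domain`) lands in the world-readable Nix store, so nothing in `backupTarget` that is meant to stay confidential should be among those four attributes. `sshPort` is a host-side port: check that this host's own `networking.firewall` admits `passwords.storage.backupTarget.portInt`, since disabling the firewall inside the container does not open anything on the host, and the forwarded service would otherwise be unreachable from outside.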
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix
index 98713c6..ff47308 100644
Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ