diff --git a/hosts/helios/default.nix b/hosts/helios/default.nix
index b6a5a98..c308dca 100644
--- a/hosts/helios/default.nix
+++ b/hosts/helios/default.nix
@@ -23,6 +23,34 @@
 
   system.stateVersion = "22.11";
 
+  age.secrets."passwords/services/borg/helios-passphrase" = {
+    file = "${inputs.secrets}/passwords/services/borg/helios-passphrase.age";
+  };
+
+  services.borgmatic = {
+    enable = true;
+    settings = {
+      source_directories = [
+        "/home/jordan/Documents"
+      ];
+      repositories = [
+        { label = "borgbase"; path = "ssh://cb2vwh9g@cb2vwh9g.repo.borgbase.com/./repo"; }
+      ];
+      storage = {
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/helios-passphrase".path}";
+        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+      };
+      retention = {
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+      };
+    };
+  };
+
+  # Without this override, `cat` is unavailable for `encryption_passcommand`
+  systemd.services.borgmatic.confinement.fullUnit = true;
+
   modules = {
     desktop = {
       apps.qbittorrent.enable = true;