diff --git a/hosts/pi/default.nix b/hosts/pi/default.nix
index 34b5d45..cecd620 100644
--- a/hosts/pi/default.nix
+++ b/hosts/pi/default.nix
@@ -77,6 +77,35 @@
 };
 };
 
+ age.secrets."passwords/services/borg/pi-passphrase" = {
+ file = "${inputs.secrets}/passwords/services/borg/pi-passphrase.age";
+ };
+
+ services.borgmatic = {
+ enable = true;
+ settings = {
+ source_directories = [
+ "/var/lib/mosquitto"
+ "/var/lib/zigbee2mqtt"
+ ];
+ repositories = [
+ { label = "borgbase"; path = "ssh://qcw86s11@qcw86s11.repo.borgbase.com/./repo"; }
+ ];
+ storage = {
+ encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/pi-passphrase".path}";
+ ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+ };
+ retention = {
+ keep_daily = 7;
+ keep_weekly = 4;
+ keep_monthly = 6;
+ };
+ };
+ };
+
+ # Without this override, `cat` is unavailable for `encryption_passcommand`
+ systemd.services.borgmatic.confinement.fullUnit = true;
+
+
 environment.systemPackages = with pkgs; [
 libraspberrypi
 raspberrypi-eeprom
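Review bot: The `ssh_command` line in `storage` authenticates to the backup repository with the machine's SSH host key (`/etc/ssh/ssh_host_ed25519_key`), so one key both identifies the host's sshd and has access to the backups, and neither role can be rotated or revoked without affecting the other. A dedicated client key provisioned the same way as the passphrase would separate the two, e.g. `ssh_command = "ssh -i ${config.age.secrets."<borg-ssh-key-secret>".path}";` (placeholder secret name). Whether that key is restricted to append-only on the repository side is not visible here and is worth confirming, since otherwise a compromise of this host can also prune or delete the backups. Separately, `encryption_passcommand` finds `cat` through the unit's PATH, and `confinement.fullUnit = true` makes more of the store visible inside the confined unit just to provide that one binary. Calling `${pkgs.coreutils}/bin/cat` and listing only coreutils in `confinement.packages` would presumably be narrower, to be verified against how confinement is enabled for this unit.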