diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix
index 8776288..8017a51 100644
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -9,12 +9,17 @@ in
 malobeo = lib.mkOption {
 type = lib.types.bool;
 default = true;
- description = "enable malobeo user, defaults to on";
+ description = "enable malobeo user, defaults to on, ";
 };
 admin = lib.mkOption {
 type = lib.types.bool;
 default = true;
- description = "enable admin user, defaults to on to prevent lockouts";
+ description = "enable admin user, defaults to on to prevent lockouts, passwordless sudo access";
+ };
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "enable backup user, ";
 };
 };
 config = lib.mkMerge [
@@ -50,6 +55,26 @@ in
 }
 ];
 })
+ (lib.mkIf cfg.backup {
+ users.users.backup = {
+ isNormalUser = true;
+ hashedPassword = null;
+ openssh.authorizedKeys.keys = sshKeys.backup;
+ description = "backup user for pull style backups, can only use zfs commands";
+ };
+ environment.systemPackages = with pkgs; [];
+ security.sudo.extraRules = [
+ {
+ users = [ "backup" ];
+ commands = [
+ {
+ command = "${pkgs.zfs-user}/bin/zfs";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ })
 {
 users.mutableUsers = false;
 services.openssh.hostKeys = [
diff --git a/machines/ssh_keys.nix b/machines/ssh_keys.nix
index 0f71ec3..0a45f15 100644
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -5,4 +5,8 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
 ];
+ backup = [
+ "ssh-rsa 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"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKl5FWPskhlnzJs1+mMYrVTMNnRG92uFKUgGlteTPhL"
+ ];
 }
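Review bot: The new `backup` option's description stops mid-sentence (`"enable backup user, "`), and the edited `malobeo` description now ends in the same dangling `, `. Judging by the second hunk of this file, the option enables key-based SSH login plus a NOPASSWD sudo rule, and an operator should be able to read that from the option text, as the `admin` line now does. I would write `description = "enable backup user for pull-style backups (SSH key login, passwordless sudo for zfs), defaults to off";` and either finish or revert the trailing `, ` on the `malobeo` line. The options attribute set begins before this hunk.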
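Review bot: The `security.sudo.extraRules` entry lets `backup` run every `zfs` subcommand as root without a password, which is much wider than a pull backup needs and does not match the user description "can only use zfs commands". `isNormalUser = true` still gives the account an ordinary shell, and unrestricted `zfs` as root covers destroy, rollback, receive and property changes on every dataset. A narrower design is to drop the sudo rule and delegate only what the puller uses, for example `zfs allow -u backup send,snapshot,hold <pool/dataset>` (placeholder dataset) applied from an activation script or systemd unit. `environment.systemPackages = with pkgs; [];` is a no-op and can be removed. Please also confirm that `pkgs.zfs-user` evaluates, since I only know that name as the derivation's pname and it may need an overlay; the enclosing `lib.mkMerge [` list starts and ends outside this hunk.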
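Review bot: Both `backup` keys are added without key options or a trailing comment, so they appear to grant an unrestricted session from any source address and cannot be attributed to a host or person when keys are rotated. The two existing entries visible above carry a `user@host` comment. Since these strings presumably end up verbatim in authorized_keys, I would prefix options and label each key, for example `"restrict,from=\"<backup-host>\" ssh-ed25519 <key> backup@<backup-host>"` (placeholders). The `ssh-rsa` entry's key material is not visible on this page, so its length could not be checked; keeping only the ed25519 key would be simpler if the pulling host supports it. The attribute set begins before this hunk.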