diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index c8e96771..fd6da7bc 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -20,9 +20,8 @@ in
   services.syncthing.user = "ragon";
   ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; };
-  services.syncoid.enable = true;
-  services.syncoid.sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
-  services.syncoid.commands =
+  ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; };
+  services.syncoid =
     let
       datasets = {
         backups = "rpool/content/local/backups";
@@ -31,7 +30,25 @@ in
         hassosvm = "spool/safe/vms/hassos";
       };
     in
-    builtins.mapAttrs (n: v: { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }) datasets;
+
+    lib.mkMerge (
+      [{
+        localSourceAllow = [
+          "hold"
+          "send"
+          "snapshot"
+          "destroy"
+          "mount"
+        ];
+        enable = true;
+        interval = "*-*-* 2:15:00";
+        commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
+        sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
+      }] ++
+      (builtins.attrValues
+        (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
+      )
+    );
   programs.mosh.enable = true;
   security.sudo.wheelNeedsPassword = false;
diff --git a/nixos-modules/system/fs.nix b/nixos-modules/system/fs.nix
index 951579b3..b197945c 100644
--- a/nixos-modules/system/fs.nix
+++ b/nixos-modules/system/fs.nix
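Review bot: The `GlobalKnownHostsFile=...` pin added in `commonArgs` is not authoritative on its own: ssh still consults the syncoid user's `UserKnownHostsFile` and leaves `StrictHostKeyChecking` at its default, so any entry already in that user's `~/.ssh/known_hosts` (or one accepted there out of band) is trusted alongside the agenix-managed file. To make the managed file the only source of truth and fail closed on a mismatch, extend the line to `commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" "--sshoption" "UserKnownHostsFile=/dev/null" "--sshoption" "StrictHostKeyChecking=yes" ];` (syncoid accepts a repeated `--sshoption`, as far as I recall). The `lib.mkForce` on `sshKey` appears to have existed only to override the `services.syncoid.sshKey` definition in fs.nix that this same commit removes, so it can probably be dropped now. The `services.syncoid = let datasets = ...` binding this hunk completes begins in the previous hunk.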
@@ -39,18 +39,6 @@ in
   services.sanoid = {
     enable = mkDefault persistentSnapshot;
   } // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { });
-  services.syncoid = {
-    user = "root";
-    group = "root";
-    sshKey = /persistent/root/.ssh/id_rsa;
-    enable = mkDefault true;
-    commonArgs = [
-    ];
-    commands."${persistent}" = {
-      target = "ragon@ds9:rpool/content/local/backups/${hostName}"; # FIXME extra user
-      recvOptions = "x encryption";
-    };
-  };
   boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ];
   fileSystems."/" = {
diff --git a/secrets/gatebridgeHostKeys.age b/secrets/gatebridgeHostKeys.age
new file mode 100644
index 00000000..dd1dca83
Binary files /dev/null and b/secrets/gatebridgeHostKeys.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9fa6db24..35296dac 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,6 +14,7 @@ in
   "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
   "photoprismEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
+  "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.host "ds9";
   "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
   "mailmoverConf.age".publicKeys = pubkeys.ragon.host "picard";
   "matrixSecrets.age".publicKeys = pubkeys.ragon.host "picard";