diff --git a/config/hosts/florp/configuration.nix b/config/hosts/florp/configuration.nix
index c258a57..133e22d 100644
--- a/config/hosts/florp/configuration.nix
+++ b/config/hosts/florp/configuration.nix
@@ -1,4 +1,4 @@
-{ lib, ... }: {
+{ lib, config, ... }: {
   imports = [
     ../../common
     ../../profiles/headless.nix
@@ -13,7 +13,9 @@
   };
   kyouma.nginx.defaultForbidden = "florp.social";
 
-  kyouma.restic = {
+  kyouma.restic = let
+    pgBackup = "/var/cache/postgresql.sql";
+  in {
     enable = true;
     remoteUser = "zh3485s1";
     timerConfig = {
@@ -22,9 +24,21 @@
     };
     paths = [
       "/var/lib/akkoma"
-      "/var/lib/postgresql"
       "/var/lib/secrets"
+      pgBackup
     ];
+
+    backupPrepareCommand = ''
+      umask 0077
+      rm -f -- ${pgBackup}
+      ${lib.getExe' config.services.postgresql.package "pg_dumpall"} \
+        -U ${config.services.postgresql.superUser} \
+        -f ${pgBackup}
+    '';
+
+    backupCleanupCommand = ''
+      rm -f -- ${pgBackup}
+    '';
   };
   systemd.network.networks."98-eth-default" = {
     address = [
diff --git a/flake.lock b/flake.lock
index cca7698..e18f443 100644
--- a/flake.lock
+++ b/flake.lock
@@ -437,11 +437,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731185407,
-        "narHash": "sha256-4LdV+ZK7slyONezfW3aZmBuTt4lnxBTmREemBW7VBtk=",
+        "lastModified": 1731187545,
+        "narHash": "sha256-n/BOlXvOcX5yn2mbjazfCcbojzczCdmcjQNaH7Dcdd4=",
         "ref": "refs/heads/main",
-        "rev": "1d3098ad7775426c092a5bd13498d98a8b02b116",
-        "revCount": 6,
+        "rev": "1845276697adca236be3e7a983238d2a2d0d57b5",
+        "revCount": 7,
         "type": "git",
         "url": "https://woof.rip/florp/about.git"
       },
diff --git a/modules/restic/default.nix b/modules/restic/default.nix
index 2661253..b1c8ca3 100644
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@@ -48,6 +48,19 @@ in {
         Persistent = true;
       };
     };
+
+    # FIXME: Can these be just inherited?
+    backupPrepareCommand = mkOption {
+      description = "preparation script";
+      type = with types; nullOr str;
+      default = null;
+    };
+
+    backupCleanupCommand = mkOption {
+      description = "cleanup script";
+      type = with types; nullOr str;
+      default = null;
+    };
   };
   config = lib.mkIf cfg.enable {
     sops.secrets."restic/${cfg.remoteUser}/password" = {