diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index 732cb18..3481219 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -42,3 +42,9 @@ nextcloud_smtp_from_domain: "{{ server_domain }}"
 # nextcloud_s3_ssl: true
 # nextcloud_s3_region: eu-central-1
 # nextcloud_s3_usepath_style: true
+
+nextcloud_backup_db_enable: false
+# nextcloud_backup_db_repo: s3.eu-central-1.wasabisys.com/myrepo
+# nextcloud_backup_db_key: <s3-key>
+# nextcloud_backup_db_secret: <s3-secret>
+# nextcloud_backup_db_timezone: US/Chicago
diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2
index 80f28fa..07a57f4 100644
--- a/roles/nextcloud/templates/docker-stack.yml.j2
+++ b/roles/nextcloud/templates/docker-stack.yml.j2
@@ -160,6 +160,26 @@ services:
     networks:
       - backend
 
+{% if nextcloud_backup_db_enable is not undefined and not false %}
+  backup:
+    image: mazzolino/restic
+    environment:
+      - "TZ={{ nextcloud_backup_db_timezone }}"
+       # go-cron starts w seconds
+      - "BACKUP_CRON=0 30 3 * * *"
+      - "RESTIC_REPOSITORY={{ nextcloud_backup_db_repo }}"
+      - "AWS_ACCESS_KEY_ID={{ nextcloud_backup_db_key }}"
+      - "AWS_SECRET_ACCESS_KEY={{ nextcloud_backup_db_secret }}"
+      - "RESTIC_PASSWORD={{ nextcloud_backup_db_pass }}"
+      - "RESTIC_BACKUP_TAGS=nextcloud-db"
+      - "RESTIC_BACKUP_SOURCES=/mnt/volumes"
+    volumes:
+      - db:/mnt/volumes/nextcloud_db:ro
+      - data:/mnt/volumes/nextcloud_data:ro
+    networks:
+      - backend
+{% endif %}
+
   # metrics:
   #   image: telegraf
   #   hostname: "${HOSTNAME:-vmi352583.contaboserver.net}"