diff --git a/.envrc.sample b/.envrc.sample
index adb349c..2397d6c 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -1,8 +1,15 @@
-export RESTIC_SFTP_HOST="user@domain.tld"
+export RESTIC_HOST="user@domain.tld"
 export RESTIC_PASSWORD_FILE=/run/secrets/restic-password
 export BACKUP_DEST=/backups
 
 export SERVER_NAME=domain.tld
 export DOCKER_CONTEXT=$SERVER_NAME
 
+# uncomment either this:
+#export SSH_KEY_FILE=~/.ssh/id_rsa
+# or this:
+#export AWS_SECRET_ACCESS_KEY_FILE=s3
+#export AWS_ACCESS_KEY_ID=easter-october-emphatic-tug-urgent-customer
+
+# optionally limit subset of services for testing
 #export SERVICES_OVERRIDE="ghost_domain_tld_app ghost_domain_tld_db"
diff --git a/backup.sh b/backup.sh
index 991c371..82cb95c 100755
--- a/backup.sh
+++ b/backup.sh
@@ -19,14 +19,14 @@ if [ -n "$ssh_key_file" ] && [ -f "$ssh_key_file" ]; then
 	restic_extra_options="sftp.command=ssh -i $ssh_key_file $restic_host -s sftp"
 fi
 
-if [ -n "$s3_key_file" ] && [ -f "$s3_key_file" ]; then
+if [ -n "$s3_key_file" ] && [ -f "$s3_key_file" ] && [ -n "$AWS_ACCESS_KEY_ID" ]; then
 	AWS_SECRET_ACCESS_KEY="$(cat "${s3_key_file}")"
 	export AWS_SECRET_ACCESS_KEY
 	restic_repo="s3:$restic_host$server_name"
 fi
 
 if [ -z "$restic_repo" ]; then
-	echo "You must configure either SFTP or S3 storage"
+	echo "You must configure either SFTP or S3 storage, see README"
 	exit 1
 fi
 
@@ -34,11 +34,18 @@ echo "restic_repo: $restic_repo"
 
 # Pre-bake-in some default restic options
 _restic() {
-	# shellcheck disable=SC2068
-	restic -p "$restic_password_file" \
-		--quiet -r "$restic_repo" \
-		"${restic_extra_options:+-o}" "$restic_extra_options" \
-		$@
+	if [ -z "$restic_extra_options" ]; then
+		# shellcheck disable=SC2068
+		restic -p "$restic_password_file" \
+			--quiet -r "$restic_repo" \
+			$@
+	else
+		# shellcheck disable=SC2068
+		restic -p "$restic_password_file" \
+			--quiet -r "$restic_repo" \
+			-o "$restic_extra_options" \
+			$@
+	fi
 }
 
 if [ -n "$SERVICES_OVERRIDE" ]; then