diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8934280
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:3
+
+ENV RESTIC_PASSWORD_FILE=
+ENV RESTIC_REPOSITORY=
+ENV AWS_ACCESS_KEY_ID=
+ENV AWS_SECRET_ACCESS_KEY=
+
+RUN apk add --update --no-cache docker-cli bash jq restic
+
+RUN echo "*       *       *       *       *       /backup.sh" | crontab -
+RUN crontab -l
+COPY backup.sh /
+
+ENTRYPOINT ["crond", "-f", "-L", "/dev/stdout"]
diff --git a/backup.sh b/backup.sh
index 43fa83f..32f647e 100755
--- a/backup.sh
+++ b/backup.sh
@@ -1,15 +1,20 @@
 #!/bin/bash
 
-# FIXME: just for testing
-backup_path=backups
+### FIXME: just for testing
+echo $RESTIC_PASSWORD_FILE
+echo $RESTIC_REPOSITORY
+echo $AWS_ACCESS_KEY_ID
+echo $AWS_SECRET_ACCESS_KEY
 
-# FIXME: just for testing
-export DOCKER_CONTEXT=demo.coopcloud.tech
+export DOCKER_CONTEXT=default
+
+mkdir /tmp/backups
+backup_path=/tmp/backups
 
 mapfile -t services < <(docker service ls --format '{{ .Name }}')
 
 # FIXME: just for testing
-services=( "ghost_demo_app" "ghost_demo_db" )
+services=("cloud_local_db")
 
 for service in "${services[@]}"; do
 	echo "service: $service"
@@ -18,17 +23,17 @@ for service in "${services[@]}"; do
 		pre=$(echo "$details" | jq -r '.["backupbot.backup.pre-hook"]')
 		post=$(echo "$details" | jq -r '.["backupbot.backup.post-hook"]')
 		path=$(echo "$details" | jq -r '.["backupbot.backup.path"]')
-		
+
 		if [ "$path" = "null" ]; then
 			echo "ERROR: missing 'path' for $service"
 			continue  # or maybe exit?
 		fi
 
 		container=$(docker container ls -f "name=$service" --format '{{ .ID }}')
-		
+
 		echo "backing up $service"
 		test -d "$backup_path/$service" || mkdir "$backup_path/$service"
-		
+
 		if [ "$pre" != "null" ]; then
 			# run the precommand
 			# shellcheck disable=SC2086
@@ -36,7 +41,7 @@ for service in "${services[@]}"; do
 		fi
 
 		# run the backup
-		docker cp "$container:$path" "$backup_path/$service"
+		docker cp -a "$container:$path" "$backup_path/$service"
 
 		if [ "$post" != "null" ]; then
 			# run the postcommand
@@ -44,7 +49,11 @@ for service in "${services[@]}"; do
 			docker exec "$container" $post
 		fi
 	fi
-	restic -p restic-password \
-		backup --quiet -r sftp:u272979@u272979.your-storagebox.de:/demo.coopcloud.tech \
-		--tag coop-cloud "$backup_path"
+
+	# Check if restic repo exists
+	if [ -z "$(restic cat config)" ] 2>/dev/null; then
+		echo "initializing restic repo"
+		restic init "$backup_path"
+	fi
+	restic backup --tag coop-cloud "$backup_path" # --quiet
 done
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..dcacf83
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    build: .
+    environment:
+      RESTIC_PASSWORD_FILE: "/run/secrets/restic_password"
+      RESTIC_REPOSITORY:  "s3:http://172.20.0.2:9000/backup"  # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
+      AWS_ACCESS_KEY_ID: "root"
+      AWS_SECRET_ACCESS_KEY: "foobar"
+    secrets:
+      - restic_password
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+secrets:
+  restic_password:
+    #external: true
+    #name: restic_password
+    file: restic_password