diff --git a/group_vars/crans_server/vars.yml b/group_vars/crans_server/vars.yml index 136ce4ab..e05f2029 100644 --- a/group_vars/crans_server/vars.yml +++ b/group_vars/crans_server/vars.yml @@ -7,3 +7,16 @@ ldap: # Parameters for debian mirror debian_mirror: http://mirror.adm.crans.org/debian debian_components: main non-free + + +glob_borg: + to_backup: + - /etc + - /var + remote: + - borg@zephir.adm.crans.org:/backup/borg/{{ ansible_hostname }} + retention: + - ["daily", 4] + - ["monthly", 6] + consistency_check: + - disabled diff --git a/plays/backup.yml b/plays/backup.yml index b39bb870..c656364c 100755 --- a/plays/backup.yml +++ b/plays/backup.yml @@ -1,17 +1,10 @@ #!/usr/bin/env ansible-playbook --- -# zephir backups virtual machines. -# omnomnom backups home dirs. -- import_playbook: get_adm_iface.yml +- hosts: server + vars: + borg: '{{ glob_borg | default({}) | combine(loc_borg | default({})) }}' + mirror: '{{ glob_mirror | default({}) | combine(loc_mirror | default({})) }}' + roles: + - borgbackup-client -# Rsync client on all server to allow backup -#- hosts: server -# vars: -# # Backup password -# backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}" -# roles: ["rsync-client"] - -# Backuppc backup software -#- hosts: zephir.adm.crans.org,omnomnom.adm.crans.org -# roles: ["backuppc"] diff --git a/roles/borgbackup-client/tasks/main.yml b/roles/borgbackup-client/tasks/main.yml index 8b5a68d6..26dc4e67 100644 --- a/roles/borgbackup-client/tasks/main.yml +++ b/roles/borgbackup-client/tasks/main.yml 
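Review bot: In the `glob_borg` block added to group_vars/crans_server/vars.yml, `consistency_check: - disabled` turns off borgmatic's consistency checks for every server that inherits these defaults, so a corrupted or tampered repository would only be noticed at restore time. I would keep at least the cheap check in the global default, `consistency_check:` followed by `- repository`, and let hosts with very large repositories opt out through `loc_borg`. A one-line comment above `retention` saying that each pair is rendered as `keep_<period>: <count>` in the borgmatic config would also help the next person who edits that list.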
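Review bot: In plays/backup.yml the new `borg` and `mirror` vars are built with `combine`, which replaces a key's value wholesale (lists included), so a host that sets `loc_borg.to_backup` to add one path silently drops `/etc` and `/var` from its own backups. That behaviour deserves a comment above `vars:`, for example `# loc_* keys replace the matching glob_* key entirely; repeat the global entries when overriding a list`. `mirror` also falls back to `{}` while the bullseye.list template reads `mirror.name`, so if `glob_mirror` is not defined elsewhere in the inventory the pin task would presumably fail on an undefined variable.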
@@ -1,35 +1,24 @@ --- +- name: Pin borgmatic + template: + src: "apt/{{ item }}.j2" + dest: "/etc/apt/{{ item }}" + loop: + - sources.list.d/bullseye.list + - preferences.d/borgmatic-bullseye + when: ansible_lsb.release | int <= 10 + - name: Install borgbackup apt: update_cache: true name: - borgbackup - state: present - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Install borgmatic with apt - apt: - update_cache: true - name: - borgmatic state: present register: apt_result retries: 3 until: apt_result is succeeded - when: ansible_lsb.release >= 10 -- name: Install borgmatic with pip - pip: - executable: pip3 - name: - - borgmatic - register: pip_result - retries: 3 - until: pip_result is succeeded - when: ansible_lsb.release <= 9 - - name: Ensures /etc/borgmatic exists file: path: /etc/borgmatic @@ -39,8 +28,8 @@ - name: Deploy ssh private key template: - src: "borgbackup/id_ed25519.j2" - dest: "/etc/borgbackup/id_ed25519" + src: "borgmatic/id_ed25519_borg.j2" + dest: "/etc/borgmatic/id_ed25519_borg" mode: 0600 owner: root @@ -48,6 +37,9 @@ template: src: "borgmatic/config.yaml.j2" dest: "/etc/borgmatic/config.yaml" + mode: 0600 + owner: root + group: root - name: Deploy borg cron template: diff --git a/roles/borgbackup-client/templates/apt/preferences.d/borgmatic-bullseye.j2 b/roles/borgbackup-client/templates/apt/preferences.d/borgmatic-bullseye.j2 new file mode 100644 index 00000000..32e59b73 --- /dev/null +++ b/roles/borgbackup-client/templates/apt/preferences.d/borgmatic-bullseye.j2 @@ -0,0 +1,12 @@ +{{ ansible_header | comment }} + + +Package: * +Pin: release n=bullseye +Pin-Priority: 1 + + +Package: borgmatic +Pin: release n=bullseye +Pin-Priority: 900 + diff --git a/roles/borgbackup-client/templates/apt/sources.list.d/bullseye.list.j2 b/roles/borgbackup-client/templates/apt/sources.list.d/bullseye.list.j2 new file mode 100644 index 00000000..e8bbe8d2 --- /dev/null 
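Review bot: In the new `Pin borgmatic` task of roles/borgbackup-client/tasks/main.yml, `when: ansible_lsb.release | int <= 10` also matches any host whose release string is not numeric, because `int` falls back to 0 for values it cannot parse; such a host (for example one reporting `testing` or `n/a`) would receive the bullseye source and pin files. If stretch and buster are the only older releases in the fleet, an explicit match is safer: `when: (ansible_lsb.release | int) in [9, 10]`. The `ansible_lsb` fact is also only populated where lsb-release is installed, and nothing in this hunk removes the two files once a host is upgraded to bullseye.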
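Review bot: The `Deploy ssh private key` task in the second hunk renders the vaulted key through `template`, and a run with `--diff` prints rendered template content, so the private key can end up in terminal scrollback or CI logs. The same applies to the `config.yaml` task in the third hunk, whose template contains `encryption_passphrase`. Adding `no_log: true` (or at least `diff: false`) to both tasks closes that. Both task bodies start or end outside their hunks, so I cannot see whether the key task also sets `group: root` the way the config task now does.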
+++ b/roles/borgbackup-client/templates/apt/sources.list.d/bullseye.list.j2
@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+deb http://{{ mirror.name }}/debian bullseye main
diff --git a/roles/borgbackup-client/templates/borgmatic/config.yaml.j2 b/roles/borgbackup-client/templates/borgmatic/config.yaml.j2
index e69de29b..123a57ac 100644
--- a/roles/borgbackup-client/templates/borgmatic/config.yaml.j2
+++ b/roles/borgbackup-client/templates/borgmatic/config.yaml.j2
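Review bot: The new sources.list.d/bullseye.list.j2 adds only the `bullseye main` suite, so on the older hosts the pinned borgmatic would receive fixes only through bullseye point releases and not through the security archive. If the internal mirror carries the security suite, I would add a matching `deb` line for it and a second `Package: borgmatic` stanza in the preferences file for that suite; this diff does not show under which path the mirror serves it. The entry uses plain `http://`, which is fine as long as apt keeps verifying the signed Release file, so a comment stating that this source must never be marked `[trusted=yes]` would be worth having.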
@@ -0,0 +1,83 @@
+{{ ansible_header | comment }}
+
+location:
+ source_directories:
+{% for dir in borg.to_backup %}
+ - {{ dir }}
+{% endfor %}
+
+ repositories:
+{% for remote in borg.remote %}
+ - {{ remote }}
+{% endfor %}
+
+ exclude_patterns:
+ - '*.pyc'
+ - '\#*\#'
+ - '*~'
+{% for pattern in borg.to_exclude | default([]) %}
+ - {{ pattern }}
+{% endfor %}
+
+ exclude_caches: true
+
+ exclude_if_present:
+ - .nobackup
+
+ borgmatic_source_directory: /tmp/borgmatic
+
+storage:
+ encryption_passphrase: {{ vault_borgbackup_passwd }}
+ ssh_command: ssh -i /etc/borgmatic/id_ed25519_borg
+ borg_base_directory: /etc/borgmatic
+ borg_config_directory: /etc/borgmatic/config/
+ borg_cache_directory: /etc/borgmatic/cache
+ borg_security_directory: /etc/borgmatic/config/security
+ borg_keys_directory: /etc/borgmatic/config/keys
+ compression: 'lz4'
+ umask: 0077
+ lock_wait: 5
+ archive_name_format: '{hostname}-{now}'
+{% set extra_prune = borg.extra_prune | default([]) %}
+{% set extra_create = borg.extra_create | default([]) %}
+{% set extra_check = borg.extra_check | default([]) %}
+ extra_borg_options:
+ # Extra command-line options to pass to "borg init".
+ init: --make-parent-dirs {% for cmd in borg.extra_init | default([]) %}--{{ cmd }} {% endfor %}
+{% if extra_prune %}
+ # Extra command-line options to pass to "borg prune".
+ prune: {% for cmd in extra_prune %}--{{ cmd }} {% endfor %}
+{% endif %}
+
+{% if extra_create %}
+ # Extra command-line options to pass to "borg create".
+ create: {% for cmd in extra_create %}--{{ cmd }} {% endfor %}
+{% endif %}
+
+{% if extra_check %}
+ # Extra command-line options to pass to "borg check".
+ check: {% for cmd in extra_check %}--{{ cmd }} {% endfor %}
+{% endif %}
+
+retention:
+{% for retention in borg.retention %}
+ keep_{{ retention[0] }}: {{ retention[1] }}
+{% endfor %}
+ prefix: '{hostname}-'
+
+consistency:
+ checks:
+{% for check in borg.consistency_check %}
+ - {{ check }}
+{% endfor %}
+
+{% if borg.hooks | default([]) %}
+ hooks:
+ {% for hook in borg.hooks %}
+ {{ hook.type }}:
+ {% for value in hook.values %}
+ - {{ value }}
+ {% endfor %}
+ {% endfor %}
+ umask: 0077
+{% endif %}
diff --git a/roles/borgbackup-client/templates/borgmatic/id_ed25519.j2 b/roles/borgbackup-client/templates/borgmatic/id_ed25519.j2
deleted file mode 100644
index e69de29b..00000000
diff --git a/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2 b/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2
new file mode 100644
index 00000000..1ef022e0
--- /dev/null
+++ b/roles/borgbackup-client/templates/borgmatic/id_ed25519_borg.j2
@@ -0,0 +1 @@
+{{ vault_borgbackup_ssh_privkey }}
diff --git a/roles/borgbackup-client/templates/cron.d/borg.j2 b/roles/borgbackup-client/templates/cron.d/borg.j2
new file mode 100644
index 00000000..41c84ebd
--- /dev/null
+++ b/roles/borgbackup-client/templates/cron.d/borg.j2
@@ -0,0 +1,5 @@
+{{ ansible_header | comment }}
+
+PATH=$PATH:/usr/sbin:/usr/bin:/usr/local/bin:/sbin:/bin
+
+{{ 60 | random(seed=inventory_hostname) }} {{ 24 | random(seed=inventory_hostname) }} * * * root borgmatic --syslog-verbosity 1
diff --git a/roles/borgbackup-client/templates/cron.d/borgbackup b/roles/borgbackup-client/templates/cron.d/borgbackup
deleted file mode 100644
index e69de29b..00000000
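Review bot: In roles/borgbackup-client/templates/borgmatic/config.yaml.j2, `encryption_passphrase: {{ vault_borgbackup_passwd }}` writes the passphrase as a plain YAML scalar, so a value containing ` #`, `: `, a leading quote or a number-like string is truncated or re-typed by the parser, and a repository could end up initialised with a passphrase that differs from the one in the vault. Emitting it as a quoted scalar avoids that: `encryption_passphrase: {{ vault_borgbackup_passwd | to_json }}`. Separately, `borgmatic_source_directory: /tmp/borgmatic` places the working directory of a root cron job at a predictable path inside a world-writable directory, where another local user can create it first; a root-owned location such as `/root/.borgmatic` removes that exposure. In the hooks block, `hook.values` resolves to the dict method rather than the `values` key when `hook` is a mapping, so the inner loop should read `{% for value in hook['values'] %}`.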
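Review bot: The new id_ed25519_borg.j2 renders a single variable, `vault_borgbackup_ssh_privkey`, and the group vars point every server at the same `borg@zephir.adm.crans.org` account, so unless the vault value is overridden per host, all servers appear to share one key that can reach every repository under `/backup/borg/`. If so, one compromised client can read or delete the backups of all the others. Per-host keys, each limited in the backup server's `authorized_keys` with `command="borg serve --restrict-to-path /backup/borg/<hostname>"` (optionally with `--append-only`), would contain that. The server side is not part of this diff, so this restriction may already exist.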
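Review bot: In cron.d/borg.j2, `PATH=$PATH:/usr/sbin:...` does not extend the existing path, because cron takes the right-hand side of an environment line literally and performs no variable expansion; the job therefore runs as root with a first search entry that is the relative directory name `$PATH`. For a root job the search path should be absolute and explicit: `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`. The two schedule fields use `random(seed=inventory_hostname)`, which keeps the time stable per host; a short comment saying so would stop someone from swapping in an unseeded `random` that rewrites the file on every run.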