diff --git a/configs/pepe/borg.nix b/configs/pepe/borg.nix
index c135954..5fd86c4 100644
--- a/configs/pepe/borg.nix
+++ b/configs/pepe/borg.nix
@@ -8,6 +8,7 @@
       authorizedKeys = [
         # todo rename
         (lib.fileContents <common_secrets/backup/ssh_rsa.pub>)
+        (lib.fileContents <assets/ssh/card_rsa.pub>)
       ];
     };
   };
diff --git a/configs/workhorse/borg.nix b/configs/workhorse/borg.nix
index 9436a0f..abb6761 100644
--- a/configs/workhorse/borg.nix
+++ b/configs/workhorse/borg.nix
@@ -7,6 +7,7 @@
       authorizedKeys = [
         # todo rename
         (lib.fileContents <common_secrets/backup/ssh_rsa.pub>)
+        (lib.fileContents <assets/ssh/card_rsa.pub>)
       ];
     };
   };
diff --git a/system/all/borg-jobs.nix b/system/all/borg-jobs.nix
index 5228655..374e709 100644
--- a/system/all/borg-jobs.nix
+++ b/system/all/borg-jobs.nix
@@ -4,6 +4,19 @@
     backup.dirs = lib.mkOption {
       default = [ ];
       type = with lib.types; listOf str;
+      description = ''
+        folders to backup
+      '';
+    };
+    backup.exclude = lib.mkOption {
+      default = [ ];
+      type = with lib.types; listOf str;
+      description = ''
+        exclude files and folders matching a pattern.
+        Theses patterns effect all folders in `backup.dirs`.
+        see man borg pattern for more information
+      '';
+      example = [ ".git" "/home/*/.cache" ".stfolder" ];
     };
   };
 
@@ -24,7 +37,8 @@
     myHostname = config.networking.hostName;
 
     setup = server: {
-      paths = dirs;
+      paths = config.backup.dirs;
+      exclude = config.backup.exclude;
       doInit = true;
       repo = "borg@${server}:./${myHostname}";
       encryption = {
@@ -32,10 +46,14 @@
         # todo rename
         passCommand = "cat ${toString <secrets/backup/repo>}";
       };
-      environment.BORG_RSH =
-        "ssh -i ${toString <secrets/backup/ssh_rsa>}";
+      environment.BORG_RSH = "ssh -i ${toString <secrets/backup/ssh_rsa>}";
       compression = "auto,lzma";
       startAt = "daily";
+      prune.keep = {
+        within = "10d"; # Keep all backups in the last 10 days.
+        weekly = 8; # Keep 8 additional end of week archives.
+        monthly = -1; # Keep end of month archive for every month
+      };
 
     };
 
diff --git a/system/all/borg-scripts.nix b/system/all/borg-scripts.nix
new file mode 100644
index 0000000..8b991aa
--- /dev/null
+++ b/system/all/borg-scripts.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }: {
+
+  environment.systemPackages = let
+    createScript = command: host: repository:
+      pkgs.writers.writeBashBin
+      "borg-${command}-on-${host}-for-${repository}" ''
+        ${pkgs.borgbackup}/bin/borg \
+          ${command} \
+          --rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
+          "$@"
+      '';
+    hosts = [ "workhorse" "pepe" ];
+    repositories = [ "workhorse" "pepe" "sterni" "workout" ];
+    commands = [ "list" ];
+  in lib.flatten (map (command:
+    map
+    (host: map (repository: createScript command host repository) repositories)
+    hosts) commands);
+
+}
diff --git a/system/all/default.nix b/system/all/default.nix
index 8a5caf1..018f5c0 100644
--- a/system/all/default.nix
+++ b/system/all/default.nix
@@ -18,6 +18,7 @@
     ./nginx.nix
     ./packages.nix
     ./borg-jobs.nix
+    ./borg-scripts.nix
     ./sshd-known-hosts-bootup.nix
     ./sshd-known-hosts-private.nix
     ./sshd-known-hosts-public.nix
@@ -29,6 +30,9 @@
 
   ];
 
+  # default backup excludes
+  backup.exclude = [ ".git" ".stfolder" ".stversions" ];
+
   # provide overlays
   # -----------------
   nixpkgs.overlays = [ (import <pkgs>) (import <nix-writers/pkgs>) ];