diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py
index e5b933a..3139db4 100644
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@@ -23,11 +23,19 @@ def zfs(metadata):
 other_node.has_bundle('backup') and
 other_node.metadata.get('backup/server') == node.name
 ):
+ # container
+ datasets[f"tank/{other_node.metadata.get('id')}"] = {
+ 'mountpoint': 'none',
+ 'readonly': 'on',
+ 'backup': False,
+ }
+ # for rsync backups
 datasets[f"tank/{other_node.metadata.get('id')}/fs"] = {
 'mountpoint': f"/mnt/backups/{other_node.metadata.get('id')}",
 'backup': False,
 }
+ # for zfs send/recv
 if other_node.has_bundle('zfs'):
 for path in other_node.metadata.get('backup/paths'):
 for dataset, config in other_node.metadata.get('zfs/datasets').items():
diff --git a/bundles/backup/metadata.py b/bundles/backup/metadata.py
index e619e12..843f8da 100644
--- a/bundles/backup/metadata.py
+++ b/bundles/backup/metadata.py
@@ -9,4 +9,10 @@ defaults = {
 'server': None,
 'paths': [],
 },
+ 'systemd-timers': {
+ f'backup': {
+ 'command': '/opt/backup/backup_all',
+ 'when': 'daily',
+ },
+ },
 }
diff --git a/bundles/ssh/files/sshd_config b/bundles/ssh/files/sshd_config
new file mode 100644
index 0000000..c4e6252
--- /dev/null
+++ b/bundles/ssh/files/sshd_config
@@ -0,0 +1,21 @@
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 10
+MaxSessions 255
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthorizedKeysFile .ssh/authorized_keys
+UsePAM yes
+
+PermitTTY yes
+TCPKeepAlive yes
+ClientAliveInterval 30
+ClientAliveCountMax 5
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/bundles/ssh/items.py b/bundles/ssh/items.py
new file mode 100644
index 0000000..7c7de09
--- /dev/null
+++ b/bundles/ssh/items.py
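Review bot: The new parent dataset sets `'readonly': 'on'` while the `/fs` child below it, the rsync target mounted at `/mnt/backups/...`, sets no `readonly` of its own; if these keys are passed through as ZFS properties, `readonly` is inheritable and the child will come up read-only unless it states `'readonly': 'off'` explicitly, so the rsync writes would fail. `other_node.metadata.get('id')` is also evaluated three times across the two dataset entries; binding it once before the first assignment, `other_id = other_node.metadata.get('id')`, keeps the container, `/fs` and any later dataset names in step. The body of zfs() continues past the end of the hunk.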
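Review bot: `f'backup'` on the new systemd-timers entry is an f-string with no placeholders; it should be the plain literal `'backup'` so readers do not look for an interpolation that is not there. The timer runs `/opt/backup/backup_all` daily and nothing in the entry says which account it runs as, so it presumably runs as root on the backed-up node; a comment above the entry, `# daily full backup; runs with whatever privileges the systemd-timers bundle gives it (needs read access to every backup/paths entry)`, would make that expectation explicit for whoever adds paths later.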
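Review bot: `MaxAuthTries 10` and `MaxSessions 255` both loosen the OpenSSH defaults (6 and 10) without a comment saying why; with password authentication off the extra tries mainly accommodate clients that offer many keys, and a comment such as `# raised above the default of 6 for agents holding many keys` (or dropping the two lines) would tell the next reader whether that is deliberate. Nothing in the template raises logging above the default; since only public keys are accepted, `LogLevel VERBOSE` is the setting that makes sshd record the fingerprint of every key offered, not just the one accepted, which is what an audit or incident review of a fleet-wide template will want. `ChallengeResponseAuthentication` is the legacy spelling of the directive; OpenSSH 8.7 and later call it `KbdInteractiveAuthentication` and still accept the old name as an alias, so this works but should be updated once no node runs an older release.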
@@ -0,0 +1,7 @@
+files['/etc/ssh/sshd_config'] = {
+ 'triggers': [
+ 'svc_systemd:ssh:restart'
+ ],
+}
+
+svc_systemd['ssh'] = {}
diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py
index 287f6c3..124d1e2 100644
--- a/bundles/users/metadata.py
+++ b/bundles/users/metadata.py
@@ -4,6 +4,7 @@ defaults = {
 'users': {
 'root': {
 'home': '/root',
+ 'password': repo.vault.password_for(f'{node.name} user root'),
 },
 },
 }
@@ -29,12 +30,10 @@ def authorized_users(metadata):
 }
-# FIXME: bw bug?
-# @metadata_reactor.provides(
-# 'users',
-# )
-@metadata_reactor
-def user(metadata):
+@metadata_reactor.provides(
+ 'users',
+)
+def user_defaults(metadata):
 users = {}
 for name, config in metadata.get('users').items():
diff --git a/groups/os/linux.py b/groups/os/linux.py
index 81f18e6..71e8dc2 100644
--- a/groups/os/linux.py
+++ b/groups/os/linux.py
@@ -4,11 +4,12 @@
 ],
 'bundles': [
 'hostname',
+ 'hosts',
 'network',
+ 'ssh',
 'systemd',
 'systemd-networkd',
 'systemd-timers',
- 'hosts',
 ],
 'metadata': {
 'hosts': {
diff --git a/nodes/netcup.secondary.py b/nodes/netcup.secondary.py
index a211d30..c9db5ee 100644
--- a/nodes/netcup.secondary.py
+++ b/nodes/netcup.secondary.py
@@ -9,6 +9,10 @@
 ],
 'metadata': {
 'id': '890848b2-a900-4f74-ad5b-b811fbb4f0bc',
+ 'postfix': {
+ 'master_node': 'htz.mails',
+ 'hostname': 'mail2.sublimity.de',
+ },
 'network': {
 'external': {
 'interface': 'eth0',
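Review bot: The `svc_systemd:ssh:restart` trigger fires as soon as the file is written, so an sshd_config that fails to parse takes the daemon down on every node the bundle reaches and leaves no remote way back in. Validating the rendered file before it is installed, `sshd -t -f {}` through the file item's `verify_with` hook if this BundleWrap version supports it, or at least triggering `svc_systemd:ssh:reload` where the unit's reload path runs a config test first, keeps a bad template from turning into a lockout. This is the whole new file, so there is no enclosing block.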
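Review bot: The vault identifier `f'{node.name} user root'` ties the root password to the node name, so renaming a node silently derives a new password and the old one stops working on the next apply; a comment on the line, `# vault id contains node.name: renaming the node rotates the root password`, makes that visible to whoever renames nodes. Whether password_for yields a hash or a plaintext value, and how the users bundle consumes it, is outside this hunk, as is the rest of the defaults dict.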
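Review bot: The rename to `user_defaults` and the restored `@metadata_reactor.provides('users')` drop the `# FIXME: bw bug?` without recording what changed, yet the reactor still reads `metadata.get('users')` on the line below, the same key it provides, which is exactly the pattern the old comment doubted. A one-line comment above the decorator, such as `# reads and provides 'users'; converges because it only fills in missing per-user defaults (verified on bw <version placeholder>)`, would tell the next reader why the FIXME is gone. The body of user_defaults() continues past the end of the hunk, and any reference to the old name `user` elsewhere in the repo is not visible here.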
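Review bot: Adding `'ssh'` here enrols every Linux node in the managed sshd_config, which makes this hunk the rollout switch for a template that disables password authentication and restricts root to key-based login fleet-wide; before applying, each node needs a working key under the configured `AuthorizedKeysFile` path or out-of-band console access. The move of `'hosts'` above `'network'` is ordering only. A comment next to the entry, `# pushes bundles/ssh sshd_config: key-only auth, password login disabled`, would flag the dependency for anyone adding nodes to this group.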