diff --git a/hosts/hetzner-arm/containers/stream/default.nix b/hosts/hetzner-arm/containers/owncast/default.nix
similarity index 88%
rename from hosts/hetzner-arm/containers/stream/default.nix
rename to hosts/hetzner-arm/containers/owncast/default.nix
index 8325bc0..eced22e 100644
--- a/hosts/hetzner-arm/containers/stream/default.nix
+++ b/hosts/hetzner-arm/containers/owncast/default.nix
@@ -7,14 +7,14 @@
 config,
 ...
 }: let
- containerName = "stream";
+ containerName = "owncast";
 containerAddresses = import "${hostPath}/data/containerAddresses.nix";
 hostIP = containerAddresses.host;
 containerIP = containerAddresses.containers.${containerName};
 in {
- containers.stream = {
+ containers.owncast = {
 autoStart = true;
 privateNetwork = true;
 hostAddress = hostIP;
@@ -33,9 +33,11 @@ in {
 imports = with tree;
 [
 presets.nixos.containerBase
+ ./secrets.nix
 ]
- ++ (with hosts.hetzner-arm.containers.stream.profiles; [
+ ++ (with hosts.hetzner-arm.containers.owncast.profiles; [
 owncast
+ restic
 ]);
 
 networking.firewall.allowedTCPPorts = [
diff --git a/hosts/hetzner-arm/containers/stream/profiles/owncast.nix b/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix
similarity index 100%
rename from hosts/hetzner-arm/containers/stream/profiles/owncast.nix
rename to hosts/hetzner-arm/containers/owncast/profiles/owncast.nix
diff --git a/hosts/hetzner-arm/containers/owncast/profiles/restic.nix b/hosts/hetzner-arm/containers/owncast/profiles/restic.nix
new file mode 100644
index 0000000..f3d2458
--- /dev/null
+++ b/hosts/hetzner-arm/containers/owncast/profiles/restic.nix
@@ -0,0 +1,39 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ secrets = config.services.secrets.secrets;
+in {
+ environment.systemPackages = with pkgs; [
+ restic
+ (pkgs.writeShellScriptBin "restic-owncast" ''
+ env \
+ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+ $(cat ${secrets.restic_env.path}) \
+ ${pkgs.restic}/bin/restic $@
+ '')
+ ];
+
+ services.restic.backups.owncast = {
+ user = "root";
+ paths = [
+ "/var/lib/owncast"
+ ];
+
+ # repository is overrided in environmentFile to contain auth
+ # make sure to keep up to date when changing repository
+ repository = "rest:https://storage-restic.owo.monster/Owncast";
+ passwordFile = "${secrets.restic_password.path}";
+ environmentFile = "${secrets.restic_env.path}";
+
+ pruneOpts = [
+ "--keep-last 5"
+ ];
+
+ timerConfig = {
+ OnBootSec = "10m";
+ OnCalendar = "8h";
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/owncast/secrets.nix b/hosts/hetzner-arm/containers/owncast/secrets.nix
new file mode 100644
index 0000000..dc436f1
--- /dev/null
+++ b/hosts/hetzner-arm/containers/owncast/secrets.nix
@@ -0,0 +1,37 @@
+{pkgs, ...}: {
+ services.secrets = {
+ enable = true;
+
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-arm-container-owncast";
+ };
+
+ autoSecrets = {
+ enable = true;
+ };
+
+ requiredVaultPaths = [
+ "api-keys/data/storage/restic/Owncast"
+ "private-public-keys/data/restic/Owncast"
+ ];
+
+ secrets = {
+ vault_password = {
+ manual = true;
+ };
+
+ restic_password = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Owncast" .password > "$secretFile"
+ '';
+ };
+ restic_env = {
+ fetchScript = ''
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Owncast" .restic)
+ echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Owncast" > "$secretFile"
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix
index 6559005..9d1100e 100644
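Review bot: The `restic-owncast` wrapper in the new profile expands the environment file through an unquoted `$(cat …)` and forwards the caller's arguments as a bare `$@`, so both the file contents and the arguments are word-split and glob-expanded, and the repository credential from the env file is placed on `env`'s command line, where it is readable from the process list until restic execs. Sourcing the file with `set -a` and exec'ing restic with `"$@"` keeps the credential out of argv and preserves argument boundaries. This still assumes the value written by secrets.nix contains no shell metacharacters, which the current `$(cat …)` form assumes as well. Separately, the comment above `repository` reads `overrided`; `overridden` is the spelling.
```nix
(pkgs.writeShellScriptBin "restic-owncast" ''
  set -a
  . ${secrets.restic_env.path}
  set +a
  export RESTIC_PASSWORD_FILE=${secrets.restic_password.path}
  exec ${pkgs.restic}/bin/restic "$@"
'')
```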
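Review bot: The `restic_env` fetchScript interpolates the secret straight into the URL userinfo (`rest:https://restic:$RESTIC_PASSWORD@…`) without percent-encoding, so a password containing `@`, `/`, `:`, `?` or `#` yields a repository URL restic cannot parse, and a rotation to such a value would only surface at the next backup run; it also forces the comment-tracked duplication of the repository string in profiles/restic.nix. Restic accepts REST credentials from `RESTIC_REST_USERNAME` / `RESTIC_REST_PASSWORD` (restic 0.16 and later, so this depends on the pinned version), which would let the env file carry only the credential: `echo "RESTIC_REST_USERNAME=restic" > "$secretFile"` followed by `echo "RESTIC_REST_PASSWORD=$RESTIC_PASSWORD" >> "$secretFile"`, with `repository` in the profile staying the plain URL it already is. Whichever form is kept, `$RESTIC_PASSWORD` is expanded at fetch time, so the resulting file holds the credential in the clear and warrants the same ownership and mode as `restic_password`.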
--- a/hosts/hetzner-arm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix @@ -17,6 +17,7 @@ in { restic_mail = restic + 5; restic_forgejo = restic + 6; restic_caldav = restic + 7; + restic_owncast = restic + 8; http_music = http + 0; http_public = http + 1; diff --git a/hosts/hetzner-arm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix index 8bfcd42..af116e1 100644 --- a/hosts/hetzner-arm/containers/storage/default.nix +++ b/hosts/hetzner-arm/containers/storage/default.nix @@ -98,6 +98,7 @@ in { "/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}"; "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}"; "/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}"; + "/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}"; }; extraConfig = '' client_max_body_size ${clientMaxBodySize}; diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix index d78d1a5..e9194a2 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix @@ -187,6 +187,16 @@ in { "--baseurl=/Forgejo/" ]; } + { + id = "restic-owncast"; + remote = "StorageBox:Backups/Restic/Owncast"; + type = "restic"; + extraArgs = [ + "--addr=0.0.0.0:${toString ports.restic_owncast}" + "--htpasswd=${secrets.restic_owncast_htpasswd.path}" + "--baseurl=/Owncast/" + ]; + } ]; }; } diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix index 0c3f3d5..0df271a 100644 --- a/hosts/hetzner-arm/containers/storage/secrets.nix +++ b/hosts/hetzner-arm/containers/storage/secrets.nix 
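Review bot: The new `restic-owncast` serve entry in rcloneServe.nix gives the owncast container's credential full read, write and delete access to `StorageBox:Backups/Restic/Owncast`; because pruning (`--keep-last 5`) runs from the client, that is intentional, but it also means a compromise of the owncast container can erase its own backup history. `rclone serve restic` has an `--append-only` flag that rejects deletions; adopting it would require moving pruning to the storage side, so the choice deserves a one-line comment on the entry, e.g. `# client-side pruning needs delete rights; see pruneOpts in containers/owncast/profiles/restic.nix`. The sibling entries appear to follow the same pattern, so whichever policy is chosen should be applied to all of them. The enclosing list starts above the hunk.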
@@ -31,6 +31,7 @@ "api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Forgejo" "api-keys/data/storage/restic/CalDAV" + "api-keys/data/storage/restic/Owncast" "api-keys/data/storage/webdav/Main" "api-keys/data/storage/webdav/Media" @@ -160,6 +161,14 @@ ''; }; + restic_owncast_htpasswd = { + user = "storage"; + group = "storage"; + fetchScript = '' + simple_get_htpasswd "/api-keys/storage/restic/Owncast" "$secretFile" + ''; + }; + webdav_main_htpasswd = { user = "storage"; group = "storage"; diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix index 6bdfa14..8902a19 100644 --- a/hosts/hetzner-arm/data/containerAddresses.nix +++ b/hosts/hetzner-arm/data/containerAddresses.nix @@ -9,6 +9,6 @@ postgresql = "10.0.1.7"; piped-fi = "10.0.1.8"; caldav = "10.0.1.9"; - stream = "10.0.1.10"; + owncast = "10.0.1.10"; }; } diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix index 6ddab30..6f99f1e 100644 --- a/hosts/hetzner-arm/hetzner-arm.nix +++ b/hosts/hetzner-arm/hetzner-arm.nix @@ -29,7 +29,7 @@ in { "mail" "forgejo" "caldav" - "stream" + "owncast" ] (name: ./containers + "/${name}")) ++ (with hosts.hetzner-arm.profiles; [ staticSites