diff --git a/machines/beagle/modules/kanidm.nix b/machines/beagle/modules/kanidm.nix
index 12a5f3c..e4ca3d4 100644
--- a/machines/beagle/modules/kanidm.nix
+++ b/machines/beagle/modules/kanidm.nix
@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
   services.kanidm = {
     enableServer = true;
     enableClient = true;
@@ -11,7 +17,7 @@
       domain = "idm.peprolinbot.com";
       bindaddress = "[::1]:8443";
       ldapbindaddress = "[::]:636";
-      http_client_address_info.x-forward-for = ["::1"];
+      http_client_address_info.x-forward-for = [ "::1" ];
       tls_chain = "/var/lib/kanidm/cert.pem";
       tls_key = "/var/lib/kanidm/key.pem";
     };
@@ -27,6 +33,43 @@
       chown kanidm:kanidm /var/lib/kanidm/{cert,key,chain}.pem
       chmod 400 /var/lib/kanidm/{cert,key,chain}.pem
     '';
-    reloadServices = ["kanidm.service"];
+    reloadServices = [ "kanidm.service" ];
+  };
+
+  clan.core.state.kanidm = {
+    folders = [ "/var/backup/kanidm" ];
+
+    preBackupScript = ''
+      export PATH=${
+        lib.makeBinPath [
+          pkgs.coreutils
+          config.services.kanidm.package
+        ]
+      }
+
+      mkdir -p /var/backup/kanidm
+
+      kanidmd database backup /var/backup/kanidm/backup.json
+    '';
+
+    postRestoreScript = ''
+      export PATH=${
+        lib.makeBinPath [
+          config.systemd.package
+          pkgs.coreutils
+          config.services.kanidm.package
+        ]
+      }
+
+      service_status="$(systemctl is-active kanidm)"
+
+      systemctl stop kanidm
+
+      kanidmd database restore /var/backup/kanidm/backup.json
+
+      if [ "$service_status" = "active" ]; then
+        systemctl start kanidm
+      fi
+    '';
   };
 }