diff --git a/tasks/system_cfg/backup_dest.yml b/tasks/system_cfg/backup_dest.yml
new file mode 100644
index 0000000000000000000000000000000000000000..14a15a8448c37a061c78a32d10b07b66c4f9661a
--- /dev/null
+++ b/tasks/system_cfg/backup_dest.yml
@@ -0,0 +1,67 @@
+---
+- name: "BACKUP | USER | set user «{{ backup_user }}»"
+  ansible.builtin.user:
+    groups: backup
+    name: "{{ backup_user }}"
+    shell: "{{ user_shell }}"
+    state: present
+    uid: 1001
+
+- name: "BACKUP | USER | ssh dir presence for «{{ backup_user }}»"
+  ansible.builtin.file:
+    group: "{{ backup_user }}"
+    mode: 0740
+    owner: "{{ backup_user }}"
+    path: "/home/{{ backup_user }}/.ssh/"
+    state: directory
+
+- name: "BACKUP | USER | ssh config for «{{ backup_user }}»"
+  ansible.builtin.template:
+    dest: "/home/{{ backup_user }}/.ssh/config"
+    group: "{{ backup_user }}"
+    mode: 0640
+    owner: "{{ backup_user }}"
+    src: templates/ssh_config_backup.j2
+
+- name: BACKUP | ZFS | parent destination dataset
+  when: inventory_hostname in groups.zfs
+  community.general.zfs:
+    name: zp0/bkp
+    state: present
+    extra_zfs_properties:
+      mountpoint: none
+      compression: lz4
+
+- name: "BACKUP | ZFS | allow commands for «{{ backup_user }}»"
+  community.general.zfs_delegate_admin:
+    name: zp0/bkp
+    users: "{{ backup_user }}"
+    permissions: receive,hold,release
+
+- name: BACKUP | ZFS | children destination datasets (production)
+  when: inventory_hostname in groups.zfs
+  loop: "{{ groups['production'] }}"
+  community.general.zfs:
+    name: "zp0/bkp/{{ hostvars[item]['inventory_hostname'] }}"
+    state: present
+    extra_zfs_properties:
+      "autobackup:bkp_{{ hostvars[item]['inventory_hostname'] }}": true
+      "autobackup:prod_policy": true
+      mountpoint: "/home/{{ backup_user }}/repo/{{ hostvars[item]['inventory_hostname'] }}"
+      sharenfs: "ro={{ hostvars[item]['ansible_host'] }}"
+      "src:fqdn": "{{ hostvars[item]['inventory_fqdn' ]}}"
+      "src:ip": "{{ hostvars[item]['ansible_host'] }}"
+
+- name: BACKUP | ZFS | children destination datasets (station)
+  when: inventory_hostname in groups.zfs
+  loop: "{{ groups['station'] }}"
+  community.general.zfs:
+    name: "zp0/bkp/{{hostvars[item]['inventory_hostname']}}"
+    state: present
+    extra_zfs_properties:
+      "autobackup:bkp_{{ hostvars[item]['inventory_hostname'] }}": true
+      "autobackup:stat_policy": true
+      mountpoint: "/home/{{ backup_user }}/repo/{{ hostvars[item]['inventory_hostname'] }}"
+      sharenfs: "ro={{ gateway }}"
+      "src:fqdn": "{{ hostvars[item]['inventory_fqdn' ]}}"
+      "src:ip": "{{ hostvars[item]['ansible_host'] }}"
diff --git a/tasks/system_cfg/backup_tools.yml b/tasks/system_cfg/backup_tools.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ee910e632014cac8d5c070490bb9c2db8e27345e
--- /dev/null
+++ b/tasks/system_cfg/backup_tools.yml
@@ -0,0 +1,30 @@
+---
+- name: BACKUP | BORG | install packages
+  when: inventory_hostname not in groups.zfs
+  ansible.builtin.apt:
+    cache_valid_time: 3600
+    force_apt_get: true
+    pkg:
+      - borgbackup
+      - borgmatic
+    state: present
+    update_cache: true
+
+- name: BACKUP | ZAB | install zfs-autobackup package
+  when: inventory_hostname in groups.zfs
+  ansible.builtin.pip:
+    name: zfs-autobackup
+    virtualenv: /opt/zfs-autobackup
+    virtualenv_command: /usr/bin/python3 -m venv
+
+- name: BACKUP | ZAB | set zfs-autobackup command in PATH
+  when: inventory_hostname in groups.zfs
+  copy:
+    content: |
+      #!/bin/bash
+      . /opt/zfs-autobackup/bin/activate
+      zfs-autobackup "$@"
+    dest: /usr/local/bin/zfs-autobackup
+    owner: root
+    group: root
+    mode: "0755"
diff --git a/tasks/system_cfg/main.yml b/tasks/system_cfg/main.yml
index 373ab9e7f4a7340d5a53ebbcd21c56b047e7f2e0..e2a0786c75abbcd9d00979d40b82292d49a3813a 100644
--- a/tasks/system_cfg/main.yml
+++ b/tasks/system_cfg/main.yml
@@ -20,11 +20,10 @@
   - name: ANSIBLE | re-gather facts
     ansible.builtin.setup:
 
-  - name: IMPORT_TASKS | ldp
-    ansible.builtin.import_tasks: ldp.yml
+  - name: IMPORT_TASKS | backup destination
+    when: inventory_hostname in groups.backup
+    ansible.builtin.import_tasks: backup_dest.yml
 
-  - name: IMPORT_TASKS | ntp
-    ansible.builtin.import_tasks: ntp.yml
-
-  - name: IMPORT_TASKS | shell
-    ansible.builtin.import_tasks: shell.yml
+  - name: IMPORT_TASKS | backup tools
+    when: inventory_hostname not in groups.production
+    ansible.builtin.import_tasks: backup_tools.yml