diff --git a/build/samba/Dockerfile b/build/samba/Dockerfile
index 396d047..5482ddf 100644
--- a/build/samba/Dockerfile
+++ b/build/samba/Dockerfile
@@ -3,5 +3,5 @@ RUN apk add --no-cache --update samba shadow
 RUN adduser -S -D -H -h /tmp -s /sbin/nologin -g 'Samba Owner' smbowner
 ADD samba.conf /etc/samba/smb.conf
 EXPOSE 445/tcp 139/tcp
-ENTRYPOINT ["smbd", "--foreground", "--no-process-group", "-s", "/etc/samba/smb.conf"]
+ENTRYPOINT ["smbd", "--foreground", "--no-process-group", "-S", "-s", "/etc/samba/smb.conf"]
 VOLUME ["/var/log/samba"]
diff --git a/build/samba/samba.conf b/build/samba/samba.conf
index 4f139b8..65c80d1 100644
--- a/build/samba/samba.conf
+++ b/build/samba/samba.conf
@@ -5,7 +5,6 @@
 dns proxy = no
 log file = /var/log/samba/log.%m
 max log size = 1000
- syslog = 0
 server role = standalone server
 passdb backend = tdbsam
 obey pam restrictions = yes
@@ -20,7 +19,7 @@
 printable = no
 [backups]
 valid users = smbowner
- path = /mnt/smbstorage
+ path = /mnt/privstorage
 writable = yes
 create mask = 0600
 directory mask = 0700
diff --git a/keys/public.pub b/keys/public.pub
new file mode 100644
index 0000000..66d69c0
--- /dev/null
+++ b/keys/public.pub
@@ -0,0 +1 @@
+ssh-rsa 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 (none)
diff --git a/storage.yml b/storage.yml
index e55142f..3b2ad34 100644
--- a/storage.yml
+++ b/storage.yml
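Review bot: In build/samba/Dockerfile the ENTRYPOINT now passes `-S`, but nothing says why, while `log file = /var/log/samba/log.%m` in samba.conf and `VOLUME ["/var/log/samba"]` still advertise file logging. If `-S` is smbd's log-to-stdout switch, as I read its options, access and authentication events no longer land in that volume, so anyone auditing the share will look in the wrong place. Add a comment above the ENTRYPOINT such as `# -S: log to stdout so the container log driver collects smbd output`, and either drop the unused volume or state that it is kept on purpose. Because `apk add` installs an unpinned samba, also confirm the packaged version still accepts the short option; I believe newer releases spell it `--debug-stdout`.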
@@ -13,24 +13,58 @@ networks:
 driver_opts:
 encrypted: "true"
+volumes:
+ ssh-config:
+
+secrets:
+ pubkey:
+ file: ./keys/public.pub
+
 services:
- samba:
- image: localhost:5000/samba:latest
+ sftp:
+ image: atmoz/sftp
 deploy:
+ replicas: 1
+ resources:
+ limits:
+ cpus: '0.2'
+ memory: '100M'
 restart_policy:
 condition: any
 update_config:
- parallelism: 2
+ parallelism: 1
 delay: 5s
- order: start-first
+ order: stop-first
 failure_action: rollback
 placement:
 constraints: [node.hostname == nbg-4]
-# volumes:
-# - '/mnt/db-storage/samba-data:/var/lib/samba:rw'
 logging: *json-log
 ports:
- - '445:445'
- - '139:139'
- networks:
- - backend
+ - '2112:22'
+ volumes:
+ - '/mnt/backups:/home/backups'
+ - 'ssh-config:/etc/ssh:rw'
+ secrets:
+ - source: pubkey
+ target: /home/backups/.ssh/keys/sftp-publickey.pub
+ command: backups::1002:1002:data
+# samba:
+# image: localhost:5000/samba:latest
+# deploy:
+# restart_policy:
+# condition: any
+# update_config:
+# parallelism: 2
+# delay: 5s
+# order: start-first
+# failure_action: rollback
+# placement:
+# constraints: [node.hostname == nbg-4]
+# volumes:
+# - '/mnt/db_storage/samba:/var/lib/samba:rw'
+# logging: *json-log
+# ports:
+# - '445:445'
+# - '139:139'
+# networks:
+# - backend
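Review bot: `image: atmoz/sftp` in the new `sftp` service has no tag or digest, so every deploy, restart on a fresh node or rollback pulls whatever the publisher's default tag points at, and that container is handed the `/mnt/backups` bind mount read-write. Pin it, for example `image: atmoz/sftp:<tag>@sha256:<digest>` (placeholder values), or mirror a reviewed copy into the `localhost:5000` registry the removed samba service used. Separately, the `pubkey` secret is targeted at `/home/backups/.ssh/keys/`, which lies inside the `/mnt/backups:/home/backups` mount. If the image builds `authorized_keys` from that directory at start-up (worth confirming against its entrypoint), the login material ends up in the same tree the SFTP account is given, so mounting the backup data on a subdirectory of the home would keep the two apart. The re-added `# samba:` block is dead configuration that already differs from the removed one (`db_storage/samba` versus `db-storage/samba-data`); drop it and rely on history.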