diff --git a/.env.tmpl b/.env.tmpl
new file mode 100644
index 0000000..83c9de4
--- /dev/null
+++ b/.env.tmpl
@@ -0,0 +1,15 @@
+# Name of the restricted SSH user
+BACKUP_USER=backup-trigger
+
+# Absolute path to python binary (resolve once!)
+PYTHON_BIN=/usr/bin/python3
+
+# Absolute path where the repo is installed
+# (directory that contains run_backup.py)
+BACKUP_INSTALL_DIR=/usr/local/kvm-backup
+
+# Name of the python entrypoint file
+BACKUP_RUNNER=run_backup.py
+
+# Optional: fixed wrapper path (recommended)
+WRAPPER_PATH=/usr/local/bin/run-kvm-backup
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ce10898
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.env
+job-runner/*
+job-runner
\ No newline at end of file
diff --git a/Archive.zip b/Archive.zip
new file mode 100644
index 0000000..79b137f
Binary files /dev/null and b/Archive.zip differ
diff --git a/remove_backup_user.sh b/remove_backup_user.sh
new file mode 100644
index 0000000..ffa02b5
--- /dev/null
+++ b/remove_backup_user.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ===============================
+# Load environment
+# ===============================
+ENV_FILE="./.env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+ echo "ERROR: .env file not found. Cannot determine what to remove."
+ exit 1
+fi
+
+# shellcheck disable=SC1090
+source "$ENV_FILE"
+
+# ===============================
+# Validate required variables
+# ===============================
+: "${BACKUP_USER:?missing}"
+: "${WRAPPER_PATH:?missing}"
+
+HOME_DIR="/home/$BACKUP_USER"
+SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"
+
+echo "This will REMOVE the following:"
+echo " user: $BACKUP_USER"
+echo " home dir: $HOME_DIR"
+echo " sudo rule: $SUDOERS_FILE"
+echo " wrapper: $WRAPPER_PATH"
+echo
+read -rp "Type YES to continue: " CONFIRM
+
+if [[ "$CONFIRM" != "YES" ]]; then
+ echo "Aborted."
+ exit 1
+fi
+
+# ===============================
+# Remove SSH + user
+# ===============================
+if id "$BACKUP_USER" >/dev/null 2>&1; then
+ userdel -r "$BACKUP_USER"
+ echo "User $BACKUP_USER removed."
+else
+ echo "User $BACKUP_USER does not exist. Skipping."
+fi
+
+# ===============================
+# Remove sudoers rule
+# ===============================
+if [[ -f "$SUDOERS_FILE" ]]; then
+ rm -f "$SUDOERS_FILE"
+ echo "Removed sudoers file."
+fi
+
+# ===============================
+# Remove wrapper
+# ===============================
+if [[ -f "$WRAPPER_PATH" ]]; then
+ rm -f "$WRAPPER_PATH"
+ echo "Removed wrapper script."
+fi
+
+echo
+echo "Cleanup completed successfully."
\ No newline at end of file
diff --git a/setup_backup_user.sh b/setup_backup_user.sh
new file mode 100644
index 0000000..92536b8
--- /dev/null
+++ b/setup_backup_user.sh
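Review bot: `source "$ENV_FILE"` executes whatever `./.env` sits in the caller's current directory, and this script has to run as root for `userdel -r` and the removal under `/etc/sudoers.d/`; the same load block opens the setup_backup_user.sh hunk. Resolve the file next to the script instead, `ENV_FILE="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)/.env"`, and refuse to source it unless it is root-owned and not group- or world-writable. `BACKUP_USER` is then used unvalidated in `SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"` and in `userdel -r`, so a value containing `/` or naming an existing system account would remove the wrong thing. Add `[[ "$BACKUP_USER" =~ ^[a-z_][a-z0-9_-]*$ && "$BACKUP_USER" != root ]] || { echo "ERROR: invalid BACKUP_USER" >&2; exit 1; }` right after the `:?` checks.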
@@ -0,0 +1,91 @@ +#!/usr/bin/env bash +set -euo pipefail + +# =============================== +# Load environment +# =============================== +ENV_FILE="./.env" + +if [[ ! -f "$ENV_FILE" ]]; then + echo "ERROR: .env file not found. Copy .env.tmpl to .env and edit it." + exit 1 +fi + +# shellcheck disable=SC1090 +source "$ENV_FILE" + +# =============================== +# Validate required variables +# =============================== +: "${BACKUP_USER:?missing}" +: "${PYTHON_BIN:?missing}" +: "${BACKUP_INSTALL_DIR:?missing}" +: "${BACKUP_RUNNER:?missing}" +: "${WRAPPER_PATH:?missing}" + +RUNNER_PATH="$BACKUP_INSTALL_DIR/$BACKUP_RUNNER" +HOME_DIR="/home/$BACKUP_USER" + +if [[ ! -x "$PYTHON_BIN" ]]; then + echo "ERROR: Python binary not executable: $PYTHON_BIN" + exit 1 +fi + +if [[ ! -f "$RUNNER_PATH" ]]; then + echo "ERROR: Runner not found: $RUNNER_PATH" + exit 1 +fi + +# =============================== +# Create user (no shell) +# =============================== +if ! id "$BACKUP_USER" >/dev/null 2>&1; then + useradd -m -d "$HOME_DIR" -s /usr/sbin/nologin "$BACKUP_USER" +fi + +# =============================== +# SSH setup +# =============================== +install -d -m 700 "$HOME_DIR/.ssh" +touch "$HOME_DIR/.ssh/authorized_keys" +chmod 600 "$HOME_DIR/.ssh/authorized_keys" +chown -R "$BACKUP_USER:$BACKUP_USER" "$HOME_DIR/.ssh" + +# =============================== +# Create root-owned wrapper +# =============================== +cat > "$WRAPPER_PATH" < "$SUDOERS_FILE" <" +echo \ No newline at end of file
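Review bot: The pre-flight checks only test that `$PYTHON_BIN` is executable and that `$RUNNER_PATH` exists, not who is able to modify them. The wrapper is described as root-owned and a file is written to `$SUDOERS_FILE`, so the runner presumably ends up executing with elevated rights; if `run_backup.py` or `BACKUP_INSTALL_DIR` is writable by a non-root account, that account decides what runs. Before creating the user, add `[[ "$(stat -c '%U' -- "$RUNNER_PATH")" == root ]] || { echo "ERROR: $RUNNER_PATH must be owned by root" >&2; exit 1; }`, with the same test for `$BACKUP_INSTALL_DIR` and a check that neither has group or other write bits set. The heredoc bodies for the wrapper and the sudoers file are missing from this page, so it cannot be confirmed here that the sudoers file is validated with `visudo -cf` and installed with mode 0440; that is worth checking in the full file.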