diff --git a/hosts/raisin/configuration.nix b/hosts/raisin/configuration.nix index a3e1d76e86..6fc8802f4c 100644 --- a/hosts/raisin/configuration.nix +++ b/hosts/raisin/configuration.nix @@ -20,6 +20,7 @@ in ../../mixins/rclone-googledrive-mounts.nix ../../mixins/syncthing.nix + ./zrepl.nix # ./services/monitoring.nix inputs.nixos-hardware.nixosModules.common-cpu-amd diff --git a/hosts/raisin/zrepl.nix b/hosts/raisin/zrepl.nix new file mode 100644 index 0000000000..572ecc584a --- /dev/null +++ b/hosts/raisin/zrepl.nix @@ -0,0 +1,30 @@ +{ config, pkgs, lib, ... }: + +{ + config = { + networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ + 8888 + ]; + services.zrepl = { + enable = true; + settings = { + jobs = [ + { + name = "sink_origionraisin"; + type = "sink"; + root_fs = "orionraisinpool/backups"; + serve = { + type = "tcp"; + listen = "100.112.194.64:8888"; + listen_freebind = true; + clients = { + # TODO: source from data/ + "100.109.239.83" = "zeph"; + }; + }; + } + ]; + }; + }; + }; +} diff --git a/hosts/zeph/zrepl.nix b/hosts/zeph/zrepl.nix index 4a84cc4200..c903b0bbb3 100644 --- a/hosts/zeph/zrepl.nix +++ b/hosts/zeph/zrepl.nix @@ -1,5 +1,36 @@ { config, pkgs, lib, ... }: +let + _pushSettings = { + filesystems = { + "zephpool/data<" = true; + "zephpool/home<" = true; + }; + replication = { + protection = { + initial = "guarantee_resumability"; + incremental = "guarantee_incremental"; + }; + }; + send = { + encrypted = false; + }; + snapshotting = { + type = "manual"; + }; + pruning = { + keep_sender = [{ + type = "regex"; + regex = ".*"; + }]; + keep_receiver = [{ + # TODO: we don't really need pruning for now probably + type = "regex"; + regex = ".*"; + }]; + }; + }; +in { config = { services.zrepl = { 
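Review bot: The `serve` block in hosts/raisin/zrepl.nix uses zrepl's `tcp` transport, which as far as I know has no encryption or authentication of its own and maps clients to identities purely by source address (`"100.109.239.83" = "zeph"`), so this sink is only as strong as the tailnet underneath it. The config does bind to the tailscale address and opens 8888 only on `tailscale0`, which is the right shape. I would record the assumption next to `type = "tcp";`, e.g. `# plain TCP: confidentiality and client identity come from tailscale only; use the tls transport if this ever leaves the tailnet`. Separately, `name = "sink_origionraisin"` looks like a typo for `sink_orionraisin`, worth fixing before the name ends up in logs and monitoring.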
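Review bot: `send.encrypted = false` in `_pushSettings` now also applies to the new `push_to_raisin` job added in the next hunk, so the datasets are presumably sent and stored on raisin as plaintext ZFS, leaving the LUKS layer under `orionraisinpool` as the only at-rest protection on that host. If that is intended, say so where the value is set, e.g. `# plaintext send on purpose: at-rest protection on the receivers is LUKS, transport protection is tailscale`. If zephpool uses native ZFS encryption, a raw send would keep raisin from ever needing the dataset keys. The `in { config = { services.zrepl = {` body continues outside this hunk.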
@@ -39,9 +70,22 @@ ]; }; } + + # PUSH JOB (TCP->RAISIN) + # + ({ + name = "push_to_raisin"; + type = "push"; + connect = { + type = "tcp"; + address = "100.112.194.64:8888"; + dial_timeout = "10s"; + }; + } // _pushSettings) + # # PUSH JOB - { + ({ name = "push_to_orion"; type = "push"; connect = { @@ -49,34 +93,8 @@ listener_name = "sink_orion"; client_identity = "zeph"; }; - filesystems = { - "zephpool/data<" = true; - "zephpool/home<" = true; - }; - replication = { - protection = { - initial = "guarantee_resumability"; - incremental = "guarantee_incremental"; - }; - }; - send = { - encrypted = false; - }; - snapshotting = { - type = "manual"; - }; - pruning = { - keep_sender = [{ - type = "regex"; - regex = ".*"; - }]; - keep_receiver = [{ - # TODO: we don't really need pruning for now probably - type = "regex"; - regex = ".*"; - }]; - }; - } + } // _pushSettings) + # # # # SINK JOB { diff --git a/misc/zfs-readme.md b/misc/zfs-readme.md index 326f648647..e59728ca1b 100644 --- a/misc/zfs-readme.md +++ b/misc/zfs-readme.md @@ -10,4 +10,9 @@ sudo cryptsetup luksFormat --header ~/Sync/ORION_RAISIN/header.img /dev/sdc sudo cryptsetup luksOpen --header ~/Sync/ORION_RAISIN/header.img /dev/sdc orionraisin sudo zpool create -O mountpoint=none "orionraisinpool" /dev/mapper/orionraisin + +sudo zfs create -o mountpoint=legacy -o compression=zstd -o xattr=sa -o acltype=posixacl + -o relatime=on orionraisinpool/backups/zeph/zephpool ``` + + diff --git a/misc/zrepl-remote.nu b/misc/zrepl-remote.nu new file mode 100644 index 0000000000..f869bcd7ec --- /dev/null +++ b/misc/zrepl-remote.nu @@ -0,0 +1,6 @@ +#!/usr/bin/env nu + +let remote = $"cole@(tailscale ip --4 raisin)" +scp ./zrepl-local-replication.nu $"($remote):/tmp/zrepl.nu + +ssh $"(remote)" "bash "-c" "chmod +x; /tmp/zrepl.nu raisin" diff --git a/misc/zrepl-zeph-local-backup.nu b/misc/zrepl-zeph-local-backup.nu index 3ff4db35dd..7527cdd0e6 100755 --- a/misc/zrepl-zeph-local-backup.nu 
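Review bot: In `({ ... } // _pushSettings)` the shared set is on the right-hand side of `//`, and Nix's `//` is a shallow merge where the right operand wins, so any key a job later sets for itself (`send`, `pruning`, `filesystems`) would be silently replaced by the shared value. Nothing collides today, but flipping the operands, `(_pushSettings // { name = "push_to_raisin"; ... })`, makes per-job overrides behave the way a reader expects. The same applies to `push_to_orion` in the following hunk. The jobs list itself starts and ends outside these hunks.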
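Review bot: misc/zrepl-remote.nu stages an executable at the fixed path `/tmp/zrepl.nu` on raisin and then runs it, so on a host with any other local account the file that gets executed is not guaranteed to be the one that was just copied; a per-run directory from `mktemp -d` (or a path under the user's home) avoids that. As written the script also will not parse: the `scp` destination string is missing its closing quote, `$"(remote)"` lacks the `$` on the variable, the `"bash "-c" "…"` quoting is broken, and `chmod +x` has no file operand. Something like `let dir = (ssh $remote "mktemp -d" | str trim)`, `scp ./zrepl-local-replication.nu $"($remote):($dir)/zrepl.nu"`, `ssh $remote $"chmod +x ($dir)/zrepl.nu && ($dir)/zrepl.nu raisin"` would cover both. `./zrepl-local-replication.nu` is not a file this commit touches, so the source name may need checking against `zrepl-zeph-local-backup.nu`.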
+++ b/misc/zrepl-zeph-local-backup.nu 
@@ -1,32 +1,54 @@ #!/usr/bin/env nu -let ssd = "usb-Realtek_RTL9210_NVME_012345678903-0:0" -let hdr = "/home/cole/Sync/ORION_NVME_SSD/header.img" - -let luksdev = "orion" -let backup_pool = "orionpool" -let secret = "orion_luks" - -let pass = (prs show $secret | complete | get stdout | str trim) - -print -e "::: close backup pool" -do -i { sudo sync; sync } -do -i { sudo zpool export $backup_pool } -do -i { sudo cryptsetup luksClose $luksdev } - -print -e "::: open backup pool" - -echo $pass | sudo cryptsetup luksOpen --header $hdr $"/dev/disk/by-id/($ssd)" $luksdev - -sudo zpool import $backup_pool - -print -e "::: trigger push_to_orion" -# TRIGGER ZREPL to copy -sudo zrepl signal wakeup 'push_to_orion' - -# TODO: how to wait for replication to finish? - -print -e "" -print -e "::: running, run these commands when it's done" -print -e $"sudo sync; sudo zpool export ($backup_pool); sudo cryptsetup luksClose ($luksdev); sudo sync" - -sudo zrepl status +def main [ job: string ] { + let cfg = { + job: "push_to_raisin" + # use ssd+hdr on remote to unlock, bp to import + remote: $"(tailscale ip --4 raisin)" + ssd: "/dev/disk/by-id/usb-Realtek_RTL9210B-CG_012345678904-0:0" + hdr: "/home/cole/SyncThingData/Sync/ORION_NVME_SSD/header_raisin.img" + bp: "orionraisinpool" + secret: "orionraisin_luks" + } + + # if job == "push_to_orion" { + # $cfg = { + # job: "push_to_orion" + # remote: "localhost" + # ssd: "/dev/disk/by-id/usb-Realtek_RTL9210_NVME_012345678903-0:0" + # hdr: "/home/cole/Sync/ORION_NVME_SSD/header.img" + # bp: "orionpool" + # secret: "orion_luks" + # } + # } + + print -e $cfg + + let luksdev = "orion" + + let pass = (prs show $cfg.secret | complete | get stdout | str trim) + + print -e "::: close backup pool" + do -i { ssh $"($cfg.remote)" -- sudo sync; } + do -i { ssh $"($cfg.remote)" -- sudo zpool export $cfg.bp } + do -i { ssh $"($cfg.remote)" -- sudo cryptsetup luksClose $luksdev } + + print -e "::: open backup pool" + + # printf "%s" $pass out> 
/tmp/secret + printf "%s" $pass | ssh $"($cfg.remote)" -- sudo cryptsetup luksOpen --header $cfg.hdr $cfg.ssd $luksdev - + ssh $cfg.remote -- sudo zpool import $cfg.bp + + print -e $"::: trigger ($cfg.job)" + # TRIGGER ZREPL to copy + sudo zrepl signal wakeup $cfg.job + + # TODO: how to wait for replication to finish? + print -e "" + print -e "::: running, run these commands when it's done" + print -e $"sudo sync" + print -e $"sudo zpool export ($cfg.bp)" + print -e $"sudo sync; sudo cryptsetup luksClose ($luksdev); sudo sync" + + sudo zrepl status +}
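Review bot: `prs show $cfg.secret | complete | get stdout` discards the exit code, so when the secret lookup fails the script carries on, closes the remote pool and pipes an empty passphrase into `cryptsetup luksOpen` on raisin. Keep the `complete` record and stop on failure, e.g. `let res = (prs show $cfg.secret | complete)` followed by `if $res.exit_code != 0 { error make { msg: "prs show failed" } }`. The commented-out `printf "%s" $pass out> /tmp/secret` should be deleted rather than kept, since re-enabling it would leave the LUKS passphrase in a file under /tmp. Also, `main` takes `job` but never reads it (`cfg.job` is hard-coded), and the printed cleanup commands still run `zpool export` and `luksClose` locally although the pool is now opened on `$cfg.remote`.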