diff --git a/modules/backrest/default.nix b/modules/backrest/default.nix
index 9fe3540..758e7dd 100644
--- a/modules/backrest/default.nix
+++ b/modules/backrest/default.nix
@@ -74,13 +74,17 @@ in
 description = "Backrest service user";
 };
- # Write the declarative config at activation time.
- # The file is owned by root (readable by backrest via group or world-read)
- # but we set it 640 and add backrest to read it via the service's User=.
- environment.etc."backrest/config.json" = {
- text = backrestConfig;
- mode = "0440";
- group = "backrest";
+ # Write the declarative config into the backrest state dir at activation time.
+ # The file must be in a writable location because backrest creates a .bak
+ # alongside it when migrating. /var/lib/backrest is owned by the backrest user.
+ system.activationScripts.backrestConfig = {
+ deps = [ "users" ];
+ text = ''
+ install -d -m 750 -o backrest -g backrest /var/lib/backrest
+ install -m 640 -o backrest -g backrest \
+ ${pkgs.writeText "backrest-config.json" backrestConfig} \
+ /var/lib/backrest/config.json
+ '';
 };
 systemd.services.backrest = {
@@ -92,7 +96,7 @@ in
 environment = {
 BACKREST_PORT = "9004";
 BACKREST_RESTIC_COMMAND = "${pkgs.restic}/bin/restic";
- BACKREST_CONFIG = "/etc/backrest/config.json";
+ BACKREST_CONFIG = "/var/lib/backrest/config.json";
 BACKREST_DATA = "/var/lib/backrest/data";
 };
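Review bot: The `install -m 640` line in the new `system.activationScripts.backrestConfig` restricts only the copy under /var/lib/backrest; the source produced by `pkgs.writeText "backrest-config.json" backrestConfig` sits in the Nix store, which is world-readable, so any repository password or credential inside `backrestConfig` (its contents are not visible in this hunk) remains readable by every local user. The removed `environment.etc` `text` form had the same property, so this is not a regression, but the new comment should state it, e.g. `# NOTE: this text also lands in the world-readable Nix store; keep repo passwords out of backrestConfig and load them from a file outside the store.` Separately, the file goes from root-owned 0440 to backrest-owned 640, so the service can now rewrite the configuration it runs from until the next activation overwrites it. If only the `.bak` sibling has to be writable, `install -m 440 -o root -g backrest` on the file with the directory left backrest-owned may be enough, which needs confirming against how backrest performs its migration. The `systemd.services.backrest` attribute set continues outside both hunks, so any hardening of the unit itself cannot be judged from here.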