diff --git a/roles/native-pull-remote-backups/Readme.md b/roles/native-pull-remote-backups/Readme.md
index aecf64a0..4d91bd28 100644
--- a/roles/native-pull-remote-backups/Readme.md
+++ b/roles/native-pull-remote-backups/Readme.md
@@ -21,3 +21,7 @@ To track what the service is doing execute the following command:
 ```bash
   sudo journalctl -u pull-remote-backups
 ```
+
+## see
+- https://superuser.com/questions/363444/how-do-i-get-the-output-and-exit-value-of-a-subshell-when-using-bash-e
+- https://gist.github.com/otkrsk/b0ffd4018e8a79b9010c461af298471e
diff --git a/roles/native-pull-remote-backups/files/pull-remote-backup.sh b/roles/native-pull-remote-backups/files/pull-remote-backup.sh
index 26c74538..b7630c93 100644
--- a/roles/native-pull-remote-backups/files/pull-remote-backup.sh
+++ b/roles/native-pull-remote-backups/files/pull-remote-backup.sh
@@ -1,17 +1,36 @@
 #!/bin/bash
 # @param $1 hostname from which backup should be pulled
+
+# error counter
+errors=0
+
 source_host="backup@$1"
-source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)"
+source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)" || exit 1
 source_path="/Backups/$source_machine_id/"
-directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)"
+directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)" || exit 1
+
 for folder in $directories; do
   if [ "$folder" != "$source_path" ]; then
-    diff_path="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
+    # this folder is neccessary to make restricted rsync possible:
+    diff_current="$folder/diffs/current/"
+    # this is the folder where the diffs will be copied to:
+    diff_store="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
+    # this is the folder which contains the actual backup:
     latest_path="$folder/latest/"
+    # source path of the backup files:
     remote_source_path="$source_host:$latest_path"
+    # file in which the logs will be saved:
     log_path="$folder/log.txt"
+
+    # create working folders:
     mkdir -vp "$latest_path"
-    mkdir -vp "$diff_path"
-    rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path" || exit 1
+    mkdir -vp "$diff_store"
+    rm -vr "$diff_current"
+    mkdir -vp "$diff_current"
+
+    # do backup:
+    rsync -abP --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_current" "$remote_source_path" "$latest_path" || ((errors+=1));
+    mv -v "$diff_current"* "$diff_store"
   fi
 done
+exit $errors;
diff --git a/roles/native-pull-remote-backups/templates/pull-remote-backups.sh b/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
index e7353246..e10e2544 100644
--- a/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
+++ b/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
@@ -3,6 +3,6 @@
 hosts="{{pull_remote_backups_hosts}}";
 errors=0
 for host in $hosts; do
-        bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
+  bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
 done;
 exit $errors;
diff --git a/roles/native-user-backup/readme.md b/roles/native-user-backup/readme.md
index dd363802..b651c8ab 100644
--- a/roles/native-user-backup/readme.md
+++ b/roles/native-user-backup/readme.md
@@ -2,7 +2,7 @@
 User for backups
 
 ## todo
-- add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
+- optimize authorized_keys.j2 for multiple pull clients
 
 # see
 - https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
@@ -10,3 +10,5 @@ User for backups
 - http://gergap.de/restrict-ssh-to-rsync.html
 - https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
 - https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
+- https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken
+- https://serverfault.com/questions/793669/what-is-the-rsync-option-logdtprze-ilsf-for/793676
diff --git a/roles/native-user-backup/tasks/main.yml b/roles/native-user-backup/tasks/main.yml
index 1ca42b71..81876818 100644
--- a/roles/native-user-backup/tasks/main.yml
+++ b/roles/native-user-backup/tasks/main.yml
@@ -23,7 +23,15 @@
     group: backup
     mode: '0644'
 
-- name: grant backup sudo rights with password
+- name: create /home/backup/ssh-wrapper.sh
+  template:
+    src: "ssh-wrapper.sh.j2"
+    dest: /home/backup/ssh-wrapper.sh
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: grant backup sudo rights
   copy:
     src: "backup"
     dest: /etc/sudoers.d/backup
diff --git a/roles/native-user-backup/templates/authorized_keys.j2 b/roles/native-user-backup/templates/authorized_keys.j2
index dda80838..29256455 100644
--- a/roles/native-user-backup/templates/authorized_keys.j2
+++ b/roles/native-user-backup/templates/authorized_keys.j2
@@ -1,3 +1 @@
-#command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
-#command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
-{{authorized_keys}}
+command="/home/backup/ssh-wrapper.sh" {{authorized_keys}}
diff --git a/roles/native-user-backup/templates/ssh-wrapper.sh.j2 b/roles/native-user-backup/templates/ssh-wrapper.sh.j2
new file mode 100644
index 00000000..506f2bc1
--- /dev/null
+++ b/roles/native-user-backup/templates/ssh-wrapper.sh.j2
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# log
+if [ -n "$SSH_ORIGINAL_COMMAND" ]
+then
+  echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" >> $HOME/ssh-command-log
+fi
+
+# filter commands
+case "$SSH_ORIGINAL_COMMAND" in
+	"sha256sum /etc/machine-id")
+		sha256sum /etc/machine-id
+		;;
+	"find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d")
+		find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d
+		;;
+	"sudo rsync --server --sender -blogDtpre.iLsfxCIvu --backup-dir /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/diffs/current/ . /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest/")
+		sudo rsync --server --sender -blogDtpre.iLsfxCIvu --backup-dir /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/diffs/current/ . /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest/
+		;;
+	*)
+		echo "This command is not supported."
+		exit 1
+		;;
+esac