diff --git a/.gitignore b/.gitignore
index b3860cc..5375927 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,5 +25,8 @@ logs/
 #valid-auth.edn
 #valid-config.edn
 my-auth.edn
+my-config.edn
 auth.edn
 config.edn
+
+ca.crt
diff --git a/src/test/resources/local-integration-test/README.md b/src/test/resources/local-integration-test/README.md
new file mode 100644
index 0000000..e75169a
--- /dev/null
+++ b/src/test/resources/local-integration-test/README.md
@@ -0,0 +1,38 @@
+# Requirements
+
+* Restic
+* (optional) AWS-CLI
+
+
+# Usage
+
+`setup-local-s3.sh [BUCKET_NAME]`:
+- sets up a k3s instance
+- installs a localstack pod
+- creates http and https routing to localstack via localhost
+- saves the self-signed certificate as ca.crt
+- uses the certificate to initialize a restic repo at `https://localhost/BUCKET_NAME`
+
+`start-k3s.sh`:
+- creates and starts a k3s instance
+
+`k3s-uninstall.sh`:
+- deletes everything k3s related
+
+## Other useful commands
+- `sudo k3s kubectl get pods`
+- `curl localhost/health`
+ expected: `{"services": {"s3": "running"}, "features": {"persistence": "disabled", "initScripts": "initialized"}}`
+
+#### Requires AWS-CLI
+- create bucket `aws --endpoint-url=http://localhost s3 mb s3://mybucket`
+- list buckets `aws --endpoint-url=http://localhost s3 ls`
+- upload something `aws --endpoint-url=http://localhost s3 cp test.txt s3://mybucket`
+- check files `aws --endpoint-url=http://localhost s3 ls s3://mybucket`
+
+
+# TODO
+
+* add possibility to use local certificate in dda-backup backup function
+ * if ENV_VARIABLE set: use certificate
+* get restic password from config
\ No newline at end of file
diff --git a/src/test/resources/local-integration-test/certificate.yaml b/src/test/resources/local-integration-test/certificate.yaml
new file mode 100644
index 0000000..96554a3
--- /dev/null
+++ b/src/test/resources/local-integration-test/certificate.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: localstack-cert
+ namespace: default
+spec:
+ secretName: localstack-secret
+ commonName: localhost
+ dnsNames:
+ - localhost
+ issuerRef:
+ name: selfsigning-issuer
+ kind: ClusterIssuer
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigning-issuer
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/src/test/resources/local-integration-test/localstack.yaml b/src/test/resources/local-integration-test/localstack.yaml
new file mode 100644
index 0000000..11480bd
--- /dev/null
+++ b/src/test/resources/local-integration-test/localstack.yaml
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: localstack
+spec:
+ selector:
+ matchLabels:
+ app: localstack
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: localstack
+ spec:
+ containers:
+ - image: localstack/localstack
+ name: localstack-app
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: SERVICES
+ value: s3
+---
+# service
+apiVersion: v1
+kind: Service
+metadata:
+ name: localstack-service
+spec:
+ selector:
+ app: localstack
+ ports:
+ - port: 4566
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: localstack-secret
+type: Opaque
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-localstack
+ annotations:
+ cert-manager.io/cluster-issuer: selfsigning-issuer
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/redirect-entry-point: https
+ namespace: default
+spec:
+ tls:
+ - hosts:
+ - localhost
+ secretName: localstack-secret
+ rules:
+ - host: localhost
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: localstack-service
+ port:
+ number: 4566
\ No newline at end of file
diff --git a/src/test/resources/local-integration-test/setup-local-s3.sh b/src/test/resources/local-integration-test/setup-local-s3.sh
new file mode 100755
index 0000000..048656c
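Review bot: In certificate.yaml the `Certificate` is declared with `apiVersion: cert-manager.io/v1alpha2` while the `ClusterIssuer` in the same file uses `cert-manager.io/v1`, and setup-local-s3.sh installs cert-manager v1.5.4. As far as I know the alpha API versions are already deprecated in that release line and are no longer served by later ones, so the manifest would stop applying after a cert-manager upgrade; `apiVersion: cert-manager.io/v1` on the first document keeps both resources on the stable API. Separately, the Ingress in localstack.yaml carries `cert-manager.io/cluster-issuer: selfsigning-issuer` for the same `localstack-secret`, which probably makes cert-manager create a second Certificate targeting that secret; one of the two mechanisms should be enough.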
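Review bot: In localstack.yaml `image: localstack/localstack` carries no tag or digest, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` the version that actually runs depends on whatever the node happened to pull first. For a reproducible test fixture, and so that the image under test is a reviewed one, pin it, e.g. `image: localstack/localstack:<pinned-version>` (placeholder), ideally with an `@sha256:` digest. The empty `Opaque` Secret `localstack-secret` declared in this file is also the secret cert-manager is asked to write the TLS material into; it looks unnecessary and may conflict with the secret cert-manager would create itself, so it is worth confirming whether it can be dropped.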
--- /dev/null
+++ b/src/test/resources/local-integration-test/setup-local-s3.sh
@@ -0,0 +1,33 @@
+function main()
+{
+ local bucket_name="${1:-mybucket}"; shift
+
+ ./start-k3s.sh
+
+ sudo k3s kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
+
+ sudo k3s kubectl apply -f localstack.yaml
+
+ until sudo k3s kubectl apply -f certificate.yaml
+ do
+ sleep 10
+ done
+ echo
+
+ echo
+ echo "[INFO] Waiting for localstack health endpoint"
+ until curl --connect-timeout 3 -s -f -o /dev/null "localhost/health"
+ do
+ sleep 5
+ done
+ echo
+
+ sudo k3s kubectl get secret localstack-secret -o jsonpath="{.data.ca\.crt}" | base64 --decode > ca.crt
+
+ #aws --endpoint-url=http://localhost s3 mb s3://$bucket_name
+ export RESTIC_PASSWORD="temporary-test-password"
+ restic init --cacert ca.crt -r s3://localhost/$bucket_name
+
+}
+
+main $@
diff --git a/src/test/resources/local-integration-test/setup-local.sh b/src/test/resources/local-integration-test/setup-local.sh
new file mode 100755
index 0000000..6f70064
--- /dev/null
+++ b/src/test/resources/local-integration-test/setup-local.sh
@@ -0,0 +1,9 @@
+function main()
+{
+ ./start-k3s.sh
+
+ sudo k3s kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
+
+}
+
+main
diff --git a/src/test/resources/local-integration-test/start-k3s.sh b/src/test/resources/local-integration-test/start-k3s.sh
new file mode 100755
index 0000000..27a6f60
--- /dev/null
+++ b/src/test/resources/local-integration-test/start-k3s.sh
@@ -0,0 +1 @@
+curl -sfL https://get.k3s.io | K3S_NODE_NAME=localhost sh -
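Review bot: In setup-local-s3.sh nothing checks the `kubectl get secret … | base64 --decode > ca.crt` pipeline, so an empty or partial `ca.crt` is handed to `restic init --cacert` as the trust anchor whenever the secret is not populated yet. The preceding loop polls plain `http://localhost/health`, which says nothing about the certificate having been issued, and without a shebang or strict mode a failed `./start-k3s.sh` or `kubectl apply` is ignored as well. I would add a bash shebang with `set -euo pipefail`, drop the `; shift` (it fails when no bucket name is given and would abort under `set -e`), check that `ca.crt` is non-empty, and quote `"$@"` and the repository URL. setup-local.sh lacks the shebang and strict mode too.

```shell
#!/usr/bin/env bash
set -euo pipefail

function main()
{
    local bucket_name="${1:-mybucket}"
    # … unchanged: start-k3s.sh, manifest applies, wait loops, ca.crt extraction …
    if [[ ! -s ca.crt ]]; then
        echo "[ERROR] ca.crt is empty" >&2
        exit 1
    fi
    # … unchanged: RESTIC_PASSWORD export …
    restic init --cacert ca.crt -r "s3://localhost/$bucket_name"
}

main "$@"
```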
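Review bot: In start-k3s.sh, `curl -sfL https://get.k3s.io | K3S_NODE_NAME=localhost sh -` executes whatever the installer URL serves at that moment and installs whichever k3s release is current, so the test cluster is neither reproducible nor reviewable before it runs. Pinning the release through the installer's `INSTALL_K3S_VERSION` variable, e.g. `INSTALL_K3S_VERSION=<pinned-k3s-version>` (placeholder), and saving the script to a file before running it would make the step inspectable. Because the pipeline's status is that of `sh`, a failed `curl` only feeds it an empty script and the step still reports success. The file is added with mode 100755 but has no shebang; `#!/usr/bin/env sh` as the first line would make it directly executable.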