diff --git a/bundles/backup-client/files/check_backup_last_run b/bundles/backup-client/files/check_backup_last_run
index 61b7ca2..0fa0fa6 100644
--- a/bundles/backup-client/files/check_backup_last_run
+++ b/bundles/backup-client/files/check_backup_last_run
@@ -27,6 +27,12 @@ elif status[0] == 'rsync_error':
         ', '.join(status[1:])
     ))
     exit(2)
+elif status[0] == 'hook':
+    print('run-parts /etc/backup-pre-hook.d failed with exit code {}'.format(status[1]))
+    exit(2)
+elif status[0] == 'abort_no_key':
+    print('no ssh key found in /etc/backup.priv!')
+    exit(1)
 else:
     # garbage in file
     print(' '.join(status))
diff --git a/bundles/backup-client/files/generate-backup b/bundles/backup-client/files/generate-backup
index b413cd7..dcd8c5c 100644
--- a/bundles/backup-client/files/generate-backup
+++ b/bundles/backup-client/files/generate-backup
@@ -9,6 +9,14 @@ then
     exit 1
 fi
 
+run-parts --exit-on-error -- /etc/backup-pre-hooks.d
+exitcode=$?
+if [[ $exitcode != 0]]
+then
+    echo "hook $exitcode" > "$statusfile"
+    exit 1
+fi
+
 rsync_errors=""
 % for path in sorted(paths):
 rsync -zaAP --numeric-ids --delete --relative \
diff --git a/bundles/backup-client/items.py b/bundles/backup-client/items.py
index 4499bfa..d59cf75 100644
--- a/bundles/backup-client/items.py
+++ b/bundles/backup-client/items.py
@@ -1,10 +1,8 @@
 from os.path import join
 
 if node.metadata['backups'].get('exclude_from_backups', False):
-    files = {
-        '/etc/backup.priv': {
-            'delete': True,
-        },
+    files['/etc/backup.priv'] = {
+        'delete': True,
     }
 else:
     if ':' in node.metadata['backup-client']['server']:
@@ -13,23 +11,31 @@ else:
         server = node.metadata['backup-client']['server']
         port = 22
 
-    files = {
-        '/usr/local/bin/generate-backup': {
-            'content_type': 'mako',
-            'context': {
-                'username': node.metadata['backup-client']['user-name'],
-                'server': server,
-                'port': port,
-                'paths': node.metadata.get('backups', {}).get('paths', {}),
-            },
-            'mode': '0700',
-        },
-        '/usr/local/share/icinga/plugins/check_backup_last_run': {
-            'mode': '0755',
-        },
-        '/etc/backup.priv': {
-            'content': repo.vault.decrypt_file(join('backup', 'keys', f'{node.name}.key.vault')),
-            'mode': '0400',
+    files['/usr/local/bin/generate-backup'] = {
+        'content_type': 'mako',
+        'context': {
+            'username': node.metadata['backup-client']['user-name'],
+            'server': server,
+            'port': port,
+            'paths': node.metadata.get('backups', {}).get('paths', {}),
         },
+        'mode': '0700',
+    }
+    files['/etc/backup.priv'] = {
+        'content': repo.vault.decrypt_file(join('backup', 'keys', f'{node.name}.key.vault')),
+        'mode': '0400',
     }
 
+files['/usr/local/share/icinga/plugins/check_backup_last_run'] = {
+    'mode': '0755',
+}
+
+directories['/etc/backup-pre-hooks.d'] = {
+    'purge': True,
+}
+
+for hname, hcontent in node.metadata['backup-client'].get('pre-hooks', {}).items():
+    files[f'/etc/backup-pre-hooks.d/{hname}'] = {
+        'content': hcontent,
+        'mode': '0700',
+    }