diff --git a/ansible/host_vars/restic.yml b/ansible/host_vars/restic.yml
new file mode 100644
index 0000000..8df576d
--- /dev/null
+++ b/ansible/host_vars/restic.yml
@@ -0,0 +1,2 @@
+restic_backup_locations:
+ - /mnt/tank
diff --git a/ansible/main.yml b/ansible/main.yml
index fa44d3d..f7c1b4f 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -90,3 +90,7 @@
 - hosts: jellyfin
 roles:
 - jellyfin
+
+- hosts: restic
+ roles:
+ - restic
diff --git a/ansible/roles/restic/defaults/main.yml b/ansible/roles/restic/defaults/main.yml
new file mode 100644
index 0000000..1f35a5d
--- /dev/null
+++ b/ansible/roles/restic/defaults/main.yml
@@ -0,0 +1 @@
+restic_backup_locations: []
diff --git a/ansible/roles/restic/tasks/files/backrest.sh b/ansible/roles/restic/tasks/files/backrest.sh
new file mode 100644
index 0000000..74e0f0a
--- /dev/null
+++ b/ansible/roles/restic/tasks/files/backrest.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -e
+
+export B2_ACCOUNT_ID="{{ restic_b2_account_id }}"
+export B2_ACCOUNT_KEY="{{ restic_b2_account_key }}"
+export RESTIC_PASSWORD="{{ restic_key }}"
+export RESTIC_REPOSITORY="b2:{{ restic_b2_bucket }}"
+
+export RESTIC_LOG_DIR="$HOME/log"
+export RESTIC_LOG_FILE="$RESTIC_LOG_DIR/$(date -Iseconds).log"
+
+mkdir -p "$RESTIC_LOG_DIR"
+
+# Run backup, and capture logs to file
+cron_backup() {
+ restic --verbose backup {{ restic_backup_locations|join(' ') }} | tee -a $RESTIC_LOG_FILE
+ exit_code=${PIPESTATUS[0]}
+ echo "Exit code: $exit_code"
+}
+
+# Run backup, but show all the progress
+backup() {
+ restic --verbose backup {{ restic_backup_locations|join(' ') }}
+}
+
+# Run restic, but with environment variables set
+exec () {
+ set -x
+ restic $@
+}
+
+# Run the things
+"$@"
diff --git a/ansible/roles/restic/tasks/main.yml b/ansible/roles/restic/tasks/main.yml
new file mode 100644
index 0000000..659166f
--- /dev/null
+++ b/ansible/roles/restic/tasks/main.yml
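Review bot: In backrest.sh, `cron_backup` captures restic's status in `exit_code` but only echoes it, and because `set -e` is used without `pipefail` the `restic … | tee` pipeline reports tee's status, so a failed backup still ends the script with exit 0 and a scheduler has nothing to alert on. I would end the function with `return "$exit_code"`. The three secret exports interpolate vault values inside double quotes, so a value containing `$`, a backtick or `"` is re-interpreted by bash; `export RESTIC_PASSWORD={{ restic_key | quote }}` (and the same for the B2 id and key) avoids that. The wrapper named `exec` also shadows the bash builtin and passes `$@` unquoted; `restic "$@"` keeps arguments with spaces intact.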
@@ -0,0 +1,33 @@
+- name: Install restic
+ package:
+ name: restic
+ become: true
+
+- name: Make user
+ user:
+ name: restic
+ shell: /bin/nologin
+ system: false
+ become: true
+
+- name: backrest
+ template:
+ src: files/backrest.sh
+ dest: /home/restic/backrest.sh
+ mode: "0700"
+ owner: restic
+ become: true
+
+- name: Set restic binary permissions
+ file:
+ path: /usr/bin/restic
+ mode: "0750"
+ owner: root
+ group: restic
+ become: true
+
+- name: Set cap_sys_chroot=+ep on restic
+ community.general.capabilities:
+ path: /usr/bin/restic
+ capability: cap_dac_read_search=+ep
+ become: true
diff --git a/ansible/roles/restic/vars/main.yml b/ansible/roles/restic/vars/main.yml
new file mode 100644
index 0000000..0f4b882
--- /dev/null
+++ b/ansible/roles/restic/vars/main.yml
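Review bot: The last task in tasks/main.yml is named `Set cap_sys_chroot=+ep on restic` but the capability it applies is `cap_dac_read_search=+ep`; the name should match, e.g. `- name: Set cap_dac_read_search=+ep on restic`. That capability lets the binary bypass file read permission checks, so every member of group `restic` (the only non-root principals allowed to execute it under mode `0750`) can read any file on the host through it; a comment such as `# restic may read every file on the host; keep group restic limited to the backup user` above the task would record that. The `backrest` template task renders the decrypted B2 and repository secrets, so `no_log: true` on that task is worth adding to keep them out of `--diff` output and logs.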
@@ -0,0 +1,26 @@
+restic_b2_account_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37653465353462333831333031373566343362316461643463303737356332363364666264666562
+ 6436353430313239643831626537383664376264393430310a353434306465653934356164393265
+ 65336534356636386634366533313039643438656439636434666464636338373130636661303536
+ 6638356530373062640a376430663231396538386161353165363538346266663135363337303166
+ 35613838363336393032643965373437663937626532356239336535663064363438
+restic_b2_account_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31343939356266366364313631633836653364633331306134663163653939373663316632626161
+ 3262376666323366313563313836643133393437663462320a653637633663636663353234323265
+ 63633632383461616437636230643430613635626431383966326666383030393735623963333263
+ 3433633830356530390a623436376364343630313066663965303238646564323266303865623965
+ 66353963376434333030333332646464653637633737633832663762303339666336
+restic_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65326130653631643138373231336439303962356666353737373832633666373965666466613034
+ 3730333664373334316436396435356137313337633836330a653366343732656539663439313838
+ 34326361353232663533663366393464643761343864623965386633313438303738343238623430
+ 6661313730646166330a393336333635623832653232653863626135343164363831366134316465
+ 30306238613865393664383865323233626636333063393936613864303365386431613838366363
+ 39633865393761366134633933333237313362636234323330313135336637613235303764383938
+ 34383938396366363937643864393838363638383066646663393363393562653431653764356537
+ 61303164333662353732656265386430383566343462633435626334373331316663363563616662
+ 66643135336539333738623231346331623464636637373639666435663961383936
+restic_b2_bucket: 0rng-restic