diff --git a/ansible/roles/restic/files/restic-post.hook b/ansible/roles/restic/files/restic-post.hook
new file mode 100644
index 0000000..f605774
--- /dev/null
+++ b/ansible/roles/restic/files/restic-post.hook
@@ -0,0 +1,9 @@
+[Trigger]
+Operation = Upgrade
+Type = Package
+Target = restic
+
+[Action]
+Description = Set restic binary permissions
+When = PostTransaction
+Exec = /usr/share/libalpm/scripts/restic-post.sh
diff --git a/ansible/roles/restic/files/restic-post.sh b/ansible/roles/restic/files/restic-post.sh
new file mode 100644
index 0000000..103a052
--- /dev/null
+++ b/ansible/roles/restic/files/restic-post.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# See https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
+
+set -e
+
+RESTIC_BIN=$(which restic)
+
+# Set owner
+chown root:restic $RESTIC_BIN
+chmod 750 $RESTIC_BIN
+
+# Lest restic run root things
+setcap cap_dac_read_search=+ep $RESTIC_BIN
diff --git a/ansible/roles/restic/tasks/main.yml b/ansible/roles/restic/tasks/main.yml
index ddfac7c..f251a57 100644
--- a/ansible/roles/restic/tasks/main.yml
+++ b/ansible/roles/restic/tasks/main.yml
@@ -58,3 +58,19 @@
     dest: /etc/logrotate.d/backrest
     mode: "0600"
   become: true
+
+- name: Install pacman post script
+  template:
+    src: files/restic-post.sh
+    dest: /usr/share/libalpm/scripts/restic-post.sh
+    mode: "0700"
+  become: true
+  when: ansible_os_family == 'Archlinux'
+
+- name: Install pacman post hook
+  template:
+    src: files/restic-post.hook
+    dest: /usr/share/libalpm/hooks/restic-post.hook
+    mode: "0600"
+  become: true
+  when: ansible_os_family == 'Archlinux'
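Review bot: The trigger fires only on `Operation = Upgrade`, so the first `pacman -S restic` on a host never runs the script and the binary keeps the package's default ownership and lacks the capability until the next upgrade. If the role relies on this hook rather than setting the permissions itself, add a second trigger line `Operation = Install` under `[Trigger]` (libalpm accepts repeated Operation keys). Whether the role applies the same chown/chmod/setcap elsewhere is not visible in this diff.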
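Review bot: `which` is an external binary that may not be present in a minimal libalpm hook environment, and its result is expanded unquoted on the `chown`, `chmod` and `setcap` lines. Prefer the shell builtin and quote the path: `RESTIC_BIN=$(command -v restic)` followed by `chown root:restic "$RESTIC_BIN"` and the same quoting on the two lines below it. The comment `# Lest restic run root things` also understates what the last line does: `cap_dac_read_search` lets the binary bypass read-permission checks on every file, so each member of group `restic` effectively gains read access to the whole filesystem through restic. A comment such as `# Bypass file read-permission checks so backups run unprivileged; group restic membership is therefore equivalent to read-everything` records that trade-off for the next maintainer.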
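Review bot: Both new tasks use the `template` module for static files that carry no Jinja2 markup and live under `files/`, so any future `{{`, `{%` or `{#` in the shell script would be rendered or fail at deploy time; `copy` with `src: restic-post.sh` (resolved against the role's `files/` directory) is the idiomatic module for this content. Installing the hook alone does not apply the ownership, mode or capability on a host where restic is already present: nothing in this hunk runs the script once, so that happens only at the next restic upgrade, unless an earlier task in this file already performs the chown/chmod/setcap — that part of main.yml is outside the hunk. The three context lines belong to a logrotate task whose start is also outside the hunk.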