diff --git a/roles/backup/templates/s3backup.sh b/roles/backup/templates/s3backup.sh
index fe23298..a41408e 100644
--- a/roles/backup/templates/s3backup.sh
+++ b/roles/backup/templates/s3backup.sh
@@ -54,7 +54,19 @@ backup() {
 		for dir in "$@"; do
 			echo "- $dir"
 		done
+		# First, we remove stale locks. This command will only remove locks that have not been
+		# updated in the last half hour. By default, restic updates them during an ongoing
+		# operation every 5 minutes, so this should be perfectly fine to do.
+		# What I'm not sure of (but should be fine because we auto-restart if need be) is if two
+		# processes doing this concurrently will cause issues. I'd hope not but you never know.
+		# restic-unlock(1)
+		/opt/restic-wrapper \
+			--verbose \
+			unlock
 		# Back up everything in the $DIRS array (which was passed as args)
+		# This results in some level of pollution with regard to what paths are backed up
+		# (especially on ostree systems where we do the etc diff) but that's syntactic and
+		# we can script around it.
 		/opt/restic-wrapper \
 			--verbose \
 			backup \
@@ -65,11 +77,12 @@ backup() {
 		# --keep-weekly n	Keeps weekly backups for the last n weeks
 		# --keep-montly n	Keeps monthly backups for the last n months
 		# --keep-tag foo	Keeps all snapshots tagged with "foo"
-		# --host "$HOSTNAME"	Only act on *our* snapshots. We don't care about other machines'
+		# --host "$HOSTNAME"	Only act on *our* snapshots. We assume other machines are taking
+		#			care of their own houses.
 		# --prune		Remove orphaned blobs when we remove snapshots
 		/opt/restic-wrapper \
-			forget \
 			--verbose \
+			forget \
 			--keep-daily 7 \
 			--keep-weekly 4 \
 			--keep-monthly 6 \