diff --git a/inventories/production/group_vars/all.yml b/inventories/production/group_vars/all.yml
index addd5cd..e359f07 100644
--- a/inventories/production/group_vars/all.yml
+++ b/inventories/production/group_vars/all.yml
@@ -29,6 +29,13 @@ adminuser_ssh_authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKwcV0mKhhQveIOjFKwt01S8WVtOn3Pfz6qa2P4/JR7S salt@lap-s76-lemp13-0.ws.mgmt.desu.ltd
 # For backups
+backup_restic_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65623036653432326435353932623037626532316631613763623237323533363938363462316237
+ 6363613363346239666630323134643866653436633537300a663732363565383061326135656539
+ 33313334656330366632613334366664613366313631363964373038396636623735633830386336
+ 3230316663373966390a663732373134323561313633363435376263643834383739643739303761
+ 62376231353936333666613661323864343439383736386636356561636463626266
 backup_s3_bucket: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 66316231643933316261303631656432376339663264666661663634616465326537303331626634
diff --git a/playbooks/prod_web.yml b/playbooks/prod_web.yml
index 20c0fe8..03c5d20 100755
--- a/playbooks/prod_web.yml
+++ b/playbooks/prod_web.yml
@@ -3,7 +3,7 @@
 # Webservers
 ---
 - hosts: vm-general-1.ashburn.mgmt.desu.ltd
- gather_facts: no
+ #gather_facts: no
 module_defaults:
 docker_container:
 restart_policy: unless-stopped
diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml
index 54d1d14..1db9703 100644
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
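Review bot: `#gather_facts: no` in the prod_web.yml hunk leaves a commented-out setting in the play instead of stating the new intent; if facts are now required (the backup role's new `when: ansible_pkg_mgr == "apt"` guard cannot evaluate without them), write it as `gather_facts: true  # roles/backup reads ansible_pkg_mgr` so the next reader does not simply restore the old line. Whether this play actually applies the backup role is not visible in the diff, so that comment should be confirmed against the play's roles list. The vault-encrypted `backup_restic_password` added in the group_vars hunk is committed as ciphertext only, which is the right form for this inventory.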
@@ -1,12 +1,27 @@
 #!/usr/bin/env ansible-playbook
 # vim:ft=ansible:
 ---
+ # Install restic if we can
+- name: install restic
+ block:
+ - name: install restic through apt
+ ansible.builtin.apt: name=restic state=present
+ when: ansible_pkg_mgr == "apt"
+ # The script
 - name: template out backup script
 ansible.builtin.template: src={{ backup_script }}.sh dest=/opt/backup.sh mode=0700 owner=root group=root
+ # Some restic-specific stuff
+- name: template out restic password file
+ ansible.builtin.template: src={{ backup_script }}-password dest=/opt/restic-password mode=0700 owner=root group=root
+- name: template out restic wrapper
+ ansible.builtin.template: src=restic-wrapper.sh dest=/opt/restic-wrapper mode=0700 owner=root group=root
+ # An analyzer for... reasons?
 - name: template out analyze script
 ansible.builtin.template: src={{ backup_script }}-analyze.sh dest=/opt/analyze.sh mode=0700 owner=root group=root
+ # This restore script doesn't even work???
 - name: template out restore script
 ansible.builtin.template: src={{ restore_script }}.sh dest=/opt/restore.sh mode=0700 owner=root group=root
+ # And service/timer definitions
 - name: configure systemd service
 ansible.builtin.template: src=backup.service dest=/etc/systemd/system/backup.service mode=0644
 - name: configure systemd timer
diff --git a/roles/backup/templates/restic-wrapper.sh b/roles/backup/templates/restic-wrapper.sh
new file mode 100644
index 0000000..b7a8b2a
--- /dev/null
+++ b/roles/backup/templates/restic-wrapper.sh
@@ -0,0 +1,6 @@
+#! /bin/sh
+exec nice -n 10 restic \
+ -r "s3:{{ backup_s3_aws_endpoint_url }}/{{ backup_s3_bucket }}/restic" \
+ -p /opt/restic-password \
+ --verbose \
+ "$@"
diff --git a/roles/backup/templates/s3backup-password b/roles/backup/templates/s3backup-password
new file mode 100644
index 0000000..310649f
--- /dev/null
+++ b/roles/backup/templates/s3backup-password
@@ -0,0 +1 @@
+{{ backup_restic_password }}
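Review bot: The "template out restic password file" task writes the restic repository password to `/opt/restic-password` with `mode=0700`, which marks a secret file executable; it only needs to be readable by root, so change that task to `mode=0600` and keep 0700 for the wrapper, which is actually executed. The source `src={{ backup_script }}-password` only resolves to the new `s3backup-password` template when `backup_script` is `s3backup`; any other value of that variable (its defaults are not visible here) will fail at template time, so either name the template literally or ship a matching `-password` file per script. Because `template` prints rendered content when a run uses `--diff`, adding `diff: false` to the password task keeps the secret out of run output.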
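Review bot: restic-wrapper.sh interpolates `backup_s3_aws_endpoint_url` unconditionally in the `-r` option, while s3backup.sh guards the same variable with `{% if backup_s3_aws_endpoint_url is defined %}`; on a host where it is undefined this template either fails to render or yields a repository URL with an empty host, depending on the undefined-variable setting. Either give it a value with the `default` filter or render the `-r` argument conditionally as s3backup.sh does, so the two templates agree on when the variable is required. No s3 credentials are set in the wrapper, so it presumably relies on environment variables exported by the caller — confirm that the systemd unit or backup script provides them.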
diff --git a/roles/backup/templates/s3backup.sh b/roles/backup/templates/s3backup.sh
index 7f96634..c952ba2 100644
--- a/roles/backup/templates/s3backup.sh
+++ b/roles/backup/templates/s3backup.sh
@@ -53,16 +53,22 @@ backup() {
 dir="$1"
 echo "- $dir"
- nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
+ if command -v restic > /dev/null 2>&1; then
+ /opt/restic-wrapper \
+ backup \
+ "$dir"
+ else
+ nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
 {% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
- --exclude "{{ item }}" \
+ --exclude "{{ item }}" \
 {% endfor %}
- "$dir" \
- | aws s3 cp --expected-size 274877906944 - \
+ "$dir" \
+ | aws s3 cp --expected-size 274877906944 - \
 {% if backup_s3_aws_endpoint_url is defined %}
- --endpoint-url="{{ backup_s3_aws_endpoint_url }}" \
+ --endpoint-url="{{ backup_s3_aws_endpoint_url }}" \
 {% endif %}
- "s3://{{ backup_s3_bucket }}/$HOSTNAME/$dir/$(date "+{{ backup_dateformat }}").tar.gz"
+ "s3://{{ backup_s3_bucket }}/$HOSTNAME/$dir/$(date "+{{ backup_dateformat }}").tar.gz"
+ fi
 }
 # Tar up all items in the backup list, recursively, and pipe them straight
@@ -72,7 +78,12 @@ if [ -n "${DIRS[*]}" ]; then
 for dir in "${DIRS[@]}"; do
 echo "- $dir"
 done
- echo "Will ignore the following items:"
+ if command -v restic > /dev/null 2>&1; then
+ echo "An ignore list was specified, but restic was detected as the backup method."
+ echo "The following list of items WILL be backed up:"
+ else
+ echo "Will ignore the following items:"
+ fi
 {% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
 echo "- {{ item }}"
 {% endfor %}
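Review bot: The restic branch of backup() drops the exclude list entirely — the tar branch still expands `backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra` into `--exclude` flags, but `/opt/restic-wrapper backup "$dir"` receives none, so paths the inventory was configured to keep out of the backup (the second hunk's new message even announces they "WILL be backed up") end up in the remote repository. restic accepts `--exclude` as well, so render the same Jinja loop in that branch; once it does, the second hunk can go back to the single `echo "Will ignore the following items:"` line. Exclude pattern matching is not identical between tar and restic, so the existing list entries should be checked against restic's rules before relying on them. Both hunks also repeat `command -v restic > /dev/null 2>&1`; evaluating it once into a variable near the top of the script keeps the two decisions from drifting. backup() starts before this hunk.
```shell
  if command -v restic > /dev/null 2>&1; then
    /opt/restic-wrapper \
      backup \
{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
      --exclude "{{ item }}" \
{% endfor %}
      "$dir"
  else
    # … unchanged: tar | aws s3 cp branch …
  fi
```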