diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index 3481219..916c7ee 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -18,6 +18,10 @@ nextcloud_redis_password: myredispass
 nextcloud_db_username: nextcloud
 nextcloud_db_password: secretnextcloud
 
+# run restic backups
+nextcloud_backup_enable: false
+nextcloud_backup_cron: 0 30 3 * * *
+
 nextcloud_php_memory_limit: 5G # maximum ram php may use
 nextcloud_php_upload_limit: 15G # maximum size of (web) uploaded files
 
@@ -42,9 +46,3 @@ nextcloud_smtp_from_domain: "{{ server_domain }}"
 # nextcloud_s3_ssl: true
 # nextcloud_s3_region: eu-central-1
 # nextcloud_s3_usepath_style: true
-
-nextcloud_backup_db_enable: false
-# nextcloud_backup_db_repo: s3.eu-central-1.wasabisys.com/myrepo
-# nextcloud_backup_db_key: <s3-key>
-# nextcloud_backup_db_secret: <s3-secret>
-# nextcloud_backup_db_timezone: US/Chicago
diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2
index 07a57f4..ff5f6ce 100644
--- a/roles/nextcloud/templates/docker-stack.yml.j2
+++ b/roles/nextcloud/templates/docker-stack.yml.j2
@@ -160,24 +160,22 @@ services:
     networks:
       - backend
 
-{% if nextcloud_backup_db_enable is not undefined and not false %}
+{% if backup_enable is not undefined and not false and nextcloud_backup_enable is not undefined and not false %}
   backup:
     image: mazzolino/restic
     environment:
-      - "TZ={{ nextcloud_backup_db_timezone }}"
+      - "TZ={{ restic_timezone }}"
        # go-cron starts w seconds
-      - "BACKUP_CRON=0 30 3 * * *"
-      - "RESTIC_REPOSITORY={{ nextcloud_backup_db_repo }}"
-      - "AWS_ACCESS_KEY_ID={{ nextcloud_backup_db_key }}"
-      - "AWS_SECRET_ACCESS_KEY={{ nextcloud_backup_db_secret }}"
-      - "RESTIC_PASSWORD={{ nextcloud_backup_db_pass }}"
-      - "RESTIC_BACKUP_TAGS=nextcloud-db"
-      - "RESTIC_BACKUP_SOURCES=/mnt/volumes"
+      - "BACKUP_CRON={{ nextcloud_backup_cron }}"
+      - "RESTIC_REPOSITORY={{ restic_repo }}"
+      - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}"
+      - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}"
+      - "RESTIC_PASSWORD={{ restic_pass }}"
+      - "RESTIC_BACKUP_TAGS=nextcloud"
+      - "RESTIC_BACKUP_SOURCES=/volumes"
     volumes:
-      - db:/mnt/volumes/nextcloud_db:ro
-      - data:/mnt/volumes/nextcloud_data:ro
-    networks:
-      - backend
+      - db:/volumes/nextcloud_db:ro
+      - data:/volumes/nextcloud_data:ro
 {% endif %}
 
   # metrics:
diff --git a/roles/restic/README.md b/roles/restic/README.md
new file mode 100644
index 0000000..8849990
--- /dev/null
+++ b/roles/restic/README.md
@@ -0,0 +1,49 @@
+# restic
+
+Backup maintenance stack.
+
+Takes care of regularly pruning the backup repository and checking its integrity.
+Currently only supports S3 as a backend.
+
+## Defaults
+
+```yaml
+restic_timezone: US/Chicago
+```
+
+The timezone to be used for the cronjob.
+
+```yaml
+restic_version: latest
+```
+
+The docker image version to be used in stack creation.
+
+```yaml
+restic_repo: s3.eu-central-1.wasabisys.com/myrepo
+restic_pass: <restic-pass>
+```
+
+The repository url and the restic repository password.
+See the restic documentation for more information.
+
+```yaml
+restic_s3_key: <s3-key>
+restic_s3_secret: <s3-secret>
+```
+
+The restic S3 credentials, i.e. the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+
+```yaml
+restic_prune_cron: 0 0 4 * * *
+restic_forget_args: --prune --keep-last 14 --keep-daily 2 --keep-weekly 2
+```
+
+The default prune and forget cronjob schedule and arguments: Prune the repository every day at 4:00 AM and keep the last 14 snapshots, 2 daily snapshots and 2 weekly snapshots.
+
+```yaml
+restic_check_cron: 0 15 5 * * *
+restic_check_args: --read-data-subset=5%
+```
+
+The default check cronjob schedule and arguments: Check the repository integrity every day at 5:15 AM and in addition to structural checks, read 5 randomly chosen % for a data integrity check.
diff --git a/roles/restic/defaults/main.yml b/roles/restic/defaults/main.yml
new file mode 100644
index 0000000..8022df5
--- /dev/null
+++ b/roles/restic/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+restic_version: latest
+
+# restic_repo: s3.eu-central-1.wasabisys.com/myrepo
+# restic_pass: <restic-pass>
+# restic_s3_key: <s3-key>
+# restic_s3_secret: <s3-secret>
+restic_timezone: "{{ server_timezone | default('US/Chicago') }}"
+
+restic_prune_cron: 0 0 4 * * *
+restic_forget_args: --prune --keep-last 14 --keep-daily 2 --keep-weekly 2
+
+restic_check_cron: 0 15 5 * * *
+restic_check_args: --read-data-subset=5%
diff --git a/roles/restic/meta/main.yml b/roles/restic/meta/main.yml
new file mode 100644
index 0000000..dd49542
--- /dev/null
+++ b/roles/restic/meta/main.yml
@@ -0,0 +1,11 @@
+---
+galaxy_info:
+  author: Marty Oehme
+  description: Installs a restic-based backup maintenance stack. Only supports S3 atm.
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  galaxy_tags: []
+
+dependencies:
+  - docker-swarm
+  - caddy_id
diff --git a/roles/restic/tasks/main.yml b/roles/restic/tasks/main.yml
new file mode 100644
index 0000000..5bb5027
--- /dev/null
+++ b/roles/restic/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Deploy restic to swarm
+  community.general.docker_stack:
+    name: "{{ stack_name }}"
+    state: present
+    prune: yes
+    compose:
+      - "{{ stack_compose }}"
+  become: true
+  tags:
+    - docker-swarm
diff --git a/roles/restic/templates/docker-stack.yml.j2 b/roles/restic/templates/docker-stack.yml.j2
new file mode 100644
index 0000000..822572d
--- /dev/null
+++ b/roles/restic/templates/docker-stack.yml.j2
@@ -0,0 +1,31 @@
+version: '3.4'
+
+services:
+  prune:
+    image: "{{ stack_image }}:{{ restic_version }}"
+    hostname: docker
+    environment:
+      - "TZ={{ restic_timezone }}"
+      - SKIP_INIT: "true"
+       # go-cron starts w seconds
+      - "PRUNE_CRON={{ restic_prune_cron }}"
+      - RESTIC_FORGET_ARGS: "{{ restic_forget_args }}"
+      - "RESTIC_REPOSITORY={{ restic_repo }}"
+      - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}"
+      - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}"
+      - "RESTIC_PASSWORD={{ restic_pass }}"
+
+  check:
+    image: "{{ stack_image }}:{{ restic_version }}"
+    hostname: docker
+    environment:
+      - "TZ={{ restic_timezone }}"
+      - SKIP_INIT: "true"
+      - RUN_ON_STARTUP: "false"
+       # go-cron starts w seconds
+      - "CHECK_CRON={{ restic_check_cron }}"
+      - RESTIC_CHECK_ARGS: "{{ restic_check_args }}"
+      - "RESTIC_REPOSITORY={{ restic_repo }}"
+      - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}"
+      - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}"
+      - "RESTIC_PASSWORD={{ restic_pass }}"
diff --git a/roles/restic/vars/main.yml b/roles/restic/vars/main.yml
new file mode 100644
index 0000000..8b3dcf5
--- /dev/null
+++ b/roles/restic/vars/main.yml
@@ -0,0 +1,8 @@
+---
+stack_name: restic
+
+stack_image: "mazzolino/restic"
+
+stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}"
+
+backup_enable: true