diff --git a/host_vars/overwatch.kde.org.yml b/host_vars/overwatch.kde.org/vars.yml
similarity index 58%
rename from host_vars/overwatch.kde.org.yml
rename to host_vars/overwatch.kde.org/vars.yml
index 2c50f88..a4ea6bb 100644
--- a/host_vars/overwatch.kde.org.yml
+++ b/host_vars/overwatch.kde.org/vars.yml
@@ -1,4 +1,6 @@
---
backup_apt_dependencies: [rdiff-backup]
gohma_backup_user: overwatchbackup
gohma_backup_home: BACKUP.overwatch.kde.org
+backup_install_restic: yes
+backup_restic_password: "{{vault_backup_restic_password}}"
diff --git a/host_vars/overwatch.kde.org/vault.yml b/host_vars/overwatch.kde.org/vault.yml
new file mode 100644
index 0000000..1fc5b04
--- /dev/null
+++ b/host_vars/overwatch.kde.org/vault.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+64616139663963646166643636333134663137646461363036323062356333633062613731373730
+3639613335333339373333663738363539373436343561650a643832346437373438323762613030
+38316136313032333236343738623730623264306461313961613539633137363530663435646338
+3266623466393062640a666634306339343334643331656535343565613162306635623763306234
+31323935323731653265306461373630663530326161653961343634336638623962356163333261
+6565376436336163376231353137313862323634313238313238
diff --git a/roles/kde-backup/tasks/main.yml b/roles/kde-backup/tasks/main.yml
index d2190aa..b45c24c 100644
--- a/roles/kde-backup/tasks/main.yml
+++ b/roles/kde-backup/tasks/main.yml
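Review bot: `backup_install_restic: yes` uses a YAML 1.1 truthy spelling that different loaders and yamllint's truthy rule treat inconsistently; write `backup_install_restic: true` instead. The tasks that consume this key in roles/kde-backup/tasks/main.yml only test `is defined`, so its value is never inspected and `false` would not disable the install; a comment above the key, e.g. `# presence of this key (not its value) enables the restic tasks in kde-backup`, would stop the next editor from relying on it. Routing the secret through `vault_backup_restic_password` rather than inlining it here is the right pattern and should stay.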
@@ -1,117 +1,147 @@ --- - name: ensure bin directory exists file: path: /root/bin state: directory owner: root group: root - name: ensure backup directory exists file: path: /root/{{backup_directory}} state: directory owner: root group: root mode: 0700 - name: ensure lftp is installed apt: name: lftp state: present when: hetzner_backup_host is defined - name: install Hetzner ftp script template: src: backup-options.j2 dest: /root/bin/backup-options owner: root group: root mode: 0600 when: hetzner_backup_host is defined - name: ensure host has a ssh key user: name: root generate_ssh_key: yes register: root_user when: gohma_backup_user is defined - name: ensure a backup account exists in gohma delegate_to: gohma.kde.org user: name: "{{gohma_backup_user}}" home: "/home/{{gohma_backup_home}}/" when: gohma_backup_user is defined - name: create .ssh in gohma account delegate_to: gohma.kde.org file: state: directory dest: "/home/{{gohma_backup_home}}/.ssh" owner: root group: root mode: 0755 when: gohma_backup_user is defined - name: assign authorized keys delegate_to: gohma.kde.org copy: dest: "/home/{{gohma_backup_home}}/.ssh/authorized_keys" owner: root group: root mode: 0644 content: "no-pty,no-x11-forwarding,no-port-forwarding,no-agent-forwarding {{root_user.ssh_public_key}}\n" when: gohma_backup_user is defined # This will *fail* if gohma is not present in known_hosts, # and will need manual intervention to add it. # A better solution might need a custom Ansible module. 
- name: ensure gohma is in known_hosts command: ssh-keygen -F gohma.kde.org check_mode: no changed_when: False when: gohma_backup_user is defined - name: install other dependencies of backup script apt: name: "{{item}}" state: present with_items: "{{backup_apt_dependencies}}" +- name: download restic + get_url: + url: https://github.com/restic/restic/releases/download/v0.8.1/restic_0.8.1_linux_amd64.bz2 + checksum: sha256:78abad9b589f303f6d9c129ed5ebfe240fbdbdaa5bb0ffec43dacb2991bd526a + dest: /root/bin/restic_0.8.1_linux_amd64.bz2 + owner: root + group: root + when: backup_install_restic is defined + +- name: decompress restic + command: bunzip2 -k -f restic_0.8.1_linux_amd64.bz2 + args: + chdir: /root/bin + creates: restic_0.8.1_linux_amd64 + when: backup_install_restic is defined + +- name: set mode +x on restic + file: + path: /root/bin/restic_0.8.1_linux_amd64 + state: file + mode: 0744 + when: backup_install_restic is defined + +- name: create restic symlink + file: + dest: /root/bin/restic + src: restic_0.8.1_linux_amd64 + state: link + when: backup_install_restic is defined + - name: install backup script template: src: backup-{{inventory_hostname_short}}.sh dest: /root/bin/run-backup.sh owner: root group: root mode: 0744 - name: configure backup cronjob cron: hour: "{{backup_cron.hour}}" minute: "{{backup_cron.minute}}" weekday: "{{backup_cron.weekday | default('*')}}" user: root job: /root/bin/run-backup.sh name: "run backup" - block: - name: install Hetzner ftp script for gitolite logs template: src: backup-options-logs.j2 dest: /root/bin/backup-options-logs owner: root group: root mode: 0600 - name: configure cronjob for gitolite log backups cron: hour: "{{backup_logs_cron.hour}}" minute: "{{backup_logs_cron.minute}}" weekday: "{{backup_logs_cron.weekday | default('*')}}" user: root job: "lftp -f ~/bin/backup-options-logs" name: "backup gitolite logs" when: inventory_hostname == 'code.kde.org' 
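Review bot: All four new restic tasks (download, decompress, set mode, symlink) gate on `when: backup_install_restic is defined`, so a host that sets `backup_install_restic: false` still gets restic installed; only deleting the variable turns the tasks off. Test the value instead, e.g. `when: backup_install_restic | default(false) | bool`, on each of the four tasks. The version string 0.8.1 and its filename are repeated across all four tasks as well; a single `restic_version` variable with the sha256 defined next to it would keep them in step when the pin is bumped. Pinning `checksum: sha256:…` on `get_url` is the right choice and should remain whatever the version handling becomes.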
diff --git a/roles/kde-backup/templates/backup-overwatch.sh b/roles/kde-backup/templates/backup-overwatch.sh
index 4112705..0b0308a 100755
--- a/roles/kde-backup/templates/backup-overwatch.sh
+++ b/roles/kde-backup/templates/backup-overwatch.sh
@@ -1,28 +1,26 @@
#!/bin/bash
LOCATION=/root/{{backup_directory}}
# capture all output in a log file
exec &> /tmp/backup.log
# if anything fails, output the log file so that cron emails
trap 'cat /tmp/backup.log' ERR
set -ex
tar -czf $LOCATION/etc.`date +%w`.tgz -C / etc/
dpkg -l > $LOCATION/dpkg.`date +%w`
cp /var/lib/grafana/grafana.db $LOCATION/grafana.db.`date +%w`
-# delete staging dir in case it was left behind by an interrupted backup
-rm -rf influxdb-backup-staging
+chmod -R 700 $LOCATION
-echo "InfluxDB backups temporarily disabled!"
-#ionice -c3 influxd backup -database telegraf influxdb-backup-staging
-#ionice -c3 rdiff-backup influxdb-backup-staging $LOCATION/influxdb
-#rm -rf influxdb-backup-staging
-#rdiff-backup --force --remove-older-than 14D $LOCATION/influxdb
+rsync --timeout=600 -a backup overwatchbackup@gohma.kde.org:
-chmod -R 700 $LOCATION
+export RESTIC_REPOSITORY=sftp:overwatchbackup@gohma.kde.org:backup/restic
+export RESTIC_PASSWORD="{{backup_restic_password}}"
+ionice -c3 ~/bin/restic backup /var/lib/influxdb
-rsync --timeout=600 --delete -a backup overwatchbackup@gohma.kde.org:
+# force it to send email
+exit 1
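Review bot: `export RESTIC_PASSWORD="{{backup_restic_password}}"` renders the vault secret into the script, and because `set -ex` is already in effect the expanded export line is also traced into /tmp/backup.log, which the ERR trap then cats into cron mail; the task that installs this template in roles/kde-backup/tasks/main.yml uses `mode: 0744`, so the rendered password is readable by every local user too. Prefer `export RESTIC_PASSWORD_FILE=/root/.restic-password` with that file deployed separately at mode 0600, or at minimum bracket the export with `set +x` / `set -x` and install the script as 0700. The unconditional `exit 1` is also doubtful: all output is redirected to the log, the ERR trap is unlikely to fire on `exit`, so cron may have nothing to mail, and every run is reported as a failure regardless — presumably a trailing `cat /tmp/backup.log` or an EXIT trap was intended; worth confirming. Backing up a live /var/lib/influxdb directory may yield an inconsistent snapshot, though that is inferred from the path alone.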