diff --git a/.gitignore b/.gitignore
index 4519f72..b5990d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,5 @@ __pycache__/
 process_list.txt
 secrets
 repos.yml
-rsync_backup_excludes
 .talismanrc
 .roles_played
diff --git a/configs.yml b/configs.yml
index 04c5198..a52933d 100644
--- a/configs.yml
+++ b/configs.yml
@@ -11,17 +11,6 @@ etckeeper:
     - run:
         - sudo etckeeper commit "First commit"
 
-rsync_backup:
-    - run:
-        - sudo ln -rsi dotfiles/systemd/rsync_backup.timer /etc/systemd/system/rsync_backup.timer
-    - run:
-        - sudo ln -rsi dotfiles/systemd/rsync_backup.service /etc/systemd/system/rsync_backup.service
-    - run:
-        - sudo systemctl enable rsync_backup.timer
-    - symlink:
-        - ~/src/secrets/setup-cockpit/rsync_backup_excludes
-        - ~/setup-cockpit/rsync_backup_excludes
-
 gitea_backup_rsync:
     - run:
         - sudo ln -rsi dotfiles/systemd/gitea_backup_rsync.timer /etc/systemd/system/gitea_backup_rsync.timer
diff --git a/dotfiles/systemd/rsync_backup.service b/dotfiles/systemd/rsync_backup.service
deleted file mode 100644
index c2ba3da..0000000
--- a/dotfiles/systemd/rsync_backup.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Backup with rsync daily
-
-[Service]
-Type=simple
-ExecStart=/bin/bash -c 'source /home/*/setup-cockpit/secrets && /home/*/setup-cockpit/rsync_backup.sh'
diff --git a/playbook.yml b/playbook.yml
index 4a86c9c..02cb377 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -28,3 +28,4 @@
     - { role: repos, tags: repos }
     - { role: libvirt, tags: libvirt }
     - { role: mariadb, tags: mariadb }
+    - { role: rsync-backup, tags: rsync-backup }
diff --git a/roles/rsync-backup/files/rsync_backup.service b/roles/rsync-backup/files/rsync_backup.service
new file mode 100644
index 0000000..8f5ff14
--- /dev/null
+++ b/roles/rsync-backup/files/rsync_backup.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Backup with rsync daily
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/rsync_backup.sh
+
+# vim: ft=systemd
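Review bot: `Type=simple` in the `[Service]` section treats the unit as started as soon as the script is forked, but this is a run-to-completion job fired by a timer; `Type=oneshot` is the conventional choice. The unit also sets no `User=`, so it presumably runs as root, with no sandboxing. If the backup does not need full root, consider a dedicated user, or at least `NoNewPrivileges=true`. A short comment above `ExecStart` saying that the script is rendered by the role's template task would help readers find where it comes from.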
diff --git a/dotfiles/systemd/rsync_backup.timer b/roles/rsync-backup/files/rsync_backup.timer
similarity index 87%
rename from dotfiles/systemd/rsync_backup.timer
rename to roles/rsync-backup/files/rsync_backup.timer
index 4ae2115..5938e1e 100644
--- a/dotfiles/systemd/rsync_backup.timer
+++ b/roles/rsync-backup/files/rsync_backup.timer
@@ -7,3 +7,5 @@ Persistent=true
 
 [Install]
 WantedBy=timers.target
+
+# vim: ft=systemd
diff --git a/roles/rsync-backup/handlers/main.yml b/roles/rsync-backup/handlers/main.yml
new file mode 100644
index 0000000..aba8add
--- /dev/null
+++ b/roles/rsync-backup/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Run daemon-reload
+  become: true
+  systemd:
+    daemon-reload: true
+
+- name: Enable rsync_backup timer
+  become: true
+  systemd:
+    name: rsync_backup.timer
+    enabled: true
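Review bot: Enabling the timer from a handler means it only happens when the "Copy rsync_backup timer" task reports a change, so a host where the file already exists but the timer was never enabled stays disabled. In addition, `enabled: true` alone does not start the timer, so it will not fire until the next boot. Moving this into a regular task with `enabled: true` and `state: started` would make every run converge on the intended state. The daemon-reload handler can stay as it is.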
diff --git a/roles/rsync-backup/meta/main.yml b/roles/rsync-backup/meta/main.yml
new file mode 100644
index 0000000..de1d46c
--- /dev/null
+++ b/roles/rsync-backup/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: check-sudo
+  - role: secrets-repo
diff --git a/roles/rsync-backup/tasks/main.yml b/roles/rsync-backup/tasks/main.yml
new file mode 100644
index 0000000..db24602
--- /dev/null
+++ b/roles/rsync-backup/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- include_vars: vault.yml
+
+- name: Copy rsync_backup timer
+  become: true
+  copy:
+    src: rsync_backup.timer
+    dest: /etc/systemd/system/rsync_backup.timer
+  notify:
+    - Run daemon-reload
+    - Enable rsync_backup timer
+
+- name: Copy rsync_backup service
+  become: true
+  copy:
+    src: rsync_backup.service
+    dest: /etc/systemd/system/rsync_backup.service
+  notify: Run daemon-reload
+
+- name: Copy rsync_backup script
+  become: true
+  template:
+    src: rsync_backup.sh.j2
+    dest: /usr/local/bin/rsync_backup.sh
+    mode: 0755
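Review bot: The "Copy rsync_backup script" task renders the vaulted source and destination into `/usr/local/bin/rsync_backup.sh` with `mode: 0755`, so any local account can read values that were encrypted in `vars/vault.yml`. Only the systemd unit executes the script, so `owner: root`, `group: root` and `mode: "0700"` would keep them private. Quoting the mode also avoids relying on YAML octal parsing. The two `copy` tasks above set no owner or mode either; pinning `mode: "0644"` on the unit files would make the result independent of the umask. The unnamed `include_vars` at the top would be easier to follow in run output with a `name:`.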
diff --git a/roles/rsync-backup/templates/rsync_backup.sh.j2 b/roles/rsync-backup/templates/rsync_backup.sh.j2
new file mode 100644
index 0000000..a233343
--- /dev/null
+++ b/roles/rsync-backup/templates/rsync_backup.sh.j2
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Backup script that uses rsync, taken from https://wiki.archlinux.org/index.php/Rsync#As_a_backup_utility
+# This script should be run daily with cron or a systemd timer.
+
+RSYNC_BACKUP_SRC={{ rsync_backup_src }}
+RSYNC_BACKUP_DEST={{ rsync_backup_dest }}
+
+rsync -a --delete --quiet --exclude-from={{ ansible_facts.user_dir }}/src/secrets/setup-cockpit/rsync_backup_excludes "$RSYNC_BACKUP_SRC" "$RSYNC_BACKUP_DEST"
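Review bot: The three Jinja expansions are written into the script unquoted, so a path containing a space or a shell metacharacter changes what the root-run script executes; for example, a space in `rsync_backup_src` turns the rest of the value into a command. Pass each through the `quote` filter: `RSYNC_BACKUP_SRC={{ rsync_backup_src | quote }}`, `RSYNC_BACKUP_DEST={{ rsync_backup_dest | quote }}`, and likewise for the `--exclude-from=` path. The removed script refused to run when source or destination was empty. With `--delete` on the command line that guard is worth keeping, either as a `[ -z ... ]` check here or as an `assert` in the role. The exclude list is read from a path under the user's home, so its ownership and mode deserve a check given that the job presumably runs as root.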
diff --git a/roles/rsync-backup/vars/main.yml b/roles/rsync-backup/vars/main.yml
new file mode 100644
index 0000000..1b2e042
--- /dev/null
+++ b/roles/rsync-backup/vars/main.yml
@@ -0,0 +1,3 @@
+---
+rsync_backup_src: "{{ vault_rsync_backup_src }}"
+rsync_backup_dest: "{{ vault_rsync_backup_dest }}"
diff --git a/roles/rsync-backup/vars/vault.yml b/roles/rsync-backup/vars/vault.yml
new file mode 100644
index 0000000..d1141cd
--- /dev/null
+++ b/roles/rsync-backup/vars/vault.yml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+61383863303237303961343965343335363265396463326631633665626534376634376237656133
+6334633039666136323338383364376433353031346134330a663664336632356666383462353465
+38623966383132346237613564356562303033353164623331653966383034353865366362366238
+3136353736353364370a633361376133376462353332306230396437393164316536396535653266
+36303034376630396631616237663239326363633232613762346637323266336433333066363233
+61633835356461303265663438386434636434616136633661656135393462626561353530383439
+33636266336335323531633836633034613631626431626565363561376637613263663637376331
+62343230663166323433626338326364356364386132366137643966663836613934373233666137
+64316533636339613330383732373564333262353136333831643033373336663961626638666638
+64333066306631353462363131623234616564303764343037636539623838666635663737623536
+39396439356136343239626262326532386166616563336531313531356435323662323462326336
+66343137633839363439
diff --git a/rsync_backup.sh b/rsync_backup.sh
deleted file mode 100755
index 74f08a9..0000000
--- a/rsync_backup.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# Backup script that uses rsync, taken from https://wiki.archlinux.org/index.php/Rsync#As_a_backup_utility
-# This script should be run daily with cron or a systemd timer.
-
-[ -z "$SETUP_COCKPIT_USER" ] && echo "SETUP_COCKPIT_USER was not set, quitting" && exit 1
-[ -z "$RSYNC_BACKUP_SRC" ] && echo "RSYNC_BACKUP_SRC was not set, quitting" && exit 1
-[ -z "$RSYNC_BACKUP_DEST" ] && echo "RSYNC_BACKUP_DEST was not set, quitting" && exit 1
-
-rsync -a --delete --quiet --exclude-from=/home/"$SETUP_COCKPIT_USER"/setup-cockpit/rsync_backup_excludes "$RSYNC_BACKUP_SRC" "$RSYNC_BACKUP_DEST"