diff --git a/deploy.yml b/deploy.yml
index c7390e8..1b10102 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -15,6 +15,7 @@
 users:
 - rilla
 - ansible
+ - gopass
 - woodpecker
 
 - name: quality of life tools
@@ -45,10 +46,19 @@
 become: true
 roles:
 - wireguard
- tags: wg
 
 - name: lbu commit
 hosts: snitch
 become: true
 roles:
 - lbu_commit
+
+- name: setup gopass
+ become: true
+ hosts:
+ - caladan
+ - fugu
+ - narwhal
+ roles:
+ - gopass
+ tags: gopass
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
new file mode 100644
index 0000000..f9ebe07
--- /dev/null
+++ b/group_vars/all/main.yml
@@ -0,0 +1,9 @@
+---
+
+deb_arch_mapping: {
+ "armv6l": "armhf",
+ "armv7l": "armhf",
+ "aarch64": "arm64",
+ "x86_64": "amd64",
+ "i386": "i386"
+}
diff --git a/roles/gopass/tasks/debian.yml b/roles/gopass/tasks/debian.yml
new file mode 100644
index 0000000..fdc6750
--- /dev/null
+++ b/roles/gopass/tasks/debian.yml
@@ -0,0 +1,19 @@
+---
+
+- name: add gopass apt key
+ get_url:
+ url: https://packages.gopass.pw/repos/gopass/gopass-archive-keyring.gpg
+ dest: /etc/apt/trusted.gpg.d/gopass-archive-keyring.gpg
+
+- name: add gopass repo
+ apt_repository:
+ repo: deb https://packages.gopass.pw/repos/gopass stable main
+ filename: gopass.sources
+ update_cache: true
+ state: present
+
+- name: install gopass
+ apt:
+ name:
+ - gopass
+ state: present
diff --git a/roles/gopass/tasks/main.yml b/roles/gopass/tasks/main.yml
new file mode 100644
index 0000000..eec2ea8
--- /dev/null
+++ b/roles/gopass/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: install gopass
+ apk:
+ name: gopass
+ when: ansible_distribution == "Alpine"
+
+- name: install gopass
+ include_tasks: debian.yml
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+- name: install gopass
+ openbsd_pkg:
+ name: gopass
+ when: ansible_distribution == "OpenBSD"
diff --git a/roles/users/tasks/gopass.yml b/roles/users/tasks/gopass.yml
new file mode 100644
index 0000000..3676633
--- /dev/null
+++ b/roles/users/tasks/gopass.yml
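Review bot: The second deploy.yml hunk removes `tags: wg` from the play that runs the `wireguard` role, which looks unrelated to the gopass work in this commit. If the removal is intentional it deserves a line in the commit message, because runs limited with `--tags wg` would no longer select that play. The play's opening lines are outside the hunk, so this is inferred from the visible context only.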
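Review bot: `deb_arch_mapping` in group_vars/all/main.yml is not referenced by any task visible in this commit, so it lands as unused global state; it would be easier to review if it arrived together with its first consumer, or with a comment such as `# maps ansible_architecture to Debian architecture names`. A block mapping (one `armv6l: armhf` pair per line under the key) would also diff more cleanly than the multi-line flow mapping.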
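Review bot: In roles/gopass/tasks/debian.yml the keyring is written to `/etc/apt/trusted.gpg.d/`, which makes the gopass key a trust anchor for every configured apt source rather than only for packages.gopass.pw. Keeping the key outside that directory and binding it to the repository with `signed-by=` limits what it can vouch for; the download also sets no `checksum:` or `mode:`, so whatever the server returns over TLS is installed as a trusted key. Separately, `apt_repository` appends `.list` to `filename`, so `gopass.sources` would produce `gopass.sources.list`.

```yaml
- name: add gopass apt key
  get_url:
    # … unchanged: url …
    dest: /usr/share/keyrings/gopass-archive-keyring.gpg
    mode: '0644'
    checksum: 'sha256:<PLACEHOLDER-digest-of-verified-keyring>'

- name: add gopass repo
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/gopass-archive-keyring.gpg] https://packages.gopass.pw/repos/gopass stable main
    filename: gopass
    # … unchanged: update_cache, state …
```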
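Review bot: All three tasks in roles/gopass/tasks/main.yml are named `install gopass`, so play output and `--start-at-task` cannot tell them apart; names like `install gopass (apk)`, `install gopass (apt)` and `install gopass (openbsd_pkg)` would. A host whose `ansible_distribution` matches none of the three conditions skips every task and the role still reports success, so a closing `fail` or `assert` task for unsupported distributions would make that case visible.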
@@ -0,0 +1,29 @@
+---
+- name: create group 'gopass'
+ group:
+ name: gopass
+ gid: 503
+
+- name: create user 'gopass'
+ user:
+ name: gopass
+ uid: 503
+ group: gopass
+ home: /var/lib/gopass
+ password: "!"
+
+- name: make sure gopass owns its home
+ file:
+ state: directory
+ path: /var/lib/gopass
+ owner: gopass
+ group: gopass
+ mode: '2755'
+
+- name: commit gopass's home to lbu
+ lbu:
+ include:
+ - /var/lib/gopass
+ exclude:
+ - /var/lib/gopass/.ash_history
+ when: ansible_distribution == "Alpine" and use_lbu
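Review bot: `mode: '2755'` on /var/lib/gopass leaves the service account's home readable and traversable by every local user; if gopass keeps its store and keys under that home, as it normally would, the store layout and entry names are exposed even though the entries themselves are encrypted. `mode: '0750'` (or `'2750'` if group members genuinely need access) is the safer default. The lbu task then includes the whole directory, so the resulting apkovl would carry the store and any key material under it and should be encrypted or access-restricted; a comment above the task saying so would help. If this task file also runs on OpenBSD hosts, confirm that `password: "!"` is the locked value the `user` module expects there.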