diff --git a/deploy.yml b/deploy.yml index 248cd81..819161e 100644 --- a/deploy.yml +++ b/deploy.yml @@ -75,6 +75,7 @@ users: - rilla - ansible + - btrbk - builder - gopass - woodpecker @@ -110,6 +111,14 @@ roles: - wifi +- name: btrbk + hosts: + - narwhal + - suricata + become: true + roles: + - btrbk + - name: caladan-specific things hosts: caladan become: true diff --git a/roles/btrbk/tasks/alpine.yml b/roles/btrbk/tasks/alpine.yml new file mode 100644 index 0000000..c4b4b7c --- /dev/null +++ b/roles/btrbk/tasks/alpine.yml @@ -0,0 +1,7 @@ +--- +- name: install packages + apk: + name: + - btrbk + - coreutils # needed by btrbk + - btrfs-progs diff --git a/roles/btrbk/tasks/debian.yml b/roles/btrbk/tasks/debian.yml new file mode 100644 index 0000000..3d8ae55 --- /dev/null +++ b/roles/btrbk/tasks/debian.yml @@ -0,0 +1,6 @@ +--- +- name: install packages + apt: + name: + - btrbk + - btrfs-progs diff --git a/roles/btrbk/tasks/main.yml b/roles/btrbk/tasks/main.yml new file mode 100644 index 0000000..6efa87f --- /dev/null +++ b/roles/btrbk/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: alpine setup + include_tasks: alpine.yml + when: ansible_distribution == "Alpine" + +- name: debian/ubuntu setup + include_tasks: debian.yml + when: ansible_distribution in ["Debian", "Ubuntu"] + +- name: copy btrbk config + copy: + src: "host_files/btrbk/{{ ansible_hostname }}/btrbk.conf" + dest: /etc/btrbk/btrbk.conf diff --git a/roles/cryptoraid/tasks/alpine.yml b/roles/cryptoraid/tasks/alpine.yml index 3f13480..c534065 100644 --- a/roles/cryptoraid/tasks/alpine.yml +++ b/roles/cryptoraid/tasks/alpine.yml @@ -2,8 +2,6 @@ - name: install packages apk: name: - - btrbk - - coreutils # needed by btrbk - btrfs-progs - cryptsetup - gnupg diff --git a/roles/users/tasks/btrbk.yml b/roles/users/tasks/btrbk.yml new file mode 100644 index 0000000..6e12566 --- /dev/null +++ b/roles/users/tasks/btrbk.yml 
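Review bot: The "copy btrbk config" task in roles/btrbk/tasks/main.yml sets no `owner`, `group` or `mode`, so the permissions on /etc/btrbk/btrbk.conf depend on the umask and on any file already present on the host. This config decides which subvolumes are snapshotted and where they are sent, so it should be pinned so that only root can modify it: add `owner: root`, `group: root` and `mode: '0644'` to the task. Use `'0640'` with a suitable group if the per-host files name SSH identities or targets that should not be world-readable. ansible-lint reports this pattern as `risky-file-permissions`. Note also that a host whose distribution is neither Alpine nor Debian/Ubuntu skips both include tasks and still reaches the copy, which presumably fails if /etc/btrbk does not exist.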
@@ -0,0 +1,32 @@
+---
+- name: create group 'btrbk'
+ group:
+ name: btrbk
+ gid: 505
+
+- name: create user 'btrbk'
+ user:
+ name: btrbk
+ uid: 505
+ group: btrbk
+ home: /var/lib/btrbk
+ password: "*" # disabled password but can be accessed with SSH
+ groups:
+ - wheel
+ append: true
+
+- name: make sure btrbk owns its home
+ file:
+ state: directory
+ path: /var/lib/btrbk
+ owner: brtrbk
+ group: brtrbk
+ mode: '2755'
+
+- name: commit btrbk's home to lbu
+ lbu:
+ include:
+ - /var/lib/btrbk
+ exclude:
+ - /var/lib/btrbk/.ash_history
+ when: ansible_distribution == "Alpine" and alpine_mode in ["diskless", "data"]
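Review bot: The "make sure btrbk owns its home" task sets `owner: brtrbk` and `group: brtrbk`, but the account and group created just above are named `btrbk`, so the task will fail on a nonexistent user; both values should be `btrbk`. Separately, the user task puts this SSH-reachable backup account into `wheel` (`groups: - wheel` with `append: true`), which is conventionally the administrative group. If doas/sudo on these hosts trusts wheel, a stolen backup key becomes full admin access. I would drop the `groups`/`append` lines and instead allow only the btrfs commands btrbk needs, through a narrowly scoped sudo/doas rule and a restricted `authorized_keys` entry; btrbk ships `ssh_filter_btrbk.sh` for that purpose. The home directory mode `'2755'` is also setgid and world-readable although it will presumably hold `.ssh`, so `mode: '0750'` or tighter would be the safer default.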