diff --git a/roles/baikal-web/meta/main.yml b/roles/baikal-web/meta/main.yml
new file mode 100644
index 0000000..1dbd0f6
--- /dev/null
+++ b/roles/baikal-web/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: caddy
diff --git a/roles/baikal-web/tasks/main.yml b/roles/baikal-web/tasks/main.yml
new file mode 100644
index 0000000..a6f84c3
--- /dev/null
+++ b/roles/baikal-web/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+ template:
+ src: 'baikal.Caddyfile.j2'
+ dest: '/etc/caddy/baikal.Caddyfile'
+ owner: root
+ group: root
+ mode: '0644'
+ notify: caddy-reload
diff --git a/roles/baikal-web/templates/baikal.Caddyfile.j2 b/roles/baikal-web/templates/baikal.Caddyfile.j2
new file mode 100644
index 0000000..0ed7d65
--- /dev/null
+++ b/roles/baikal-web/templates/baikal.Caddyfile.j2
@@ -0,0 +1,3 @@
+dav.roosens.me {
+ reverse_proxy {{ hostvars[groups['baikal'][0]].static_ip }}:8005
+}
diff --git a/roles/baikal/files/baikal.backup.sh b/roles/baikal/files/baikal.backup.sh
new file mode 100644
index 0000000..a8e5e71
--- /dev/null
+++ b/roles/baikal/files/baikal.backup.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/baikal'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/baikal/files/compose.yml b/roles/baikal/files/compose.yml
new file mode 100644
index 0000000..730c73e
--- /dev/null
+++ b/roles/baikal/files/compose.yml
@@ -0,0 +1,11 @@
+version: '3'
+
+services:
+ app:
+ image: 'ckulka/baikal:0.9.4-nginx'
+ restart: always
+ ports:
+ - '8005:80'
+ volumes:
+ - '/mnt/data1/baikal/config:/var/www/baikal/config'
+ - '/mnt/data1/baikal/Specific:/var/www/baikal/Specific'
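Review bot: The task in roles/baikal-web/tasks/main.yml uses the short module name `template:`, while every task in roles/baikal/tasks/main.yml in this same commit uses the `ansible.builtin.*` form; `ansible.builtin.template:` would keep the two roles consistent. The rendered fragment is also written without a `validate:` step, so a bad render is only noticed when the `caddy-reload` handler runs.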
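Review bot: The `reverse_proxy` upstream in baikal.Caddyfile.j2 is plain HTTP to another host (`static_ip` on port 8005), so TLS ends at Caddy and CalDAV/CardDAV requests, including their authentication headers, cross the link between the web host and the Baikal host unencrypted. Whether that link is a private or tunnelled network is not visible in this commit; if it is not, the hop should run over an encrypted transport, or port 8005 should be reachable only from the web host. The lookup `groups['baikal'][0]` also depends on an inventory group named `baikal` whose first host defines `static_ip`, while the play added to ruby.yml targets `hosts: ruby`; a comment such as `# upstream: first host of inventory group 'baikal'` above the directive would make that dependency visible.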
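Review bot: The exit status of `restic backup` is discarded in baikal.backup.sh: the script ends with `btrfs subvolume delete`, so a failed backup followed by a successful snapshot delete returns 0 and whatever runs the script records success. Capture the status and return it after cleanup, e.g. `/usr/local/bin/restic backup "$snapshot_dir"; rc=$?`, then `btrfs subvolume delete "$snapshot_dir"`, then `exit "$rc"`. A snapshot left behind by an interrupted run also makes the next `btrfs subvolume snapshot` fail, so the script would keep exiting early until the stale `${data_dir}.snapshot` is removed by hand.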
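Review bot: The port mapping `'8005:80'` in compose.yml publishes Baikal's unencrypted HTTP port on every interface of the host, so any client that can reach the host on 8005 talks to Baikal directly and skips the TLS that Caddy terminates for dav.roosens.me. Docker-published ports are usually not filtered by host firewall rules on the INPUT chain, so a host firewall may not close this. Binding to the address Caddy proxies to, in the form `'<static_ip placeholder>:8005:80'`, narrows the listener to that network, though it would mean shipping compose.yml as a template rather than a static file. The image is pinned by tag only (`ckulka/baikal:0.9.4-nginx`); appending the image's `@sha256:` digest would fix the exact content that gets pulled.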
diff --git a/roles/baikal/tasks/main.yml b/roles/baikal/tasks/main.yml
new file mode 100644
index 0000000..00ab0b8
--- /dev/null
+++ b/roles/baikal/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- name: Ensure data directory is present
+ ansible.builtin.file:
+ path: '/mnt/data1/baikal'
+ state: directory
+ mode: '0755'
+ owner: 'root'
+ group: 'root'
+
+- name: Ensure data subvolumes are present
+ community.general.btrfs_subvolume:
+ name: '/baikal/{{ item }}'
+ loop:
+ - 'Specific'
+ - 'config'
+
+- name: Ensure configuration directory is present
+ ansible.builtin.file:
+ path: '/etc/baikal'
+ state: directory
+ mode: '0755'
+
+- name: Ensure compose file is present
+ ansible.builtin.copy:
+ src: 'compose.yml'
+ dest: '/etc/baikal/compose.yml'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ register: res
+
+- name: Ensure stack is deployed
+ ansible.builtin.shell:
+ chdir: '/etc/baikal'
+ cmd: 'docker compose up -d --remove-orphans'
+ when: 'res.changed'
+
+- name: Ensure backup script is present
+ ansible.builtin.copy:
+ src: 'baikal.backup.sh'
+ dest: '/etc/backups/baikal.backup.sh'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
diff --git a/ruby.yml b/ruby.yml
index 16cf460..daca2f5 100644
--- a/ruby.yml
+++ b/ruby.yml
@@ -44,3 +44,10 @@
 roles:
 - miniflux
 tags: miniflux
+
+- name: Ensure Baikal is installed
+ hosts: ruby
+ become: yes
+ roles:
+ - baikal
+ tags: baikal
diff --git a/web.yml b/web.yml
index b80973d..5f0d2a0 100644
--- a/web.yml
+++ b/web.yml
@@ -28,3 +28,9 @@
 roles:
 - matrix-web
 tags: matrix
+
+- hosts: web
+ become: yes
+ roles:
+ - baikal-web
+ tags: baikal
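Review bot: The layout created by the first two tasks in roles/baikal/tasks/main.yml does not look like something baikal.backup.sh can snapshot: `/mnt/data1/baikal` is created with `ansible.builtin.file` as a plain directory, and the data lives in two nested subvolumes, `Specific` and `config`. `btrfs subvolume snapshot` takes a subvolume as its source and does not descend into nested subvolumes, so the backup would either fail at the snapshot step or store empty `Specific` and `config` directories. This assumes `/baikal` in the `btrfs_subvolume` task maps to `/mnt/data1/baikal`, which the diff does not show. Making `/baikal` itself the subvolume with the two data paths as ordinary directories, or snapshotting each data subvolume in the script, would give restic real content. The script is also installed with `mode: '0644'`, which only works if the backup runner invokes it through an interpreter rather than executing it directly.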