diff --git a/inventory/group_vars/emma/vault.yml b/inventory/group_vars/emma/vault.yml
index 07fc5df..cfa4428 100644
--- a/inventory/group_vars/emma/vault.yml
+++ b/inventory/group_vars/emma/vault.yml
@@ -1,49 +1,52 @@
 $ANSIBLE_VAULT;1.1;AES256
-65626333343266643235663938663438356638613431393864666264636364363431316436636234
-3065623230376661396633643138633766633563393461380a636664373666646435643235653232
-30313935623961366634656134643834636239623836633864643961376237653531336238363135
-3662316535303637640a363863353263633661343635346238616335353232303261326163323233
-32373237303864353037643966656563323331326161623334636238666237383735643532626566
-64363931363932383263666434393139396137613934663134616430396537616566333835333865
-66653239363539363432363735353930393239333063623339623330666432323635356363376337
-39643938653737343633663665343132613236326666336434613966343134613035343562356133
-64613630613037663638633439306433633261373731306564363133633832326632623733313434
-64376538313634333564343263636436323230663935363964396636666532333331313535323962
-34623764666362643031643339356163366132336239366639333939633965383736383839646261
-30343331626434366662613139306335336231643066356465363763383237636466636162393266
-31613432643835306230386536323438366537313137626361326338363539303031326439303065
-66343634653034643964636333383131333530636330346462653336633435356430663234376539
-33633963616630396134366632613139366134313430363764303738636263623362373332336266
-35616461306635343364636634396664316635383164323933396233613539353436373264616137
-38373335333631303133363730626365643765366462373337386132343361303230626661613431
-32363334636563613333646633323261316534386138616133663539393864353863353431396563
-37386166326133653734666266383932633638333930623835333164303366633432303563386661
-63313032643733643738383731623838623939316330613465653165666166356366646537313431
-35613662363331323530323563613438616362353838616463623963616231653730613264383439
-30386164356537326639313636303636386631613363323863653566363730366664633935376236
-36646539653865383633643733383038313032356433623434343666386231633537646638376436
-61636464353565336131396231643433353063303934326533306565623533303466633631363737
-61636464393931636461343038323434346464363438373039346338666536323363366533636535
-31346336393162653232323766323962373039373236353862383266313238386634343333343461
-64393633656361313635343764373564623039396634626332323664326464626631646562623930
-31396566353366393362623432376635366165353064653830333736373630353563323836346430
-33326132366365616265626137383235353838653634393366313233343033626334383339663535
-39333531353734653235323730633363613938303765633637373765663737633536313237626565
-65336335633233626137643339386362313534393336656637326335643137333330656330386362
-30656265356232343638393761303765396363656437316339396637306264623830373761363962
-37663865303833366165623934343963666633616366376435393239373862646562383462393964
-62373636633436643636346666663339313338646534383135316462346366373462346637313662
-64363433666137643734393338326132393865343135663435323566666530363561343766646435
-63653735623564323661333734643236646534663133633331616565353039626364366337333834
-64366161636662616639613464396563623231386230636561666134383139323431383933613937
-62613838383332343438313939333434646632353435643832376363353539333530306530323165
-39303533393762353138623537363461333138383066383838376663636339626632643534303961
-63646163333533623536663565623833303238623235633239613763653930363065666435376437
-31383030313831643965386531396664363035306439626266353030363738376232366138306436
-30336663313335313233313235653133313866353666336463376264393965636633636436643235
-36653363363533343037353632646439366130396638343362626434376637313533383166356231
-61646161303430396264376433363161313032366265666133333566616463636431643035393763
-63653437353839393665643138663562633864633662343935313634386466366535326361633737
-38363963386334376538626365363362663833376139363163636332313231666565393532646533
-64386230313436316138643834373462643330336366323863336463356265376461346261356464
-35643230353939333830
+33383364343639356334353035346237343135633831643837633539663433313431616130623862
+3638363236326362373564663134383266353634343861370a363239653062656634663139616338
+32653965643465316364633161343264323763363066303833656661303464623866643437303664
+3465663461663361370a353835653064343433356463333231643831643139303562656435653436
+64303735613233386137363765393935396666343362616638306263643732623763613462303535
+30633364656562666534316233306462373139316631613931396430313631623131313365383033
+33356637653038636261326264653866313432363233646636653762386366323838353164313438
+33316664363038346466653566636633303461633433633461353533643633323661353536623937
+33623461623562343831333166306337393538373032353133303935666161613839303766343332
+64353632666265363134386563343237353361333435363539626663363531663835363033353438
+38363332663063393832353866303562643435646637663339653031643563396165613939323164
+33356631666330643861373534343432313636663764636265663939663965376532356230653763
+33306530386234643434613130393838616138306461386539343333643739343165633234316263
+36303566613365653662363434643963656366663730643831346637336461623165343834373938
+32646539346135326536363939353232396239643630326564396463336537613639393961663064
+63376663303364616162393031346662303731336334626634396535323933373864373861326331
+63343235663338363731343936313963636234326639633631323438656363626637363131653932
+34643239646263383130336632343166396636646433363061366639333439343961306134633765
+33643064356331646334316537346566626531653537336530653037333665303439663936356166
+31316130336363386637656330313437316339626365386266356137616435613334306233306236
+33383534663730396530353035626136633762316565336133366663616337323465646338323936
+34656466316462633037626133303237363638323961363134303434646636613063353832356632
+38353866396331383832666565303438323965396565356631353761653839356332363132643438
+31356139633165663033626465623531396234396634393764616536346136323036663133303630
+34653835363436356236303362333635623031663563323634343732646631383133666235623366
+38656334373365363837343933313935663533303263346134316463393530303830663536323739
+61303632613836353965663461623064636562653035323330653034623732303961343665666264
+63373935373361363731626237353066663038346564613066323631376462373630303931306463
+65363866646439393730383562376637386262646665646564386332356539343264333464303735
+39393932653566363463616436313335656534303433656132643333633434313966313739333061
+39643730326536666530333735373766373566663731346531653439346434623133613336383363
+62626165653335643934653463653765636661323562313363333866393361366466343833653536
+66376532306331373861393234356234363834326266353532663736353462333038353531346538
+61626633303838303962336134376230626635616237303438636235393338623563373038376362
+37333061313231643036303833373333336265313233326230373139626364663234313534623537
+64623661366338323638656135613333353361353634643533393030393532363032313961393632
+62356561353064663234396335383737613963386566613064393136313364303338346133353565
+39633737663164636665626534346265633831613835343862316230653530346533346133326435
+38323462666564666435633331353436373434313834613266656638343161623339656464306232
+32616464623537366264363839383034346333323034663665326434343738306562303537363932
+36346333373333316334336131386436633562656136353134656563663137316665656639646463
+39353564366539636531303066623138613931323130306130363433323162313237346238323464
+39633235313335353734323738356231613636643661343165616136343633333065643765633466
+37363161653933646536343131656561313966306436336334313962376630373039373938303535
+65343735613164656639383331623265656466656534663163383937303763626639373233646461
+63393665653132316364363562316136383633343365623630613536653536326138376334396562
+63613432356531386230393363383861323663353832373265303765616435303436356361393365
+65386132333938333939353561303362346235343231383035313761366330363532623337386463
+35623937303533613364383831343764653631333936313361386234323634383664356262313137
+33643130343961396335623033346434373735303663376331346534613338386130633436346462
+303936363639633134386435653639656334
diff --git a/inventory/group_vars/nas/vars.yml b/inventory/group_vars/nas/vars.yml
index ac66459..dbca481 100644
--- a/inventory/group_vars/nas/vars.yml
+++ b/inventory/group_vars/nas/vars.yml
@@ -10,8 +10,6 @@ rclone_obf_pass2: "{{ vault_rclone_obf_pass2 }}"
 lander_commit_sha: 'e438bd045ca2ee64e3d9ab98f416027b5417c3f6'
 lander_api_key: "{{ vault_lander_api_key }}"
 
-restic_rest_version: '0.12.1'
-
 ntfy_user_pi_pass: "{{ vault_ntfy_user_pi_pass }}"
 
 nefarious_admin_user: "{{ vault_nefarious_admin_user }}"
diff --git a/roles/any.software.restic-rest/handlers/main.yml b/roles/any.software.restic-rest/handlers/main.yml
new file mode 100644
index 0000000..ed845f1
--- /dev/null
+++ b/roles/any.software.restic-rest/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: 'restart restic-rest-server'
+  ansible.builtin.service:
+    name: 'restic-rest-server'
+    state: 'restarted'
+
+    daemon_reload: true
diff --git a/roles/any.software.restic-rest/tasks/main.yml b/roles/any.software.restic-rest/tasks/main.yml
new file mode 100644
index 0000000..111dff6
--- /dev/null
+++ b/roles/any.software.restic-rest/tasks/main.yml
@@ -0,0 +1,58 @@
+- name: Ensure download directory is present
+  ansible.builtin.file:
+    path: "/opt/restic-rest-{{ restic_rest_version }}"
+    state: directory
+    mode: '0755'
+
+- name: Ensure binary is downloaded
+  ansible.builtin.unarchive:
+    src: "https://github.com/restic/rest-server/releases/download/v{{ restic_rest_version }}/rest-server_{{ restic_rest_version }}_linux_amd64.tar.gz"
+    remote_src: true
+    dest: "opt/restic-rest-{{ restic_rest_version }}"
+    creates: "opt/restic-rest-{{ restic_rest_version }}/rest-server_{{ restic_rest_version }}_linux_amd64/rest-server"
+    include:
+      - "rest-server_{{ restic_rest_version }}_linux_amd64/rest-server"
+  register: res
+
+- name: Ensure binary is copied to correct location
+  ansible.builtin.copy:
+    src: "/opt/restic-rest-{{ restic_rest_version }}/rest-server_{{ restic_rest_version }}_linux_amd64/rest-server"
+    remote_src: true
+    dest: '/usr/local/bin/restic-rest-server'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: 'res.changed'
+  notify: 'restart restic-rest-server'
+
+- name: Ensure system group exists
+  ansible.builtin.group:
+    name: 'restic'
+    gid: 202
+    system: true
+    state: present
+
+- name: Ensure system user exists
+  ansible.builtin.user:
+    name: 'restic'
+    group: 'restic'
+    uid: 202
+    system: true
+    create_home: false
+
+- name: Ensure data subvolume permissions are correct
+  ansible.builtin.file:
+    path: '{{ restic_rest_data_dir }}'
+    state: directory
+    mode: '0755'
+    owner: 'restic'
+    group: 'restic'
+
+- name: Ensure service file is present
+  ansible.builtin.template:
+    src: 'restic-rest-server.service.j2'
+    dest: '/lib/systemd/system/restic-rest-server.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: 'restart restic-rest-server'
diff --git a/roles/any.software.restic-rest/templates/restic-rest-server.service.j2 b/roles/any.software.restic-rest/templates/restic-rest-server.service.j2
new file mode 100644
index 0000000..11f88ee
--- /dev/null
+++ b/roles/any.software.restic-rest/templates/restic-rest-server.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restic REST server
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=exec
+User=restic
+Group=restic
+ExecStart=/usr/local/bin/restic-rest-server --path {{ restic_rest_data_dir }} --no-auth --prometheus
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/any.tools.restic/tasks/main.yml b/roles/any.tools.restic/tasks/main.yml
index f2c90d5..c66b949 100644
--- a/roles/any.tools.restic/tasks/main.yml
+++ b/roles/any.tools.restic/tasks/main.yml
@@ -7,13 +7,14 @@
 
 - name: Ensure compressed binary is downloaded
   ansible.builtin.get_url:
-    url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_arm64.bz2"
+    url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_amd64.bz2"
     dest: "/opt/restic/{{ restic_version }}/restic-{{ restic_version }}.bz2"
   register: res
 
 - name: Ensure binary is decompressed
   ansible.builtin.shell:
     cmd: "bunzip2 -k /opt/restic/{{ restic_version }}/restic-{{ restic_version }}.bz2"
+    creates: "/opt/restic/{{ restic_version }}/restic-{{ restic_version }}"
   when: 'res.changed'
 
 - name: Ensure binary is copied to correct location
diff --git a/roles/restic/tasks/main.yml b/roles/restic/tasks/main.yml
index 4c0ae1d..2e3b2fa 100644
--- a/roles/restic/tasks/main.yml
+++ b/roles/restic/tasks/main.yml
@@ -1,24 +1,24 @@
 ---
 - name: Ensure download directory is present
   ansible.builtin.file:
-    path: "/home/debian/restic-{{ restic_version }}"
+    path: "/opt/restic-{{ restic_version }}"
     state: directory
     mode: '0755'
 
 - name: Ensure compressed binary is downloaded
   ansible.builtin.get_url:
     url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_arm64.bz2"
-    dest: "/home/debian/restic-{{ restic_version }}/restic-{{ restic_version }}.bz2"
+    dest: "/opt/restic-{{ restic_version }}/restic-{{ restic_version }}.bz2"
   register: res
 
 - name: Ensure binary is decompressed
   ansible.builtin.shell:
-    cmd: "bunzip2 -k /home/debian/restic-{{ restic_version }}/restic-{{ restic_version }}.bz2"
+    cmd: "bunzip2 -k /opt/restic-{{ restic_version }}/restic-{{ restic_version }}.bz2"
   when: 'res.changed'
 
 - name: Ensure binary is copied to correct location
   ansible.builtin.copy:
-    src: "/home/debian/restic-{{ restic_version }}/restic-{{ restic_version }}"
+    src: "/opt/restic-{{ restic_version }}/restic-{{ restic_version }}"
     remote_src: true
     dest: '/usr/local/bin/restic'
     owner: 'root'