diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml
index 4afc031..29190e9 100644
--- a/group_vars/nas/vars.yml
+++ b/group_vars/nas/vars.yml
@@ -1,2 +1,6 @@
 raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
 lambroek_password: "{{ vault_lambroek_password }}"
+s3_access_key_id: "{{ vault_s3_access_key_id }}"
+s3_secret_access_key: "{{ vault_s3_secret_access_key }}"
+rclone_photos_obf_pass: "{{ vault_rclone_photos_obf_pass }}"
+rclone_photos_obf_pass2: "{{ vault_rclone_photos_obf_pass2 }}"
diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml
index 547b0e2..a06f383 100644
--- a/group_vars/nas/vault.yml
+++ b/group_vars/nas/vault.yml
@@ -1,7 +1,30 @@
 $ANSIBLE_VAULT;1.1;AES256
-63336531383736643438396339366463383265373633373666623566616538316666323136626537
-3462346135616462383838613531343537313165653962370a343965613330636566393363633733
-35313039626430346264373361306464343532316532353232666166656531346237613033383662
-3563663536616362620a626563666631336537373961636232386430366139396262666466626633
-30653138633830636130663139373462663266643332303234303564353162333031383331396562
-6136386164613435633835336462663834376130383362666561
+37323336656133626339366437393062613937366232613334643034363635623832333136313063
+3738353666646636323431663339623234306439323138650a373063376634333161666366303831
+34373963366334636238623134613863303464663133653262333064613863643362633531653061
+3934363435316636390a626531333463396137303132313363636163306464386138653538353633
+32663836316665376233346364383461323065383461623762323933316635336661363032333637
+30323831316239386365323266376439623761316330663063326539306339666362646138653537
+33663964353632613232653130653164303963386233626233313037653737663436373934303832
+66336466363465613839306662623631646531303865366536383030616139356539623730633033
+66353666396162316132663364373137646637353333623738393464366234643264303030393465
+38643734636336336563646361336165363133323738646531633835646262663637363964336134
+31346432643336613534396436353064373938386233353435386631373434633766363135653962
+35393230363735336436633033303465616362653734356235343261313464316138316539386238
+65346531613566643365336538663538353961333632623465636265613764373637333035623133
+62313564356534393338346631386365643736336138346532643638333737653835303862383863
+37336534646364643366376339656636613762323632613836323936326234663261386339333836
+36326334306136663638323738396337653663326539623936646437393537653538313439356636
+34366133353165346534366339306564323861386237333262633535646166343463663435396233
+35306533326234633133653336346161343735633364303662303637303534376337383539353165
+34313434323433363936623531393464303762616632666661323834303137383535303961333462
+64363635653039396464366663343661353665643534636464373333643438646536323330626366
+35636336626532663732393064626139306261306530653433633365326438396535333665616234
+33323566653634623364323663623833313063326438343766376436386430323834663031643135
+31326561353761396364343232386530356631636637643838376562346330303334626162646532
+35666132363939356263313834653836313033346439323765633364636236366234666333323663
+61323633666661316437643732383231303138666536313665373833383334383263613065666365
+32373536376461303762396535353733373630313966343431616337633334346565386263376666
+37633536363336373465383432656465373535393837623962303066366631643730326562626266
+38333337353062343562303534656166366136646232346364343134363436633436656165616538
+3236
diff --git a/nas.yml b/nas.yml
index d7c40d3..9cbb433 100644
--- a/nas.yml
+++ b/nas.yml
@@ -34,3 +34,10 @@
   roles:
     - caddy
   tags: caddy
+
+- name: Set up photo sync using Rclone
+  hosts: nas
+  become: yes
+  roles:
+    - rclone
+  tags: rclone
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml
new file mode 100644
index 0000000..1cbbbd4
--- /dev/null
+++ b/roles/rclone/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: Ensure Rclone is installed
+  ansible.builtin.apt:
+    name: rclone
+    state: present
+
+- name: Ensure Rclone configuration file is present
+  ansible.builtin.template:
+    src: 'rclone.conf.j2'
+    dest: /etc/rclone.conf
+    owner: root
+    group: root
+    mode: '0644'
diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2
new file mode 100644
index 0000000..679b602
--- /dev/null
+++ b/roles/rclone/templates/rclone.conf.j2
@@ -0,0 +1,20 @@
+# Copy the config entry below in your rclone configuration file.
+[ovh-s3]
+type = s3
+provider = Other
+env_auth = false
+access_key_id = {{ s3_access_key_id }}
+secret_access_key = {{ s3_secret_access_key }}
+acl = private
+region = gra
+location_constraint = gra
+# API endpoint
+# S3 standard endpoint
+endpoint = https://s3.gra.io.cloud.ovh.net/
+
+[photos-crypt]
+type = crypt
+remote = ovh-s3:pi-s3/photos
+password = {{ rclone_photos_obf_pass }}
+password2 = {{ rclone_photos_obf_pass2 }}
+