diff --git a/.gitignore b/.gitignore
index 4fbdadb..b26a5c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,21 +6,13 @@ flatcar/flatcar_production_qemu_image.img
 flatcar/flatcar_production_qemu_image.img.fresh
-ignition.json
-
-
 terraform.tfstate
 terraform.tfstate.backup
-app
-
 config/apps.config
 config/production.tfvars
 config/ssh-keys
-restic-env
-restic-password
-
 # generated files
 all-apps/lb/Caddyfile
 all-apps/nextcloud/nextcloud.env
@@ -30,4 +22,8 @@ all-apps/nextcloud/postgres_db
 all-apps/nextcloud/postgres_user
 all-apps/nextcloud/postgres_password
 all-apps/nextcloud/redis_password
-generated.tfvars
\ No newline at end of file
+generated.tfvars
+restic-env
+restic-password
+ignition.json
+app
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 633ce33..b90c3bb 100644
--- a/Makefile
+++ b/Makefile
@@ -66,6 +66,10 @@ apply: ignition.json $(config_dir)$(TERRAFORM_ENV).tfvars generated.tfvars
 destroy: ignition.json $(config_dir)$(TERRAFORM_ENV).tfvars generated.tfvars
 bash -c "terraform destroy -var-file=<(cat $(config_dir)$(TERRAFORM_ENV).tfvars generated.tfvars)"
+.PHONY: restic-init
+restic-init: $(apps_config) restic-password
+ ./init-restic.sh $(apps_config)
+
 ## to help me remember the command to run to test the config locally
 testlocalhost:
 curl -k --resolve localhost:443:146.190.12.129 https://localhost
diff --git a/config/apps.config.tmpl b/config/apps.config.tmpl
index 96672fa..a074e9b 100644
--- a/config/apps.config.tmpl
+++ b/config/apps.config.tmpl
@@ -5,4 +5,8 @@ NEXTCLOUD_ADMIN_PASSWORD=
 NEXTCLOUD_POSTGRES_DB=nextcloud
 NEXTCLOUD_POSTGRES_USER=nextcloud
 NEXTCLOUD_POSTGRES_PASSWORD=
-NEXTCLOUD_REDIS_PASSWORD=
\ No newline at end of file
+NEXTCLOUD_REDIS_PASSWORD=
+BACKBLAZE_KEY_ID=
+BACKBLAZE_APPLICATION_KEY=
+BACKBLAZE_BUCKET_URL=
+RESTIC_PASSWORD=
\ No newline at end of file
diff --git a/init-restic.sh b/init-restic.sh
new file mode 100755
index 0000000..cfc2463
--- /dev/null
+++ b/init-restic.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+. $1 # source the apps.config file with then env vars
+
+mkdir -p emptydir
+docker run --rm --volume $PWD/emptydir:/nassella --volume $PWD/restic-password:/restic-password -e AWS_ACCESS_KEY_ID="$BACKBLAZE_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$BACKBLAZE_APPLICATION_KEY" -i restic/restic:0.18.0 init --repo s3:$BACKBLAZE_BUCKET_URL --password-file /restic-password
+rm -Rf emptydir
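Review bot: The `docker run` line passes the Backblaze key as `-e AWS_SECRET_ACCESS_KEY="$BACKBLAZE_APPLICATION_KEY"`, so the secret sits on the docker client's command line and is readable in the process list by other local users while the command runs; exporting the variables and passing `-e NAME` alone keeps the values out of argv. `. $1`, both `--volume` paths and the `--repo` value are unquoted, so they break on a checkout path containing spaces, and nothing checks that the sourced variables are non-empty before `init` runs against a bare `s3:`. If `restic-password` is missing when the script is run directly rather than through the `restic-init` Makefile target, Docker will create a directory at that host path for the bind mount, so test for the file first and mount it `:ro`. The rewritten lines are below.

```shell
. "$1" # source the apps.config file with then env vars

# fail early instead of initialising against an empty repo URL or credential
: "${BACKBLAZE_KEY_ID:?}" "${BACKBLAZE_APPLICATION_KEY:?}" "${BACKBLAZE_BUCKET_URL:?}"
[ -f "$PWD/restic-password" ] || { echo "restic-password not found" >&2; exit 1; }

# exported so docker copies the values from the environment (-e NAME) and they stay out of argv
export AWS_ACCESS_KEY_ID="$BACKBLAZE_KEY_ID"
export AWS_SECRET_ACCESS_KEY="$BACKBLAZE_APPLICATION_KEY"

# … unchanged: mkdir -p emptydir …
docker run --rm --volume "$PWD/emptydir:/nassella" --volume "$PWD/restic-password:/restic-password:ro" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -i restic/restic:0.18.0 init --repo "s3:$BACKBLAZE_BUCKET_URL" --password-file /restic-password
# … unchanged: rm -Rf emptydir …
```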