diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index fb3368a..1f4fded 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -20,6 +20,7 @@ resources:
   - oneoffs/ariadne-migrate-job.yaml
   - ariadne-service.yaml
   - soteria-deployment.yaml
+  - soteria-restic-init-job.yaml
   - disable-k3s-traefik-daemonset.yaml
   - oneoffs/k3s-traefik-cleanup-job.yaml
   - node-nofile-daemonset.yaml
diff --git a/services/maintenance/soteria-restic-init-job.yaml b/services/maintenance/soteria-restic-init-job.yaml
new file mode 100644
index 0000000..1fec7f5
--- /dev/null
+++ b/services/maintenance/soteria-restic-init-job.yaml
@@ -0,0 +1,75 @@
+# services/maintenance/soteria-restic-init-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: soteria-restic-init
+  namespace: maintenance
+  labels:
+    app: soteria
+    app.kubernetes.io/name: soteria
+    app.kubernetes.io/component: restic-init
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        app: soteria
+        app.kubernetes.io/name: soteria
+        app.kubernetes.io/component: restic-init
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: restic
+          image: restic/restic:0.16.4
+          imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-c"]
+          args:
+            - >
+              set -euo pipefail;
+              if restic snapshots >/dev/null 2>&1; then
+                echo "restic repo already initialized";
+              else
+                restic init;
+              fi
+          env:
+            - name: RESTIC_REPOSITORY
+              valueFrom:
+                configMapKeyRef:
+                  name: soteria
+                  key: SOTERIA_RESTIC_REPOSITORY
+            - name: RESTIC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: soteria-restic
+                  key: RESTIC_PASSWORD
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: soteria-restic
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: soteria-restic
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: RESTIC_S3_ENDPOINT
+              valueFrom:
+                configMapKeyRef:
+                  name: soteria
+                  key: SOTERIA_S3_ENDPOINT
+            - name: AWS_ENDPOINT
+              valueFrom:
+                configMapKeyRef:
+                  name: soteria
+                  key: SOTERIA_S3_ENDPOINT
+            - name: AWS_REGION
+              valueFrom:
+                configMapKeyRef:
+                  name: soteria
+                  key: SOTERIA_S3_REGION
+            - name: AWS_DEFAULT_REGION
+              valueFrom:
+                configMapKeyRef:
+                  name: soteria
+                  key: SOTERIA_S3_REGION