diff --git a/roles/restic/defaults/main.yaml b/roles/restic/defaults/main.yaml
index ed1c798..c068136 100644
--- a/roles/restic/defaults/main.yaml
+++ b/roles/restic/defaults/main.yaml
@@ -1,12 +1,34 @@
 ---
-restic_service_name: restic.service
-restic_service_state: started
-restic_service_enabled: yes
+restic_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+
+restic_go_arch: "{{ restic_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+restic_version_regex: ^restic ([\d.]+)
+
+restic_checksum_algo: sha256
+restic_github_rel_path: restic/restic
+restic_github_project_url: "https://github.com/{{ restic_github_rel_path }}"
+restic_release_file: "restic_{{ restic_version }}_{{ ansible_system | lower }}_{{ restic_go_arch }}.bz2"
+restic_release_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_release_file }}"
+restic_checksum_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_checksum_algo | upper }}SUMS"
+restic_download_path: "/tmp/{{ restic_release_file }}"
+restic_unarchive_dest_path: /tmp
+restic_extracted_path: "{{ restic_download_path | replace('.bz2', '') }}"
+restic_binaries:
+ - restic
+
+# restic_arch: amd64
+# restic_version: 0.15.2
+# restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
+# restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
+# restic_bin_path: /usr/local/bin
+# restic_etc_path: /etc/restic
+# restic_path: "{{ restic_bin_path }}/restic"
+# restic_self_update: true
 
-restic_arch: amd64
-restic_version: 0.14.0
-restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
-restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
 restic_bin_path: /usr/local/bin
 restic_etc_path: /etc/restic
 restic_path: "{{ restic_bin_path }}/restic"
diff --git a/roles/restic/files/hooks/gitea.sh b/roles/restic/files/hooks/gitea.sh
index cd6ae6c..ff5ec5b 100644
--- a/roles/restic/files/hooks/gitea.sh
+++ b/roles/restic/files/hooks/gitea.sh
@@ -9,7 +9,7 @@ GITEA_CONFIG=${GITEA_CONFIG:-/etc/gitea/app.ini}
 GITEA_WORK_PATH=${GITEA_WORK_PATH:-/var/lib/gitea}
 GITEA_CUSTOM_PATH=${GITEA_CUSTOM_PATH:-$GITEA_WORK_PATH/custom}
 GITEA_BACKUP_PATH=${GITEA_BACKUP_PATH:-$GITEA_WORK_PATH/backup}
-GITEA_KEEP_DAYS=${GITEA_KEEP_DAYS:-2}
+GITEA_KEEP_HOURS=${GITEA_KEEP_HOURS:-12}
 
 prereq() {
     if ! systemctl list-units --full --all | grep -Fq "gitea.service"; then
@@ -41,7 +41,7 @@ main() {
         find "$GITEA_BACKUP_PATH" \
             -type f \
             -name '*.zip' \
-            -mtime "+$GITEA_KEEP_DAYS" \
+            -mmin +$((GITEA_KEEP_HOURS * 60)) \
             -delete
     fi
 }
diff --git a/roles/restic/files/restic-job.sh b/roles/restic/files/restic-job.sh
index 8393311..c59f1a1 100755
--- a/roles/restic/files/restic-job.sh
+++ b/roles/restic/files/restic-job.sh
@@ -73,6 +73,10 @@ fi
 
 START="$(date +%s)"
 
+if [[ -n "$($RESTIC_PATH list locks -q)" ]]; then
+    error_exit "repo is locked"
+fi
+
 if [ -f "$LOCK" ]; then
     pid=$(cat "$LOCK")
     if ! kill -0 "$pid" 2> /dev/null; then
diff --git a/roles/restic/tasks/install.yaml b/roles/restic/tasks/install.yaml
new file mode 100644
index 0000000..b74ed0b
--- /dev/null
+++ b/roles/restic/tasks/install.yaml
@@ -0,0 +1,25 @@
+---
+- block:
+  - name: download
+    get_url:
+      url: "{{ restic_release_url }}"
+      dest: "{{ restic_download_path }}"
+      checksum: "{{ restic_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract
+    command:
+      cmd: "bunzip2 -f -k {{ restic_download_path }}"
+
+  - name: install binaries
+    copy:
+      src: "{{ restic_extracted_path }}"
+      dest: "{{ restic_path }}"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+  when: restic_version != restic_local_version
diff --git a/roles/restic/tasks/main.yaml b/roles/restic/tasks/main.yaml
index e060a3c..4598d01 100644
--- a/roles/restic/tasks/main.yaml
+++ b/roles/restic/tasks/main.yaml
@@ -23,35 +23,10 @@
       paths:
         - tasks
 
-- name: "download restic {{ restic_version }}"
-  get_url:
-    url: "{{ restic_url }}"
-    checksum: "{{ restic_checksum }}"
-    dest: "{{ restic_path }}.bz2"
-    owner: root
-    group: root
-    mode: 0400
-  register: dl
+- ansible.builtin.include_tasks: pre.yaml
 
-- name: determine if restic exists
-  stat:
-    path: "{{ restic_path }}"
-  register: st
+- ansible.builtin.include_tasks: install.yaml
 
-- name: decompress restic
-  command:
-    cmd: "bunzip2 -k {{ restic_path }}.bz2"
-    creates: "{{ restic_path }}"
-  when: dl.changed or not st.stat.exists
-  #notify:
-  #  - restart restic
-
-- name: manage restic attributes
-  file:
-    path: "{{ restic_path }}"
-    owner: root
-    group: root
-    mode:  0755
 
 - name: create etc tree
   file:
diff --git a/roles/restic/tasks/pre.yaml b/roles/restic/tasks/pre.yaml
new file mode 100644
index 0000000..1234900
--- /dev/null
+++ b/roles/restic/tasks/pre.yaml
@@ -0,0 +1,59 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ restic_bin_path }}/restic"
+  register: st
+
+- name: set restic_installed
+  set_fact:
+    restic_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: "https://api.github.com/repos/{{ restic_github_rel_path }}/releases/latest"
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set restic_version
+    set_fact:
+      restic_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ restic_bin_path }}/restic version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set restic_local_version
+    set_fact:
+      restic_local_version: "{{ _installed_version_string.stdout | regex_search(restic_version_regex, '\\1') | first }}"
+  rescue:
+  - name: set restic_local_version
+    set_fact:
+      restic_local_version: "{{ _installed_version_string.stderr | regex_search(restic_version_regex, '\\1') | first }}"
+  when: restic_installed
+
+- name: set restic_local_version to 0
+  set_fact:
+    restic_local_version: "0"
+  when: not restic_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', restic_checksum_url, wantlist=True) }}"
+
+  - name: debug
+    debug:
+      msg: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+
+  - name: set restic_checksum
+    set_fact:
+      restic_checksum: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "restic_release_file in item"