diff --git a/roles/burp-client/defaults/main.yml b/roles/burp-client/defaults/main.yml
new file mode 100644
index 0000000..b171f96
--- /dev/null
+++ b/roles/burp-client/defaults/main.yml
@@ -0,0 +1,6 @@
+burp_server: localhost
+burp_password: abcdefgh
+burp_cname: '{{ ansible_fqdn }}'
+burp_backup: []
+burp_client_conf: {}
+burp_server_cn: '{{ burp_server }}'
diff --git a/roles/burp-client/files/burp-backup.cron b/roles/burp-client/files/burp-backup.cron
new file mode 100644
index 0000000..fab9a80
--- /dev/null
+++ b/roles/burp-client/files/burp-backup.cron
@@ -0,0 +1 @@
+18,48 * * * * root /usr/sbin/burp -a t
diff --git a/roles/burp-client/files/burp-backup.fcron b/roles/burp-client/files/burp-backup.fcron
new file mode 100644
index 0000000..b87d559
--- /dev/null
+++ b/roles/burp-client/files/burp-backup.fcron
@@ -0,0 +1 @@
+@mail(no) 30 /usr/sbin/burp -a t
diff --git a/roles/burp-client/handlers/main.yml b/roles/burp-client/handlers/main.yml
new file mode 100644
index 0000000..1e26cd2
--- /dev/null
+++ b/roles/burp-client/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: reload system crontab
+ command: /usr/libexec/check_system_crontabs -v -i
diff --git a/roles/burp-client/tasks/main.yml b/roles/burp-client/tasks/main.yml
new file mode 100644
index 0000000..3dd366f
--- /dev/null
+++ b/roles/burp-client/tasks/main.yml
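Review bot: `burp_password: abcdefgh` in defaults/main.yml is a working default for the client/server shared secret; a host that has no `vault/burp/<fqdn>` file (the `with_fileglob` in tasks/main.yml simply matches nothing) is enrolled on the server and connects with this well-known value without any error. Drop the default and fail early in tasks/main.yml instead, e.g. `- name: ensure a per-host burp password is set`, `assert:`, `that: burp_password is defined`. `burp_server: localhost` has the same shape: combined with `delegate_to: '{{ burp_server }}'`, a play that forgets to set it writes the clientconf onto the control host rather than failing, so leaving it undefined is the safer default.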
@@ -0,0 +1,54 @@
+- name: load distribution-specific variables
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - '{{ ansible_os_family }}.yml'
+ - defaults.yml
+ tags:
+ - always
+- name: load burp secrets
+ include_vars: '{{ item }}'
+ with_fileglob: vault/burp/{{ ansible_fqdn }}
+ tags:
+ - always
+
+- name: ensure burp is installed
+ package:
+ name={{ burp_client_packages|join(',') }}
+ state=present
+ tags:
+ - install
+
+- name: ensure burp server is configured for client
+ template:
+ src=server-clientconf.j2
+ dest=/etc/burp/clientconfdir/{{ ansible_fqdn }}
+ mode=0400
+ delegate_to: '{{ burp_server }}'
+
+- name: ensure burp pre-backup script is installed
+ copy:
+ src=scripts/{{ inventory_hostname }}/{{ burp_backup_script_pre|basename }}
+ dest={{ burp_backup_script_pre }}
+ mode=0755
+ when: burp_backup_script_pre is defined
+- name: ensure burp post-backup script is installed
+ copy:
+ src=scripts/{{ inventory_hostname }}/{{ burp_backup_script_post|basename }}
+ dest={{ burp_backup_script_post }}
+ mode=0755
+ when: burp_backup_script_post is defined
+- name: ensure burp client is configured
+ template:
+ src=burp.conf.j2
+ dest=/etc/burp/burp.conf
+ mode=0600
+- name: ensure burp client certificate is available
+ command:
+ burp -c /etc/burp/burp.conf -g
+ creates=/etc/burp/ssl_cert-client.pem
+- name: ensure automatic backup is scheduled
+ copy:
+ src={{ burp_backup_crontab }}
+ dest=/etc/cron.d/burp-backup
+ mode=0644
diff --git a/roles/burp-client/templates/burp.conf.j2 b/roles/burp-client/templates/burp.conf.j2
new file mode 100644
index 0000000..0c472df
--- /dev/null
+++ b/roles/burp-client/templates/burp.conf.j2
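Review bot: The `ensure automatic backup is scheduled` task at the end of the hunk copies the schedule into /etc/cron.d but carries no `notify: reload system crontab`, so the handler added in handlers/main.yml is never triggered and on the fcron path (vars/defaults.yml selects burp-backup.fcron) the job is not registered until something else runs `check_system_crontabs`. Add `notify: reload system crontab` to that task and guard the handler with `when: burp_backup_crontab == 'burp-backup.fcron'`, since `/usr/libexec/check_system_crontabs` appears to be fcron's tool and is unlikely to exist on the RedHat.yml (plain cron) path. Separately, the secrets lookup and the delegated write to `/etc/burp/clientconfdir/{{ ansible_fqdn }}` key on `ansible_fqdn`, a fact reported by the managed host, while the script copies key on `inventory_hostname`; using `inventory_hostname` for all of them keeps the controller's inventory, not the host, in charge of which secret file is loaded and which server-side clientconf file is (over)written.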
@@ -0,0 +1,123 @@
+# This is an example config file for the burp client.
+
+mode = client
+port = 4971
+server = {{ burp_server }}
+password = {{ burp_password }}
+cname = {{ burp_cname }}
+pidfile = /var/run/burp.client.pid
+syslog = 1
+stdout = 0
+progress_counter = 0
+# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
+# ratelimit = 1.5
+# Network timeout defaults to 7200 seconds (2 hours).
+# network_timeout = 7200
+
+# Set server_can_restore to 0 if you do not want the server to be able to
+# initiate a restore.
+server_can_restore = 0
+
+# Set an encryption password if you do not trust the server with your data.
+# Note that this will mean that network deltas will not be possible. Each time
+# a file changes, the whole file will be transferred on the next backup.
+# encryption_password = My^$pAsswIrD%@
+
+# More configuration files can be read, using syntax like the following
+# (without the leading '# ').
+# . path/to/more/conf
+
+# Run as different user/group.
+# user=graham
+# group=nogroup
+
+#cross_filesystem=/home
+cross_all_filesystems=0
+
+# Uncomment the following lines to automatically generate a certificate signing
+# request and send it to the server.
+ca_burp_ca = /usr/sbin/burp_ca
+ca_csr_dir = /etc/burp/CA-client
+
+# SSL certificate authority - same file on both server and client
+ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
+
+# Client SSL certificate
+ssl_cert = /etc/burp/ssl_cert-client.pem
+
+# Client SSL key
+ssl_key = /etc/burp/ssl_cert-client.key
+
+# Client SSL ciphers
+#ssl_ciphers =
+
+# SSL key password
+#ssl_key_password = password
+
+# Common name in the certificate that the server gives us
+ssl_peer_cn = {{ burp_server_cn }}
+{% if burp_backup_script_pre is defined %}
+
+backup_script_pre = {{ burp_backup_script_pre }}
+{% if burp_backup_script_pre_args is defined %}
+{% for arg in burp_backup_script_pre_args %}
+backup_script_pre_arg = {{ arg }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if burp_backup_script_post is defined %}
+
+backup_script_post = {{ burp_backup_script_post }}
+{% if burp_backup_script_post_args is defined %}
+{% for arg in burp_backup_script_post_args %}
+backup_script_post_arg = {{ arg }}
+{% endfor %}
+{% endif %}
+backup_script_post_run_on_fail = {{ burp_backup_script_post_run_on_fail|d(0) }}
+{% endif %}
+
+# The following options specify exactly what to backup.
+# The server will override them if there is at least one 'include=' line on
+# the server side.
+#include = /home
+#exclude = /home/graham/testdir/librsync-0.9.7/testsuite
+#include = /home/graham/testdir/librsync-0.9.7/testsuite/deep
+#include = /home/graham/xdir
+#exclude = /home/graham/testdir/libr
+# Exclude file names ending in '.vdi' or '.vmdk' (case insensitive)
+#exclude_ext = vdi
+#exclude_ext = vmd
+# Exlude file path matching a regular expression
+# (note that 'include_regex' is not yet implemented)
+#exclude_regex = \.cache
+# Exclude various temporary file systems. You may want to add devfs, devpts,
+# proc, ramfs, etc.
+exclude_fs = sysfs
+exclude_fs = tmpfs
+# Exclude files based on size. Defaults are 0, which means no limit.
+#min_file_size = 0 Mb
+#max_file_size = 0 Mb
+# The content of directories containing a filesystem entry named like this
+# will not be backed up.
+nobackup = .nobackup
+# By default, burp backups up the fifos themselves, rather than reading from
+# them. These two options let you choose a particular fifo to read, or read
+# from all fifos.
+#read_fifo=/path/to/a/fifo
+#read_all_fifos=0
+# The same for block device nodes.
+#read_blockdev=/path/to/a/blockdev
+#read_all_blockdevs=0
+# Exclude files from compression by extension.
+exclude_comp=bz2
+exclude_comp=gz
+# When backing up, whether to enable O_NOATIME when opening files and
+# directories. The default is atime=0, which enables O_NOATIME.
+# atime=1
+
+exclude_regex=lost\+_found
+{% for item in burp_backup %}
+{% for key, value in item|dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
+{% endfor %}
diff --git a/roles/burp-client/templates/server-clientconf.j2 b/roles/burp-client/templates/server-clientconf.j2
new file mode 100644
index 0000000..8fb4d96
--- /dev/null
+++ b/roles/burp-client/templates/server-clientconf.j2
@@ -0,0 +1,3 @@
+{% for key, value in default_burp_client_conf|combine(burp_client_conf)|dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
diff --git a/roles/burp-client/vars/RedHat.yml b/roles/burp-client/vars/RedHat.yml
new file mode 100644
index 0000000..50ee691
--- /dev/null
+++ b/roles/burp-client/vars/RedHat.yml
@@ -0,0 +1,4 @@
+burp_client_packages:
+- burp
+- openssl
+burp_backup_crontab: burp-backup.cron
diff --git a/roles/burp-client/vars/defaults.yml b/roles/burp-client/vars/defaults.yml
new file mode 100644
index 0000000..71335ac
--- /dev/null
+++ b/roles/burp-client/vars/defaults.yml
@@ -0,0 +1,3 @@
+burp_client_packages:
+- burp
+burp_backup_crontab: burp-backup.fcron
diff --git a/roles/burp-client/vars/main.yml b/roles/burp-client/vars/main.yml
new file mode 100644
index 0000000..c3a972e
--- /dev/null
+++ b/roles/burp-client/vars/main.yml
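Review bot: `exclude_regex=lost\+_found` near the end of burp.conf.j2 escapes the `+` but then continues with `_found`, so it matches paths containing `lost+_found` rather than the conventional `lost+found` directory; if the latter was intended, the line should read `exclude_regex=lost\+found`. The rendered file also still opens with `# This is an example config file for the burp client.`, which is misleading for a template-managed file that carries the live shared secret; replace it with `# Managed by Ansible (roles/burp-client/templates/burp.conf.j2); local edits will be overwritten.`. Since `server_can_restore = 0` is the only client-side protection against the server and `encryption_password` stays commented out, a one-line comment above `password =` saying that the server holds this secret and can read all backed-up data would make the trust model explicit to the next maintainer.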
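Review bot: server-clientconf.j2 renders `default_burp_client_conf|combine(burp_client_conf)` as exactly one `key = value` line per key, so a directive that burp accepts repeatedly in a clientconfdir file (the client template itself shows repeated `include =`/`exclude =` lines) cannot be expressed through `burp_client_conf`, whereas the client-side `burp_backup` in burp.conf.j2 is a list of mappings precisely to allow repeats. Either give `burp_client_conf` the same list-of-mappings shape or document the limit next to its default, e.g. `# burp_client_conf: flat mapping, one value per directive; repeated directives are not supported here`. Note also that `combine` lets a `password` key in `burp_client_conf` override the default from vars/main.yml, so the server-side secret can silently diverge from the client's `burp_password`; a comment next to `burp_client_conf: {}` warning against setting `password` there would prevent that.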
@@ -0,0 +1,2 @@
+default_burp_client_conf:
+ password: '{{ burp_password }}'