diff --git a/apps/gitea/kustomization.yaml b/apps/gitea/kustomization.yaml index 8026993..b45d206 100755 --- a/apps/gitea/kustomization.yaml +++ b/apps/gitea/kustomization.yaml @@ -7,6 +7,17 @@ resources: - gitea-ingress.yaml - runner-pvc.yaml - runner-deployment.yaml +- restic-sa.yaml +- restic-role.yaml +- restic-role-binding.yaml +- restic-backup-cronjob.yaml + + +configMapGenerator: +- name: restic-backup-script + behavior: merge + files: + - restic-backup.sh generators: - secret-generator.yaml diff --git a/apps/gitea/restic-backup-cj.yaml b/apps/gitea/restic-backup-cronjob.yaml similarity index 50% rename from apps/gitea/restic-backup-cj.yaml rename to apps/gitea/restic-backup-cronjob.yaml index fe75a89..18892c7 100644 --- a/apps/gitea/restic-backup-cj.yaml +++ b/apps/gitea/restic-backup-cronjob.yaml 
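Review bot: `behavior: merge` in the new `configMapGenerator` entry of apps/gitea/kustomization.yaml needs an existing `restic-backup-script` ConfigMap from a resource or base to merge into, and nothing in this commit provides one. If this generator is the first definition, `kustomize build` is expected to reject it; drop the line so the default `create` applies. The resources list starts outside the hunk, so an earlier definition cannot be ruled out from here.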
@@ -9,45 +9,51 @@ spec: spec: template: spec: + + serviceAccountName: restic-admin-sa + volumes: - name: gitea-data - emptyDir: {} - - name: backup-vol - emptyDir: {} + persistentVolumeClaim: + claimName: gitea-shared-storage - name: postgres-data persistentVolumeClaim: claimName: data-gitea-postgresql-0 + - name: postgres-backup-vol + emptyDir: {} + - name: backup-script + configMap: + name: restic-backup-script + - name: repo-env + secret: + secretName: repo-env-secret initContainers: - name: postgres-dump-init image: bitnami/postgresql:15.3.0-debian-11-r24 command: ["/bin/sh", "-c"] - args: ["pg_dump -U gitea gitea -Fc > /backup-vol/postgres_backup.dump"] - env: - - name: PGPASSWORD - value: "" + args: ["pg_dump -U gitea gitea -Fc > /pg_backup/postgres_backup.dump"] volumeMounts: - name: backup-vol - mountPath: /backup-vol + mountPath: /pg_backup - name: postgres-data mountPath: /bitnami/postgresql/data - - name: gitea-dump-init - image: gitea-image:tag - command: ["/bin/sh", "-c"] - args: ["cp /path/to/backup.zip /backup-vol/backup.zip"] - volumeMounts: - - name: gitea-data - mountPath: /path/to/backup - - name: backup-vol - mountPath: /backup-vol - containers: - name: restic-container - image: git.namesny.com/cluster/restic:0.16.2-r0 - command: ["/bin/bash", "/path/to/backup.sh"] + image: git.namesny.com/cluster/restic:latest + imagePullPolicy: Always + command: ["/bin/bash", "/app/restic-backup.sh"] volumeMounts: - name: backup-vol - mountPath: /backup-vol + mountPath: /pg_backup + - name: gitea-data + mountPath: /gitea + - name: backup-script + mountPath: /app + subpath: restic-backup.sh + - name: repo-env + mountPath: /app + subpath: repo.env restartPolicy: OnFailure diff --git a/apps/gitea/restic-backup.sh b/apps/gitea/restic-backup.sh new file mode 100644 index 0000000..1b77597 --- /dev/null +++ b/apps/gitea/restic-backup.sh 
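Review bot: `serviceAccountName: restic-admin-sa` in restic-backup-cronjob.yaml names an account this commit never creates; restic-sa.yaml and the RoleBinding subject both use `restic-sa`, so the job either fails to start or runs with whatever an existing `restic-admin-sa` is allowed to do. The restic container also moves from the pinned `0.16.2-r0` tag to `:latest` with `imagePullPolicy: Always`, so any push to that tag runs with the repository secret and the service-account token; keep a fixed tag or pin by digest. The volumeMounts still reference `backup-vol`, which is now declared as `postgres-backup-vol`, `subpath` should be spelled `subPath`, and two mounts share `/app`; the mounts need the shape below. The CronJob header and schedule are outside the hunk.

```yaml
# … unchanged: volumes; postgres-dump-init needs the same backup-vol rename …
containers:
  - name: restic-container
    # … unchanged: name and command; image pinned as noted above …
    volumeMounts:
      - name: postgres-backup-vol
        mountPath: /pg_backup
      - name: gitea-data
        mountPath: /gitea
      - name: backup-script
        mountPath: /app/restic-backup.sh
        subPath: restic-backup.sh
      - name: repo-env
        mountPath: /app/repo.env
        subPath: repo.env
```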
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+source .restic.env
+
+# Set up colors
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+echo -e "\n${GREEN}`date` - Starting backup...${NC}\n"
+
+# Gitea
+echo -e "\n${GREEN}`date` - Backing up Gitea...${NC}\n"
+gitea=$(kubectl get po -n gitea -l app=gitea -o name --no-headers=true)
+kubectl scale --replicas=0 $gitea -n gitea
+restic backup /gitea
+restic backup /pg_backup/postgres_backup.dump
+kubectl scale --replicas=1 $gitea -n gitea
+
+# Forget and prune
+echo -e "\n${GREEN}`date` - Running forget and prune...${NC}\n"
+restic forget --prune --keep-daily 7 --keep-weekly 2
+echo -e "\n${GREEN}`date` - Backup finished.${NC}\n"
diff --git a/apps/gitea/restic-role-binding.yaml b/apps/gitea/restic-role-binding.yaml
new file mode 100644
index 0000000..f1a0a5d
--- /dev/null
+++ b/apps/gitea/restic-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: restic-role-binding
+ namespace: gitea
+subjects:
+- kind: ServiceAccount
+ name: restic-sa
+ namespace: gitea
+roleRef:
+ kind: Role
+ name: restic-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/apps/gitea/restic-role.yaml b/apps/gitea/restic-role.yaml
new file mode 100644
index 0000000..615c195
--- /dev/null
+++ b/apps/gitea/restic-role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: restic-role
+ namespace: gitea
+rules:
+- apiGroups: [""]
+ resources: ["deployments", "pods"]
+ verbs: ["get", "list", "update", "patch"]
\ No newline at end of file
diff --git a/apps/gitea/restic-sa.yaml b/apps/gitea/restic-sa.yaml
new file mode 100644
index 0000000..b935d5a
--- /dev/null
+++ b/apps/gitea/restic-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: restic-sa
+ namespace: gitea
\ No newline at end of file
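Review bot: restic-backup.sh has no error handling, so a failed `restic backup` still reaches `restic forget --prune` and the script exits with the status of the final `echo`, which lets the CronJob report success for a run that backed up nothing. The scale-down targets the output of `kubectl get po`, and a Pod cannot be scaled; nothing brings Gitea back if the script stops between the two `kubectl scale` calls. The script also sources `.restic.env` from the working directory while the CronJob mounts the secret as `repo.env` under `/app`, and `source` and `echo -e` are not POSIX under the `#!/bin/sh` shebang. The fence shows the middle section with `set -eu`, a Deployment lookup and a trap that restores the replica count.

```sh
set -eu
# … unchanged: colour setup and start banner …
# assumes the Deployment carries the same app=gitea label as its pods
gitea=$(kubectl get deploy -n gitea -l app=gitea -o name)
# put Gitea back even when a backup step fails
trap 'kubectl scale --replicas=1 "$gitea" -n gitea' EXIT
kubectl scale --replicas=0 "$gitea" -n gitea
restic backup /gitea
restic backup /pg_backup/postgres_backup.dump
kubectl scale --replicas=1 "$gitea" -n gitea
trap - EXIT
# … unchanged: forget and prune, finish banner …
```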
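Review bot: The rule in restic-role.yaml lists `deployments` under `apiGroups: [""]`, but Deployments belong to the `apps` group, so this Role grants nothing on them and the `kubectl scale` call in restic-backup.sh would be denied. What it does grant, `update` and `patch` on every Pod in the namespace, is wider than the script needs. Scaling goes through the `deployments/scale` subresource, so the rules can be narrowed as below; the verb kubectl uses on the subresource depends on its version, hence both `update` and `patch`.

```yaml
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments/scale"]
    verbs: ["get", "update", "patch"]
```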