diff --git a/apps/gitea/kustomization.yaml b/apps/gitea/kustomization.yaml
index b45d206..3f26ba0 100755
--- a/apps/gitea/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@@ -10,17 +10,18 @@ resources:
 - restic-sa.yaml
 - restic-role.yaml
 - restic-role-binding.yaml
-- restic-backup-cronjob.yaml
+- restic-cronjob.yaml
 configMapGenerator:
 - name: restic-backup-script
-  behavior: merge
+  namespace: gitea
   files:
-  - restic-backup.sh
+  - ./restic-backup.sh
 generators:
 - secret-generator.yaml
+# - configmap-generator.yaml
 helmCharts:
 - name: gitea
diff --git a/apps/gitea/restic-backup.sh b/apps/gitea/restic-backup.sh
index 1b77597..391ea20 100644
--- a/apps/gitea/restic-backup.sh
+++ b/apps/gitea/restic-backup.sh
@@ -1,7 +1,5 @@
 #!/bin/sh
-source .restic.env
-
 # Set up colors
 GREEN='\033[0;32m'
 NC='\033[0m'
@@ -10,11 +8,11 @@ echo -e "\n${GREEN}`date` - Starting backup...${NC}\n"
 # Gitea
 echo -e "\n${GREEN}`date` - Backing up Gitea...${NC}\n"
-gitea=$(kubectl get po -n gitea -l app=gitea -o name --no-headers=true)
-kubectl scale --replicas=0 $gitea -n gitea
+gitea=$(kubectl get deploy -n gitea -l app=gitea -o name --no-headers=true)
+kubectl scale -n gitea --replicas=0 $gitea
 restic backup /gitea
 restic backup /pg_backup/postgres_backup.dump
-kubectl scale --replicas=1 $gitea -n gitea
+kubectl scale -n gitea --replicas=1 $gitea
 # Forget and prune
 echo -e "\n${GREEN}`date` - Running forget and prune...${NC}\n"
diff --git a/apps/gitea/restic-backup-cronjob.yaml b/apps/gitea/restic-cronjob.yaml
similarity index 65%
rename from apps/gitea/restic-backup-cronjob.yaml
rename to apps/gitea/restic-cronjob.yaml
index 18892c7..b4fd49d 100644
--- a/apps/gitea/restic-backup-cronjob.yaml
+++ b/apps/gitea/restic-cronjob.yaml
@@ -1,4 +1,4 @@
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: restic-backup-cronjob
@@ -10,7 +10,7 @@ spec:
       template:
         spec:
-          serviceAccountName: restic-admin-sa
+          serviceAccountName: restic-sa
           volumes:
           - name: gitea-data
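Review bot: The commented-out `# - configmap-generator.yaml` entry under `generators:` leaves dead configuration in the kustomization with nothing saying why it is disabled; either drop the line or turn it into a reason, e.g. `# configmap-generator.yaml not used: the script ConfigMap comes from configMapGenerator above`. Note also that dropping `behavior: merge` means the generator now emits `restic-backup-script-<hash>`; the CronJob's `configMap.name: restic-backup-script` should be rewritten by kustomize's name-reference transformer for `batch/CronJob` volumes, but if anything outside kustomize refers to the ConfigMap by its plain name, `generatorOptions: disableNameSuffixHash: true` would be needed.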
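Review bot: The scale-up on the last changed line of the second hunk only runs if the script reaches it; there is no `set -e` and no `trap`, so a pod eviction, an `activeDeadlineSeconds` kill or an OOM during `restic backup` leaves the Gitea deployment at zero replicas until someone notices, and a failed `restic backup` is never detected before the forget/prune that follows outside the hunk. Register the restore before scaling down and fail fast: `set -eu` near the top of the script and `trap 'kubectl scale -n gitea --replicas=1 "$gitea"' EXIT` immediately after the `gitea=$(...)` line, after which the explicit scale-up line is redundant. `$gitea` should also be quoted and checked for emptiness, since an empty result from `kubectl get deploy -l app=gitea` makes the scale call fail and the backup then runs against a live data directory. The rest of the script (forget/prune) is outside the hunk.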
@@ -21,20 +21,23 @@ spec:
               claimName: data-gitea-postgresql-0
           - name: postgres-backup-vol
             emptyDir: {}
-          - name: backup-script
+          - name: backup-script-vol
             configMap:
               name: restic-backup-script
-          - name: repo-env
-            secret:
-              secretName: repo-env-secret
           initContainers:
           - name: postgres-dump-init
             image: bitnami/postgresql:15.3.0-debian-11-r24
             command: ["/bin/sh", "-c"]
-            args: ["pg_dump -U gitea gitea -Fc > /pg_backup/postgres_backup.dump"]
+            args: ["pg_dump -h gitea-postgresql -p 5432 -U gitea gitea -Fc > /pg_backup/postgres_backup.dump"]
+            env:
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-postgresql
+                  key: postgres-password
             volumeMounts:
-            - name: backup-vol
+            - name: postgres-backup-vol
               mountPath: /pg_backup
             - name: postgres-data
               mountPath: /bitnami/postgresql/data
@@ -43,17 +46,16 @@ spec:
           - name: restic-container
             image: git.namesny.com/cluster/restic:latest
             imagePullPolicy: Always
-            command: ["/bin/bash", "/app/restic-backup.sh"]
+            command: ["/bin/sh", "/app/restic-backup.sh"]
+            envFrom:
+            - secretRef:
+                name: restic-secret
             volumeMounts:
-            - name: backup-vol
+            - name: postgres-backup-vol
               mountPath: /pg_backup
             - name: gitea-data
               mountPath: /gitea
-            - name: backup-script
+            - name: backup-script-vol
               mountPath: /app
-              subpath: restic-backup.sh
-            - name: repo-env
-              mountPath: /app
-              subpath: repo.env
           restartPolicy: OnFailure
diff --git a/apps/gitea/restic-role.yaml b/apps/gitea/restic-role.yaml
index 615c195..83e2e4f 100644
--- a/apps/gitea/restic-role.yaml
+++ b/apps/gitea/restic-role.yaml
@@ -4,6 +4,6 @@ metadata:
   name: restic-role
   namespace: gitea
 rules:
-- apiGroups: [""]
-  resources: ["deployments", "pods"]
-  verbs: ["get", "list", "update", "patch"]
\ No newline at end of file
+- apiGroups: ["apps"]
+  resources: ["deployments", "deployments/scale"]
+  verbs: ["get", "list", "update", "patch"]
diff --git a/apps/gitea/restic-sa.yaml b/apps/gitea/restic-sa.yaml
index b935d5a..9b0c685 100644
--- a/apps/gitea/restic-sa.yaml
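Review bot: The new `PGPASSWORD` is read from key `postgres-password` of secret `gitea-postgresql` while `pg_dump` connects as `-U gitea`; if that secret is the one produced by the Bitnami PostgreSQL chart, `postgres-password` is the `postgres` superuser credential and the application role's password lives under the `password` key, so either the dump authenticates with a mismatched password or the superuser password is being handed to a backup job that only needs read access to the `gitea` database — confirm which key the `gitea` role actually uses and prefer `key: password`. With the dump now going over the network to `gitea-postgresql:5432`, the `postgres-data` mount at `/bitnami/postgresql/data` on the context lines below is no longer needed by this init container, and mounting a live PostgreSQL data directory into a second pod is risky; the mount and its volume can be dropped. The enclosing `spec` continues outside the hunk.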
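Review bot: The second hunk starts the container with `/bin/sh`, but the script it runs uses `echo -e` with escape sequences (visible in the restic-backup.sh hunk's context lines); whether that still works depends on the image's `/bin/sh` — BusyBox `echo` accepts `-e`, dash prints a literal `-e` — and `git.namesny.com/cluster/restic:latest` is not reviewable here. Replacing those calls with `printf '\n%b%s - Backing up Gitea...%b\n\n' "$GREEN" "$(date)" "$NC"` removes the dependency on echo flags. Since this container now receives the repository credentials through `envFrom`, pinning the image to a tag or digest instead of `:latest` with `imagePullPolicy: Always` would also make what runs with those credentials reproducible; that line is unchanged context, so this is only a suggestion.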
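Review bot: The single rule in the restic-role.yaml hunk grants `update` and `patch` on `deployments` themselves, which is more than `kubectl get deploy` plus `kubectl scale` require and lets the backup ServiceAccount rewrite the Gitea pod template (image, command, mounts) if its token leaks; scaling only needs write access to the `deployments/scale` subresource. Split the rule so the write verbs are confined to the subresource and the deployment itself stays read-only. The missing-newline fix in the same hunk is fine.
```yaml
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments/scale"]
  verbs: ["get", "update", "patch"]
```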
+++ b/apps/gitea/restic-sa.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: restic-sa
-  namespace: gitea
\ No newline at end of file
+  namespace: gitea
diff --git a/apps/gitea/restic-secret.enc.yaml b/apps/gitea/restic-secret.enc.yaml
new file mode 100644
index 0000000..2e9af40
--- /dev/null
+++ b/apps/gitea/restic-secret.enc.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: restic-secret
+  namespace: gitea
+stringData:
+  AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:IjDw3i+8BIvA816obn5BpQBTkzo=,iv:A/CrhyIm5kljCwvneQziux36O6+SWG5Z9mOlV+mRIXQ=,tag:XVh4X8Xf587nmbDCtgazAg==,type:str]
+  AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:WdfHxdXnPOLvIOecN+WFONAEDr2Sc/r6bKQ/H9KS1BT2C9cj,iv:GCY6MaSEhu9WEsVA23hWN30Ix7x6dz/umNRsQ0jsb8I=,tag:8Qa0dvU3bq+J2S6trBDFDw==,type:str]
+  RESTIC_REPOSITORY: ENC[AES256_GCM,data:FZCqro3fpgQ7NJc+4ORVC2yWdqMNCLd4AjCwdolXgu5uJXq0IQ==,iv:nWttNrSvFpcj1HMOFwZNfJqVUy0esR7fVXlvidp3MlY=,tag:T0HzAZ/w83IFrvap8Gx3gg==,type:str]
+  RESTIC_PASSWORD: ENC[AES256_GCM,data:PjSE4FejVPW8e8e/PDtoSCsuskI=,iv:MTUMYim3obMHaYBEoEJBMEj9GMbaqdbdVV09o3ep/fw=,tag:pQ6vakVWHUdk4F/PwqpgAw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTlocERzUmtUdnhsNHJk
+        SkNXZFpVdmM5Y1hnQlQzcUg1OUxNYkRiaEFZCi82MW9TbkI2VCtjMDVKYTlWTVBs
+        QVZMekVoT1JSQWRZV3F3SHgxOGR3a2sKLS0tIGJCd21aY05jS0xva2RmclBlQWdl
+        UVZSNm9pRUM3YmFFSWl3NGNUdnZOOGsKIuepNrrdgoNoOMZQ77cIrtwPTL8acahG
+        paE+K2EKa8pqXnAVkxORTkUYRlorKRLjiyalxrDZYsMAbCSrrtfx/A==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-01-30T17:21:08Z"
+  mac: ENC[AES256_GCM,data:mR4vi8WLLiuUY5i7NgIYHfAZcBsQ3u2Cg9TtXcFtwtDAuyy9Xzx07yeR1HC0D+YhiAu+mYAJPmk6jHZsCE2OX26sLTyvEULqDQc71sCgM8dsyl50hoZ2BsbY7o6g8D9Yks+2szuKmlxZ0nN5aHxcf+67+gotzjlBfcmLx+E1TfA=,iv:+9Kv7ZwGoMU0QBTvCgq232nHo+tjoeHTJBdOuOiqpPk=,tag:9VrOFmUFbdiPKSWnt+8z7w==,type:str]
+  pgp: []
+  unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+  version: 3.8.1
diff --git a/apps/gitea/secret-generator.yaml b/apps/gitea/secret-generator.yaml
index bf81b2e..96462e1 100644
--- a/apps/gitea/secret-generator.yaml
+++ b/apps/gitea/secret-generator.yaml
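Review bot: The file is encrypted to a single age recipient (the one entry under `sops.age`) and `unencrypted_regex` keeps only `apiVersion|metadata|kind|type` in the clear, so the values are not reviewable here and that is as it should be; the operational risk is that loss of that one age key makes the repository credentials and `RESTIC_PASSWORD` unrecoverable from this repository. Consider adding a second recipient (a backup key) in `.sops.yaml` and re-encrypting with `sops updatekeys`, and confirm that `RESTIC_PASSWORD` is also escrowed outside the cluster, since the restic repository cannot be read without it.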
@@ -10,3 +10,5 @@ files:
 - ./gitea-admin-secret.enc.yaml
 - ./renovate-bot-secret.enc.yaml
 - ./runner-secret.enc.yaml
+- ./restic-secret.enc.yaml
+