diff --git a/apps/gitea/backups.yaml b/apps/gitea/backups.yaml
index d4bbf33..63d7741 100644
--- a/apps/gitea/backups.yaml
+++ b/apps/gitea/backups.yaml
@@ -7,17 +7,17 @@ spec:
 backend:
 # Manually adding secrets for now
 repoPasswordSecretRef:
- name: restic-repo
+ name: gitea-backup-restic
 key: password
 s3:
 endpoint: https://s3.eu-central-003.backblazeb2.com
 bucket: lumpiasty-backups
 accessKeyIDSecretRef:
- name: backblaze
- key: keyid
+ name: gitea-backup-backblaze
+ key: aws_access_key_id
 secretAccessKeySecretRef:
- name: backblaze
- key: secret
+ name: gitea-backup-backblaze
+ key: aws_secret_access_key
 backup:
 schedule: "@daily-random"
 failedJobsHistoryLimit: 2
diff --git a/apps/gitea/kustomization.yaml b/apps/gitea/kustomization.yaml
index 2eb512f..bad871b 100644
--- a/apps/gitea/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@@ -4,4 +4,5 @@ resources:
 - namespace.yaml
 - postgres-cluster.yaml
 - release.yaml
+ - secret.yaml
 - backups.yaml
diff --git a/apps/gitea/secret.yaml b/apps/gitea/secret.yaml
new file mode 100644
index 0000000..f331e49
--- /dev/null
+++ b/apps/gitea/secret.yaml
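Review bot: The context line `# Manually adding secrets for now` is stale once this hunk points the refs at `gitea-backup-restic` and `gitea-backup-backblaze`, which the same commit has VaultStaticSecret objects create; I would replace it with `# Secrets are synced from Vault by the VaultStaticSecret objects in secret.yaml`. The new `key` values `password`, `aws_access_key_id` and `aws_secret_access_key` are looked up in the synced Secrets, whose keys are, as far as I can tell, the field names of the KV entries since no template is applied, so a mismatch with what is stored in Vault surfaces only as a failing backup job — a one-line comment stating that these keys must match the KV fields would save the next reader a trip to Vault. The `spec` this hunk edits starts before the hunk and the `backup:` stanza continues after it.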
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: backup
+ namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: backup
+ namespace: gitea
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: backup
+ serviceAccount: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: gitea-backup-restic
+ namespace: gitea
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: restic
+
+ destination:
+ create: true
+ name: gitea-backup-restic
+ type: Opaque
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: gitea-backup-backblaze
+ namespace: gitea
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: backblaze
+
+ destination:
+ create: true
+ name: gitea-backup-backblaze
+ type: Opaque
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: backup
diff --git a/vault/kubernetes-roles/backup.yaml b/vault/kubernetes-roles/backup.yaml
new file mode 100644
index 0000000..e8ac17d
--- /dev/null
+++ b/vault/kubernetes-roles/backup.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - backup
+bound_service_account_namespaces:
+ - gitea
+token_policies:
+ - backup
diff --git a/vault/policy/backup.hcl b/vault/policy/backup.hcl
new file mode 100644
index 0000000..baff8e4
--- /dev/null
+++ b/vault/policy/backup.hcl
@@ -0,0 +1,7 @@
+path "secret/data/restic" {
+ capabilities = ["read"]
+}
+
+path "secret/data/backblaze" {
+ capabilities = ["read"]
+}
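Review bot: Neither VaultStaticSecret sets `refreshAfter`, so when the Backblaze key or the restic password is rotated in Vault the synced Secrets are, as far as I can tell from the operator's documentation, not re-read on a schedule; adding `refreshAfter: 1h` under each `spec` (plus a `rolloutRestartTargets` entry if a consumer has to be restarted) would make rotation propagate — confirm the default against the VSO version in use. The `ServiceAccount` named `backup` exists only so that `VaultAuth` can obtain a token for Vault's kubernetes auth; a comment such as `# Used only by VaultAuth to authenticate to Vault; not mounted into backup pods` above it would keep it from being confused with the service account the backup jobs run as. `excludeRaw: true` is the right choice here since it keeps the whole KV payload out of a `_raw` key in the Secret.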
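Review bot: The role sets no `token_ttl` or `token_max_ttl`, so the Vault token obtained for the `backup` service account lives as long as the kubernetes auth mount's defaults allow; an explicit `token_ttl: 1h` keeps a leaked token short-lived, assuming the tooling that consumes this file passes the field through unchanged (how it is consumed is outside the diff). The role is also not bound to an `audience`, so any token projected for this service account is accepted, which is fine for the operator's token-request flow but worth recording in a comment like `# Bound to gitea/backup only; add audience if this SA's token is ever projected into pods`. The name `backup` is generic while the binding is gitea-specific, so it will collide as soon as another namespace needs its own backup role.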
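Review bot: The policy grants `read` on `secret/data/restic` and `secret/data/backblaze`, two top-level paths that any future app storing a backup credential in the same KV mount would share; keeping the data under a per-app prefix (constructed example: `secret/data/gitea/restic`) would stop the gitea service account from reading other apps' credentials later. A header comment naming the consumer would help, e.g. `# Read-only access for the VaultStaticSecret objects in apps/gitea (kubernetes auth role "backup")`. Read on `secret/data/...` is, as far as I know, all the operator needs for kv-v2; no `list` or `metadata` capability is required, so the policy is otherwise minimal.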