diff --git a/clusters/cl01tl/platform/gitea/templates/external-secret.yaml b/clusters/cl01tl/platform/gitea/templates/external-secret.yaml
index 0997d490f..f7e49dd6b 100644
--- a/clusters/cl01tl/platform/gitea/templates/external-secret.yaml
+++ b/clusters/cl01tl/platform/gitea/templates/external-secret.yaml
@@ -86,51 +86,62 @@ spec: metadataPolicy: None property: token -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: gitea-backup-s3 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: gitea-backup-s3 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: backup -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: AWS_ACCESS_KEY_ID -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/gitea-backup -# metadataPolicy: None -# property: AWS_ACCESS_KEY_ID -# - secretKey: AWS_DEFAULT_REGION -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/gitea-backup -# metadataPolicy: None -# property: AWS_DEFAULT_REGION -# - secretKey: AWS_ENDPOINT_URL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/gitea-backup -# metadataPolicy: None -# property: AWS_ENDPOINT_URL -# - secretKey: AWS_SECRET_ACCESS_KEY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/gitea-backup -# metadataPolicy: None -# property: AWS_SECRET_ACCESS_KEY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitea-backup-s3 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: gitea-backup-s3 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: backup + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /digital-ocean/home-infra/gitea-backup + metadataPolicy: 
None + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /digital-ocean/home-infra/gitea-backup + metadataPolicy: None + property: AWS_SECRET_ACCESS_KEY + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitea-s3cmd-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: gitea-s3cmd-s3 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: backup + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: .s3cfg + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/gitea/backup + metadataPolicy: None + property: s3cfg --- apiVersion: external-secrets.io/v1beta1 diff --git a/clusters/cl01tl/platform/gitea/values.yaml b/clusters/cl01tl/platform/gitea/values.yaml index dd40f148a..f47f8f3d2 100644 --- a/clusters/cl01tl/platform/gitea/values.yaml +++ b/clusters/cl01tl/platform/gitea/values.yaml @@ -118,7 +118,7 @@ backup: failedJobsHistory: 3 backoffLimit: 3 parallelism: 1 - containers: + initContainers: backup: image: repository: bitnami/kubectl 
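Review bot: The label on the new `gitea-s3cmd-config` ExternalSecret does not match its name — `app.kubernetes.io/name: gitea-s3cmd-s3` while `metadata.name` is `gitea-s3cmd-config`; `app.kubernetes.io/name: gitea-s3cmd-config` keeps it consistent with the other resources in this template, which label with the resource name. The re-enabled `gitea-backup-s3` secret now carries only the key id and secret key — the `AWS_DEFAULT_REGION` and `AWS_ENDPOINT_URL` entries of the commented-out version were dropped — presumably because region and endpoint now come from the mounted `.s3cfg`; a short comment on the `gitea-backup-s3` resource saying so would save the next reader the guess, and if the `s3cfg` property also embeds the access keys, the same credentials are then provisioned twice (env vars and config file), which is worth stating explicitly so one of them can be retired. The trailing `---` / `apiVersion` context lines belong to a resource that continues outside the hunk.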
@@ -135,18 +135,18 @@ backup: requests: cpu: 100m memory: 128Mi + containers: s3: image: - repository: amazon/aws-cli - tag: 2.24.0 + repository: d3fk/s3cmd + tag: latest@sha256:ae12ef40440ee069dac63d98a3590da0e02acc56ea4f60e9e4c5353d585a9140 pullPolicy: IfNotPresent command: - /bin/sh args: - -ec - | - until [ -f /opt/backup/gitea-backup.zip ]; do sleep 5; done; - aws s3 cp /opt/backup/gitea-backup.zip s3://cl01tl-gitea-backups/gitea-backup-$(date +"%Y%m%d-%H-%M").zip; + s3cmd put --no-check-md5 --no-check-certificate /opt/backup/gitea-backup.zip s3://gitea-backups-8ba8dae3674a2f53354c600e/cl01tl/cl01tl-gitea-backups/gitea-backup-$(date +"%Y%m%d-%H-%M").zip; mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip; envFrom: - secretRef: @@ -165,6 +165,17 @@ backup: s3: - path: /opt/backup readOnly: false + s3cmd-config: + enabled: true + type: secret + name: gitea-s3cmd-config + advancedMounts: + backup: + s3: + - path: /root/.s3cfg + readOnly: true + mountPropagation: None + subPath: .s3cfg postgres-17-cluster: mode: recovery cluster: @@ -177,6 +188,7 @@ postgres-17-cluster: recovery: endpointURL: https://nyc3.digitaloceanspaces.com destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster + endpointCredentials: gitea-postgresql-17-cluster-backup-secret recoveryIndex: 1 backup: enabled: false
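Review bot: `--no-check-certificate` on the new `s3cmd put` line disables TLS certificate verification for the upload of the Gitea backup archive, so the transfer can be read or substituted by anyone on the path to the object store; drop the flag and, if the endpoint's chain is not trusted by the image, point s3cmd at the CA bundle instead (`--ca-certs=<path-to-ca-bundle>`, or `ca_certs_file` in the mounted `.s3cfg`). `--no-check-md5` as far as I recall only governs `sync` comparisons and does nothing for a plain `put`, so the pair reads like a one-off connectivity workaround; if either flag must stay it deserves a comment naming the reason. Separately, the object key and the local rename each call `date` independently, so a minute rollover during the upload leaves the S3 object and the archived file with different stamps; compute it once: `STAMP=$(date +"%Y%m%d-%H-%M");` then `s3cmd put /opt/backup/gitea-backup.zip s3://gitea-backups-8ba8dae3674a2f53354c600e/cl01tl/cl01tl-gitea-backups/gitea-backup-${STAMP}.zip;` and `mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-${STAMP}.zip;`. The `envFrom` secretRef that follows is outside the hunk.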
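Review bot: The `.s3cfg` mounted at `/root/.s3cfg` via `subPath` presumably holds the object-store credentials for the `s3` container (inferred from the `gitea-s3cmd-config` ExternalSecret), and a subPath secret mount is a snapshot — Kubernetes does not refresh it when the Secret changes, so a rotated credential only takes effect on the next Job pod; fine for a CronJob, but worth a comment on the `s3cmd-config:` entry such as `# mounted via subPath: rotated credentials are picked up by the next run only`. `readOnly: true` is right; if the chart supports a `defaultMode` for secret volumes, `0400` would additionally keep the credentials file from being readable by other users in the container. The `s3:` persistence entry above this block is unchanged context.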
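Review bot: `endpointCredentials: gitea-postgresql-17-cluster-backup-secret` references a Secret that nothing in this diff creates; if it is not already provisioned in the namespace (for example by an ExternalSecret alongside the ones in templates/external-secret.yaml), the recovery bootstrap of the postgres cluster fails on the missing credentials, so confirm it exists and note the expected keys in a comment on the line. This line is also unrelated to the backup-job rework the rest of the commit makes; a separate commit would keep the history easier to bisect. The `recovery` block continues outside the hunk.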