diff --git a/deployments/backups/pelican-pg-backup-cronjob.yaml b/deployments/backups/pelican-pg-backup-cronjob.yaml
new file mode 100644
index 0000000..47332de
--- /dev/null
+++ b/deployments/backups/pelican-pg-backup-cronjob.yaml
@@ -0,0 +1,59 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: pelican-pg-backup
+ namespace: backups
+spec:
+ schedule: "0 2 * * *"
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: pg-dump
+ image: postgres:16-alpine
+ env:
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: pelican-pg-backup-credentials
+ key: password
+ - name: PGHOST
+ value: postgres.pelican.svc.cluster.local
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: pelican-pg-backup-credentials
+ key: username
+ - name: PGDATABASE
+ value: panel
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -e
+ BACKUP_DIR=/backups/pelican
+ mkdir -p "$BACKUP_DIR"
+ FILENAME="$BACKUP_DIR/pelican-$(date +%Y%m%d-%H%M%S).sql.gz"
+ pg_dump -h "$PGHOST" -U "$PGUSER" -d "$PGDATABASE" | gzip > "$FILENAME"
+ echo "Backup written: $FILENAME"
+ find "$BACKUP_DIR" -name '*.sql.gz' -mtime +7 -delete
+ echo "Retention cleanup done (keeping 7 days)"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumeMounts:
+ - name: backup-storage
+ mountPath: /backups
+ volumes:
+ - name: backup-storage
+ persistentVolumeClaim:
+ claimName: backup-storage
diff --git a/deployments/backups/pelican-pg-externalsecret.yaml b/deployments/backups/pelican-pg-externalsecret.yaml
new file mode 100644
index 0000000..895c608
--- /dev/null
+++ b/deployments/backups/pelican-pg-externalsecret.yaml
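Review bot: A failed `pg_dump` goes unnoticed in the script's `pg_dump … | gzip > "$FILENAME"` line, because `set -e` only sees the exit status of `gzip`; the job then logs "Backup written", leaves an empty or truncated archive, and still runs the `find … -mtime +7 -delete` cleanup. After a week of silent failures the retention step would have removed every good dump. Let pg_dump write the file itself and publish it only on success, for example `pg_dump -h "$PGHOST" -U "$PGUSER" -d "$PGDATABASE" -Z 6 -f "$FILENAME.partial"` followed by `mv "$FILENAME.partial" "$FILENAME"`; `set -o pipefail` is an alternative if the image's `/bin/sh` supports it. Separately, the pod spec has no `securityContext` and the dumps are created with the default umask on the `backup-storage` claim, which looks shared with other backup jobs; an unprivileged `runAsUser`, `allowPrivilegeEscalation: false`, dropped capabilities and `umask 077` at the top of the script would narrow who can read the database contents.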
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: pelican-pg-backup-credentials
+ namespace: backups
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: pelican-pg-backup-credentials
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: Talos Cluster/pelican/panel/db
+ property: DB_USER
+ - secretKey: password
+ remoteRef:
+ key: Talos Cluster/pelican/panel/db
+ property: DB_PASSWORD
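Review bot: Both `remoteRef` entries read `DB_USER` / `DB_PASSWORD` from `Talos Cluster/pelican/panel/db`, which by its path looks like the panel application's own database login, so this copies a credential that is presumably read-write into the `backups` namespace. pg_dump only needs read access; a dedicated PostgreSQL role (for instance one granted `pg_read_all_data` on PostgreSQL 14 or later) stored under its own Vault entry would limit what a compromised backup pod or a leak of this Secret exposes. The change would be to both `key:` lines, e.g. `key: <vault path of a dedicated backup role>`. A short comment above `data:` would also help the next reader: `# read-only role used by the pelican-pg-backup CronJob`.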