diff --git a/apps/authentik/backblaze-secret.yaml b/apps/authentik/backblaze-secret.yaml
new file mode 100644
index 0000000..c80918c
--- /dev/null
+++ b/apps/authentik/backblaze-secret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: backblaze-secret
+  namespace: authentik
+spec:
+  encryptedData:
+    ACCESS_KEY_ID: AgCruRRqYpPLNTkAUH+X/pO1/Zjae1kxe0nF00/HhEvYbTpkrhH9TDwvEhcTMMMWqnj+ujH3xnLl+IlqJRKryqegNgpXpoizGVRKCfjUQwlIdXZK83wIuMLHxynOO7VsOwnEjxEZKX2UvDna0RcaIiI3FD5kKI8/0o4Fwjr0LXKsPG9fhM5H+TjqHwE9tGoG722PPwWCnUiBXJ2p7kQjfmLj+kuwIZ+5nOSYiX8gy+EEt1kyYX11OrNtTGSZVowATp7Ti36UF5zaQXkwaiAZZ7nbyiughitcOraaDzr0+8MrA4kVDK2aV+XIsVx2XeKq1E+Cyj42Vkyumt76F2VYwHMlR8XcY+Uvj+t3wAYPapaKgwWf2xE7tBEB6l4NMTZl6+5czE5Djw091cCk6kR/OFtHG8X35UolEinZBjgMALbyD6wpAg9tzvtjvOEqU5M79CqaiAIfnZWmPSRqU/EN0SgeiYJ4XcEYZ7ZTd4DAes/w+42aDkUXvli0jmKwJF401oxsqSHHTKg61Hd5BhbDFeIlV64EVIC/cIF5Srn3z5Gveu5IUJjOGHUhedQiv/zT8t4Tp7vVVyZvvh+eYsxMkIDWStVneA3xJm0/XnVKPBE/QkqVXVcnv6oikjX4lLl7d0KBIlkIG87vJFFX8PEv/gXgx4Y4R1as4a/gAW9q6gHeMXtAR/Cg59VV+jrcx5E4mzJTLXZjVCVQocFswd4OjRVF26Yvw/Rwjwdb
+    ACCESS_SECRET_KEY: AgCUA+XC9CLv81ur5o+7ONsJf/YUM8I4bhBa6Lzd3Lg9e7q4jXcb6amtyxoSUdWFk8kL+v9P+PKazfxxB8lYiufuk00WAhMspicDncb2tQrhHT8vRNhlMnvkV0eBVYidgQo98OvGCEwR09qrja/KC162ArxrWyfUtPme5Oxit/QpDrMm/PX80fGP2bgGq9gV2jp4N3ktwb/QpwvslDw41IPPfQMzTgUyf+m3dLRnQHs/2xvt9uiok8unCJZoaBwdDYVY7EKvQ+HdEzLJEqZo4Gr9VFepyDdXJ3ZbykaBwqVv3beYs/zIjXnSnNX5hmSITFz0OUlB2UPs9yr7ugJCIckQ9hH2ZBLUAe3Q+AUIveKgOKRjD45JsldIsn8Qx0M6SrbyIlrx4ds2cY1iD2knKVpGcPna7rrLB9oPYr44tJxXv243bKKGlCg4g4kqmUq6r8v3HbVN0A+KlCFNa6FHvBn3X4j4AylHhzWdOgdwRiyGUivqFpLBNx2P71VdizrmhDeA0seobHvmKoPRJPob7QASo6H8nEjc+z2hfqsBhQxHSo5JdXxbuJHbzZEjGeMn/d9iBkvNk8Rg00MfU3b4Dd3TIr97eC3A57ZCx8PiVbIlFhAvGiHB70swRiypGWLmuNmYj29QHFe+YjaiyrbIHeFNi5svL+YBvN15aMsAMx+Vu87Wb3b6vJyPWiX4BIyiJwuJbVv2ADOzQY2dVpfBgLVlWGdr4apThVDxZ4+b2tYJ
+  template:
+    metadata:
+      creationTimestamp: null
+      name: backblaze-secret
+      namespace: authentik
diff --git a/apps/authentik/cluster.yaml b/apps/authentik/cluster.yaml
index 831531a..dab6410 100644
--- a/apps/authentik/cluster.yaml
+++ b/apps/authentik/cluster.yaml
@@ -18,7 +18,36 @@ spec:
       owner: authentik
       secret:
         name: authentik-postgres-credentials
+    recovery:
+      source: clusterBackup
 
   storage:
     size: 8Gi
     storageClass: longhorn-pg
+
+  externalClusters:
+    - name: clusterBackup
+      barmanObjectStore:
+        destinationPath: "s3://mthomson-cnpg-backup@us-west-004/authentik"
+        endpointURL: s3.us-west-004.backblazeb2.com
+        s3Credentials:
+          accessKeyId:
+            name: backblaze-secret
+            key: ACCESS_KEY_ID
+          secretAccessKey:
+            name: backblaze-secret
+            key: ACCESS_SECRET_KEY
+        wal:
+          maxParallel: 8
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://mthomson-cnpg-backup@us-west-004/authentik"
+      endpointURL: s3.us-west-004.backblazeb2.com
+      s3Credentials:
+        accessKeyId:
+          name: backblaze-secret
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: backblaze-secret
+          key: ACCESS_SECRET_KEY
diff --git a/apps/authentik/scheduled-backup.yaml b/apps/authentik/scheduled-backup.yaml
new file mode 100644
index 0000000..ad5e603
--- /dev/null
+++ b/apps/authentik/scheduled-backup.yaml
@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: scheduled-backup
+  namespace: authentik
+spec:
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  immediate: true
+  cluster:
+    name: authentik-postgres