diff --git a/.gitea/workflows/app-continous-deploy.yaml b/.gitea/workflows/app-continous-deploy.yaml
index 933388c..959ffbc 100644
--- a/.gitea/workflows/app-continous-deploy.yaml
+++ b/.gitea/workflows/app-continous-deploy.yaml
@@ -32,3 +32,58 @@ jobs:
 kube_ca_base64: ${{ secrets.HOSTING_KUBE_CA_BASE64 }}
 kube_token: ${{ secrets.HOSTING_KUBE_TOKEN }}
+ - name: Deploy
+ env:
+ # cron jobs env
+ CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY }}
+ CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD }}
+ CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT }}
+ CRONJOBS_BACKUPS_SECRETS_BORG_REPO: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_REPO }}
+ CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE }}
+ CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER }}
+ CRONJOBS_BACKUPS_SECRETS_ID_RSA: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_ID_RSA }}
+ CRONJOBS_BACKUPS_SECRETS_BORG_KEY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_KEY }}
+
+ # helm chart values
+ APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD: ${{ secrets.APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD }}
+ APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD }}
+ APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD }}
+ APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE }}
+ APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME }}
+ APP_HELM_VALUE_GITEA_ADMIN_USERNAME: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_USERNAME }}
+ APP_HELM_VALUE_GITEA_ADMIN_PASSWORD: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_PASSWORD }}
+ APP_HELM_VALUE_GITEA_ADMIN_EMAIL: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_EMAIL }}
+ APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET }}
+ APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET }}
+ APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY }}
+ APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES }}
+ APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN }}
+ APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO }}
+ APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET }}
+
+ run: |
+ #!/bin/bash
+ set -euo pipefail
+
+ # ensure cleanup always runs
+ trap 'rm -f \
+ /deploy/app/cronjobs/backups/.env.d/secrets \
+ /deploy/app/cronjobs/backups/.env.d/id_rsa \
+ /deploy/app/cronjobs/backups/.env.d/borg_key' EXIT
+
+ # setup env for cronjobs backups
+ mkdir -p /deploy/app/cronjobs/backups/.env.d
+ echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> /deploy/app/cronjobs/backups/.env.d/secrets
+ echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> /deploy/app/cronjobs/backups/.env.d/secrets
+ echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> /deploy/app/cronjobs/backups/.env.d/secrets
+ echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> /deploy/app/cronjobs/backups/.env.d/secrets
+ echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> /deploy/app/cronjobs/backups/.env.d/secrets
+ echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> /deploy/app/cronjobs/backups/.env.d/secrets
+
+ # enforce security
+ chmod 600 /deploy/app/cronjobs/backups/.env.d/secrets
+ chmod 600 /deploy/app/cronjobs/backups/.env.d/id_rsa
+ chmod 600 /deploy/app/cronjobs/backups/.env.d/borg_key
+
+ # invoke deploy script
+ deploy/apply-app.sh
diff --git a/deploy/apply-app.sh b/deploy/apply-app.sh
index 923f7e8..f332a8e 100755
--- a/deploy/apply-app.sh
+++ b/deploy/apply-app.sh
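Review bot: The two `chmod 600` lines for `/deploy/app/cronjobs/backups/.env.d/id_rsa` and `.../borg_key` near the end of the `run` block reference files that nothing in this hunk writes — `CRONJOBS_BACKUPS_SECRETS_ID_RSA` and `CRONJOBS_BACKUPS_SECRETS_BORG_KEY` are exported into `env` and then never used, so unless something outside the hunk creates those files, `chmod` fails on a missing path and `set -e` aborts the step before `deploy/apply-app.sh` runs. Write them alongside the secrets file, e.g. `printf '%s\n' "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" > /deploy/app/cronjobs/backups/.env.d/id_rsa` and the same for `borg_key`, and put `umask 077` before the `mkdir` so none of the files is ever created readable by other runner processes in the window before the later `chmod`. The `>>` appends in the `echo` lines also accumulate duplicate entries across runs on a persistent runner whenever the EXIT trap does not get to fire, so the first write to `secrets` should truncate with `>` rather than append. Note that `deploy/apply-app.sh` is invoked relative to the checkout while the secret files use an absolute `/deploy/...` path; if that split is intentional it deserves a one-line comment, since the trap only cleans up the absolute paths.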
@@ -10,27 +10,27 @@ if [ -f "deploy/helm/.env" ]; then
 fi
-if [ -n "${GITEA_ADMIN_USERNAME:-}" ]; then
+if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
 echo "Executing helm deploy."
 helm repo add gitea-charts https://dl.gitea.com/charts/
 helm repo update
 helm upgrade --install gitea gitea-charts/gitea \
 --values deploy/helm/values.yaml \
- --set valkey.global.valkey.password=${VALKEY_GLOBAL_PASSWORD} \
- --set postgresql.global.postgresql.auth.postgresPassword=${POSTGRESQL_AUTH_POSTGRESPASSWORD} \
- --set postgresql.global.postgresql.auth.password=${POSTGRESQL_AUTH_PASSWORD} \
- --set postgresql.global.postgresql.auth.database=${POSTGRESQL_AUTH_DATABASE} \
- --set postgresql.global.postgresql.auth.username=${POSTGRESQL_AUTH_USERNAME} \
- --set gitea.admin.username=${GITEA_ADMIN_USERNAME} \
- --set gitea.admin.password=${GITEA_ADMIN_PASSWORD} \
- --set gitea.admin.email=${GITEA_ADMIN_EMAIL} \
- --set gitea.config.oauth2.JWT_SECRET=${GITEA_CONFIG_OAUTH2_JWT_SECRET} \
- --set gitea.config.server.LFS_JWT_SECRET=${GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
- --set gitea.config.security.SECRET_KEY=${GITEA_CONFIG_SECURITY_SECRET_KEY} \
- --set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
- --set gitea.config.security.INTERNAL_TOKEN=${GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
- --set gitea.config.security.PASSWORD_HASH_ALGO=${GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
- --set gitea.config.service.oauth2.JWT_SECRET=${GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
+ --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
+ --set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \
+ --set postgresql.global.postgresql.auth.password=${APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD} \
+ --set postgresql.global.postgresql.auth.database=${APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE} \
+ --set postgresql.global.postgresql.auth.username=${APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME} \
+ --set gitea.admin.username=${APP_HELM_VALUE_GITEA_ADMIN_USERNAME} \
+ --set gitea.admin.password=${APP_HELM_VALUE_GITEA_ADMIN_PASSWORD} \
+ --set gitea.admin.email=${APP_HELM_VALUE_GITEA_ADMIN_EMAIL} \
+ --set gitea.config.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET} \
+ --set gitea.config.server.LFS_JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
+ --set gitea.config.security.SECRET_KEY=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY} \
+ --set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
+ --set gitea.config.security.INTERNAL_TOKEN=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
+ --set gitea.config.security.PASSWORD_HASH_ALGO=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
+ --set gitea.config.service.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
 --namespace=git-limbosolutions-com
 fi
\ No newline at end of file
diff --git a/deploy/helm/.env.example b/deploy/helm/.env.example
index 384e1ac..ec75a0f 100644
--- a/deploy/helm/.env.example
+++ b/deploy/helm/.env.example
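Review bot: The renamed `--set` lines still expand each secret unquoted, so a value containing whitespace or glob characters is word-split by the shell, and `--set` itself re-types values (an all-digit password becomes an integer, `true`/`false` become booleans) and treats commas as key separators, which matters for `gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES` if it holds a comma-separated list of ranges. Switch every line to the string form with the expansion quoted, e.g. `--set-string "gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES}" \` (a comma inside the value still needs `\,` escaping even with `--set-string`). Passing secrets as command-line arguments also exposes them to any other process on the runner that can read the process table; a `--values` file written with mode 600 and removed on exit, or `--set-file` for the individual secrets, avoids that. The `if [ -n ... ]` block and its closing `fi` both lie inside the hunk.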
@@ -1,15 +1,15 @@
-VALKEY_GLOBAL_PASSWORD="????"
-POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
-POSTGRESQL_AUTH_PASSWORD="????"
-POSTGRESQL_AUTH_DATABASE="????"
-POSTGRESQL_AUTH_USERNAME="????"
-GITEA_ADMIN_USERNAME=m"????"
-GITEA_ADMIN_PASSWORD="????"
-GITEA_ADMIN_EMAIL="????"
-GITEA_CONFIG_OAUTH2_JWT_SECRET=i"????"
-GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
-GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
-GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
-GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
-GITEA_CONFIG_SECURITY_SECRET_KEY="????"
-GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"
+APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME="????"
+APP_HELM_VALUE_GITEA_ADMIN_USERNAME="????"
+APP_HELM_VALUE_GITEA_ADMIN_PASSWORD="????"
+APP_HELM_VALUE_GITEA_ADMIN_EMAIL="????"
+APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET="????"
+APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
+APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"