diff --git a/.gitignore b/.gitignore
index fdea064..553ded1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-**/.env
+**/.env*
 *~
 charts/**/charts
diff --git a/ARCHITECHTURE.md b/ARCHITECHTURE.md
index 51685cd..5d17a71 100644
--- a/ARCHITECHTURE.md
+++ b/ARCHITECHTURE.md
@@ -22,3 +22,5 @@ S3 for media storage
 Domain Driven Development
 Test Driven Development
+
+Tested on VKE v1.30.0+1 (PVCs on other versions may not be fulfilled)
diff --git a/Makefile b/Makefile
index dc13ecc..dedcaf3 100644
--- a/Makefile
+++ b/Makefile
@@ -1,41 +1,24 @@
 include .env
-dev: minikube secrets tilt
-
-all: bootstrap secrets helmsman
-
-crds:
- kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
-
-cert-manager:
- kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
+namespaces:
+ ./scripts/k8s-namespaces.sh
 secrets:
 ./scripts/k8s-secrets.sh
 flux:
- flux bootstrap git --url="ssh://git@gitea.futureporn.net:2222/futureporn/fp" --branch=main --path="clusters/production" --private-key-file=/home/cj/.ssh/fp-flux
-
-cluster:
- ./scripts/kind-with-local-registry.sh
- ./scripts/k8s-namespaces.sh
- ./scripts/k8s-secrets.sh
- ./scripts/k8s-chisel-operator.sh
-
-argo:
- helmsman --apply -f ./helmsman.argocd.yaml
-
-helmsman:
- helmsman --apply -f ./helmsman.yaml
-
-deploy:
- ./scripts/k8s-namespaces.sh
- ./scripts/k8s-secrets.sh
 ./scripts/flux-bootstrap.sh
+dev: kind namespaces secrets chisel velero tilt
+
+prod: namespaces secrets velero flux
+
+velero:
+ ./scripts/velero-create.sh
+
 tilt:
- tilt up
+ tilt up -f ./t.wip.tiltfile
 define _script
@@ -54,9 +37,8 @@ minikube:
 minikube addons enable csi-hostpath-driver
 minikube addons enable metrics-server
-
 kind:
- bash -x ./scripts/kind-with-local-registry.sh
+ ./scripts/kind-with-local-registry.sh
 chisel:
 ./scripts/k8s-chisel-operator.sh
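Review bot: Widening `**/.env` to `**/.env*` also ignores any committed template such as `.env.example`, which matters here because the Makefile in this same commit starts with `include .env`, so a newcomer needs some checked-in file to copy before any target works. If the repo keeps (or later adds) such a template, re-include it with a negation line placed after the pattern, e.g. `!**/.env.example` (use whatever name the template actually has). The broader pattern itself is a sound change, since `.env.local`-style variants are a common place for secrets to slip into history.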
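Review bot: `dev` and `prod` depend on prerequisite order for correctness — `secrets` writes into the `velero` namespace that `namespaces` creates (see scripts/k8s-secrets.sh and scripts/k8s-namespaces.sh in this commit) — but make only honours list order in a serial run; under `make -j` the scripts can run concurrently or in any order. Put the dependency on the targets themselves, `secrets: namespaces` and `velero: namespaces secrets` (the latter if velero-create.sh installs the BackupStorageLocation that references the `velero` secret), so the lists on `dev` and `prod` no longer carry it implicitly. None of the new targets (`namespaces`, `velero`, `dev`, `prod`) name files, so unless the file declares them further down, add them to a `.PHONY:` line; a stray file called `secrets` or `velero` in the checkout would otherwise silently turn that step into a no-op.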
@@ -71,6 +53,7 @@ deps:
 sudo systemctl start docker
 usermod -aG docker cj
 newgrp docker
+ curl -OL 'https://github.com/vmware-tanzu/velero/releases/download/v1.13.2/velero-v1.13.2-linux-amd64.tar.gz'
 # A gitea act runner which runs locally
 # https://docs.gitea.com/next/usage/actions/overview
diff --git a/README.md b/README.md
index b4f0ead..6a5542e 100644
--- a/README.md
+++ b/README.md
@@ -3,3 +3,4 @@ See ./ARCHITECTURE.md for overview
 Code for https://futureporn.net
+
diff --git a/apps/base/temporal/release.yaml b/apps/base/temporal/release.yaml
index 3fea24b..76b6690 100644
--- a/apps/base/temporal/release.yaml
+++ b/apps/base/temporal/release.yaml
@@ -10,7 +10,7 @@ spec:
 chart: temporal
 sourceRef:
 kind: HelmRepository
- name: temporal
+ name: lemontech
 interval: 50m
 install:
 remediation:
diff --git a/apps/base/temporal/repository.yaml b/apps/base/temporal/repository.yaml
index e699ec5..b5dba68 100644
--- a/apps/base/temporal/repository.yaml
+++ b/apps/base/temporal/repository.yaml
@@ -1,7 +1,7 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
- name: temporal
+ name: lemontech
 namespace: futureporn
 spec:
 interval: 5m
diff --git a/charts/fp/templates-staging/velero.yaml b/charts/fp/templates-staging/velero.yaml
new file mode 100644
index 0000000..a372b15
--- /dev/null
+++ b/charts/fp/templates-staging/velero.yaml
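Review bot: The added `curl -OL '…/velero-v1.13.2-linux-amd64.tar.gz'` fetches a release tarball with no integrity check, and without `-f` an HTTP error page (404, proxy interstitial) is saved under the tarball's name with exit status 0, so the recipe cannot fail. Use `curl -fsSLO` and verify against a pinned digest before anything extracts it, e.g. `echo '<EXPECTED_SHA256>  velero-v1.13.2-linux-amd64.tar.gz' | sha256sum -c -` (placeholder shown; take the digest from the checksum published with the release). As far as the hunk shows the file is only left in the working directory, neither extracted nor installed; if a later step consumes it, that step belongs in this recipe so `deps` is self-contained. The `deps` rule starts before this hunk.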
@@ -0,0 +1,122 @@
+apiVersion: velero.io/v1
+kind: BackupStorageLocation
+metadata:
+ name: futureporn-velero-4
+ namespace: velero
+spec:
+ # Name of the object store plugin to use to connect to this location.
+ #
+ # Required.
+ provider: velero/velero-plugin-for-aws
+
+ objectStorage:
+ # The bucket in which to store backups.
+ #
+ # Required.
+ bucket: futureporn-db-backup
+
+ # The prefix within the bucket under which to store backups.
+ #
+ # Optional.
+ prefix: velero
+
+ # The credentials intended to be used with this location.
+ # optional (if not set, default credentials secret is used)
+ credential:
+ # Key within the secret data which contains the cloud credentials
+ key: cloud
+ # Name of the secret containing the credentials
+ name: velero
+
+ config:
+ # The AWS region where the bucket is located. Queried from the AWS S3 API if not provided.
+ #
+ # Optional if s3ForcePathStyle is false.
+ region: us-west-000
+
+ # Whether to use path-style addressing instead of virtual hosted bucket addressing. Set to "true"
+ # if using a local storage service like MinIO.
+ #
+ # Optional (defaults to "false").
+ s3ForcePathStyle: "true"
+
+ # You can specify the AWS S3 URL here for explicitness, but Velero can already generate it from
+ # "region" and "bucket". This field is primarily for local storage services like MinIO.
+ #
+ # Optional.
+ # s3Url: "http://minio:9000"
+ s3Url: "https://s3.us-west-000.backblazeb2.com"
+
+ # If specified, use this instead of "s3Url" when generating download URLs (e.g., for logs). This
+ # field is primarily for local storage services like MinIO.
+ #
+ # Optional.
+ # publicUrl: "https://minio.mycluster.com"
+
+ # The name of the server-side encryption algorithm to use for uploading objects, e.g. "AES256".
+ # If using SSE-KMS and "kmsKeyId" is specified, this field will automatically be set to "aws:kms"
+ # so does not need to be specified by the user.
+ #
+ # Optional.
+ serverSideEncryption: AES256
+
+ # Specify an AWS KMS key ID (formatted per the example) or alias (formatted as "alias/"), or its full ARN
+ # to enable encryption of the backups stored in S3. Only works with AWS S3 and may require explicitly
+ # granting key usage rights.
+ #
+ # Cannot be used in conjunction with customerKeyEncryptionFile.
+ #
+ # Optional.
+ # kmsKeyId: "502b409c-4da1-419f-a16e-eif453b3i49f"
+
+ # Specify the file that contains the SSE-C customer key to enable customer key encryption of the backups
+ # stored in S3. The referenced file should contain a 32-byte string.
+ #
+ # The customerKeyEncryptionFile points to a mounted secret within the velero container.
+ # Add the below values to the velero cloud-credentials secret:
+ # customer-key:
+ # The default value below points to the already mounted secret.
+ #
+ # Cannot be used in conjunction with kmsKeyId.
+ #
+ # Optional (defaults to "", which means SSE-C is disabled).
+ # customerKeyEncryptionFile: "/credentials/customer-key"
+
+ # Version of the signature algorithm used to create signed URLs that are used by velero CLI to
+ # download backups or fetch logs. Possible versions are "1" and "4". Usually the default version
+ # 4 is correct, but some S3-compatible providers like Quobyte only support version 1.
+ #
+ # Optional (defaults to "4").
+ signatureVersion: "1"
+
+ # AWS profile within the credentials file to use for the backup storage location.
+ #
+ # Optional (defaults to "default").
+ profile: "sex"
+
+ # Set this to "true" if you do not want to verify the TLS certificate when connecting to the
+ # object store -- like for self-signed certs with MinIO. This is susceptible to man-in-the-middle
+ # attacks and is not recommended for production.
+ #
+ # Optional (defaults to "false").
+ insecureSkipTLSVerify: "true"
+
+ # Set this to "true" if you want to load the credentials file as a [shared config file](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html).
+ # This will have no effect if credentials are not specific for a BSL.
+ #
+ # Optional (defaults to "false").
+ enableSharedConfig: "true"
+
+ # Tags that need to be placed on AWS S3 objects.
+ # For example "Key1=Value1&Key2=Value2"
+ #
+ # Optional (defaults to empty "")
+ tagging: ""
+
+ # The checksum algorithm to use for uploading objects to S3.
+ # The Supported values are "CRC32", "CRC32C", "SHA1", "SHA256".
+ # If the value is set as empty string "", no checksum will be calculated and attached to
+ # the request headers.
+ #
+ # Optional (defaults to "CRC32")
+ checksumAlgorithm: "CRC32"
\ No newline at end of file
diff --git a/scripts/k8s-namespaces.sh b/scripts/k8s-namespaces.sh
index 19c95b5..662f3e1 100755
--- a/scripts/k8s-namespaces.sh
+++ b/scripts/k8s-namespaces.sh
@@ -4,3 +4,6 @@ source .env
 kubectl create namespace cert-manager
 kubectl create namespace futureporn
+kubectl create namespace velero
+
+exit 0 # important to keep the Makefile chain going even if namespaces already existed and kubectl returned non-zero
\ No newline at end of file
diff --git a/scripts/k8s-secrets.sh b/scripts/k8s-secrets.sh
index e701337..8aeb2ad 100755
--- a/scripts/k8s-secrets.sh
+++ b/scripts/k8s-secrets.sh
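Review bot: `insecureSkipTLSVerify: "true"` disables certificate verification for a BackupStorageLocation whose `s3Url` is the public Backblaze endpoint `https://s3.us-west-000.backblazeb2.com`, so the database backups in `futureporn-db-backup` and the credentials that sign each request are exposed to an on-path attacker; the file's own comment reserves this setting for self-signed MinIO-style setups. Backblaze presents a publicly trusted certificate, so set `insecureSkipTLSVerify: "false"` or drop the key. Two further items to confirm: `provider: velero/velero-plugin-for-aws` looks like the plugin's image name rather than the provider identifier the AWS plugin registers (`aws` or `velero.io/aws` in its documentation), which would leave the BSL unavailable rather than misconfigured; and `signatureVersion: "1"` opts out of SigV4, which the Backblaze S3-compatible API supports as far as I know, so the default is the safer choice. The YAML indentation is lost in this rendering, so nesting under `config:` cannot be checked from here.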
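Review bot: The trailing `exit 0` masks every failure of this script, not only the AlreadyExists case the comment describes — an unreachable cluster, a wrong kube context or missing RBAC also returns 0, and the `dev`/`prod` chains in the Makefile then proceed into `secrets` against a cluster with no namespaces. Make each create idempotent instead and let real errors propagate, e.g. `kubectl create namespace velero --dry-run=client -o yaml | kubectl apply -f -` for each of the three namespaces, and drop the `exit 0`. The script's preamble is outside the hunk (only `source .env` is visible in the header), so whether it already sets `set -e` cannot be confirmed from here.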
@@ -3,6 +3,27 @@ source .env + +kubectl --namespace=velero delete secret velero --ignore-not-found +## we do this so helm can adopt our pre-made secret @see https://github.com/helm/helm/pull/7649 +cat < \ +# # --set configuration.backupStorageLocation[0].provider= \ +# # --set configuration.backupStorageLocation[0].bucket= \ +# # --set configuration.backupStorageLocation[0].config.region= \ +# # --set configuration.volumeSnapshotLocation[0].name= \ +# # --set configuration.volumeSnapshotLocation[0].provider= \ +# # --set configuration.volumeSnapshotLocation[0].config.region= \ +# # --set initContainers[0].name=velero-plugin-for- \ +# # --set initContainers[0].image=velero/velero-plugin-for-: \ +# # --set initContainers[0].volumeMounts[0].mountPath=/target \ +# # --set initContainers[0].volumeMounts[0].name=plugins +# ] +# ) + helm_remote( 'temporal', repo_name='temporal',