diff --git a/infrastructure/sources/kustomization.yaml b/infrastructure/sources/kustomization.yaml
index ff2e72e..cc6004e 100644
--- a/infrastructure/sources/kustomization.yaml
+++ b/infrastructure/sources/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - bitwarden.yaml
 - eso.yaml
 - jetstack.yaml
+- vmware-tanzu.yaml
diff --git a/infrastructure/sources/vmware-tanzu.yaml b/infrastructure/sources/vmware-tanzu.yaml
new file mode 100644
index 0000000..05651c6
--- /dev/null
+++ b/infrastructure/sources/vmware-tanzu.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: vmware-tanzu
+  namespace: flux-system
+spec:
+  interval: 12h
+  url: https://github.com/vmware-tanzu/helm-charts/
diff --git a/infrastructure/velero/helmrelease.yaml b/infrastructure/velero/helmrelease.yaml
new file mode 100644
index 0000000..550366e
--- /dev/null
+++ b/infrastructure/velero/helmrelease.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: velero
+  namespace: backups
+spec:
+  interval: 15m
+  releaseName: velero
+  chart:
+    spec:
+      chart: velero
+      version: "*"
+      sourceRef:
+        kind: HelmRepository
+        name: velero
+        namespace: flux-system
+  values:
+    # keep minimal to start
+    replicaCount: 1
diff --git a/infrastructure/velero/values.yaml b/infrastructure/velero/values.yaml
new file mode 100644
index 0000000..5b2823b
--- /dev/null
+++ b/infrastructure/velero/values.yaml
@@ -0,0 +1,13 @@
+#yes
+env:
+  - name: kimaiAdminEmail
+    valueFrom:
+      secretKeyRef:
+        name: kimai-secrets
+        key: kimai-admin-username
+
+  - name: kimaiAdminPassword
+    valueFrom:
+      secretKeyRef:
+        name: kimai-secrets
+        key: kimai-admin-password
diff --git a/secrets/contabosecrets.yaml b/secrets/contabosecrets.yaml
new file mode 100644
index 0000000..73178c4
--- /dev/null
+++ b/secrets/contabosecrets.yaml
@@ -0,0 +1,32 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: contabo-secrets
+  namespace: backups
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    name: contabo-secrets
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+ data:
+    - secretKey: contabo-username
+      remoteRef:
+        key: contabo-username
+
+    - secretKey: contabo-password
+      remoteRef:
+        key: contabo-password
+
+    - secretKey: contabo-client-id
+      remoteRef:
+        key: contabo-client-id
+
+    - secretKey: contabo-client-secret
+      remoteRef:
+        key: contabo-client-secret
diff --git a/secrets/kustomization.yaml b/secrets/kustomization.yaml
index 516abc8..92d736b 100644
--- a/secrets/kustomization.yaml
+++ b/secrets/kustomization.yaml
@@ -3,4 +3,4 @@ kind: Kustomization
 resources:
 - kimaisecrets.yaml
 - namespace.yaml
-- test.yaml
+- contabosecrets.yaml