diff --git a/kubernetes/apps/default/homelab/ks.yaml b/kubernetes/apps/default/homelab/ks.yaml
index 4d7abe0e6..bdd86a132 100644
--- a/kubernetes/apps/default/homelab/ks.yaml
+++ b/kubernetes/apps/default/homelab/ks.yaml
@@ -70,3 +70,27 @@ spec:
 postBuild:
 substitute:
 APP: *app
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app homelab-opnsense-backup
+ namespace: flux-system
+spec:
+ targetNamespace: default
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/default/homelab/opnsense/backup
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/apps/default/homelab/opnsense/backup/backup.sh b/kubernetes/apps/default/homelab/opnsense/backup/backup.sh
new file mode 100644
index 000000000..42164a27a
--- /dev/null
+++ b/kubernetes/apps/default/homelab/opnsense/backup/backup.sh
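Review bot: The new Kustomization declares no `dependsOn`, although the HelmRelease it deploys reads `homelab-opnsense-backup-secret` through `envFrom`, which only exists once the ExternalSecret in the same path has been resolved by the `onepassword-connect` ClusterSecretStore. With `wait: false` the Kustomization reports Ready regardless, so a store that is not yet available would only surface as a CreateContainerConfigError on the first CronJob run. If the other Kustomizations in this file declare a dependency on the external-secrets stores (their stanzas are outside this hunk), add the same `dependsOn` entry here; otherwise consider `wait: true` so the Kustomization's status reflects the HelmRelease.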
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -o nounset
+set -o errexit
+
+config_filename="$(date "+%Y%m%d-%H%M%S").xml"
+
+http_host=${S3_URL#*//}
+http_host=${http_host%:*}
+http_request_date=$(date -R)
+http_filepath="opnsense/${config_filename}"
+http_signature=$(
+ printf "PUT\n\ntext/xml\n%s\n/%s" "${http_request_date}" "${http_filepath}" \
+ | openssl sha1 -hmac "${AWS_SECRET_ACCESS_KEY}" -binary \
+ | base64
+)
+
+echo "Download Opnsense config file ..."
+curl -fsSL \
+ --user "${OPNSENSE_KEY}:${OPNSENSE_SECRET}" \
+ --output "/tmp/${config_filename}" \
+ "${OPNSENSE_URL}/api/core/backup/download/this"
+
+echo "Upload backup to s3 bucket ..."
+curl -fsSL \
+ -X PUT -T "/tmp/${config_filename}" \
+ -H "Host: ${http_host}" \
+ -H "Date: ${http_request_date}" \
+ -H "Content-Type: text/xml" \
+ -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \
+ "${S3_URL}/${http_filepath}"
diff --git a/kubernetes/apps/default/homelab/opnsense/backup/externalsecret.yaml b/kubernetes/apps/default/homelab/opnsense/backup/externalsecret.yaml
new file mode 100644
index 000000000..9813ccae5
--- /dev/null
+++ b/kubernetes/apps/default/homelab/opnsense/backup/externalsecret.yaml
@@ -0,0 +1,17 @@
+
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: homelab-opnsense-backup
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: homelab-opnsense-backup-secret
+ dataFrom:
+ - extract:
+ # OPNSENSE_KEY, OPNSENSE_SECRET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
+ key: homelab-opnsense
diff --git a/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
new file mode 100644
index 000000000..910005d51
--- /dev/null
+++ b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
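Review bot: The `http_signature` pipeline runs without `set -o pipefail`, so a failing `openssl` step (for instance when `AWS_SECRET_ACCESS_KEY` is empty) produces an empty signature and, because only `base64` decides the exit status, the script continues to the upload with an unusable Authorization header; add `set -o pipefail` next to the existing `set -o nounset`. The OPNsense API credentials, the S3 secret and the computed signature are also passed on the command lines of `curl` and `openssl` (`--user`, `-hmac`, `-H "Authorization: ..."`), where they are readable in the pod's process list; feeding a `user = "${OPNSENSE_KEY}:${OPNSENSE_SECRET}"` line to `curl --config -` on stdin keeps at least the API credentials out of argv. The downloaded XML, which is the complete firewall configuration, stays in `/tmp` after the upload; that is harmless in a one-shot CronJob container, but a `trap 'rm -f "/tmp/${config_filename}"' EXIT` after the `config_filename` assignment makes the cleanup explicit.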
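Review bot: The file begins with an empty line where the sibling manifests in this commit (and the new `ks.yaml` stanza) begin with `---`; change the leading blank line to `---` so the document-start marker is consistent and yamllint's document-start rule passes. The schema comment points at `kubernetes-schemas.devbu.io` while the Kustomization in ks.yaml uses `kubernetes-schemas.pages.dev`; if the repository has settled on one host, align this file with it. The comment listing the four keys under `extract:` is useful and should stay, since nothing else documents what `homelab-opnsense` is expected to contain.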
@@ -0,0 +1,63 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app homelab-opnsense-backup
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.6.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ controllers:
+ homelab-opnsense-backup:
+ type: cronjob
+ cronjob:
+ concurrencyPolicy: Forbid
+ schedule: "@daily"
+ containers:
+ app:
+ image:
+ repository: ghcr.io/auricom/kubectl
+ tag: 1.32.1@sha256:b01d7c1b5d9e900119a7568fc4d08a3a46afb65d430ed66173cdf101b4f211db
+ command:
+ - /bin/bash
+ - /app/backup.sh
+ env:
+ OPNSENSE_URL: "https://opnsense.${SECRET_INTERNAL_DOMAIN}"
+ S3_URL: "https://minio.${SECRET_INTERNAL_DOMAIN}"
+ envFrom:
+ - secretRef:
+ name: homelab-opnsense-backup-secret
+ service:
+ app:
+ controller: *app
+ enabled: false
+ persistence:
+ config:
+ enabled: true
+ type: configMap
+ name: homelab-opnsense-backup-configmap
+ defaultMode: 0775 # trunk-ignore(yamllint/octal-values)
+ globalMounts:
+ - path: /app/backup.sh
+ subPath: backup.sh
+ readOnly: true
diff --git a/kubernetes/apps/default/homelab/opnsense/backup/kustomization.yaml b/kubernetes/apps/default/homelab/opnsense/backup/kustomization.yaml
new file mode 100644
index 000000000..a763885d5
--- /dev/null
+++ b/kubernetes/apps/default/homelab/opnsense/backup/kustomization.yaml
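Review bot: The `app` container carries no `securityContext`, so the CronJob pod runs with whatever user and capabilities `ghcr.io/auricom/kubectl` defaults to while holding the OPNsense API and S3 credentials in its environment. The script only reads `/app/backup.sh`, writes one file under `/tmp` and makes two HTTPS requests, so it can run with a read-only root filesystem, all capabilities dropped and no privilege escalation, with an `emptyDir` mounted on `/tmp` for the download; `defaultPodOptions.securityContext.runAsNonRoot: true` is worth adding too if the image's default user is not root (not visible here). Separately, `defaultMode: 0775` on the ConfigMap mount is wider than needed: the mount is `readOnly: true` and the script is invoked through `/bin/bash`, so `0444` suffices and the existing trunk-ignore comment can stay.
```yaml
        containers:
          app:
            # … unchanged: image, command, env, envFrom …
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities:
                drop:
                  - ALL
    # … unchanged: service …
    persistence:
      # … unchanged: config …
      tmp:
        type: emptyDir
        globalMounts:
          - path: /tmp
```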
@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: homelab-opnsense-backup-configmap
+ files:
+ - ./backup.sh
+generatorOptions:
+ disableNameSuffixHash: true
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
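Review bot: The `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation is the one non-obvious decision in this file and deserves a comment: `backup.sh` itself expands `${S3_URL}`, `${OPNSENSE_KEY}` and similar at run time, and Flux's post-build substitution would otherwise treat those references inside the generated ConfigMap as its own variables. A line such as `# backup.sh uses shell ${VAR} expansions; keep Flux post-build substitution off this ConfigMap` above `annotations:` would capture that. It is also worth stating next to `disableNameSuffixHash: true` that the fixed name is safe here because the CronJob mounts the ConfigMap fresh on every run, so script edits need no rollout.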