diff --git a/.gitignore b/.gitignore
index 14be3e6..7ebc135 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 result
-secrets/
\ No newline at end of file
+/secrets/
+test/
\ No newline at end of file
diff --git a/kubernetes/secrets/cloundativepg/s3-backup-creds.nix b/kubernetes/secrets/cloundativepg/s3-backup-creds.nix
new file mode 100644
index 0000000..1330e42
--- /dev/null
+++ b/kubernetes/secrets/cloundativepg/s3-backup-creds.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ sops.templates."omni-etcd-key.yaml" = {
+ mode = "0444";
+ content = ''
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: s3-backup-creds
+ namespace: cloudnativepg
+ type: Opaque
+ spec:
+ s3AccessKey: fmRuq5b96EKqQOGR1prs
+ s3SecretKey: ${config.sops.placeholder.cnpg_s3_backup_key}
+ '';
+ path = "/var/lib/rancher/k3s/server/manifests/secrets/cnpg-s3-backup-creds.yaml";
+ };
+}
\ No newline at end of file
diff --git a/kubernetes/secrets/default.nix b/kubernetes/secrets/default.nix
new file mode 100644
index 0000000..320994f
--- /dev/null
+++ b/kubernetes/secrets/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./omni/omni-etcd-key.nix
+ ];
+}
\ No newline at end of file
diff --git a/security/sops_nix.yaml b/security/sops_nix.yaml
index 7812f83..52ee88e 100644
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
@@ -1,5 +1,6 @@
 pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
 pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
+cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
 sops:
 age:
 - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
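Review bot: In `.gitignore`, anchoring the pattern as `/secrets/` stops ignoring every nested `secrets/` directory, not only the `kubernetes/secrets/` tree this commit starts tracking. Any plaintext material that relied on the old unanchored rule can now be staged by a broad `git add`. It is worth confirming that no other `secrets/` directory exists in the tree, or adding explicit ignore rules for the ones that must stay local.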
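Review bot: In `kubernetes/secrets/cloundativepg/s3-backup-creds.nix`, `mode = "0444";` leaves the rendered manifest, which contains the decrypted S3 secret key, readable by every local user on the host; `mode = "0400";` should be enough if k3s reads the manifests directory as root (confirm the owner). The manifest body puts the keys under `spec:`, which is not a field of a Kubernetes `Secret`; plaintext values belong under `stringData:`. The template is registered as `sops.templates."omni-etcd-key.yaml"`, which looks copied from the omni module and would merge or conflict with a template of the same name if one exists, so a name such as `"cnpg-s3-backup-creds.yaml"` is safer. The access key ID is also committed in plaintext next to the encrypted secret key; consider keeping it in the sops file as well.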
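Review bot: In `kubernetes/secrets/default.nix`, the import list names only `./omni/omni-etcd-key.nix`, so the `cloundativepg/s3-backup-creds.nix` module added in this commit is not pulled in here and its template will not be rendered unless it is imported elsewhere. Adding `./cloundativepg/s3-backup-creds.nix` to `imports` would wire it up. `./omni/omni-etcd-key.nix` is also not part of this diff; if it was previously hidden by the old `secrets/` ignore rule and is still untracked, a flake evaluation will not see it.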
@@ -11,7 +12,7 @@ sops:
 Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
 F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-23T01:50:31Z"
- mac: ENC[AES256_GCM,data:wSnhBZDBKDEEFcb8YwBjiopnMEuaVYfeH5Oi1mrlq6sSpvrznUu2saI3l+ktNIK94lw8OyJaj7Nh9AuCouAKeJXbzmBlV/6pTr8Ud08K7UXbd0jqGMku2de3OvMIwrEdhe1H/yxVOFVuRNAgOKmkWB/6Hs+gD0v2FG0ymHacN84=,iv:g8GWfogEPPeGf0cO7PdMLsnffb5GQE1VVuO9s4Ls1Ew=,tag:pBlrcIthHJ1hPtvNbt37SQ==,type:str]
+ lastmodified: "2026-03-17T16:34:22Z"
+ mac: ENC[AES256_GCM,data:41TNxYgscdIZbbNxczTXzmPotyT4/ZsxspRihNf9NAj2c4PdQXNPeIMzS9meuH9LD4CTo9ws/pP7SBpPKnx4PzqdDekPvhdj9qIKdLjpKkJd+N0WfFXEgGEj7nAyc0lR2z6oSPuMB15xk8hIKT1prL9lDjjYRH3aKlhjaqP53LQ=,iv:RZpDhBWkbLL/pgwIuoPYUZd1Pmu0n7zt165DO7+uMHM=,tag:DQhFTgaFCgCV62QLCjozUg==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.11.0
\ No newline at end of file
+ version: 3.11.0