diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fcc0402cf5c184d1cacd2d68ac55ad6a6ee4e25f..ed793b3e5d8921875d7bd58db621032eeef36783 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -115,6 +115,18 @@ include:
     - if: '$CI_COMMIT_MESSAGE =~ /TRIGGER_JOBS=.*enable-single-sign-on/'
     - if: '$CI_COMMIT_BRANCH == "main"'
 
+.velero_rules:
+  rules:
+    - changes:
+        - flux2/apps/$RESOURCE/*.yaml
+        - flux2/cluster/optional/$RESOURCE/*.yaml
+        - flux2/core/base/sources/vmware-tanzu.yaml
+        - install/install-app.sh
+        - install/flux-version-check.sh
+    - if: '$TRIGGER_JOBS =~ /enable-velero/'
+    - if: '$CI_COMMIT_MESSAGE =~ /TRIGGER_JOBS=.*enable-velero/'
+    - if: '$CI_COMMIT_BRANCH == "main"'
+
 .wekan_rules:
   rules:
     - changes:
@@ -366,7 +378,7 @@ install-stackspin:
     - kubectl apply -k ${CLUSTER_DIR}
     # Add an override so cert-manager uses the SSL.com ClusterIssuer
     - kubectl create namespace cert-manager
-    - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
+    - kubectl apply -f ./install/overrides/stackspin-cert-manager-override.yaml
     # Install flux and general, non-app specific secrets
     - bash ./install/install-stackspin.sh
   extends:
@@ -374,6 +386,7 @@ install-stackspin:
     - .general_rules
   interruptible: true
 
+
 .enable_app_template:
   stage: install-stackspin
   needs:
@@ -383,7 +396,7 @@ install-stackspin:
     # Add optional override values we need for the CI pipeline only
     - >
       [ -f ./install/overrides/stackspin-${RESOURCE}-override.yaml ] &&
-        kubectl apply -n stackspin-apps -f ./install/overrides/stackspin-${RESOURCE}-override.yaml
+        kubectl apply -f ./install/overrides/stackspin-${RESOURCE}-override.yaml
     - bash ./install/install-app.sh ${RESOURCE}
   interruptible: true
 
@@ -401,6 +414,13 @@ enable-nextcloud:
     - .enable_app_template
     - .nextcloud_rules
 
+enable-velero:
+  variables:
+    RESOURCE: "velero"
+  extends:
+    - .enable_app_template
+    - .velero_rules
+
 enable-wekan:
   variables:
     RESOURCE: "wekan"
@@ -551,6 +571,16 @@ nextcloud-kustomization-ready:
     - .app-kustomization-ready
     - .nextcloud_rules
 
+velero-kustomization-ready:
+  needs:
+    - job: install-stackspin
+    - job: enable-velero
+  variables:
+    RESOURCE: "velero"
+  extends:
+    - .app-kustomization-ready
+    - .velero_rules
+
 wekan-kustomization-ready:
   needs:
     - job: install-stackspin
diff --git a/.gitlab/commit_template.txt b/.gitlab/commit_template.txt
index f87d232ce6dc7be34f585b3a324685abe0943e14..7be36274504f7e9647df7789c265196b5c239c59 100644
--- a/.gitlab/commit_template.txt
+++ b/.gitlab/commit_template.txt
@@ -9,7 +9,7 @@
 # TRIGGER_JOBS=enable-nextcloud
 #
 # or trigger all jobs:
-# TRIGGER_JOBS=enable-monitoring,enable-nextcloud,enable-wekan,enable-wordpress,enable-zulip
+# TRIGGER_JOBS=enable-monitoring,enable-nextcloud,enable-velero,enable-wekan,enable-wordpress,enable-zulip
 #
 # Reference issue number with one of:
 #
diff --git a/docs/design.md b/docs/design.md
index 9d5739043005db6e99108261b275fcb9e22ca7c2..c7b5f27ac70fc68b505712f9fa9c131c834bef7a 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -115,7 +115,8 @@ that is responsible for these updates.
 
 Flux 2 tracks all the files in the `flux2` directory of the [Stackspin code
 repository](https://open.greenhost.net/stackspin/stackspin). Once changes
-are pushd the branch that Flux tracks, the changes are applied to the cluster.
+are pushed to the branch that Flux tracks, the changes are applied to the
+cluster.
 
 We use Flux 2 in "read only" mode, which means that your Stackspin cluster
 does not push changes to our Git repository. You can read more about Flux 2 and
diff --git a/install/overrides/stackspin-cert-manager-override.yaml b/install/overrides/stackspin-cert-manager-override.yaml
index baef69951d3d4f28f579b3ae07d7dc4dd73d069c..f468f2d055c3205755b17e4f990aa5e7c5e1d416 100644
--- a/install/overrides/stackspin-cert-manager-override.yaml
+++ b/install/overrides/stackspin-cert-manager-override.yaml
@@ -2,6 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
+  namespace: cert-manager
   name: stackspin-cert-manager-override
 data:
   values.yaml: |
diff --git a/install/overrides/stackspin-nextcloud-override.yaml b/install/overrides/stackspin-nextcloud-override.yaml
index 0a33526ff1a947bdd9aa27ea7bb237d0d7414f5a..b3ab3fa01dabaff2248b033a9ce3cf32ea22afc9 100644
--- a/install/overrides/stackspin-nextcloud-override.yaml
+++ b/install/overrides/stackspin-nextcloud-override.yaml
@@ -2,6 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
+  namespace: stackspin-apps
   name: stackspin-nextcloud-override
 data:
   values.yaml: |
diff --git a/install/overrides/stackspin-velero-override.yaml b/install/overrides/stackspin-velero-override.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d687dff0135110a9721b7e90fd577d2ef0ac09b1
--- /dev/null
+++ b/install/overrides/stackspin-velero-override.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: velero
+  name: stackspin-velero-override
+data:
+  values.yaml: |
+    # Do not create backups automatically in CI.
+    # Note: setting this to `{}` doesn't override the stackspin default due to
+    # helm merging the dictionaries, not replacing one by the other.
+    schedules: null