diff --git a/backup/Dockerfile b/backup/Dockerfile
new file mode 100644
index 0000000..e9c1eae
--- /dev/null
+++ b/backup/Dockerfile
@@ -0,0 +1,16 @@
+FROM alpine:3.20
+
+RUN apk add --no-cache \
+      postgresql16-client \
+      aws-cli \
+      gzip \
+      tzdata \
+      bash \
+      coreutils
+
+WORKDIR /app
+COPY backup_db.sh /app/backup_db.sh
+COPY entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/backup_db.sh /app/entrypoint.sh
+
+ENTRYPOINT ["/app/entrypoint.sh"]
diff --git a/backup/backup_db.sh b/backup/backup_db.sh
new file mode 100755
index 0000000..7a724ce
--- /dev/null
+++ b/backup/backup_db.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+# Nightly pg_dump → rustfs (S3-compatible).
+# Required env: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB,
+#               RUSTFS_ENDPOINT, RUSTFS_ACCESS_KEY, RUSTFS_SECRET_KEY, RUSTFS_BUCKET.
+# Optional:     BACKUP_KEEP_DAYS (default 30), PGHOST (default timescale_db).
+
+set -eu
+
+: "${POSTGRES_USER:?}"
+: "${POSTGRES_PASSWORD:?}"
+: "${POSTGRES_DB:?}"
+: "${RUSTFS_ENDPOINT:?}"
+: "${RUSTFS_ACCESS_KEY:?}"
+: "${RUSTFS_SECRET_KEY:?}"
+: "${RUSTFS_BUCKET:?}"
+
+PGHOST="${PGHOST:-timescale_db}"
+PGPORT="${PGPORT:-5432}"
+KEEP_DAYS="${BACKUP_KEEP_DAYS:-30}"
+
+TS="$(date -u +%Y%m%d_%H%M%SZ)"
+FILE="${POSTGRES_DB}_${TS}.sql.gz"
+TMP="/tmp/${FILE}"
+
+export AWS_ACCESS_KEY_ID="$RUSTFS_ACCESS_KEY"
+export AWS_SECRET_ACCESS_KEY="$RUSTFS_SECRET_KEY"
+export AWS_DEFAULT_REGION="${RUSTFS_REGION:-us-east-1}"
+export PGPASSWORD="$POSTGRES_PASSWORD"
+
+echo "[$(date -u +%FT%TZ)] pg_dump ${POSTGRES_DB}@${PGHOST} -> ${FILE}"
+pg_dump -h "$PGHOST" -p "$PGPORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" \
+        --no-owner --no-privileges --format=plain \
+  | gzip -9 > "$TMP"
+
+SIZE=$(wc -c < "$TMP")
+echo "[$(date -u +%FT%TZ)] dump size: ${SIZE} bytes"
+
+KEY="daily/${FILE}"
+echo "[$(date -u +%FT%TZ)] uploading s3://${RUSTFS_BUCKET}/${KEY}"
+aws --endpoint-url "$RUSTFS_ENDPOINT" s3 cp "$TMP" "s3://${RUSTFS_BUCKET}/${KEY}"
+
+rm -f "$TMP"
+
+# Prune anything older than KEEP_DAYS.
+CUTOFF="$(date -u -d "-${KEEP_DAYS} days" +%Y%m%d 2>/dev/null || date -u -v -"${KEEP_DAYS}"d +%Y%m%d)"
+aws --endpoint-url "$RUSTFS_ENDPOINT" s3 ls "s3://${RUSTFS_BUCKET}/daily/" \
+  | awk '{print $4}' \
+  | while read -r OBJ; do
+      [ -z "$OBJ" ] && continue
+      OBJ_DATE=$(echo "$OBJ" | sed -n 's/.*_\([0-9]\{8\}\)_.*/\1/p')
+      [ -z "$OBJ_DATE" ] && continue
+      if [ "$OBJ_DATE" -lt "$CUTOFF" ]; then
+        echo "[$(date -u +%FT%TZ)] prune s3://${RUSTFS_BUCKET}/daily/${OBJ}"
+        aws --endpoint-url "$RUSTFS_ENDPOINT" s3 rm "s3://${RUSTFS_BUCKET}/daily/${OBJ}"
+      fi
+    done
+
+echo "[$(date -u +%FT%TZ)] backup complete"
diff --git a/backup/entrypoint.sh b/backup/entrypoint.sh
new file mode 100755
index 0000000..d107577
--- /dev/null
+++ b/backup/entrypoint.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Loops forever: sleeps until the next BACKUP_HOUR:BACKUP_MINUTE UTC, then runs backup_db.sh.
+# Defaults: 02:30 UTC nightly.
+
+set -eu
+
+HOUR="${BACKUP_HOUR:-2}"
+MINUTE="${BACKUP_MINUTE:-30}"
+
+if [ "${BACKUP_RUN_ON_START:-0}" = "1" ]; then
+  echo "[$(date -u +%FT%TZ)] BACKUP_RUN_ON_START=1 — running backup immediately"
+  /app/backup_db.sh || echo "[$(date -u +%FT%TZ)] initial backup failed (continuing)"
+fi
+
+while true; do
+  NOW_EPOCH=$(date -u +%s)
+  TARGET=$(date -u -d "today ${HOUR}:${MINUTE}:00" +%s 2>/dev/null \
+           || date -u -j -f "%H:%M:%S" "${HOUR}:${MINUTE}:00" +%s)
+  if [ "$TARGET" -le "$NOW_EPOCH" ]; then
+    TARGET=$((TARGET + 86400))
+  fi
+  SLEEP=$((TARGET - NOW_EPOCH))
+  echo "[$(date -u +%FT%TZ)] next backup in ${SLEEP}s (at $(date -u -d "@${TARGET}" +%FT%TZ 2>/dev/null || date -u -r "${TARGET}" +%FT%TZ))"
+  sleep "$SLEEP"
+  /app/backup_db.sh || echo "[$(date -u +%FT%TZ)] backup failed (will retry tomorrow)"
+done
diff --git a/docker-compose.yaml b/docker-compose.yaml
index df4b87d..b14559c 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -76,6 +76,26 @@ services:
     # You will set the actual URL in the Coolify UI,
     # but the service needs to expose port 3000 internally.
 
+  db_backup:
+    build:
+      context: ./backup
+      dockerfile: Dockerfile
+    restart: always
+    depends_on:
+      timescale_db:
+        condition: service_healthy
+    env_file: .env
+    environment:
+      # Nightly pg_dump → rustfs. Credentials from .env (RUSTFS_*).
+      - BACKUP_HOUR=${BACKUP_HOUR:-2}
+      - BACKUP_MINUTE=${BACKUP_MINUTE:-30}
+      - BACKUP_KEEP_DAYS=${BACKUP_KEEP_DAYS:-30}
+      - BACKUP_RUN_ON_START=${BACKUP_RUN_ON_START:-0}
+      - RUSTFS_ENDPOINT=${RUSTFS_ENDPOINT}
+      - RUSTFS_ACCESS_KEY=${RUSTFS_ACCESS_KEY}
+      - RUSTFS_SECRET_KEY=${RUSTFS_SECRET_KEY}
+      - RUSTFS_BUCKET=${RUSTFS_BUCKET:-fleet-db}
+
 volumes:
   timescale-data:
     name: timescale-data