diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 53f0ec6..ca659b0 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -105,7 +105,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v4
         with:
-          version: v3.16.2
+          version: v4.1.4
 
       - name: Deploy via Helm
         run: |
@@ -113,4 +113,4 @@ jobs:
             -f ./deploy/values_override.yaml \
             --set image.tag=${{ github.ref_name }} \
             -n ${{ env.NAMESPACE }} \
-            --wait --timeout 5m
+            --rollback-on-failure --timeout 5m
diff --git a/Dockerfile b/Dockerfile
index d99d1ed..246f9d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,8 @@ RUN pnpm run check
 RUN pnpm run build
 
 # --- Backend Build ---
-FROM rust:1.95-slim-bookworm AS backend-builder
+FROM rust:1.95-alpine3.23 AS backend-builder
+RUN apk add --no-cache cmake g++ perl nasm sqlite-dev
 WORKDIR /app/backend
 COPY backend/Cargo.toml backend/Cargo.lock ./
 RUN mkdir src && echo "fn main() {}" > src/main.rs && cargo build --release && rm -rf src
@@ -20,9 +21,9 @@ COPY backend/demo ./demo
 RUN touch src/main.rs && cargo build --release
 
 # --- Runtime ---
-FROM debian:trixie-slim
-RUN apt-get update && apt-get install -y ca-certificates curl && rm -rf /var/lib/apt/lists/*
-RUN useradd -u 1000 -m app
+FROM alpine:3.23
+RUN apk add --no-cache ca-certificates curl sqlite-libs
+RUN adduser -D -u 1000 app
 WORKDIR /app
 COPY --from=backend-builder /app/backend/target/release/tutortool ./server
 COPY --from=backend-builder /app/backend/demo                       ./backend/demo
diff --git a/deploy/templates/cronjob-backup.yaml b/deploy/templates/cronjob-backup.yaml
index 8aa0444..e64b73e 100644
--- a/deploy/templates/cronjob-backup.yaml
+++ b/deploy/templates/cronjob-backup.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.backup.enabled }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -25,7 +26,7 @@ spec:
                   topologyKey: kubernetes.io/hostname
           containers:
             - name: backup
-              image: alpine:latest
+              image: alpine:3.23
               command:
                 - /bin/sh
                 - -c
@@ -40,3 +41,4 @@ spec:
             - name: data
               persistentVolumeClaim:
                 claimName: {{ include "tutortool.fullname" . }}-data
+{{- end }}
diff --git a/deploy/values.yaml b/deploy/values.yaml
index 83fcffe..c7febb4 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -48,6 +48,9 @@ httpRoute:
 # Do not set jwtSecretValue in committed values — provision via kubectl manually.
 jwtSecretName: tutortool-jwt
 
+backup:
+  enabled: true
+
 env:
   DATABASE_URL: sqlite:/data/attendance.db
   STATIC_DIR: /app/frontend/build
diff --git a/deploy/values_override.yaml b/deploy/values_override.yaml
index f3587bf..80c0c71 100644
--- a/deploy/values_override.yaml
+++ b/deploy/values_override.yaml
@@ -7,3 +7,6 @@ image:
 
 env:
   extra: {}
+
+backup:
+  enabled: false