diff --git a/values/niks3/manifests/deployment.yaml b/values/niks3/manifests/deployment.yaml
index 6b1dbe14..527879d9 100644
--- a/values/niks3/manifests/deployment.yaml
+++ b/values/niks3/manifests/deployment.yaml
@@ -40,7 +40,7 @@ spec:
name: server
key: api-token
- name: NIKS3_S3_ENDPOINT
- value: "10.255.241.30:30080"
+ value: "s3.ceph.tos.obx"
- name: NIKS3_S3_BUCKET
value: "niks3"
- name: NIKS3_S3_REGION
diff --git a/values/niks3/manifests/gc-cronjob.yaml b/values/niks3/manifests/gc-cronjob.yaml
new file mode 100644
index 00000000..a42914ab
--- /dev/null
+++ b/values/niks3/manifests/gc-cronjob.yaml
@@ -0,0 +1,49 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: niks3-gc
+ namespace: niks3
+ labels:
+ app: niks3-gc
+spec:
+ # Daily at 03:00. niks3 gc asks the server to drop closures older than
+ # --older-than and clean up stale failed uploads; the server performs the
+ # actual S3 deletions, so this job only needs to reach the in-cluster API.
+ schedule: "0 3 * * *"
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ backoffLimit: 2
+ template:
+ metadata:
+ # NOT app: niks3 — that label is the Service selector and would route
+ # cache traffic to this job. Its egress is governed by allow-gc-egress.
+ labels:
+ app: niks3-gc
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: gc
+ image: ghcr.io/mic92/niks3:v1.6.1
+ # Image entrypoint is /bin/niks3-server; override with the client.
+ command: ["/bin/niks3", "gc"]
+ args:
+ - --server-url=http://niks3:5751
+ - --auth-token-path=/secrets/api-token
+ - --older-than=720h
+ volumeMounts:
+ - name: server
+ mountPath: /secrets
+ readOnly: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 128Mi
+ volumes:
+ - name: server
+ secret:
+ secretName: server
diff --git a/values/niks3/manifests/policies/allow-gc-egress.yaml b/values/niks3/manifests/policies/allow-gc-egress.yaml
new file mode 100644
index 00000000..ef81bb1b
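Review bot: The new NIKS3_S3_ENDPOINT value `s3.ceph.tos.obx` carries neither a scheme nor a port, whereas the removed `10.255.241.30:30080` named the port explicitly, so which port is used and whether the S3 connection is TLS now depends on the client's defaults, which this hunk does not show. If the client falls back to plain HTTP, the S3 credentials and cache contents cross the node network unencrypted; spelling the scheme (and port, if non-default) out in the value, or confirming the client defaults to HTTPS with certificate verification, removes the ambiguity. The server pod also now needs DNS to resolve the name, so if its egress is restricted by a policy in the style of allow-gc-egress that policy would need a DNS rule as well. The env list continues outside the hunk.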
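Review bot: The Job spec sets `backoffLimit: 2` but no `activeDeadlineSeconds`, so under `concurrencyPolicy: Forbid` a single gc run that hangs would block every later schedule until the pod is removed by hand; a bounded deadline turns that into a failed run that the next schedule simply retries. The pod template also carries no securityContext and leaves the service-account token mounted although, per the comment, the job only needs to reach the niks3 server: `automountServiceAccountToken: false`, a RuntimeDefault seccomp profile, `allowPrivilegeEscalation: false` and dropping all capabilities cost nothing for a client CLI. Whether `runAsNonRoot` and `readOnlyRootFilesystem` can be added on top depends on the image's default user and on whether the client writes temporary files, which the hunk does not show. Pinning the image by digest rather than the `v1.6.1` tag would additionally make the scheduled job's content immutable between runs.
```yaml
  jobTemplate:
    spec:
      backoffLimit: 2
      # Bound a single run so a hung gc cannot block later schedules under
      # concurrencyPolicy: Forbid (value illustrative; size to the expected
      # gc duration).
      activeDeadlineSeconds: 3600
      template:
        # … unchanged: metadata/labels …
        spec:
          restartPolicy: Never
          # The job talks only to the niks3 server, never to the Kubernetes API.
          automountServiceAccountToken: false
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: gc
              # … unchanged: image, command, args, volumeMounts, resources …
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
          # … unchanged: volumes …
```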
--- /dev/null
+++ b/values/niks3/manifests/policies/allow-gc-egress.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gc-egress
+ namespace: niks3
+spec:
+ description: niks3-gc job egress to the in-namespace niks3 server and kube-dns
+ endpointSelector:
+ matchLabels:
+ app: niks3-gc
+ egress:
+ # niks3 server HTTP API (same namespace)
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: niks3
+ toPorts:
+ - ports:
+ - port: "5751"
+ protocol: TCP
+ # DNS resolution
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+ rules:
+ dns:
+ - matchPattern: "*"
+{{- end }}
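Review bot: The first egress rule's toEndpoints matches only `io.kubernetes.pod.namespace: niks3`, so the gc job may open port 5751 on any pod in the namespace rather than just the server; adding the server's pod label, e.g. `app: niks3` under that matchLabels (the cronjob comment names it as the Service selector — confirm it is also the pod label), narrows the rule to the intended endpoint. The DNS rule's `matchPattern: "*"` permits lookups of any name, and since the only destination is the in-namespace `niks3` service a pattern limited to that name (as the cluster's search domains expand it) would tighten it further, though `*` is a common starting point. Note that when `.Values.clusterConfig.cilium.enabled` is false nothing is rendered, while the cronjob comment states the job's egress is governed by this policy; that gap is worth recording where the value is documented.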