diff --git a/app/mastodon/kube/dumper.jsonnet b/app/mastodon/kube/dumper.jsonnet
new file mode 100644
index 00000000..1b055686
--- /dev/null
+++ b/app/mastodon/kube/dumper.jsonnet
@@ -0,0 +1,24 @@
+# mildly cursed
+# run manually, change filename (but don't commit it)
+local mastodon = import "prod.jsonnet";
+local kube = import "../../../kube/kube.libsonnet";
+
+local filename = error "change me";
+
+mastodon.namespace.Contain(kube.Job("mastodon-backup-dumper")) {
+ spec+: {
+ template+: {
+ spec+: {
+ containers_: {
+ default: kube.Container("dumper") {
+ image: "nixery.dev/shell/postgresql_13/zstd/rclone",
+ env_: mastodon.env,
+ args: ["bash", "-c",
+ "pg_dump -d postgres://$DB_USER:$DB_PASS@$DB_HOST/mastodon?sslmode=disable -v -c -C --if-exists | zstd -10 | rclone --s3-provider=Ceph --s3-env-auth=true --s3-endpoint=$S3_ENDPOINT rcat :s3:$S3_BUCKET/%s.sql.zstd" % filename
+ ]
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/app/mastodon/kube/mastodon.libsonnet b/app/mastodon/kube/mastodon.libsonnet
index 6261323f..eac66fd1 100644
--- a/app/mastodon/kube/mastodon.libsonnet
+++ b/app/mastodon/kube/mastodon.libsonnet
@@ -15,7 +15,7 @@ local redis = import "../../../kube/redis.libsonnet";
 # /.well-known/webfinger to webDomain.
 webDomain: cfg.localDomain,
 images: {
- mastodon: "tootsuite/mastodon:v4.0.6@sha256:472c355da5a27b91005dc78c0b5cf75d6baaf1c561c29db1c49ce9168c5de0a9",
+ mastodon: "tootsuite/mastodon:v4.1.9@sha256:525032827b5438c47670f44194e4adaed9f2c46f39c28cb37e9feb54b93b9ebf",
 },
 passwords: {
 # generate however you like
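Review bot: The `bash -c` pipeline in `args` of dumper.jsonnet runs without `set -o pipefail`, so a failing `pg_dump` still lets `zstd | rclone rcat` exit 0 and the Job reports success with a truncated or empty object in the bucket; prefix the command string with `set -euo pipefail; `. The connection URI also expands `$DB_PASS` into pg_dump's argv, where it is readable from the process list and breaks on passwords containing URI-reserved characters; `PGPASSWORD="$DB_PASS" pg_dump -h "$DB_HOST" -U "$DB_USER" -d mastodon ...` avoids both. `sslmode=disable` sends the credentials and the whole dump unencrypted to the database host, which deserves a comment saying why that is acceptable on this network. The image `nixery.dev/shell/postgresql_13/zstd/rclone` is not pinned by digest, unlike the mastodon image bumped in this same commit, yet it receives all of `mastodon.env`; consider pinning it or passing only the DB and S3 variables the command uses.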
@@ -153,7 +153,12 @@ local redis = import "../../../kube/redis.libsonnet";
 migrate: kube.Container("migrate") {
 image: cfg.images.mastodon,
 env_: app.env {
- SKIP_POST_DEPLOYMENT_MIGRATIONS: "true",
+ //That's confusing one - all the random "how to mastodon in docker" tutorials
+ //say you need to set it. However, with this set, the web dashboard was sad
+ //about unfinished migrations.
+ //I can't obviously tell if we'd ever want this to be enabled though.
+ //Leaving it commented out here for now.
+ //SKIP_POST_DEPLOYMENT_MIGRATIONS: "true",
 },
 command: [
 "bundle", "exec",
@@ -280,6 +285,7 @@ local redis = import "../../../kube/redis.libsonnet";
 ingress: ns.Contain(kube.Ingress("mastodon")) {
+ // TODO(https://issues.hackerspace.pl/issues/74): mastodon's docs say we should enable CSP. Figure it out.
 metadata+: {
 annotations+: {
 "kubernetes.io/tls-acme": "true",
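Review bot: The six added `//` lines in the migrate container's `env_` (mastodon.libsonnet, hunk at -153) record the author's uncertainty rather than the reason for the change, and they leave the old setting behind as dead code. As far as I know from Mastodon's upgrade notes, `SKIP_POST_DEPLOYMENT_MIGRATIONS` is meant only for the first `db:migrate` pass of a zero-downtime upgrade, followed by a second pass without it once the new code is running, so a container that always sets it never applies the post-deployment migrations, which would match the dashboard warning. I would replace the block with one comment in the `#` style of the surrounding context lines, e.g. `# SKIP_POST_DEPLOYMENT_MIGRATIONS deliberately unset: this is the only migration pass, so it must also run post-deployment migrations.` How this container is scheduled relative to the web pods is outside the hunk; if it can run while pods on the previous version still serve traffic, that ordering is worth checking, because post-deployment migrations may remove schema the old code still reads.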