diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml index f34a9f287..d7c6de96c 100644 --- a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml +++ b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml @@ -30,7 +30,7 @@ kube-prometheus-stack: http_config: basic_auth: username: ntfy-alertmanager - password_file: /etc/alertmanager/secrets/alertmanager-config-secret/ntfy_password + password_file: /etc/alertmanager/secrets/alertmanager-config-config/ntfy_password route: main: enabled: true diff --git a/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl b/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl index 838a01f34..3f3fc2a08 100644 --- a/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl +++ b/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl @@ -14,7 +14,7 @@ app.kubernetes.io/part-of: {{ .Release.Name }} {{- end }} {{/* -NFS names +ServiceAccount names */}} {{- define "custom.serviceAccountName" -}} matrix-synapse diff --git a/clusters/cl01tl/helm/roundcube/values.yaml b/clusters/cl01tl/helm/roundcube/values.yaml index 88b25cd51..283d611a0 100644 --- a/clusters/cl01tl/helm/roundcube/values.yaml +++ b/clusters/cl01tl/helm/roundcube/values.yaml @@ -103,7 +103,7 @@ roundcube: - name: ROUNDCUBEMAIL_DES_KEY valueFrom: secretKeyRef: - name: roundcube-key-secret + name: roundcube-key key: DES_KEY - name: ROUNDCUBEMAIL_DEFAULT_HOST value: tls://stalwart.stalwart diff --git a/clusters/cl01tl/helm/talos/templates/_helpers.tpl b/clusters/cl01tl/helm/talos/templates/_helpers.tpl index 10688fcef..fd712bb52 100644 --- a/clusters/cl01tl/helm/talos/templates/_helpers.tpl +++ b/clusters/cl01tl/helm/talos/templates/_helpers.tpl 
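Review bot: In kube-prometheus-stack/values.yaml the new `password_file` path points at a mount directory named `alertmanager-config-config`, and nothing in this hunk shows a Secret of that name being mounted. Alertmanager mounts each entry of `alertmanagerSpec.secrets` under `/etc/alertmanager/secrets/<secret-name>/`, so the directory segment must equal a listed Secret name exactly. The doubled `-config-config` suffix may be a generated name, or it may be a search-and-replace slip. If the file is absent, the ntfy receiver has no basic-auth password and alert delivery fails, so confirm the name against the mounted secrets and add a comment above the key such as `# directory = Secret name listed in alertmanagerSpec.secrets`. The receiver block this key belongs to starts outside the hunk.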
@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+ServiceAccount names
+*/}}
+{{- define "custom.serviceAccountName" -}}
+talos-backup-secrets
+{{- end -}}
diff --git a/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
index f3d7c0ca0..2f839bc05 100644
--- a/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
+++ b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
@@ -10,7 +10,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -70,7 +70,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: config
 fileName: config
diff --git a/clusters/cl01tl/helm/talos/templates/service-account.yaml b/clusters/cl01tl/helm/talos/templates/service-account.yaml
index 605a45acd..1096b3700 100644
--- a/clusters/cl01tl/helm/talos/templates/service-account.yaml
+++ b/clusters/cl01tl/helm/talos/templates/service-account.yaml
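Review bot: `roleName` in the four talos/templates/secret-provider-class.yaml hunks (at lines 10, 30, 50 and 70) now comes from `custom.serviceAccountName`, but in this chart that helper names a `talos.dev/v1alpha1` ServiceAccount, which appears to be a Talos API credential and not the Kubernetes identity a pod presents to OpenBao. An OpenBao Kubernetes-auth role is matched on the pod's own service account (`bound_service_account_names`), and no core `v1` ServiceAccount for talos is visible in this diff. Confirm that a role called `talos-backup-secrets` exists and is bound to the account the backup pods actually run as. A comment above the helper such as `{{/* also used as the OpenBao role name; the role must be bound to the pods' Kubernetes service account */}}` would record the coupling. Quoting the rendered value, `roleName: {{ include "custom.serviceAccountName" . | quote }}`, also guards against an empty or mistyped expansion.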
@@ -1,10 +1,10 @@
 apiVersion: talos.dev/v1alpha1
 kind: ServiceAccount
 metadata:
- name: talos-backup-secrets
+ name: {{ include "custom.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: talos-backup-secrets
+ app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 roles:
diff --git a/clusters/cl01tl/helm/vault/templates/_helpers.tpl b/clusters/cl01tl/helm/vault/templates/_helpers.tpl
index 10688fcef..9505d8172 100644
--- a/clusters/cl01tl/helm/vault/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/vault/templates/_helpers.tpl
@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+ServiceAccount names
+*/}}
+{{- define "custom.serviceAccountName" -}}
+vault
+{{- end -}}
diff --git a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
index 97627ac01..c6dd28bd9 100644
--- a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
+++ b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
@@ -10,7 +10,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: vault
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: vault
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: vault
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
diff --git a/clusters/cl01tl/helm/vault/templates/service-account.yaml b/clusters/cl01tl/helm/vault/templates/service-account.yaml
new file mode 100644
index 000000000..5db759b3e
--- /dev/null
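Review bot: The three vault/templates/secret-provider-class.yaml hunks (at lines 10, 30 and 50) hard-code `roleName: vault`, although this same commit adds a `custom.serviceAccountName` helper to the vault chart and uses the equivalent helper for the talos chart. With the literal, the OpenBao role name, the ServiceAccount rendered from the helper and `serviceAccount.name` in vault/values.yaml are three independent copies that must stay equal for the secrets-store login to succeed. Writing `roleName: {{ include "custom.serviceAccountName" . | quote }}` in all three places would tie the role to the account, so a later rename cannot silently point the pods at a different role.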
+++ b/clusters/cl01tl/helm/vault/templates/service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "custom.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
+ {{- include "custom.labels" . | nindent 4 }}
diff --git a/clusters/cl01tl/helm/vault/values.yaml b/clusters/cl01tl/helm/vault/values.yaml
index 41cbb085d..d3957852a 100644
--- a/clusters/cl01tl/helm/vault/values.yaml
+++ b/clusters/cl01tl/helm/vault/values.yaml
@@ -107,6 +107,8 @@ snapshot:
 schedule: 0 4 * * *
 backoffLimit: 3
 parallelism: 1
+ serviceAccount:
+ name: vault
 initContainers:
 snapshot:
 image:
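Review bot: The new ServiceAccount in vault/templates/service-account.yaml leaves token automounting at its default, so every pod that uses it gets a Kubernetes API token mounted. From what is visible, the account exists only to identify the snapshot job to OpenBao. If the snapshot containers do not call the Kubernetes API themselves, adding `automountServiceAccountToken: false` at the top level of the manifest would narrow what a compromised container can reach. Check this against how the secrets-store provider obtains its token in this cluster before applying it. The templated `name:` and label values would also be safer quoted, e.g. `name: {{ include "custom.serviceAccountName" . | quote }}`.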