diff --git a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
index 57e717133..51a984b5b 100644
--- a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
@@ -1,51 +1,66 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: slskd-config-secret + name: airvpn-wireguard-conf namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: slskd-config-secret + app.kubernetes.io/name: airvpn-wireguard-conf app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: slskd.yml + - secretKey: conf remoteRef: - key: /cl01tl/slskd/config - - property: slskd.yml + key: /airvpn/config + property: conf + - secretKey: private-key + remoteRef: + key: /airvpn/config + property: private-key + - secretKey: preshared-key + remoteRef: + key: /airvpn/config + property: preshared-key + - secretKey: addresses + remoteRef: + key: /airvpn/config + property: addresses + - secretKey: input-ports + remoteRef: + key: /airvpn/config + property: input-ports --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: slskd-wireguard-conf + name: protonvpn-wireguard-conf namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: slskd-wireguard-conf + app.kubernetes.io/name: protonvpn-wireguard-conf app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: + - secretKey: conf + remoteRef: + key: /protonvpn/config + property: conf + - secretKey: email + remoteRef: + key: /protonvpn/config + property: email + - secretKey: password + remoteRef: + key: /protonvpn/config + property: password - secretKey: private-key remoteRef: - key: /airvpn/conf/cl01tl + key: /protonvpn/config property: private-key - - secretKey: preshared-key - remoteRef: - key: /airvpn/conf/cl01tl - property: preshared-key - - secretKey: addresses - remoteRef: - key: /airvpn/conf/cl01tl - property: addresses - - secretKey: input-ports - remoteRef: - key: /airvpn/conf/cl01tl - 
property: input-ports diff --git a/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml new file mode 100644 index 000000000..ad87f8ccb --- /dev/null +++ b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +kind: SecretProviderClass +metadata: + name: slskd-config-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: slskd-config-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + provider: openbao + parameters: + roleName: reader + objects: | + - objectName: slskd-config-secret + fileName: slskd.yml + secretPath: cl01tl/slskd/config + secretKey: slskd.yml diff --git a/clusters/cl01tl/helm/slskd/values.yaml b/clusters/cl01tl/helm/slskd/values.yaml index 985a62cd5..164b34124 100644 --- a/clusters/cl01tl/helm/slskd/values.yaml +++ b/clusters/cl01tl/helm/slskd/values.yaml @@ -60,29 +60,14 @@ slskd: command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] env: - name: VPN_SERVICE_PROVIDER - value: airvpn + value: protonvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: - name: slskd-wireguard-conf + name: protonvpn-wireguard-conf key: private-key - - name: WIREGUARD_PRESHARED_KEY - valueFrom: - secretKeyRef: - name: slskd-wireguard-conf - key: preshared-key - - name: WIREGUARD_ADDRESSES - valueFrom: - secretKeyRef: - name: slskd-wireguard-conf - key: addresses - - name: FIREWALL_VPN_INPUT_PORTS - valueFrom: - secretKeyRef: - name: slskd-wireguard-conf - key: input-ports - name: FIREWALL_OUTBOUND_SUBNETS value: 192.168.1.0/24,10.244.0.0/16 - name: FIREWALL_INPUT_PORTS 
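Review bot: Both ExternalSecrets now sync more than the workload is shown to consume: `protonvpn-wireguard-conf` copies `email` and `password` from `/protonvpn/config` into a namespace Secret, and `airvpn-wireguard-conf` copies five AirVPN properties, while the values.yaml hunk in this commit reads only `private-key` from `protonvpn-wireguard-conf`. Anyone who can read Secrets in the release namespace would get the ProtonVPN account credentials along with the WireGuard key. If nothing outside the visible hunks uses them, I would drop the `email` and `password` entries and the whole `airvpn-wireguard-conf` document, or gate that document on the selected provider. The remote keys also moved from the cluster-scoped `/airvpn/conf/cl01tl` to the shared `/airvpn/config`, so the policy behind the `openbao` store should be checked to confirm it grants this chart only the paths it needs.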
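Review bot: `roleName: reader` is a generic role whose binding is not part of this diff, so confirm that the OpenBao role is bound to this release's service account and namespace and that its policy covers only `cl01tl/slskd/config`. The CSI provider authenticates with the pod's own service account, so a broadly bound `reader` would expose the same path to every workload that can assume it. Separately, `secrets-store.csi.x-k8s.io/v1alpha1` is the deprecated version of this API; `apiVersion: secrets-store.csi.x-k8s.io/v1` is the current one, provided the installed driver serves it. If the backing engine is KV v2, `secretPath` presumably needs the mount name and a `data/` segment, so `cl01tl/slskd/config` should be checked against how the mount is configured.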
@@ -159,9 +144,13 @@ slskd: value: / persistence: slskd-config: - enabled: true - type: secret - name: slskd-config-secret + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: slskd-config-secret advancedMounts: main: main:
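Review bot: The new `csi` volume fetches `slskd.yml` when the pod is mounted, so a later change in OpenBao does not reach the running pod unless the driver's rotation feature is enabled, which is not visible here. With the previous Secret-backed volume, the synced Secret was the update path. A comment above `volumeSpec` would also help, e.g. `# Secrets Store CSI mount; secretProviderClass must match metadata.name in templates/secret-provider-class.yaml`, because the two names are coupled only by string. The `advancedMounts` block continues outside the hunk, so the mount path cannot be checked from here.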