diff --git a/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml b/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
index b5916382d..35f5f5e54 100644
--- a/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
@@ -13,5 +13,5 @@ spec:
   data:
     - secretKey: api-key
       remoteRef:
-        key: /unifi/auth/cl01tl
+        key: /unifi/users/cl01tl
         property: api-key
diff --git a/clusters/cl01tl/helm/jellystat/templates/external-secret.yaml b/clusters/cl01tl/helm/jellystat/templates/external-secret.yaml
index 276ff1e8d..92cc3ea66 100644
--- a/clusters/cl01tl/helm/jellystat/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/jellystat/templates/external-secret.yaml
@@ -21,5 +21,5 @@ spec:
         property: user
     - secretKey: password
       remoteRef:
-        key: /cl01tl/jellystat/cconfig
+        key: /cl01tl/jellystat/config
         property: password
diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml
index 8530381a4..de30e08a7 100644
--- a/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml
@@ -13,7 +13,7 @@ spec:
   data:
     - secretKey: ntfy_password
       remoteRef:
-        key: / cl01tl/ntfy/users/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: password
 
 ---
diff --git a/clusters/cl01tl/helm/vault/templates/external-secret.yaml b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
index 7f133691e..edb91b254 100644
--- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
@@ -1,5 +1,24 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
+metadata:
+  name: vault-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-token
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: token
+      remoteRef:
+        key: /cl01tl/vault/role/snapshot
+        property: root
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
 metadata:
   name: vault-snapshot-agent-role
   namespace: {{ .Release.Namespace }}