diff --git a/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml b/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml
index c2b60a65a..cad0baf92 100644
--- a/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml
+++ b/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml
@@ -14,5 +14,5 @@ spec:
   data:
     - secretKey: api-key
       remoteRef:
-        key: /unifi/auth/cl01tl
+        key: /unifi/users/cl01tl
         property: api-key
diff --git a/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml b/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml
index 1def4cbf6..feb38c70c 100644
--- a/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml
+++ b/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml
@@ -22,5 +22,5 @@ spec:
         property: user
     - secretKey: password
       remoteRef:
-        key: /cl01tl/jellystat/cconfig
+        key: /cl01tl/jellystat/config
         property: password
diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml
index 99c8388aa..fd8d809cd 100644
--- a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml
+++ b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml
@@ -14,5 +14,5 @@ spec:
   data:
     - secretKey: ntfy_password
       remoteRef:
-        key: / cl01tl/ntfy/users/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: password
diff --git a/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml b/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml
index a3823e12a..11c7e2762 100644
--- a/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml
+++ b/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml
@@ -51,7 +51,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   key: key
-                  name: ollama-key
+                  name: open-webui-key
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml
index da10c8289..211ae34e0 100644
--- a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml
@@ -14,5 +14,5 @@ spec:
   data:
     - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
       remoteRef:
-        key: /authentik/oidc/paperless-ngx
+        key: /cl01tl/authentik/oidc/paperless-ngx
         property: PAPERLESS_SOCIALACCOUNT_PROVIDERS
diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml
index 53439fa12..ea8c470ac 100644
--- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml
+++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml
@@ -14,11 +14,11 @@ spec:
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: token
     - secretKey: NTFY_ENDPOINT
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: endpoint
     - secretKey: NTFY_TOPIC
       remoteRef:
diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml
new file mode 100644
index 000000000..0ab1a6c88
--- /dev/null
+++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-token
+  namespace: vault
+  labels:
+    app.kubernetes.io/name: vault-token
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/part-of: vault
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: token
+      remoteRef:
+        key: /cl01tl/vault/role/snapshot
+        property: root
diff --git a/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml b/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml
index eaffaddd8..29ff99e12 100644
--- a/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml
+++ b/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml
@@ -15,4 +15,4 @@ spec:
     - secretKey: SECRET
       remoteRef:
         key: /cl01tl/yamtrack/config
-        property: SECRET
+        property: secret