diff --git a/Architecture.md b/Architecture.md
index f365381..44b24da 100644
--- a/Architecture.md
+++ b/Architecture.md
@@ -48,3 +48,11 @@ Yay! you now have an interface, and an IP address to broadcast on :D
    IP: 10.0.0.55
 3. premhome-eagle-1
    IP: 10.0.0.248
+
+## Deploying secrets
+
+```sh
+kubectl create secret generic 1password-credentials --from-file=1password-credentials.json --namespace 1password-system
+
+kubectl create secret generic 1password-token --namespace 1password-system --from-literal token=<token>
+```
diff --git a/infra/controllers/1password.yaml b/infra/controllers/1password.yaml
index a077c9b..c64b4a1 100644
--- a/infra/controllers/1password.yaml
+++ b/infra/controllers/1password.yaml
@@ -12,21 +12,30 @@ metadata:
 spec:
   interval: 5m0s
   url: https://1password.github.io/connect-helm-charts/
-# ---
-# apiVersion: helm.toolkit.fluxcd.io/v2
-# kind: HelmRelease
-# metadata:
-#   name: 1password
-#   namespace: 1password-system
-# spec:
-#   connect:
-#     serviceType: LoadBalancer
-#     credentials:
-#       secretName: 1password-credentials
-#       secretKey: 1password-credentials.json
-#   operator:
-#     create: true
-#     token:
-#       name: 1password-token
-#       key: token
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: 1password
+  namespace: 1password-system
+spec:
+  chart:
+    spec:
+      chart: connect
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: 1password-repo
+      version: 1.16.x
+  interval: 1m0s
+  values:
+    connect:
+      serviceType: LoadBalancer
+      credentialsName: 1password-credentials
+      credentialsKey: 1password-credentials.json
+    operator:
+      create: true
+      token:
+        name: 1password-token
+        key: token