diff --git a/docs/architecture/secrets-management.md b/docs/architecture/secrets-management.md index b9498a0c..544aa02a 100644 --- a/docs/architecture/secrets-management.md +++ b/docs/architecture/secrets-management.md @@ -26,4 +26,66 @@ flowchart TD ClusterSecretStore --> ExternalSecret ``` -TODO: more details on how to use secrets +## Generate random secret + +This is useful when you want to generate random secrets like admin password and store in Vault. + +```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6" +--8<-- +./platform/vault/files/generate-secrets/config.yaml +--8<-- +``` + +## Pulling secrets from Vault to Kubernetes + +Commit and push an `ExternalSecret` object, for example: + +```yaml hl_lines="4 21-23" +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitea-admin-secret + namespace: gitea +spec: + data: + - remoteRef: + conversionStrategy: Default + key: /gitea/admin + property: password + secretKey: password + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: vault + target: + creationPolicy: Owner + deletionPolicy: Retain + template: + data: + password: '{{ .password }}' + username: gitea_admin + engineVersion: v2 +``` + +This will create a corresponding Kubernetes secret: + +`kubectl describe secrets -n gitea gitea-admin-secret` + +```yaml hl_lines="1 8-11" +Name: gitea-admin-secret +Namespace: gitea +Labels: +Annotations: reconcile.external-secrets.io/data-hash: + +Type: Opaque + +Data +==== +password: 32 bytes +username: 11 bytes +``` + +Please see the official documentation for more information: + +- [External Secrets Operator](https://external-secrets.io) +- [API specification](https://external-secrets.io/latest/spec) diff --git a/docs/runbooks/dnsmasq.md b/docs/runbooks/dnsmasq.md index e49ac6ed..5681d651 100644 --- a/docs/runbooks/dnsmasq.md +++ b/docs/runbooks/dnsmasq.md 
@@ -2,7 +2,7 @@ ## Overview -Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning. +Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning. Proxy mode is enabled by default allowing the use of existing DHCP servers on the network. A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq) diff --git a/platform/vault/files/generate-secrets/config.yaml b/platform/vault/files/generate-secrets/config.yaml index 32f92abc..4b9b29d7 100644 --- a/platform/vault/files/generate-secrets/config.yaml +++ b/platform/vault/files/generate-secrets/config.yaml @@ -4,22 +4,6 @@ - key: password length: 32 special: true -# TODO create tokens and put to Vault automatically -# - gitea/renovate: -# - id -# - token -# - gitea/dex: -# - client_id -# - client_secret -# TODO import to vault? -# - metal/ssh: -# - private_key # needs ending new line https://github.com/ansible/awx/issues/9082 -# - external/terraform-cloud: -# - token -# - external/cloudflare: -# - email -# - api_token -# - account_id # Dex - path: dex/grafana @@ -34,10 +18,3 @@ - key: password length: 32 special: true - -# Matrix -- path: matrix/bot/alert - data: - - key: password - length: 32 - special: true
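Review bot: In the `ExternalSecret` example added to docs/architecture/secrets-management.md, `creationPolicy: Owner` together with `deletionPolicy: Retain` means the `gitea-admin-secret` Secret in the `gitea` namespace survives deletion of the `ExternalSecret`, so the admin password outlives the object that created it and has to be removed by hand; the page should state that, and say that `refreshInterval: 1h` means a password rotated in Vault takes up to an hour to reach the cluster. The "Generate random secret" section also never says which job or script consumes `./platform/vault/files/generate-secrets/config.yaml`, under which Vault path each entry is written, or whether re-running it rotates an existing value; tying the `key: /gitea/admin` in the ExternalSecret back to the matching entry in that config would close the loop. Minor: the `kubectl describe` output is fenced as `yaml` although it is plain text, and the `reconcile.external-secrets.io/data-hash:` annotation has lost its value.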
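Review bot: The new sentence in docs/runbooks/dnsmasq.md says proxy mode is the default but not where that default lives or how to switch to full DHCP server mode, so a reader of the runbook cannot act on it; name the setting that toggles it and add a comma ("Proxy mode is enabled by default, allowing the use of existing DHCP servers on the network").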
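Review bot: In the first config.yaml hunk (`@@ -4,22 +4,6 @@`) the TODO list covering `gitea/renovate`, `gitea/dex`, `metal/ssh`, `external/terraform-cloud` and `external/cloudflare` is deleted with no replacement, and nothing else in the diff shows those items were implemented, so the tracking is simply lost; either keep the comment or move the items to an issue referenced from the commit. The `gitea/dex` `client_secret` in particular looks like it could be produced by the same generator as the remaining `length: 32` entries rather than dropped.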
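Review bot: In the second config.yaml hunk (`@@ -34,10 +18,3 @@`) removing the `matrix/bot/alert` entry stops generating that password but does not remove the value already stored under that path in Vault, nor any `ExternalSecret` that still references `matrix/bot/alert`; confirm no consumer remains and delete the Vault path, otherwise a stale credential stays in Vault indefinitely.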