diff --git a/helmfile.d/atlantis.yaml.gotmpl b/helmfile.d/atlantis.yaml.gotmpl
index 48c3f2fe..b7e24a4e 100644
--- a/helmfile.d/atlantis.yaml.gotmpl
+++ b/helmfile.d/atlantis.yaml.gotmpl
@@ -3,11 +3,7 @@ bases:
 
 repositories:
 - name: oceanbox
-  {{- if env "MANIFESTS_ACCESS_TOKEN" }}
-  url: "git+https://git:{{ requiredEnv "MANIFESTS_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- else }}
-  url: "git+https://gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- end }}
+  url: "git+https://git:{{ requiredEnv "HELM_GIT_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
 
 commonLabels:
   tier: system
diff --git a/helmfile.d/sorcerer.yaml.gotmpl b/helmfile.d/sorcerer.yaml.gotmpl
index 9e8bc95d..c179723d 100644
--- a/helmfile.d/sorcerer.yaml.gotmpl
+++ b/helmfile.d/sorcerer.yaml.gotmpl
@@ -3,11 +3,7 @@ bases:
 
 repositories:
 - name: oceanbox
-  {{- if env "MANIFESTS_ACCESS_TOKEN" }}
-  url: "git+https://git:{{ requiredEnv "MANIFESTS_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- else }}
-  url: "git+https://gitlab.com/oceanbox/manifests@charts?ref=main"
-  {{- end }}
+  url: "git+https://git:{{ requiredEnv "HELM_GIT_ACCESS_TOKEN" }}@gitlab.com/oceanbox/manifests@charts?ref=main"
 
 commonLabels:
   tier: system
diff --git a/shell.nix b/shell.nix
index e2ad885a..4cf65763 100644
--- a/shell.nix
+++ b/shell.nix
@@ -37,5 +37,5 @@ pkgs.mkShellNoCC {
   ];
 
   ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
-  MANIFESTS_ACCESS_TOKEN = "glpat-xxx";
+  HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 }
diff --git a/values/argo/values/argocd.yaml.gotmpl b/values/argo/values/argocd.yaml.gotmpl
index d68597e6..006d8a05 100644
--- a/values/argo/values/argocd.yaml.gotmpl
+++ b/values/argo/values/argocd.yaml.gotmpl
@@ -178,6 +178,13 @@ repoServer:
   - command:
     - /var/run/argocd/argocd-cmp-server
     image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+    env:
+    - name: HELM_GIT_ACCESS_TOKEN
+      valueFrom:
+        secretKeyRef:
+          key: password
+          name: oceanbox-gitops-repo
+          optional: false
     imagePullPolicy: Always
     name: helmfile-cmp
     securityContext: