kay/github-runner: setup github runner age master key

2 files changed, 20 insertions, 8 deletions

diff --git a/os/kay/modules/github-runner.nix b/os/kay/modules/github-runner.nix
index 4462ff2..2b838ae 100644
--- a/os/kay/modules/github-runner.nix
+++ b/os/kay/modules/github-runner.nix
@@ -1,14 +1,24 @@
-{ config, ... }: let
-  secret_path = "misc/nocodb-runner-registration-token";
+{ config, ... }:
+let
   repo = "nocodb/nocodb";
-in {
-  sops.secrets.${secret_path} = {};
+in
+{
+  sops.secrets = {
+    "github-runner/nocodb-registration-token" = { };
+    "github-runner/age-master-key" = { };
+  };
 
   services.github-runners.kay = {
     enable = true;
     noDefaultLabels = true;
     extraLabels = [ "nix" ];
-    tokenFile = config.sops.secrets.${secret_path}.path;
+    tokenFile = config.sops.secrets."github-runner/nocodb-registration-token".path;
     url = "https://github.com/${repo}";
   };
+
+  systemd.services."github-runner-kay" = {
+    environment.SOPS_AGE_KEY_FILE = "%d/age-master-key";
+    serviceConfig.LoadCredential =
+      "age-master-key:${config.sops.secrets."github-runner/age-master-key".path}"; 
+  };
 }
diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml
index 98d6bb8..18e1672 100644
--- a/os/kay/secrets.yaml
+++ b/os/kay/secrets.yaml
@@ -14,9 +14,11 @@ mail.sinanmohd.com:
     dkim_rsa: ENC[AES256_GCM,data:lwdVm4BIUHTipsHAQuJ7rI2TJnWXv6OzBP6komprUCqVjYz7PKlwltqxNvYRnjmOoFg+G4TrHaBCwVtlqlprkr7o7xeQ1omd9xbaYdWmNHhRNvxejGYF9oldK+zVPj9za/PSk2eXkL9b3ByIxyWQKkO9+UXQjs+C33heY+6MIJRvg/+8FX8RnFgjIMIBwvakBAVQSzveJPDB0TL/CF4avijQD1C6ayjqqarhkDu2kQhGO+95DYR9VWL2k3c8YdsQnbah3u7qBHGJpGfbh+r6ZtK4tdvCxg9b/nJo2QfPovsZy8NRIbEe6xiGQL/1Wt+GD/+08b/yq2Q6ao5Dmlqq12Y2KHPJp/EneqOgPKq3qMQOay1mPTnTzV/HP5irOS/gMg3+7ewCX7EuGOCCf4xFmEctbiePvkBbo0J00raUPrbC/tPWZpWSeTo/11jstRmFW593FnaBBcwlvqAm83QNulpWktQZXwM6inabh9XdTcnFga9lRh9XFfkW93wtzsbUNAhrKpSpuhf6fHBm0wZQdUW8K1AGdTVluiSCdrUvSollf8RZQ60zedlq8H3rZnFUnlyaBaguSu4eTSLoA4sXst0xMD5PuWgtiNrKnOdAnbnyEznwxqaJQvOLZN35nfjUIosFqjAZAxSL8FvMPAMikbGvqvnKPI6uI/sC5JymulcpXdSYikco0xvxiszM8E9SHDjHOCEp5mnMv70dk3t/fwwJ8RvQpsef7h5KGFGNEFeWP47s30uJdEXUxNl9pmT5M3C8r8IpThEF2gzpg5IY6/IOnJvaLadsMBpkXp5qlrNBgPJNfwSGoM2tt8DG6wNlae9Yyr6ayt0OASP25XFMTwSbJ/30Gjqf90m/iKIOAsFYXTtqL9FJ9H/X2QKBGGAuA7gsZCJzpW5b8KQh4UO8AgISXaYxxFmnngDRqVLMhWTDJhfwtSXisVE3g3epJe0ZQbjpLGp+HOpUVKskIvuT/f6abNsVGbI+D2k1UPHZH8BhXImfy/lbrcsYUer/RX9D3ifP5RdYcIbzb77pXmPLEsnmMlKO/K9V0M9i/+wByRgHAnQkD6sCL3ZnpL3Q46cEAOwR4vM8yg1CnwGIGYSPTtSbjpUBk5xNVKMUt5nVdaY/nji9h6HS0loQVm/glBZGf/r0hBQ0VmpDXd6NsD0dropF/0nQfqToHQcZmjYsi1Q72vVo492H7b7QYbD5fMPN/iWQIhUyFylYcNxdhllB1OfSdgGAB1XHsXI3x3c/ePTID2q5gBVUWs2EyYU2sxL81xL3I91Xp/IB8hw7hlmJAftWZ3Ol418uQkv5A2+zPkL+T9AcOeZwyPAur/pN145Yv5SxlhFn26jzz2gJC/HxKxG12M2WH5vPwstHWZtefirXgclMRzDAarT8wGWEXBuYNWhPAXSapa5fKi90MJsvMbs38OVz/M9eyAuNgoOqKHF/ZGSiDs050LoTSQCeUGB7EZVlA+GVHeVG2nCAv/MRdu2m5joqxKTUZt6HPMCFMcoT8mmAbDQdWMAxKs1yJ7urogrEzfdneaLGVArlnAv5+XJUDXhZ7JftJitJ0sLkkRP9k46aAfGulmO5YEF9t2jHYkc1Hzi1nGZZ9IiUdRZup5fb5EI6i+I4gawLPZ+JKYHUtKEkkiPvxhAxfG2NIY4/pHJyH0d+Rb6B3DNT+QSoFUI9Ez7lXVFKG3q3QndY9DJsseCde+jFI3v/ENyI2+Ze8FmEvfJKcdPxY9wXJ1xd/E59NbDzdnU+Y3Uph3uojdOOP/N7x9AqhoYGo8xAZIhIFio4zXhHLvLCs7M6CF7N2sVwj31eE8Yo8QeyYPqd99wJPGdnOIOvL7XooLUAEHJ6NB9UjUbAtNpLguw5FpEqq3WyauB2Ex9G7Uqtli930MkjVWHiiheZkWw8UP5tLFHlsXvxR7NAiI6qNZSIDWr8dwudBZKHz91srlxYhD6DN0xC37TC09RbBUd6mzF5DaOJASD3YOXGA4KAx5Rb/CcCnxxLpna35lJmJjGAd0b8S+f1jzAtoqpYAk/FYlhlX4crKhrqiw9l+EsokYNxKuHFuIKwz4KrdzadT9sUOMJOzU+5SLPNplqmqJBfrp6L0lt/ylPANOO0TiT5IqavjFMPMObP04AQuK30RPrZ1crz06aGo2RK0hYEYYDjoygKFkU+iZYTUcgByKM5bpUlqnNSf3Jq1FEU/nEK6caOHiQ76F1thsm/e1FTvAYg+mOUPYz9/nl0vVFJrtr5cMXtqxh9E/f/ujczI+A=,iv:dPnpNUPSDiq5C14YzDM2K4mFHNRFgc6p+X3Zu33OH60=,tag:MhgfV3z1wcbAfpwZmVWczw==,type:str]
     dkim_ed25519: ENC[AES256_GCM,data:bberg3vGG9M3iPH1aLA+wIU6KNnxHRZxpGU5zT5Gqo9lohQa1wBDXCwsP0JaSfg56dhh9ZxF5HFd4V0nUzL6QMIeiExGkZmtdluaqki3fwFCssILch9pWOuM71Q1d7vi1eIN5PrAuX+6m8bmQBd1JIR+Kbz8dQ==,iv:C7wEFU7/xCh8LzyKXHSzgTX/L9OkmGWTnl5A94GLogw=,tag:j+sYtzzGN9guWa6T+ZUzbw==,type:str]
     password: ENC[AES256_GCM,data:w8kc2CJwab7qTFQeejXCjUBkfHSKhec9YTpCPjT8,iv:lj634vQoWcrJlc+lh9GL+Co/T+QPln8NHOZoT3ky3EU=,tag:gAeD4EjE4uQFCRM4I5ZakQ==,type:str]
+github-runner:
+    nocodb-registration-token: ENC[AES256_GCM,data:AKXoTMXsyuH+wQMsBvqjy6AdsbzVrFPe0KcSVfQ=,iv:h+rj8K2EswZlmd+AHnQ6aJ3sdy4Ku8y1EuVngE1Ifu0=,tag:Z66amJwbv61SBKUzLVrgxg==,type:str]
+    age-master-key: ENC[AES256_GCM,data:X9hF4Tlu/iki2VrkquYXyNZ22E+CJBN9oFXgzuZtzEMePnIHDON7XVmKvIm4FcPdRIUo7b085+QTSA5RKcslVMbix4BSyWwNLzA=,iv:r51gdhvXmVLGbZ3w0C+kGfRb3DqZaWH3AN6F8c9g+Po=,tag:EzJv7GHuHZofqpMF0ZlqIA==,type:str]
 misc:
     wireguard: ENC[AES256_GCM,data:kbUtxJv3xSmikJWgtu87TSo5N8tUb2BiH3dH3oOV36waYyXI3bp2aBeAl1k=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:BDSD9SfQuQppKT4+6Cu65w==,type:str]
-    nocodb-runner-registration-token: ENC[AES256_GCM,data:y0uIMS8Vi0nvicfKPtb1dY97Q0R6DrXNzogz5LM=,iv:OTcJO3CM2fj8xziOfrcOGrcKvQuFEhOc3fp7vYh2c/0=,tag:JjWHPwPE+IiTPVo9HJ3O5A==,type:str]
     nixbin.sinanmohd.com: ENC[AES256_GCM,data:WQDzDzOozWa73Bitex6BpE7D7KdVcgIKD1Yx92RbCoNzSa8+b33YtY92Vetu7OlH1Zw4tneKBH/hAjz4ytK1SHoFfKj9wvfdzR5L+8gRKYEwxnvcHyc5gekmAaeQr2bWyUS9PBYRRWTRLiL/5A==,iv:3hlqF2CvpnXS5oDpbW9RIERbDHPLMrgQ+TJ+q9EyrZM=,tag:U4E3b2oBqjMFXEONbz8eKw==,type:str]
 sops:
     kms: []
@@ -42,8 +44,8 @@ sops:
             OXgwSml4bkc1dnloNUFsRGFFcXFHc2cK26l2eiKbZUkogmAXoha6HTUs3YFKixYz
             bTkpKKyOAIIin3YM975wwvkCuWNG4tbnHBHQFh5JGK2OEyLDXuV7Pg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-18T02:13:01Z"
-    mac: ENC[AES256_GCM,data:YqIMf4B3l/dXmm9d5CMID48TPlq+uUz/g5/4rIWW+TDug/V3DDLSk5YBIBr8DJNcgRKEm7yR4/1Wj2qp9obeVq/McqU7FNfUx4ciA3a/gcSplKwhas3xtkV1AGR2by5AP7CPCABGU9kTROwBRVS+4aX67D1qbGxXMoiM9d+/6yM=,iv:M7rM7Q4tyrhwgMVue1MXIQfwp2956EwoszItxdEDjpM=,tag:D4TktCjnZcAqaIqZjzrc5g==,type:str]
+    lastmodified: "2025-03-01T09:24:06Z"
+    mac: ENC[AES256_GCM,data:KHkuNuqmA0XrLgwZqqGQLTgswL+0FSrBFu9yQwbYjx7Y50RNVmvk/f0A4t8GpKgBJBwyreCKWh+E2AWNQMmul+9GMrcyRYiIoP3Q8JmbIs2fH6FfIIqLy9ozks9UPOgru/XNiiFd1wi7X8CM6jK7JUsw0lZZFdcTp3C/qOS22BY=,iv:L1iMnqqAP5oLwYMGM3txwybpV+jc7yyhkNdo4hGChP8=,tag:hEK8/o1CBVe25NSht2mWAg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.3