kay/github-runner: setup github runner age master key

1 files changed, 15 insertions, 5 deletions

diff --git a/os/kay/modules/github-runner.nix b/os/kay/modules/github-runner.nix
index 4462ff2..2b838ae 100644
--- a/os/kay/modules/github-runner.nix
+++ b/os/kay/modules/github-runner.nix
@@ -1,14 +1,24 @@
-{ config, ... }: let
-  secret_path = "misc/nocodb-runner-registration-token";
+{ config, ... }:
+let
   repo = "nocodb/nocodb";
-in {
-  sops.secrets.${secret_path} = {};
+in
+{
+  sops.secrets = {
+    "github-runner/nocodb-registration-token" = { };
+    "github-runner/age-master-key" = { };
+  };
 
   services.github-runners.kay = {
     enable = true;
     noDefaultLabels = true;
     extraLabels = [ "nix" ];
-    tokenFile = config.sops.secrets.${secret_path}.path;
+    tokenFile = config.sops.secrets."github-runner/nocodb-registration-token".path;
     url = "https://github.com/${repo}";
   };
+
+  systemd.services."github-runner-kay" = {
+    environment.SOPS_AGE_KEY_FILE = "%d/age-master-key";
+    serviceConfig.LoadCredential =
+      "age-master-key:${config.sops.secrets."github-runner/age-master-key".path}"; 
+  };
 }