runner-secrets
Purpose: the cluster-side secrets, split by sensitivity. Not in kustomize build —
delivered out-of-band (SOPS+age) so ArgoCD can sync the platform without decrypting.
Holds (manifests/components/runner-secrets/):
- forgejo-runner-conn — the host runner's connection config (config.yml: org uuid+token,
capacity, labels, job proxy env). Encrypted in git as runner-conn.sops.yaml.
- forgejo-runner-oci-conn — same, for the con-ci-oci runner (template only until applied).
- nextcloud-signing-key — the Nextcloud app-signing key (crown jewel), template only;
runtime-mounted in the signing job, never a Codeberg Actions secret.
Key facts:
- .sops.yaml lives at the repo root (so sops auto-discovers it); rule encrypts only
data/stringData, metadata stays readable.
- The age private key decrypts everything: on-cluster Secret sops-age (con-ci) + operator
copy at ~/.config/sops/age/keys.txt + an offline backup. Never in git.
- Codeberg only holds runner identity (uuid/token); never a deploy/push credential.
Operate:
- Encrypt: sops --encrypt --in-place manifests/components/runner-secrets/<x>.sops.yaml.
- Apply (until ArgoCD KSOPS exists): sops -d <x>.sops.yaml | kubectl -n con-ci apply -f -.
- Verify decrypt: sops -d <x>.sops.yaml >/dev/null && echo OK.
- Full runbook in onboarding.md.
Deferred: ArgoCD KSOPS auto-decrypt (needs the age key in the argocd ns + a repo-server
plugin); Change-2 migration to Vault/ESO (ESO 2.x is already installed cluster-wide).