diff --git a/forgejo/.gitattributes b/forgejo/.gitattributes new file mode 100644 index 0000000..f93d84a --- /dev/null +++ b/forgejo/.gitattributes @@ -0,0 +1 @@ +**/secrets/*.y*ml filter=age diff=age merge=age -text diff --git a/forgejo/kustomization.yaml b/forgejo/kustomization.yaml index 7c7e3d8..0fcd180 100644 --- a/forgejo/kustomization.yaml +++ b/forgejo/kustomization.yaml @@ -15,8 +15,11 @@ images: newTag: "3.4.1" resources: + - resources/secrets/admin-credentials.yaml + - resources/secrets/infra-credentials.yaml - resources/routes.yaml - resources/dragonfly.yml + - resources/runners/secrets/runners.yaml - resources/runners/act-runner-arm64.yaml - resources/runners/act-runner-amd64.yaml - resources/runners/cache-pvc.yaml @@ -41,6 +44,3 @@ helmCharts: skipTests: true apiVersions: - "networking.k8s.io/v1/Ingress" - -generators: - - ./secret-generator.yaml \ No newline at end of file diff --git a/forgejo/resources/admin-credentials.enc.yaml b/forgejo/resources/admin-credentials.enc.yaml deleted file mode 100644 index 36d4190..0000000 --- a/forgejo/resources/admin-credentials.enc.yaml +++ /dev/null 
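Review bot: Nothing in the added `.gitattributes` line makes the `age` filter mandatory, and the driver itself lives in each clone's git config, which this commit does not carry. Git treats an undefined filter as a pass-through unless `filter.age.required` is set to `true`, so a contributor without the driver would commit files under `secrets/` in plaintext with no warning. I would document the setup next to this file (the clean, smudge and textconv commands plus `git config filter.age.required true`) and add a pre-commit or CI check that every path matching the pattern starts with the `age-encryption.org/v1` header. The pattern `**/secrets/*.y*ml` also covers only files directly inside a `secrets` directory, so a nested subdirectory or a different extension would not be filtered.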
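Review bot: The three `secrets/*.yaml` entries added under `resources:` are only valid manifests in a checkout where the `age` smudge filter has run, and with the ksops `generators:` entry removed further down in this file nothing decrypts at build time any more. A `kustomize build` from a clone without the filter and key (a CI job or a GitOps controller, if one is used here) would read age ciphertext and most likely fail, and every working tree that can build now holds the Secret manifests in plaintext on disk. If that trade-off is intended, a comment above the entries such as `# decrypted by the git 'age' smudge filter (see .gitattributes); build only from a filtered checkout` would make the dependency explicit. The hunk shows only part of the `resources:` list.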
@@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: forgejo-admin-credentials -type: Opaque -stringData: - password: ENC[AES256_GCM,data:c7XwM+a8OHXU7yovRfvX,iv:LX/dP8QxQoRus/MGijpXO0t0PjFeAtB6iTBa2OlIceg=,tag:RJuxiISXnMQdkt44avhL3w==,type:str] - username: ENC[AES256_GCM,data:tkl0o85yyf41vPc=,iv:1zdcy3qhMmpFLP8BsNHJ+YBRbtDBWt8xtxSvNAuBMiM=,tag:1Cui9dcneiyAZb8y7zFWCA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N2dUTE8rVVF4SVV0Z2Q5 - aGZRdkI0QVc3N1BJRnN4dVpWRkxKa3Q1MkNBCmI3V1JiSzhEdk4rYzNNUFp0YklV - Y2dCSERmRXNMZGdldUg2emdrdGs0L0kKLS0tIFo1R3F1RFpoQXJ1WXdYMGErSGIv - UjBUODZudEVLOHJrbFBRNVJlYXVrb2cKwC13RKJZkF3bFA9AlXARfr03T0cKaCOR - RvtRKKHoS1iW095l1l2T+aSoPiAi1BdYBLuaH7fl6RhFW8q6veR64Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBc3JJbVJPVUl4ZklaT2FU - RjBUb3NmTEVBTldEd2Q2Q0sxVjcxS1ViSkNzCnloUjB3ZVBmVmJDTmJpQ1JsbHdZ - cnpHU2VSTmFETHIyR0oxbUM3ei8wbGcKLS0tIFp6TUJHTzJpQzMydlo3YVoxQVBW - RldtRnI1YnBMTGt0SVN3OGt3empNRG8K72vZ0rxA2jUsqiqoWoYZyTWDwcJl+lhV - SVvbq6wtz5tMqsPY3zFyfehaLqRR21ADZhbJgWMNvUcqpJ1YJCznhA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-26T20:22:36Z" - mac: ENC[AES256_GCM,data:IBwGNRBOlZwXyL/m4NuwbQzh+Pdaitr7JBmJam1hrbGx//yFyrlcthLnCpxHRvxJ6+y05NZdzvSDiUILQeQGZ9kR7wjWxypBRV6tJw1k9kZ5tEiz/MMPLyXvTVr7jcv1lXV70qRzT/ZodMSwWyQz9t0rQchTdyUxA7wOxg6wqfE=,iv:U0hOm2Htxxi6ZZYLHPkgizaGHbPwi0ZMuUwyOmf15fs=,tag:RijQRWYqiEcprayxpVH91w==,type:str] - pgp: [] - unencrypted_regex: ^(apiVersion|metadata|kind|type)$ - version: 3.8.1 diff --git a/forgejo/resources/credentials.enc.yaml b/forgejo/resources/credentials.enc.yaml deleted file mode 100644 index e74f538..0000000 
--- a/forgejo/resources/credentials.enc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: forgejo-credentials -type: Opaque -stringData: - database: ENC[AES256_GCM,data:kTQSEpMRi0ze+d0nsYerRFfhlS8VzZ7stF6AaXCKg4c=,iv:ZK+l+N2LTmXiJ7eHbNpgq5cQ2geXJJVUwcnhqSvJaTk=,tag:zfK4sXZVg89aXNco2zVYkw==,type:str] - attachment: ENC[AES256_GCM,data:1yXF5ynIGQ8gv6F9SkehA+xnwlI0b1BuZAaSpmymNF/nm01rM5St0G2HBRAQp9i9HeJuRL3DitywAXqVyT1Usx5PFZrK3DnN1NoCCKFEOq5E3JFDQcVrisWtqab562y4ucR5GlynZHG+mjWEExTldnCoQc03KM8m/JsHI4Z5lV23/p+yrSMu/GpxERsu,iv:Llsh9nftLztMX5+3HML0u3hnaKoFKADR0Lj8WCDtsaU=,tag:yH65vLuB+/jUL+Rvaxt6CA==,type:str] - storage: ENC[AES256_GCM,data:6RyQ4kXlBexGZbHd8/RO7TdZ6jv+I9LC7rqHfZo9949G4FWDS47PdAtMWWV9IG/k2RziB//aBe8E7C5uvFWIpSQF7p4gxNTmdSzRq4/e1HrSdOKZ2+GdDPAzD7PWo7L7GhDN5iuAlUKAVsl/DFJWUkH6vFWPmVf3nJ/sW5MRjpjgzWuAzQAgdJttCxEi,iv:Xoy0TJ4QSoyY/b+EWkFEnx3OlBQSXNLJQL3nwTOv6Tg=,tag:7E2AMs7IkdZkN99cb7gAAg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0lPdlVhQWp0ZlNtdnZn - QWREaDF0NGtkVmx4UHhhNXJEbW55SHdtcWlnCisxcFRzR3BzUXk1L05DYXgxRHpU - Q2QwbzlLVzdiS2Q4RlpBUnlLTmptbnMKLS0tIGx2OTFiUlRmZkNyRzFVbEhqVFQ0 - c3NZQkYvbzFDM2hjcmVvbHJ6S3dLUkUK/ye/CGkeP+fyAR4SWzxvHYXfQUv1Trit - mW0DaG99PWGF3PuxjPRAVm/nZw7dRNtQkrqx88lSdObkMSq2pMwarw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlb2E3eGpqTFB1VExiNXNm - VXpRbjc1RmllaU1LSFdRZnpvWnZoWmR4RDJjCkJIRmdieXNzRGIzNnhuclg3LzRh - QU9tRnFzY0JHQWFvNWM3UEI2YmliRW8KLS0tIHNNemVzdmNrektDK0V0MHVSYjl3 - bHk2WG41aDdPeWVJR0NjRWZOVnVMS2cKLZZt2VNc5XdqW9Cknr2Re7pW2+s5CSYj - hQyzCSAPp8hN9mietVqzX3eyFf9ngYJ96TjvBd+2dduxchxAEoi4tQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-07T21:04:47Z" - mac: 
ENC[AES256_GCM,data:+9JzeBV2UT8O+d98Pvmx4+IujahWvuIIQijjW/JYaE6vbNfzcp21L+3jtU4JZb5Yj3KTySLvlaMvHKDxER/xHsIbYKUF0MMm90eJnccxiiJ7YhPKMkHmRhGbNEP60COv01O1bba4RrAqFdS0velAo74PmYFZO0gAX5T0080+4KQ=,iv:9J6QCO1J4scRCQklRtc62rcNSaVxsKfgqHpjsITruZM=,tag:jlUKMcYvSWmG7KpUOhNN5A==,type:str] - pgp: [] - unencrypted_regex: ^(apiVersion|metadata|kind|type)$ - version: 3.8.1 diff --git a/forgejo/resources/runners/runner-registrations.enc.yaml b/forgejo/resources/runners/runner-registrations.enc.yaml deleted file mode 100644 index 4f40c6e..0000000 --- a/forgejo/resources/runners/runner-registrations.enc.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: forgejo-runner-secret -type: Opaque -stringData: - token: ENC[AES256_GCM,data:WDGyB/Kix8psyBGIa4s+9d92efqe2U8X8cYfauL9aHu0JS6QDqnODQ==,iv:ENvqwwi6Wp6oyVWHBe31EPq+k/NPjyYcW8oKlVzrK70=,tag:azOqnPyUekay1PtFjbf3ZQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eUJYZGNhZ1ZocjBkZkdF - S1JGaFJXd0ErSWtySVcySy93bElLUjNTa1Q4Cko3UmR2bXo4L2RMaWJZQ1B4WTFW - QWhOWS9GVnVIa3hyTk1UNG5wVnVpOEEKLS0tIDM4cEZsZjVLR0dtQ1FkRnNPaVV5 - ejUrMVRLMGROWjFrWUZpd1E5SmtDSzAKAbzU1DcQ6l7mSTLKTxzNFx0y9tMxw+dF - KFNKs/3YWpns07tomAdnDeKhXj6EvDsuxhz+wNg6b6/6wAISoYZI3g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVExLZElOS29RQmRySnlV - blZ1SFZ5R1NoSlUxZ0JJOVkrL0xLaktraHlvCnQ5dlE0cEVpeW93K1BheWNDcUx1 - b0lIVTNVaWxoZWhzTUlBQ0YwTDhxdHcKLS0tIFBGVEoyM21tM3BaVlZsNzBNaDgr - VnExSnBIcEVCRVNjeFdDbGZNbURLUEkKTZLpcYtYWKgHWISrxkvVeU+x56QHf0lF - xxG8xPUiesGm/MBidk19TblX14oWy+VYA65KQrHBtgBIJUmohnNLvw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-21T20:31:49Z" - mac: ENC[AES256_GCM,data:XyrEZRhWD6MW37MMpeVOS51wXjr5gtwU+sDXaRM4eETNUKmNniatblykZ8xE8Q1QPgUWnR6Styoexcvwhagljk7yUT1QaWKwLrPfvVdxtiMJe+bpvlhI1ab/lPDZZ0wOcm9VJOrUVu/t81DT2NmZdZ5NSPdOMS1IHi0cLzJbP/I=,iv:N0tsB0opPQ7xkw3nT0ka62wUs1mKcAV5MctsP5ovu/8=,tag:vUACVwv6RaSXN7yX7qh97Q==,type:str] - pgp: [] - unencrypted_regex: ^(apiVersion|metadata|kind|type)$ - version: 3.8.1 diff --git a/forgejo/resources/runners/secrets/runners.yaml b/forgejo/resources/runners/secrets/runners.yaml new file mode 100644 index 0000000..4161ff0 Binary files /dev/null and b/forgejo/resources/runners/secrets/runners.yaml differ 
diff --git a/forgejo/resources/secrets/admin-credentials.yaml b/forgejo/resources/secrets/admin-credentials.yaml new file mode 100644 index 0000000..07618a7 --- /dev/null +++ b/forgejo/resources/secrets/admin-credentials.yaml @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> X25519 uDV7QKxmEkxayrj61x3RdTMfbA4tMhnU7VawlhhAERY +VrBnv6RDUduhQI99xRwN5Q3OWV40L7G+rgPsses8pKw +--- xaguz3upKpwxoczn1A1b/muPJhRKH6w9jb4z0NOfCsQ +}J5Uz0U ǁz +NT% Im\jN)4Nbd*8N驲x+%3M: gF4U%̵g곐fdza$Vܨc(Zq".-HLdl^~leq) b9> ‰W׍aq*bKڭ} \ No newline at end of file diff --git a/forgejo/resources/secrets/infra-credentials.yaml b/forgejo/resources/secrets/infra-credentials.yaml new file mode 100644 index 0000000..d374b5c Binary files /dev/null and b/forgejo/resources/secrets/infra-credentials.yaml differ diff --git a/forgejo/secret-generator.yaml b/forgejo/secret-generator.yaml deleted file mode 100644 index 4350909..0000000 --- a/forgejo/secret-generator.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: viaduct.ai/v1 -kind: ksops -metadata: - # Specify a name - name: hedgedoc-config-secret-generator - annotations: - config.kubernetes.io/function: | - exec: - path: ksops -files: - - ./resources/credentials.enc.yaml - - ./resources/admin-credentials.enc.yaml - - ./resources/runners/runner-registrations.enc.yaml \ No newline at end of file
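Review bot: The age header of the new `admin-credentials.yaml` carries a single `-> X25519` recipient stanza, whereas the sops files removed by this commit were each encrypted to two age recipients. If the second key holder is still meant to decrypt these secrets, or that key serves as a recovery key, the clean filter should encrypt to both, for example with `age -R <recipients-file>`. The blob is also stored in age's binary format, so this page shows raw bytes for it and `Binary files ... differ` for the two sibling files; armoring with `age -a` would keep the stored form text-safe and consistent. Whether the other two new files have the same single recipient cannot be told from this page.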