diff --git a/pillar/role/worker_gitlab.sls b/pillar/role/worker_gitlab.sls
index 80cf079..db44422 100644
--- a/pillar/role/worker_gitlab.sls
+++ b/pillar/role/worker_gitlab.sls
@@ -1,4 +1,6 @@
-{% if salt['grains.get']('include_secrets', True) %}
-include:
- - secrets.role.saltmaster
-{% endif %}
+sudoers:
+ included_files:
+ /etc/sudoers.d/gitlab-runner_nopasswd_salt_event:
+ users:
+ gitlab-runner:
+ - 'ALL=(root) NOPASSWD:SETENV: /usr/bin/salt-call event.*'
diff --git a/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy b/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
deleted file mode 100644
index 8e2a8b6..0000000
--- a/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
+++ /dev/null
@@ -1,4 +0,0 @@
-# Managed by Salt
-
-{% set deploy_password = salt['pillar.get']('profile:salt:reactor:update_fileserver_deploy_password', '') %}
-gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/salt-call event.fire_master {{ deploy_password }} salt/fileserver/gitfs/update
diff --git a/salt/profile/gitlab_runner/init.sls b/salt/profile/gitlab_runner/init.sls
index adccde0..0adf664 100644
--- a/salt/profile/gitlab_runner/init.sls
+++ b/salt/profile/gitlab_runner/init.sls
@@ -1,5 +1,11 @@
-/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy:
- file.managed:
- - source: salt://profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
- - template: jinja
- - mode: 440
+include:
+ - git
+
+gitlab_runner:
+ pkg.installed:
+ - name: gitlab-runner
+ service.running:
+ - name: gitlab-runner
+ - enable: True
+ - watch:
+ - pkg: gitlab-runner
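Review bot: In pillar/role/worker_gitlab.sls the new sudoers entry is broader than the rule it replaces. `SETENV:` lets gitlab-runner choose the environment of a root-owned Python process, and sudoers matches the `*` in `event.*` against the whole argument string, so it permits every `event` function plus any further salt-call options. Since gitlab-runner executes CI job code, whoever can run a pipeline on this worker would presumably inherit that reach. I would drop `SETENV:` and point the rule at a root-owned wrapper that fixes the function and tag and accepts no arguments, e.g. `- 'ALL=(root) NOPASSWD: <ROOT_OWNED_WRAPPER_PATH> ""'` (placeholder path). If one variable really must pass through, an `env_keep` entry for that single name is narrower than `SETENV`.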
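Review bot: In salt/profile/gitlab_runner/init.sls the `file.managed` state for `/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy` is dropped with nothing that removes the file. Already-provisioned minions therefore keep the old `ALL=(ALL) NOPASSWD` rule, with the deploy password rendered into it, unless the sudoers formula purges unmanaged files (not visible in this diff). Adding a state `/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy:` with `file.absent` beneath it would clean it up on the next highstate. The deploy password embedded in that rule should probably be rotated or retired as well.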