diff --git a/pillar/role/worker_gitlab.sls b/pillar/role/worker_gitlab.sls
index bcb334b..57656f3 100644
--- a/pillar/role/worker_gitlab.sls
+++ b/pillar/role/worker_gitlab.sls
@@ -1,6 +1,2 @@
-sudoers:
- included_files:
- /etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy:
- users:
- gitlab-runner:
- - 'ALL=(ALL) NOPASSWD: /usr/bin/salt-call event.fire_master update salt/fileserver/gitfs/update'
+include:
+ - secrets.role.saltmaster
diff --git a/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy b/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
new file mode 100644
index 0000000..8e2a8b6
--- /dev/null
+++ b/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
@@ -0,0 +1,4 @@
+# Managed by Salt
+
+{% set deploy_password = salt['pillar.get']('profile:salt:reactor:update_fileserver_deploy_password', '') %}
+gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/salt-call event.fire_master {{ deploy_password }} salt/fileserver/gitfs/update
diff --git a/salt/profile/gitlab_runner/init.sls b/salt/profile/gitlab_runner/init.sls
new file mode 100644
index 0000000..adccde0
--- /dev/null
+++ b/salt/profile/gitlab_runner/init.sls
@@ -0,0 +1,5 @@
+/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy:
+ file.managed:
+ - source: salt://profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
+ - template: jinja
+ - mode: 440
diff --git a/salt/role/worker_gitlab.sls b/salt/role/worker_gitlab.sls
index 792d600..5618782 100644
--- a/salt/role/worker_gitlab.sls
+++ b/salt/role/worker_gitlab.sls
@@ -1 +1,2 @@
-#
+include:
+ - profile.gitlab_runner
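Review bot: Including `secrets.role.saltmaster` in the worker_gitlab pillar hands the runner host every key in that file, while the new sudoers template reads only `profile:salt:reactor:update_fileserver_deploy_password`. The contents of the secrets file are not visible in this diff, but its name suggests it was written for the master. If it holds anything beyond this one password, a CI host that executes repository-controlled jobs now receives it. Consider moving the deploy password into its own secrets pillar file and including only that here, with a comment such as `# only the reactor deploy password; do not widen this include`.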
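Review bot: `{{ deploy_password }}` is written into the sudoers command spec unescaped, so a value containing sudoers metacharacters (`*`, `?`, `[`, `\`, `,`, `:`, `=`, `#` or whitespace) changes what the rule matches or breaks the file. A `*`, for example, would make the argument a wildcard. The `''` default also renders a rule with no secret at all when the pillar key is missing; it would be safer to drop the default and fail the render on an empty or unset value, and to restrict the password to a plain alphanumeric alphabet. Separately, passing the secret as a command-line argument puts it in the process list and in sudo's command log on the runner host, so it should be treated as low-value and rotated accordingly. The reactor that checks it is not part of this diff.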
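Review bot: This `file.managed` state installs a sudoers fragment without a syntax check, so a bad render of the templated line can leave sudo unusable on the runner. Adding `- check_cmd: /usr/sbin/visudo -c -f` validates the file before it is moved into place. Because the rendered file now carries the deploy password, `- show_changes: False` keeps the diff out of job returns and the master's job cache. The mode is also better written quoted with its leading zero, `- mode: '0440'`, so YAML cannot reinterpret it.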