allow to run ./deploy --build-only event if git-crypt is locked

This will allow to test deployments in CI and also for contributors that
are not part of the core infrastructure team.

.github/workflows/nix.yml

@@ -13,3 +13,4 @@ jobs:
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
         # Only needed for private caches
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: ./deploy --build-only

deployment.nix

@@ -1,7 +1,5 @@
 let
-
-  secrets = import ./secrets;
-
+  secrets = import ./secrets.nix;
 in
 {
 

secrets.nix

@@ -0,0 +1,23 @@
+with builtins;
+let
+  # Copied from <nixpkgs/lib>
+  removeSuffix = suffix: str:
+    let
+      sufLen = stringLength suffix;
+      sLen = stringLength str;
+    in
+    if
+      sufLen <= sLen && suffix == substring (sLen - sufLen) sufLen str
+    then
+      substring 0 (sLen - sufLen) str
+    else
+      str;
+
+  # Copied from <nixpkgs/lib>
+  fileContents = file: removeSuffix "\n" (builtins.readFile file);
+
+  readSecret = name: fileContents (./secrets + "/${name}");
+in
+mapAttrs
+  (name: type: if type != "directory" then readSecret name else null)
+  (readDir ./secrets)