diff --git a/deployment.nix b/deployment.nix
index 9671eff..fc39486 100644
--- a/deployment.nix
+++ b/deployment.nix
@@ -1,5 +1,21 @@
+with builtins;
+
 let
   secrets = import ./secrets.nix;
+
+  # Copied from <nixpkgs/lib>
+  removeSuffix = suffix: str:
+    let
+      sufLen = stringLength suffix;
+      sLen = stringLength str;
+    in
+    if
+      sufLen <= sLen && suffix == substring (sLen - sufLen) sufLen str
+    then
+      substring 0 (sLen - sufLen) str
+    else
+      str;
+
 in
 {
 
@@ -15,7 +31,7 @@ in
         deployment.targetHost = "94.130.143.84";
 
         deployment.keys.buildkite-token = {
-          text = secrets.buildkite-token;
+          text = removeSuffix "\n" secrets.buildkite-token;
           user = "buildkite-agent-ci";
           permissions = "0600";
         };
diff --git a/secrets.nix b/secrets.nix
index 23cd55b..5409f8b 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,22 +1,6 @@
 with builtins;
 let
-  # Copied from <nixpkgs/lib>
-  removeSuffix = suffix: str:
-    let
-      sufLen = stringLength suffix;
-      sLen = stringLength str;
-    in
-    if
-      sufLen <= sLen && suffix == substring (sLen - sufLen) sufLen str
-    then
-      substring 0 (sLen - sufLen) str
-    else
-      str;
-
-  # Copied from <nixpkgs/lib>
-  fileContents = file: removeSuffix "\n" (builtins.readFile file);
-
-  readSecret = name: fileContents (./secrets + "/${name}");
+  readSecret = name: readFile (./secrets + "/${name}");
 in
 mapAttrs
   (name: type: if type != "directory" then readSecret name else null)