refactor: remove CI heredoc — secrets now in encrypted sops files

deploy.sh handles decryption on the server. CI only needs SSH credentials
(SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, DEPLOY_USER, DEPLOY_HOST). All app
secrets removed from GitLab CI variables. Dead ADMIN_PASSWORD removed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitlab-ci.yml

@@ -29,32 +29,4 @@ deploy:
     - chmod 700 ~/.ssh
     - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
   script:
-    - |
-      ssh "$DEPLOY_USER@$DEPLOY_HOST" "cat > /opt/padelnomics/.env" << ENVEOF
-      APP_NAME=$APP_NAME
-      SECRET_KEY=$SECRET_KEY
-      BASE_URL=$BASE_URL
-      DEBUG=false
-      ADMIN_PASSWORD=$ADMIN_PASSWORD
-      DATABASE_PATH=data/app.db
-      MAGIC_LINK_EXPIRY_MINUTES=${MAGIC_LINK_EXPIRY_MINUTES:-15}
-      SESSION_LIFETIME_DAYS=${SESSION_LIFETIME_DAYS:-30}
-      RESEND_API_KEY=$RESEND_API_KEY
-      EMAIL_FROM=${EMAIL_FROM:-hello@notifications.padelnomics.io}
-      ADMIN_EMAILS=${ADMIN_EMAILS:-}
-      LEADS_EMAIL=${LEADS_EMAIL:-}
-      UMAMI_API_URL=${UMAMI_API_URL:-}
-      WAITLIST_MODE=${WAITLIST_MODE:-false}
-      RATE_LIMIT_REQUESTS=${RATE_LIMIT_REQUESTS:-100}
-      RATE_LIMIT_WINDOW=${RATE_LIMIT_WINDOW:-60}
-      PADDLE_API_KEY=${PADDLE_API_KEY:-}
-      PADDLE_WEBHOOK_SECRET=${PADDLE_WEBHOOK_SECRET:-}
-      PADDLE_PRICE_STARTER=${PADDLE_PRICE_STARTER:-}
-      PADDLE_PRICE_PRO=${PADDLE_PRICE_PRO:-}
-      LITESTREAM_R2_BUCKET=$LITESTREAM_R2_BUCKET
-      LITESTREAM_R2_ACCESS_KEY_ID=$LITESTREAM_R2_ACCESS_KEY_ID
-      LITESTREAM_R2_SECRET_ACCESS_KEY=$LITESTREAM_R2_SECRET_ACCESS_KEY
-      LITESTREAM_R2_ENDPOINT=$LITESTREAM_R2_ENDPOINT
-      ENVEOF
-    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "chmod 600 /opt/padelnomics/.env"
     - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/padelnomics && git pull origin master && ./deploy.sh"