Figure out how to bring env & secrets to Netlify/Vercel/our hosting platform. #15

Open
berekuk opened this issue Mar 26, 2022 · 0 comments

berekuk commented Mar 26, 2022

As I mentioned in #8 (comment), there's an issue with using env variables as a source of configuration: AWS Lambda doesn't allow env larger than 4kb.

The same issue would follow us on Vercel, and their workaround article on this is too hacky.

I'm actually surprised that I couldn't google up tons of blog posts about this; there are some threads on the Netlify forum, but I expected "I need to bring my configs to production and don't want to commit them to the public GitHub repo" to be a common use case.

Some solutions I've thought up so far:

  1. implement a custom build step on Netlify which would run `curl https://my-secret-url/env.production?token=supersecrettoken >.env` (I don't like this, exposing secrets via GET request, even with a secret url; is... well, technically it's ok, but feels hacky and risky; also, there's a question of where to host it).
  2. the same solution with fetching secrets on build, but with an external secrets provider such as AWS Secrets Manager; this would add an extra dependency.
  3. we could move all platform cookies to the database and keep a tiny enough env file; technically only DIGITALOCEAN_POSTGRES could be secret and everything else we could store in the DB or commit to the repo.
  4. I think it might also be possible to deploy to Netlify through GitHub Actions; I don't have any experience with GitHub Actions, though, and am not sure (my CI/CD experience is on GitLab, which is somewhat different); I expect this to be a viable route, but too complicated compared to the current "Netlify pulls everything with zero configuration" approach.

Out of all these, I think (3) is the best route.

Especially since we might like to store cookies in the DB for other reasons anyway. For example, if some platform has some short-lived cookies then we'll want to store login+password in the configuration, and a cookie somewhere else.

@NunoSempere NunoSempere changed the title Figure out how to bring env & secrets to Netlify Figure out how to bring env & secrets to Netlify/Vercel/our hosting platform. Mar 9, 2023
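
Added example, not part of the issue or the project's code: a pre-deploy check for option (3) that measures a `.env` file against the 4 KB limit mentioned above and reports what remains if only `DIGITALOCEAN_POSTGRES` stays in the environment. The cookie variable names, the sample values and the byte-counting rule (UTF-8 bytes of each key plus its value) are assumptions.

```javascript
// Added example. Only DIGITALOCEAN_POSTGRES comes from the issue; other names are constructed.
const LAMBDA_ENV_LIMIT_BYTES = 4 * 1024; // the 4 KB limit quoted in the issue

// Minimal dotenv parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue; // not an assignment, skip
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Assumption: the limit applies to the UTF-8 bytes of every key plus every value.
function envSizeBytes(vars) {
  const enc = new TextEncoder();
  return Object.entries(vars).reduce(
    (n, [k, v]) => n + enc.encode(k).length + enc.encode(v).length, 0);
}

// Plan for option (3): keep only allowlisted keys in the platform env, move the rest
// (e.g. to the database). Returns key names and sizes only, never secret values.
function planEnv(vars, keepInEnv) {
  const keep = {}, move = {};
  for (const [k, v] of Object.entries(vars)) {
    (keepInEnv.has(k) ? keep : move)[k] = v;
  }
  const size = (k) => envSizeBytes({ [k]: move[k] });
  const before = envSizeBytes(vars), after = envSizeBytes(keep);
  return {
    before, after,
    fitsBefore: before <= LAMBDA_ENV_LIMIT_BYTES,
    fitsAfter: after <= LAMBDA_ENV_LIMIT_BYTES,
    moveKeys: Object.keys(move).sort((a, b) => size(b) - size(a)), // largest first
  };
}

// Constructed sample input; no real credentials.
const SAMPLE_ENV = [
  "# constructed sample",
  'DIGITALOCEAN_POSTGRES="postgres://user:example@db.example.invalid:5432/app"',
  "PLATFORM_A_COOKIE=" + "a".repeat(2500),
  "PLATFORM_B_COOKIE=" + "b".repeat(2000),
].join("\n");

console.log(planEnv(parseDotenv(SAMPLE_ENV), new Set(["DIGITALOCEAN_POSTGRES"])));
```

Run as a build step, a check like this can fail the deploy when `fitsAfter` is false instead of letting the platform reject the configuration later.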