When you do not have your pubkeys in your `secrets.nix` verbatim as
string but read them from file like this: `desktop1 = builtins.readFile
./desktop1.pub;`, you will end up with empty newlines in the resulting
list of keys, which will add `--recipient=''` arguments to your age
call, failing the call.
I had first used `printf` for outputting the data,
but that breaks if the secret itself contains null bytes.
One could fix this by using e.g. `cat`, but looking a bit more at the code
I realized that in the -d case we never need to `mktemp` at all and can
just ask `age` to write directly to stdout by not setting -o.
* use mkDerivation
* separate shell code in own file
* use shellcheck to lint shell code
* remove rage version check since rage is greater than 0.5.0 on all
maintained nixpkgs