diff --git a/.drone.jsonnet b/.drone.jsonnet
index 7698e48..28b646f 100644
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -3,6 +3,13 @@ local STAGE = 'staging';
 local VOLUME = { name: 'site', path: '/site' };
 local NIX = 'nix --extra-experimental-features nix-command --extra-experimental-features flakes';
 
+local Secrets(secrets) = {
+  environment: {
+    [secret]: { from_secret: std.asciiLower(secret) }
+    for secret in secrets
+  },
+};
+
 local WhenProd(prod) = if prod then {
   event: ['promote'],
   target: [PROD],
@@ -10,7 +17,7 @@ local WhenProd(prod) = if prod then {
   target: { exclude: [PROD] },
 };
 
-local Step(env, name, cmds) =
+local Step(env, name, cmds, extras={}) =
   local prod = env == PROD;
   {
     name: name + ' ' + env,
@@ -18,7 +25,7 @@ local Step(env, name, cmds) =
     volumes: [VOLUME],
     commands: cmds,
     when: WhenProd(prod),
-  };
+  } + extras;
 
 local NixStep(env) =
   local prod = env == PROD;
@@ -33,8 +40,8 @@ local DeployStep(env) =
   local options = if prod then '--prod' else '--alias staging';
   Step(env, 'netlify deploy', [
     NIX + ' profile install nixpkgs#netlify-cli',
-    'netlify deploy -d /site --auth $NETLIFY_TOKEN --site $NETLIFY_SITE_ID --message "$DRONE_COMMIT_MESSAGE"' + options,
-  ]);
+    'netlify deploy -d /site --auth $NETLIFY_TOKEN --site $NETLIFY_SITE_ID --message "$DRONE_COMMIT_MESSAGE" ' + options,
+  ], Secrets(['NETLIFY_TOKEN', 'NETLIFY_SITE_ID']));
 
 {
   kind: 'pipeline',