I am a NixOS (Darwin) user and have a work project flake that I’d like to share with some colleagues, who are not using NixOS but have the Nix package manager installed. We are going to be using the flake to specify a devShell with the necessary OS dependencies to run our Python project, along with the secrets needed to access various APIs. I’d like to keep some secrets hidden from the Nix store, but I am not sure of the best way to do this in my situation, since not everyone is using NixOS.
I’ve been looking into sops-nix and agenix, and the thread here https://discourse.nixos.org/t/flakes-secret-configs/14638, but as I would be sharing the flake with non-NixOS users, I am not sure if they are appropriate.
What solution would you advise? So far, the only (bad) option I can think of for my situation is to encrypt the files using sops, add the encrypted files to .gitignore and then forcefully add them to the git tree. Then, use a shellHook to decrypt them at runtime using sops…
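For reference, here is what the shellHook variant sketched in the question looks like as a complete flake. This is an added example written for this thread, not code from the original poster; it assumes a sops-encrypted dotenv-format file named `secrets.enc.env` committed to the repository (encrypted files can be committed as-is, so no .gitignore/force-add dance is needed), a `.sops.yaml` whose `creation_rules` list each colleague's age public key as a recipient, and each colleague's age private key at the default sops location `~/.config/sops/age/keys.txt`. The file would be created with `sops --encrypt secrets.env > secrets.enc.env` after writing `.sops.yaml`.

```nix
{
  description = "devShell that decrypts sops secrets into the shell environment (added example)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    # eachDefaultSystem covers x86_64/aarch64 Linux and Darwin, so the same
    # devShell works for nix-darwin users and plain Nix-on-Linux colleagues.
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
      in {
        devShells.default = pkgs.mkShell {
          packages = with pkgs; [
            python3
            sops   # decrypts secrets.enc.env; shipped by the flake so nobody needs a global install
            age    # key type used by the recipients in .sops.yaml (assumption for this example)
          ];

          # shellHook runs in the user's interactive shell when they enter
          # `nix develop`, never during evaluation or a build, so the plaintext
          # never ends up in /nix/store. Only the *encrypted* file is part of
          # the flake source that Nix copies to the store.
          shellHook = ''
            # Assumed file name; sops detects the dotenv format from the .env suffix.
            secrets="$PWD/secrets.enc.env"

            if [ ! -f "$secrets" ]; then
              echo "warning: $secrets not found; API secrets not loaded" >&2
            elif ! plaintext="$(sops --decrypt "$secrets" 2>/dev/null)"; then
              echo "warning: could not decrypt $secrets (is your age key in ~/.config/sops/age/keys.txt and listed in .sops.yaml?)" >&2
            else
              # Export each KEY=value line. Splitting on the first '=' only, so
              # values containing '=' (tokens, URLs) survive intact; blank lines
              # and '#' comments are skipped. The plaintext lives only in this
              # shell's memory, not on disk.
              while IFS='=' read -r key value; do
                case "$key" in ""|\#*) continue ;; esac
                export "$key=$value"
              done <<< "$plaintext"
              unset plaintext
            fi
          '';
        };
      });
}
```

Two caveats worth keeping in mind with this approach: secrets exported as environment variables are inherited by every child process started from the shell and are readable via `/proc/<pid>/environ` on Linux by the same user, so a leaky subprocess or a `pip` build script can see them; and `nix develop` copies the working tree (including `secrets.enc.env`) into the store, which is only acceptable because that file is ciphertext. If a colleague's age key is missing from `.sops.yaml`, decryption fails for them and the hook above reports it rather than silently producing an empty environment.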