Flake build copies git source?

I’d like to post my dotfiles publicly but I’d like to exclude my extraHosts from git. I tried doing

networking.extraHosts = if builtins.pathExists ./extraHosts.conf then builtins.readFile ./extraHosts.conf else "";

and then

sudo nixos-rebuild build --flake /etc/nixos

but that doesn’t work. It turns out the evaluation is happening on a copy of my configuration in the nix store, and the gitignored files aren’t being copied along.

When I specify the full path, I get

error: access to path '/etc/nixos/extraHosts.conf' is forbidden in restricted mode

Is it possible to exclude files from git but use them in evaluation? For me, the initial copy is not necessary or it should include my extra files.

You can use --flake path:/etc/nixos, which will copy everything. Though you can’t then use self.rev or the other niceties of git flakes anymore.

An alternative approach that has already been discussed was to use a local flake with “secrets” which doesn’t get pushed.

And of course you have tools like git-crypt, nix-sops, and age-nix.
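As an added illustration (not code from either poster), here is a flake.nix that puts the two answers together: the optional untracked extraHosts.conf read with the pathExists fallback from the question, and a guard so the flake still evaluates under a path: ref where self.rev is missing. The host name "myhost" and the nixpkgs branch are assumptions.

```nix
# Added example, not from the original thread. Assumes a host named "myhost"
# and an untracked file ./extraHosts.conf next to this flake.nix, listed in
# .gitignore. Build with either:
#   sudo nixos-rebuild build --flake /etc/nixos        # git+file: ref, tracked files only
#   sudo nixos-rebuild build --flake path:/etc/nixos   # copies the whole directory
{
  description = "dotfiles with an untracked extraHosts.conf";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        ({ ... }: {
          # The path is resolved inside the store copy of the flake source.
          # With a git+file: ref the gitignored file is not copied, so
          # pathExists is false and the empty fallback is used. With a
          # path: ref the whole directory is copied and the file is read.
          networking.extraHosts =
            if builtins.pathExists ./extraHosts.conf
            then builtins.readFile ./extraHosts.conf
            else "";

          # self.rev only exists for a clean git flake; under a path: ref the
          # attribute is absent, so guard it instead of reading it directly.
          system.configurationRevision = self.rev or null;
        })
      ];
    };
  };
}
```

Note that with the path: ref the file is copied into /nix/store, which is readable by every local user, so this keeps the hosts file out of the public repository but not out of the store.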