How to handle configuration secrets for deploying NixOS in CI/CD with flakes?

I want to create a CI/CD workflow which will build NixOS and deploy it for me when I push any changes to the configuration. This is the configuration I have right now, and I am now deploying with a single command, `deploy`.

It is working OK, but I cannot deploy in CI/CD, because I have hidden my IP in a flake on my local machine.

How should I deal with this kind of private configuration? I have thought of using .gitignore to ignore those private/secret files inside my current deploy flake, but it won't work because a flake tries to be pure and only takes in files from inputs or something that would be committed to Git.

For dealing with runtime secrets (like a password or secret key), I am using agenix, which is working OK. I hope I am explaining myself clearly so that you understand my issue.