Well, I think this approach is far better than imperatively copying some .php files to some mutable web root like you suggested.
Oftentimes PHP apps require the configuration file inside their web root. In these cases I think it can be accepted that building the package with a different configuration takes up some hard disk space.
I don’t see any credentials in my example. It was intentionally left simple ($cfg['Servers'][1]['auth_type'] = 'http'; means you authenticate directly with your MySQL credentials via HTTP basic auth).
But you could probably include a PHP file with restrictive permissions (like from the NixOps keys service: NixOps User's Guide) from inside config.inc.php or pass in credentials via the environment like in restic.nix.
My module is just to provide a (working) example of how to do it with some web server. In my case this was Apache. I don’t think it would be hard to adapt it to nginx or Caddy.
The principle is always the same: set the web root to the store path of your app: this way you have an immutable web root, which in itself is a nice security bonus.
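
The two options mentioned in the post (an included PHP file with restrictive permissions, or credentials from the environment) could look like this inside a config.inc.php that itself stays secret-free in the store. This is an added example, not part of the original post or its module; the secrets path, the `PMA_CONTROLPASS` variable and the `pma` control user are assumptions.

```php
<?php
// config.inc.php: built into the world-readable, immutable store path,
// so it must not contain any secret itself.

// Assumed location of a secrets file deployed outside the store (for example
// by a key service). It is expected to contain: <?php return ['controlpass' => '...'];
$secretsFile = '/run/keys/phpmyadmin-secrets.php';

// Load secrets from the file, refusing files that "other" users can access.
// Falls back to the environment (assumed variable PMA_CONTROLPASS).
$loadSecrets = static function (string $path): array {
    if (is_file($path)) {
        $mode = fileperms($path);
        if ($mode === false || ($mode & 0007) !== 0) {
            throw new RuntimeException("$path must not be accessible to other users");
        }
        $secrets = require $path;   // an unreadable file fails here, which is fail-closed
        if (!is_array($secrets)) {
            throw new RuntimeException("$path must return an array");
        }
        return $secrets;
    }
    $fromEnv = getenv('PMA_CONTROLPASS');
    return $fromEnv === false ? [] : ['controlpass' => $fromEnv];
};

$secrets = $loadSecrets($secretsFile);

$i = 1;
// As in the post: users log in with their own MySQL credentials via HTTP basic auth.
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['host'] = 'localhost';

// Secret-bearing options are only set when a secret was actually provided.
if (isset($secrets['controlpass'])) {
    $cfg['Servers'][$i]['controluser'] = 'pma';   // assumed account name
    $cfg['Servers'][$i]['controlpass'] = $secrets['controlpass'];
}

// Do not leave the secret lying around in the including script's scope.
unset($secrets, $loadSecrets, $secretsFile);
```

The web server user needs read access to the secrets file through its owner or group bits, since the check rejects anything readable by "other".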