Encrypt/Decrypt one field in your JSON/YAML/INI file using (Age, KMS, GPG, Vault)
ie
db:
user: ENC[AES256_GCM,data:CwE4O1s=,iv:2k=,aad:o=,tag:w==]
password: ENC[AES256_GCM,data:p673w==,iv:YY=,aad:UQ=,tag:A=]
And decrypt as:
db:
user: foo
password: bar
Means with modetc we could store A in /nix/store/HASH-app/cfg.yml, configure app to run reading /nix/store/HASH-app/cfg.yml, but when app reads, it reads from /run/secrets/decrypted/app/cfg.yml