After a lot of trial and error, I have gotten sops-nix to work. I understand that using builtins.readFile on a sops.secrets.my_secret.path would end up leaking the secret to the world.
I would use it, but I'm not an expert. If your concern is that the system will be multi-user, just ensure that the files can only be read by root. If you want to upload your configuration to a public git repo, you have to trust the encryption used.
If this is not really required for your use-case, you can configure those secrets in a separate flake that is not public, or just keep the network manager connections as state outside of NixOS configuration.
With sops you can also set user permissions. So it does not have to be root that reads a secret but for example only one user or a service that runs as a system user.
For example, like this:
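As an added example (not the snippet from the reply above, and not code from the sops-nix project itself), here is a NixOS module that does what the reply describes: one secret kept root-only for NetworkManager, and a second secret owned by a dedicated system user so that only that user's service can read it. It assumes the sops-nix module is already imported, an age key at /var/lib/sops-nix/key.txt, and an encrypted secrets/secrets.yaml with the keys `wifi_env` and `backup_token`; the profile name, SSID and service name are placeholders. Only the ciphertext in secrets.yaml is copied into the Nix store; the decrypted files live under /run/secrets at activation time, and the modules reference them by path rather than by content.

```nix
# Added example, not from the original thread or from sops-nix's own docs.
# Assumptions: sops-nix module imported; age key at /var/lib/sops-nix/key.txt;
# secrets/secrets.yaml (encrypted) holds `wifi_env` and `backup_token`.
{ config, ... }:
{
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # 1) Root-only secret (sops-nix default: owner root, mode 0400).
  #    The decrypted file is an env file such as `HOME_PSK=...`, which
  #    NetworkManager reads at activation to fill in the profile below.
  sops.secrets.wifi_env = {
    restartUnits = [ "NetworkManager-ensure-profiles.service" ];
  };

  networking.networkmanager = {
    enable = true;
    ensureProfiles = {
      # Referencing .path only puts the string "/run/secrets/wifi_env" into
      # the store, never the PSK; builtins.readFile on it would leak it.
      environmentFiles = [ config.sops.secrets.wifi_env.path ];
      profiles.home = {
        connection = { id = "home"; type = "wifi"; };
        wifi = { ssid = "home-wifi"; };           # placeholder SSID
        wifi-security = { key-mgmt = "wpa-psk"; psk = "$HOME_PSK"; };
      };
    };
  };

  # 2) Secret readable by one unprivileged system user only.
  users.groups.backup = { };
  users.users.backup = {
    isSystemUser = true;
    group = "backup";
  };

  sops.secrets.backup_token = {
    owner = "backup";
    group = "backup";
    mode = "0400";                      # owner read only; no group/other access
    restartUnits = [ "backup.service" ]; # re-run when the secret changes
  };

  # The service runs as that user and is handed the decrypted file via
  # systemd credentials, so the token never appears in the unit or the store.
  systemd.services.backup = {
    description = "Example backup job (placeholder)";
    serviceConfig = {
      Type = "oneshot";
      User = "backup";
      Group = "backup";
      LoadCredential = [ "token:${config.sops.secrets.backup_token.path}" ];
    };
    script = ''
      # $CREDENTIALS_DIRECTORY is provided by systemd for LoadCredential.
      token=$(cat "$CREDENTIALS_DIRECTORY/token")
      # ... use "$token" with the backup tool of your choice ...
    '';
  };
}
```

A quick check after `nixos-rebuild switch`: `ls -l /run/secrets/` should show `wifi_env` as `root:root` 0400 and `backup_token` as `backup:backup` 0400, and `nix-store --query --references $(readlink -f /run/current-system)` followed by a grep for the PSK should find nothing, since only the encrypted YAML and the `/run/secrets/...` path strings are in the store.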
No, you were right, I'm concerned about the secrets being included in the Nix store, since any other user on the machine would know the secrets anyway; but at the same time, as you said, I want to be able to upload to a public repo.