How do you manage secrets in this setup? Are they injected at build time? Or does it require some manual setup by the user once the system is up and running?
I don't know how OP manages their secrets, but I am running NixOS and am letting 1Password manage all my secrets. 1Password can manage SSH agents, can inject environment variables and manage passwords/keys in the browser. All I need to do when I set up a new machine with NixOS is connect my 1Password to its account manually; after that it's all automated.
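For anyone wanting to reproduce the setup described in the reply above, here is an added example of the NixOS side of it (this is not the commenter's configuration; the username `alice` and the vault/item names are placeholders). It enables the 1Password CLI and desktop app and points the system-wide SSH client at the 1Password agent socket, so private keys never have to be written to disk on the new machine. The only thing that still happens by hand is signing the app into the account.

```nix
# /etc/nixos/configuration.nix (fragment, added example; not the original poster's config)
{ config, pkgs, ... }:

{
  # 1Password CLI (`op`) and desktop app. The GUI module registers the polkit
  # policy that lets the listed users unlock the app and the SSH agent.
  programs._1password.enable = true;
  programs._1password-gui = {
    enable = true;
    polkitPolicyOwners = [ "alice" ];   # placeholder username
  };

  # Route every ssh(1) invocation through the 1Password SSH agent.
  # Keys stay inside the vault; the agent only answers signing requests,
  # and each request prompts in the 1Password app.
  programs.ssh.extraConfig = ''
    Host *
      IdentityAgent ~/.1password/agent.sock
  '';

  # Deliberately no secrets here: everything under /nix/store is
  # world-readable, so anything written into configuration.nix would
  # leak to every local user and into any store copies or backups.
}
```

Runtime secrets are then fetched from the vault instead of being baked in; for example a `.env` file holding only references such as `DB_PASSWORD="op://Personal/database/password"` (placeholder vault/item names) can be run with `op run --env-file=.env -- some-command`, which resolves the references into the child's environment and leaves no plaintext in the Nix store or the shell history.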