Commit graph

7 commits

Author SHA1 Message Date
chayleaf 862d3cd691 flake/secrets: move from /etc/nixos/private to /secrets/nixos 2023-12-25 04:18:03 +07:00
chayleaf f6b22a776e work around https://github.com/NixOS/hydra/issues/1186 2023-10-18 18:35:41 +07:00
chayleaf 04f3546f6e server: add swap 2023-10-17 23:12:08 +07:00
chayleaf 18d471c2ec nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00
chayleaf 5fed5f56c5 update inputs 2023-08-16 00:59:50 +07:00
chayleaf 1f0800986e don't put private files to store by default 2023-05-26 01:38:17 +07:00
chayleaf 69ce2ffdbc store secrets separate from this flake
This uses a native plugin (pkgs.nix-plugins) to avoid using --impure,
other options involving secret files are too limited for my use case as
I need eval-time access to secrets. Moving it to a private flake is
another option, but Nix flakes are poorly suited for non-monorepos.
Previously I just renamed .git to .git.bak to make sure Nix pulls the
"private" subdir into store as well, but this new system may be more
robust and can be extended to be way more secure in the future (e.g.
right now I copy the secret .nix files to store, but in general there's
no need to do that).

Of course the main drawback is that now I require a plugin for this
flake to work.
2023-05-26 00:46:38 +07:00