Take a look at agenix: https://github.com/ryantm/agenix
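As an added illustration of what agenix does (not code from the thread or from the agenix project itself), the two files below show the pattern: the `.age` file is committed to git encrypted to a set of SSH public keys, and the NixOS module decrypts it at activation time into `/run/agenix` so the plaintext never lands in the world-readable Nix store. The key strings, the `wifi-password` secret name and the `HomeNet` network are placeholders chosen for this example.

```nix
# secrets/secrets.nix (the rules file agenix reads when you run `agenix -e`)
# Placeholder keys: replace with the real recipients. Each listed key can decrypt the file.
let
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...placeholder... alice@laptop";   # user key
  host1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...placeholder... root@host1";    # host key, from /etc/ssh
in
{
  # Only the ciphertext wifi-password.age is committed; git never sees the plaintext.
  "wifi-password.age".publicKeys = [ alice host1 ];
}

# ---------------------------------------------------------------------------
# wifi.nix (a NixOS module importing the agenix module; hypothetical host config)
{ config, ... }:
{
  age.secrets.wifi-password = {
    file = ./secrets/wifi-password.age;   # encrypted file from the repo
    owner = "root";
    group = "root";
    mode = "0400";                        # decrypted copy is root-only, not in /nix/store
  };

  # wpa_supplicant reads the PSK from the decrypted file at runtime;
  # the file contains a line like WIFI_PSK=... (constructed example).
  networking.wireless.enable = true;
  networking.wireless.environmentFile = config.age.secrets.wifi-password.path;
  networking.wireless.networks."HomeNet".psk = "@WIFI_PSK@";
}
```

Decryption happens with the host's SSH private key at activation, so the trust boundary is the same as the one the existing comments describe: whoever holds a listed private key can read the secret, and the repository itself remains safe to publish.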
"Don't store secrets in git" is a pretty good mantra. Use a dedicated secret storage solution instead, and pipe them in during deployments using environment variables.
These aren’t my pgp keys I’m storing using git-crypt. They’re parts of my configuration that I was (until today) completely content to share unencrypted on my git repo. I’ve simply made them very difficult to see to obfuscate parts of my config that could be used to find my vulnerabilities.
Actual PGP keys, api.key, and stuff of that nature is certainly not in that secrets folder.
Good job for doing something. It all boils down to what you are comfortable with; adding security will always add a certain level of inconvenience. Ideally the next step would be to fully automate what you have.
Elaborate does not mean secure; often it's the opposite, as adding complexity adds new ways of failure.
If you are talking about this SOPS (https://github.com/getsops/sops), it doesn't change much: you need to store the master key somewhere. It makes it easier to operate, but your trust boundary does not move.