The trouble I had with Spacemacs was it didn't see programs that were part of the nix-shell path, which was incredibly annoying. As an example, having a Rust development environment, Spacemacs couldn't find cargo, but it was clearly in my shell's path.
I am most likely explaining this wrong, but because building derivations is isolated from the global environment variables, any way of accessing configuration options seems like a kludge.
We ended up adding a HashiCorp Vault server to our deployment, but that felt like adding a lot of complexity for a very basic part of the deployment process.
A blessed solution for a common setup that doesn’t involve checking secrets into the repository would be very useful. Better yet, some first-party support through NixOS or NixOps.
What's the issue with keys/secrets you've had?