Both agenix and sops-nix have Home Manager modules. The simple way would be to add a programs.telegram-cli.configPath option and skip JSON config generation if it's specified. A more robust and idiomatic approach would be for the program to use a separate credential file. Whether or not the default chat ID should be encrypted is a question worth exploring. The ability to configure secrets without encryption shall be preserved for backwards compatibility and to allow for deliberate footshooting.
Both agenix and sops-nix have Home Manager modules. The simple way would be to add a
programs.telegram-cli.configPathoption and skip JSON config generation if it's specified. A more robust and idiomatic approach would be for the program to use a separate credential file. Whether or not the default chat ID should be encrypted is a question worth exploring. The ability to configure secrets without encryption shall be preserved for backwards compatibility and to allow for deliberate footshooting.