At first I thought: OK, I would have two files ".secrets" and ".secrets.dev" where only the latter is committed to my git repo. Now, sure I need the ".secrets" file to exist in my production server... how do I upload it there? Perhaps using sftp is enough as part of my "deploy" script? It would upload the ".secrets" file from my machine to my production server.
I also thought about committing ".secrets" to my git repo: every secret in that file would be encrypted with PGP though (perhaps I could encrypt the whole file)... but then my production server would need my GPG private key to decrypt the secrets. I would need to upload my private key from my machine to my production server as well... I don't see much of a difference with the previous approach.
I have heard about Vault and similar tools, but honestly these tools seem a bit "too much" for me: I'm a solo developer building a monolithic service. How do developers in the same circumstances handle secrets?
When you deploy your project, you 1) set up your host if necessary, 2) install your software, 3) install your config.
I recommend Ansible for automating some of this. Check out a tutorial for Ansible for setting up MySQL or something similar, and you should get the gist of it. In this case, MySQL is installed from an RPM or .deb (or maybe in a Docker container) rather than from a git project, but the abstraction is the same.
As a two-person "start-up", Ansible has been super helpful in general and well worth the time investment.
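
The "install your config" step from the answer above, applied to the question's ".secrets" file, as an added example that is not part of the original posts. The inventory group, install directory, service account and service name are assumptions.

```yaml
# deploy-secrets.yml (added example; group, paths and names below are assumptions)
# Run from the control machine: ansible-playbook -i inventory deploy-secrets.yml
- name: Install application secrets on the production host
  hosts: production              # assumed inventory group
  become: true
  vars:
    app_user: myapp              # assumed service account
    app_dir: /opt/myapp          # assumed install directory
  tasks:
    # git ls-files --error-unmatch exits 0 only when the file is tracked,
    # so a zero exit code means .secrets was committed by mistake.
    - name: Refuse to deploy if .secrets is tracked by git
      ansible.builtin.command: git ls-files --error-unmatch .secrets
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      become: false
      register: tracked
      changed_when: false
      failed_when: tracked.rc == 0

    - name: Copy .secrets over SSH, readable only by the service account
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/.secrets"
        dest: "{{ app_dir }}/.secrets"
        owner: "{{ app_user }}"
        group: "{{ app_user }}"
        mode: "0600"
      no_log: true               # keep file contents out of task output
      notify: Restart app

    - name: Read back the installed file's metadata
      ansible.builtin.stat:
        path: "{{ app_dir }}/.secrets"
      register: installed

    - name: Fail the deploy if permissions or owner are wrong
      ansible.builtin.assert:
        that:
          - installed.stat.mode == "0600"
          - installed.stat.pw_name == app_user

  handlers:
    - name: Restart app
      ansible.builtin.service:
        name: myapp              # assumed service name
        state: restarted
```

The copy runs over the same SSH connection Ansible already uses, so no separate sftp step is needed in the deploy script.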