Currently we have separate vars.toml and secrets.toml, it's a little clunky.
Might be better to use something like SOPS and encrypt everything, so it's safe to just commit the secrets.

Pros

• Only one var file per directory
• Secrets live with regular vars

Cons

• Would require users to install SOPS
• Would need to change from toml to yaml or json (or find a SOPS alternative that works with toml)