The nginx configs allow you to include, so you can put all the sensitivity data in a separate file and add it to .gitignore, and you can store the rest in the git (but it’s better not to github, but your own). The standard cycling method for configs is to do cp config.cfg config.cfg-yymmdd
before changing config.cfg .

the correct answer is not to store configs with secrets in the version control system.
you can make the config from the git provide the so-called. "sensible defaults", and all secrets will be overridden by the second config, which will be provided by the deployment system.
It's about your applications.
about managing the configurations of nodes (contuers, that is), it is kosher to use configuration management systems - ansible, salt, etc.
There is etckeeper from the kneeler , for example

Any modern developed version control system
git, mercurrial ...
As you rightly noted, keep keys and passwords separately from configs.

In addition to the above, read about 12-factor applications, where it is recommended to configure keys and passwords through environment variables. 12factor.net/config
Accordingly, the configurations themselves can be stored in the version control system.

VCS is our everything :) You choose the type according to your taste - centralized, distributed... The only thing, as you rightly noted, is not to store keys, passwords, any such information.

The configuration must be stored in the VCS, for example, on the same github or gitlab. Personally, I would recommend GitHub if your project is not a state secret or a nuclear reactor control system. In other cases, the code can be stored on GitHub. Even Microsoft keeps their code on it.
For storing keys, etc. you need to use solutions like Vault .