Thank you for the latest comments.
Chuck_1010, as far as I am aware such a repo does not exist. That said, our main concern is separating out "Tier 0" (in its widest sense, so not just Domain Controllers, but also other machines such as PKI) and the rest. That said, there could be other layers of criticality, so-called "Crown Jewels". For one company this could be manufacturing blueprints, for another medical resource data. So those layers will depend a little on the business, I would say. Thanks!
arbarbosa, really appreciate you pointing out the Linux case. You've given us an idea for a future blog, so watch this space! As an immediate answer, and not knowing off the top of my head how the secret would be encrypted on Linux (I am sure there are utilities!), I would say deploy a certificate and use the certificate option for the Service Principal. But I have not tested this on Linux.