Alternative way to handle secrets

I used to do something very similar to that: Secure, Declarative Key Management with NixOps, Pass, and nix-plugins

I don’t necessarily recommend this anymore. 1) NixOps is unmaintained (or at least on life support) if I understand correctly. 2) It allows all of nixpkgs to access your pass store, which is safe-ish since it’s a pure evaluation environment, plus you presumably have a level of trust in nixpkgs. But it makes me feel uneasy.

These days I’m kind of just of the mind that secrets should be generated on-device on first use, and then their resulting identity should be added to whatever they need to authenticate with through some means. For instance, I’m a big fan of SSH certificate authorities so that all you have to do is sign the public key once and now everything trusts you that needs to. Centralized secrets just leave a bad taste in my mouth in general, and I prefer to think of secrets as a stateful problem rather than a declarative one that you can solve with Nix.

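The "generate on-device, sign once, trust everywhere" SSH certificate-authority flow the post refers to, as an added example that is not part of the original post. It assumes OpenSSH's `ssh-keygen` is installed; the CA name, key id and principals (`alice`, `deploy`) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): SSH user-certificate flow.
set -eu

# Generate the CA keypair: the one long-lived secret, kept off the fleet.
# Prints the path of the CA private key.
make_ca() {
  dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$dir/user_ca"
  echo "$dir/user_ca"
}

# Generate the key on the device itself; the private half never leaves it.
# Prints the path of the device's public key.
make_device_key() {
  dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'laptop' -f "$dir/id_ed25519"
  echo "$dir/id_ed25519.pub"
}

# Sign the device's public key once: key id, allowed principals, validity.
# Prints the path of the resulting certificate.
sign_key() {
  ca=$1; pub=$2; keyid=$3; principals=$4
  ssh-keygen -q -s "$ca" -I "$keyid" -n "$principals" -V +52w "$pub"
  echo "${pub%.pub}-cert.pub"
}

# List the principals embedded in a certificate (what sshd will honour).
cert_principals() {
  ssh-keygen -L -f "$1" |
    awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}

# Each server trusts every cert the CA signed via one sshd_config line:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
# so no per-host authorized_keys entry is ever distributed.
demo() {
  tmp=$(mktemp -d)
  ca=$(make_ca "$tmp")
  pub=$(make_device_key "$tmp")
  cert=$(sign_key "$ca" "$pub" "alice@laptop" "alice,deploy")
  cert_principals "$cert"
  rm -rf "$tmp"
}
```

Running `demo` prints the principals `alice` and `deploy` read back from the signed certificate; only the CA public key needs to be shipped to servers.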