Morph: nix-based deployment tool

This is pretty cool. It’s similar to (but better than) what I do.

My solution is built on nixos-rebuild which can deploy to remote machines using the --target-host flag.

I have a repository with a bunch of different configuration.nix files named after the host they are supposed to be deployed to, and a script that essentially loops through the list calling NIXOS_CONFIG="$host.nix" nixos-rebuild $command --target-host $host. I do have a hacked-on health check mechanism, and can specify particular hosts to build rather than all of them. And it pins them all to the same channel. I use git-crypt for secrets, and the script copies them across.

It includes a bunch of utility functions like scraping hosts’ hardware.nix, upgrading the pinned channel and so on.

The good part of nixos-rebuild is that it is well documented, and you get rollback/test/switch for free.

My primary gripe with using nixos-rebuild is that the configuration of all the hosts is very independent. I’d like to create modules that understand the network as a whole. Like, automatically add WireGuard peers for all the machines in the network to the VPN server, add extraHosts entries for all the machines, etc. Would something like that be possible with morph?
