Nix Flakes and Private Repositories

What about sops-nix, or some other mechanism for deploying state that’s possibly encrypted locally? Probably most deployment systems for nix like NixOps, morph, krops use some mechanism for deploying secrets that don’t land in the nix store. Dysnomia would be only for deploying any state. You can also simply rsync secrets to some directory on the server and encrypt them locally, e.g. with git-crypt, next to your nixos config. At the server, you certainly need the unencrypted key somewhere to fetch the repo.

Edit: Here’s an interesting thread: Comparison of different key/secret managing schemes
