Anything that is built by the nix daemon ends up world readable. I believe there is a GitHub issue open for that with some suggestions, but as far as I understand, nothing that will be ready soon.
There are basically two ways to get around this:
- Let the system generate the secret itself (Let's Encrypt certificates are a good example for this).
- Inject the secret through different means, for example a script that creates /var/lib/mysecrets and copies the necessary files. NixOps is doing pretty much exactly that, with the option that the keys are only stored in RAM (requires a redeploy after reboot) or on disk (allows unattended reboots).
What you choose depends a lot on your intentions.
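The second option from the post (an injection script that creates /var/lib/mysecrets and copies the files in), as an added example that is not part of the original post or of NixOps. It assumes a Linux host with GNU `stat`; the directory, file name and owner are parameters so it can also be exercised unprivileged.

```bash
#!/usr/bin/env bash
# Constructed example: install a secret outside the world-readable Nix store.
# install_secret SRC DEST_DIR NAME [OWNER]
#   Refuses a source that lives in /nix/store (anything the daemon built is
#   world readable, so copying from there would defeat the purpose), creates
#   DEST_DIR with mode 0700, copies the file under a private umask, fixes the
#   mode to 0400, and moves it into place atomically. OWNER (user[:group]) is
#   applied only when given, so the function also works for an unprivileged run.
install_secret() {
    src="$1"; dest_dir="$2"; name="$3"; owner="${4:-}"
    case "$src" in
        /nix/store/*)
            echo "refusing: $src is in the Nix store and therefore world readable" >&2
            return 1 ;;
    esac
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    (
        umask 077                       # nothing created here is group/world readable
        mkdir -p "$dest_dir"
        chmod 0700 "$dest_dir"
        cp "$src" "$dest_dir/$name.tmp"
        chmod 0400 "$dest_dir/$name.tmp"
        [ -n "$owner" ] && chown "$owner" "$dest_dir/$name.tmp"
        mv -f "$dest_dir/$name.tmp" "$dest_dir/$name"
    )
}

# secret_mode PATH -> octal mode such as 700 or 400 (GNU stat; Linux assumed)
secret_mode() { stat -c '%a' "$1"; }

# Typical use on a NixOS host (paths from the post; run as root at deploy time):
#   install_secret /root/deploy/db.key /var/lib/mysecrets db.key mysql:mysql
```

Files placed this way survive reboots (the on-disk NixOps variant from the post); keeping them only in RAM would mean pointing DEST_DIR at a tmpfs instead.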