Providing credentials (to a private container registry)

In any secrets deployment there must be at least one key from which the others can be derived. Find a mechanism by which you can generate that key and deploy it to the remote before further keys can be communicated - otherwise you cannot have secure communication to that remote, and therefore you have no way to deploy the other keys without a third party potentially snooping.

sops-nix uses the deployed-to host’s ssh key for this by default, since that one is effectively required for remote deployments, so it must exist in some form already in most cases. You can use ssh to get the remote’s public key with ssh-keyscan, which is probably as convenient as it gets.

gokey is an interesting project that came up during a recent discussion on this topic, but it has no NixOS integration yet. It would probably be pretty good at making you work with fewer keys, but it still requires manual intervention at initial system creation for each deployment - either to share the master secret (bad call), or to deploy the derived secrets for that system.

That said, I’m somewhat hesitant to try it before someone I trust more with cryptography than myself tells me how horrible deriving secrets partially with a known string is.

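The post's point is that ssh-keyscan only tells you what key a host *presents*; whoever sits on the path can present their own, so the key you bootstrap sops-nix from should be checked against a fingerprint you recorded out of band (e.g. `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the machine's console at install time). The following is an added example, not code from the post, sops-nix or gokey: it parses the stdout format of `ssh-keyscan -t ed25519 host`, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and only hands the key back if it matches the pinned value. The sample keyscan output and the key bytes in it are constructed for the example and are not a real host key; `host`, `trusted_host_key` and `parse_keyscan` are names chosen here.

```python
import base64
import hashlib
import struct


def _fake_ed25519_blob() -> bytes:
    """Constructed OpenSSH public key blob: string 'ssh-ed25519' + 32 key bytes.
    The key bytes are a dummy pattern, not a real key."""
    pub = bytes(range(32))
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub


# Constructed sample of what `ssh-keyscan -t ed25519 host` writes to stdout.
# (The '# host:22 ...' banner normally goes to stderr; included here to show
# that the parser skips it if it is captured together with stdout.)
SAMPLE_KEYSCAN_OUTPUT = (
    "# host:22 SSH-2.0-OpenSSH_9.6\n"
    "host ssh-ed25519 " + base64.b64encode(_fake_ed25519_blob()).decode() + "\n"
)


def parse_keyscan(output: str, key_type: str = "ssh-ed25519"):
    """Return a list of (host, type, blob) for every key line of the given type."""
    keys = []
    for line in output.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, ktype, b64 = parts[0], parts[1], parts[2]
        if ktype != key_type:
            continue
        blob = base64.b64decode(b64)
        # The blob starts with a length-prefixed type string; it must agree
        # with the type column, otherwise the line has been tampered with or
        # mangled in transit.
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen].decode() != ktype:
            raise ValueError(f"type mismatch in key line for {host}")
        keys.append((host, ktype, blob))
    return keys


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob).
    This is the string `ssh-keygen -lf` prints for the same key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def trusted_host_key(output: str, host: str, pinned_fingerprint: str,
                     key_type: str = "ssh-ed25519") -> str:
    """Return 'type base64key' for host, but only if the scanned key's
    fingerprint equals the one recorded out of band. Raise otherwise, so a
    substituted key can never silently become the sops-nix bootstrap key."""
    for h, ktype, blob in parse_keyscan(output, key_type):
        if h != host:
            continue
        fp = sha256_fingerprint(blob)
        if fp != pinned_fingerprint:
            raise RuntimeError(
                f"{host}: scanned fingerprint {fp} does not match pinned {pinned_fingerprint}")
        return f"{ktype} {base64.b64encode(blob).decode()}"
    raise RuntimeError(f"{host}: no {key_type} key in keyscan output")


if __name__ == "__main__":
    # In real use the pinned value comes from the console, not from the scan.
    pinned = sha256_fingerprint(parse_keyscan(SAMPLE_KEYSCAN_OUTPUT)[0][2])
    print(trusted_host_key(SAMPLE_KEYSCAN_OUTPUT, "host", pinned))
```

In practice you would read the real output (`ssh-keyscan -t ed25519 host`) instead of the constructed sample, and the accepted `ssh-ed25519 ...` line is what you then convert with `ssh-to-age` to get the age recipient for the host's entry in `.sops.yaml`. The pinned fingerprint is the one piece that has to travel by a channel other than the network you are bootstrapping over; without it the check degrades to trust-on-first-use.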