That’s usually done with NixOps, not NixOS itself. NixOps has a
send-keys command, and copies the keys after every restart done with the
nixops tooling. So you’re not in much danger putting your keys in a tmpfs (and usually desirable to prevent theft of your secrets along with server hardware, for example
[Edit]: Sorry, I should clarify.
Putting keys in that directory is usually done with NixOps. NixOS itself defaults that directory to a ramfs. I just checked again for usages in modules, and it’s apparently all over the place!
We should probably do some cleanup to make people either aware that this will be wiped on reboot, or that they should definitely have them backed up. Most of the usage right now is as examples in modules, but it seems like there are also some that default to it. If one is unaware that it’s a ramfs, it might cause quite some headaches.