Hello Zack,

I developed and currently use sops-guix, a reimplementation of sops-nix 
principles in Guix' terms [0]. Basically secrets never hit the disk in clear 
text, they are encrypted before including them in the Guix code and get 
decrypted at activation time, provided the right keys are present on the target 
machine.

While it is completely based on free software, it is not in Guix mainline due to 
the complexity of packaging SOPS' dependency graph. As soon as there's a SOPS 
package in Guix I plan to upstream the sops-secrets-service-type and 
sops-secret record.

HTH,

giacomo

[0]: https://github.com/fishinthecalculator/sops-guix
