pip and venv are working, but packages that require compiling or ship binaries by themselves usually won't work out of the box. They depend on gcc or libopenssl to be globally available: the whole gist of Nix not doing
I've found devenv.sh to be the most convenient way to handle such projects. You can define the dependencies for a project. It has explicit python/venv/requirements.txt/poetry support. It works for NixOS, but also other distros and macOS. Very convenient to share and lock development tools and libraries across a team.
I had also been contemplating this for a while. The solution I implemented recently is:
The system itself is a RPI on NixOS. The system can be reproduced from the NixOS configuration. The NixOS configuration is stored on GitHub. Since I can reproduce the sdcard image (and full system) from the configuration I opted to not do any backup of the sdcard/system itself.
I've also opted to not use raid, as I can replace/add a RPI without too much hassle.
The real backups for me are for photos. Those are stored on a M.2 storage. A second (similar) RPI is placed at my dad's place. The RPIs run tailscale and syncthing. Syncthing syncs using staggered mode (stores 1 version for the last day/week/year) and the RPI at my dad's is untrusted, so the backup files are sent/stored encrypted there.
This setup hasn't run very long yet, so I won't recommend it, but it seems to check quite a lot of boxes for me. Maybe it gives some ideas. I'm also interested in what alternative solutions others came up with.