I believe Nix actually picks a volume so that it can be encrypted, and it uses one of the many ways to run a script before login (some of which still happen to work) to decrypt it?
I read that thread a couple weeks back (was doing some firmlink research and stumbled upon it) and I seem to recall someone there finding something that ran pretty early. Perhaps I'm misremembering? I am sure there is at least one way to get this done, but I'll have to go look into what it is.