Ideas for an 'ideal' nix-based distro

Every module that configures a service should let me configure many instances of the service, unless it structurally must be a singleton. Right now running multiple services on a single machine often ends with “oh jeez they both want to use postgres”, and having to go figure out if everyone is okay sharing, because upstream assumes you’re using kubernetes and of course you’ll have a dedicated DB instance.

In a perfect world that wouldn’t be needed, but the world’s not perfect and “oh no I need two nginxes and I can’t” always harshes my mellow. I use NixOS containers heavily as a workaround for this, but it’s a mediocre workaround IMO.
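One way a module can offer the "many instances" shape the post asks for is to expose an `attrsOf (submodule …)` option and derive one systemd unit per attribute name. The block below is an added illustration, not code from the original post or from nixpkgs; the service name `exampled`, the option path `services.exampled`, and the `pkgs.exampled` package are assumptions for the sake of the example.

```nix
# Added example, not from the original post: a NixOS module skeleton that
# exposes named *instances* of a hypothetical service ("exampled"), so two or
# more copies run side by side with distinct ports, state directories and
# dynamic users. `services.exampled` and `pkgs.exampled` are assumed names.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.exampled;

  # Per-instance options; `name` is the attribute key in `instances`.
  instanceOpts = { name, ... }: {
    options = {
      enable = lib.mkEnableOption "this exampled instance";
      port = lib.mkOption {
        type = lib.types.port;
        description = "TCP port this instance listens on.";
      };
      stateDir = lib.mkOption {
        type = lib.types.str;
        default = "/var/lib/exampled-${name}";
        description = "Per-instance state directory (created by systemd).";
      };
    };
  };

  enabledInstances = lib.filterAttrs (_: i: i.enable) cfg.instances;
in
{
  options.services.exampled.instances = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule instanceOpts);
    default = { };
    description = "Named instances of exampled; each becomes its own unit.";
  };

  config = lib.mkIf (enabledInstances != { }) {
    # Fail evaluation early if two enabled instances would fight over a port.
    assertions = [{
      assertion =
        let ports = lib.mapAttrsToList (_: i: i.port) enabledInstances;
        in lib.length ports == lib.length (lib.unique ports);
      message = "services.exampled: two enabled instances share a port";
    }];

    # One hardened unit per instance: exampled-<name>.service.
    systemd.services = lib.mapAttrs' (name: i:
      lib.nameValuePair "exampled-${name}" {
        description = "exampled instance ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          ExecStart = "${pkgs.exampled}/bin/exampled --port ${toString i.port} --state ${i.stateDir}";
          # Separate throwaway UID and /var/lib/exampled-<name> per instance.
          DynamicUser = true;
          StateDirectory = "exampled-${name}";
          ProtectSystem = "strict";
          ProtectHome = true;
          NoNewPrivileges = true;
        };
      }) enabledInstances;
  };
}
```

With this shape, a host configuration can declare `services.exampled.instances.alpha = { enable = true; port = 8080; };` and `services.exampled.instances.beta = { enable = true; port = 8081; };`, and the module emits `exampled-alpha.service` and `exampled-beta.service` with their own state directories and users. The assertion is the piece that turns "oh jeez they both want the same thing" into an evaluation-time error rather than a runtime collision.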


Better NixOS containers, because sometimes I really do want containers. Right now their integration with flakes is super wonky (I spent an unpleasant couple hours to figure out a horrible hack that injects flakes into the container definition), and I can’t shake the feeling that I’m the only user and living on borrowed time. Or rip them out entirely and tell me to run VMs, that’s okay too.


Declarative management of ZFS datasets. Right now I’ve handcrafted something that’s a bit brittle (super easy to drop a server into emergency.target and have to do the walk of shame to rollback). disko seems to be going in that direction.


State of the art system integrity. Continue down the path that Lanzaboote laid out, but go further: seamless dm-crypt and dm-integrity support with TPM-sealed keys that are only available during initrd, so the chain of trust is maintained into the main OS. Use systemd’s TPM-bound credential storage for services where applicable. Measure NixOS state into PCRs and give me a way to precalculate the expected PCRs for a particular system closure, so that remote attestation of the entire OS configuration becomes possible. And so on.

With the caveat that this should all fall back to non-TPM based things if one isn’t available (mostly for older machines, since Windows 11 mandates a TPM for new devices), or for folks who don’t want it for whatever reason.

Linux in general is behind the curve on system integrity compared to macOS and Windows. systemd has been closing the low-level tooling gap, but I’d like the OS to go the rest of the way.
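The "TPM-bound credential storage for services" item maps onto systemd's encrypted credentials: a secret is sealed with `systemd-creds encrypt --with-key=tpm2` and a unit unseals it at start via `LoadCredentialEncrypted=`, so the plaintext never sits on disk and is only available to that unit. The fragment below is an added example, not code from the original post; the unit name `example-app`, the package `pkgs.example-app`, and the credential path under `/etc/credstore.encrypted` are assumptions.

```nix
# Added example, not from the original post: a NixOS service that reads a
# TPM-sealed secret through systemd's encrypted-credential mechanism.
# Assumed: the ciphertext was produced on this machine beforehand with
#   systemd-creds encrypt --with-key=tpm2 --name=db-password \
#     plaintext.txt /etc/credstore.encrypted/db-password
# so only a TPM with the expected state can unseal it. `example-app` and
# `pkgs.example-app` are placeholder names.
{ pkgs, ... }:
{
  systemd.services.example-app = {
    description = "example-app with a TPM-sealed database password";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      # systemd unseals the blob and exposes the plaintext only to this unit
      # at $CREDENTIALS_DIRECTORY/db-password (a private tmpfs, not /etc).
      LoadCredentialEncrypted = "db-password:/etc/credstore.encrypted/db-password";
      # The application reads the file path from the environment; it never
      # sees the TPM or the sealed blob directly.
      ExecStart = "${pkgs.example-app}/bin/example-app --password-file %d/db-password";
      DynamicUser = true;
      ProtectSystem = "strict";
      NoNewPrivileges = true;
    };
  };
}
```

`%d` is systemd's specifier for the credentials directory. If the TPM is absent or its state differs from what the blob was sealed against, unsealing fails and the unit does not start, which is the fail-closed behaviour you want for a secret, and also why the post's "fall back when there is no TPM" caveat has to be a deliberate configuration choice rather than an automatic one.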


Security fixes that ship rapidly. Unfortunately this probably requires a bunch of work to implement something like guix’s grafts, so that fixes aren’t stuck behind world rebuilds. But NixOS’s security story for vulnerability remediation is significantly worse than other distros right now.


Better underlying Nix, which 🤞 Lix will deliver: more intelligible errors, more debuggable errors, faster eval of whole-system derivations, faster nix-copy-closure, better cache and build services that mortals can run with minimal effort.