chore: update

feat: added iwd modules

flake.lock

@@ -8,14 +8,15 @@
         ],
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1703260116,
-        "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=",
+        "lastModified": 1703433843,
+        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "d0d4ad5be611da43da04321f49684ad72d705c7e",
+        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
         "type": "github"
       },
       "original": {
@@ -242,11 +243,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
         "type": "github"
       },
       "original": {
@@ -262,7 +263,7 @@
           "agenix-rekey",
           "nixpkgs"
         ],
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1695195896,
@@ -307,7 +308,7 @@
           "nixos-extra-modules",
           "nixpkgs"
         ],
-        "systems": "systems_3"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1701787589,
@@ -330,11 +331,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703162528,
-        "narHash": "sha256-pQ41wN6JlStkZOhRTIHEpuwVywLdh+xzZQW1+FzdjVs=",
+        "lastModified": 1703532766,
+        "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "a050895e4eb06e0738680021a701ea05dc8dbfc9",
+        "rev": "1b191113874dee97796749bb21eac3d84735c70a",
         "type": "github"
       },
       "original": {
@@ -519,7 +520,7 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1681202837,
@@ -537,7 +538,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -555,7 +556,7 @@
     },
     "flake-utils_4": {
       "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_6"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -573,7 +574,7 @@
     },
     "flake-utils_5": {
       "inputs": {
-        "systems": "systems_6"
+        "systems": "systems_7"
       },
       "locked": {
         "lastModified": 1685518550,
@@ -591,7 +592,7 @@
     },
     "flake-utils_6": {
       "inputs": {
-        "systems": "systems_7"
+        "systems": "systems_8"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -609,7 +610,7 @@
     },
     "flake-utils_7": {
       "inputs": {
-        "systems": "systems_8"
+        "systems": "systems_9"
       },
       "locked": {
         "lastModified": 1685518550,
@@ -627,7 +628,7 @@
     },
     "flake-utils_8": {
       "inputs": {
-        "systems": "systems_9"
+        "systems": "systems_10"
       },
       "locked": {
         "lastModified": 1685518550,
@@ -791,11 +792,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703178811,
-        "narHash": "sha256-Orbqa8DvszYZ38XGWAs43hVs++czt2N6/Y0sFRLhJms=",
+        "lastModified": 1703527373,
+        "narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fb5ac0c870a1b3ffea70e02ab1720d991ce812ae",
+        "rev": "80679ea5074ab7190c4cce478c600057cfb5edae",
         "type": "github"
       },
       "original": {
@@ -827,11 +828,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1702984171,
-        "narHash": "sha256-reIUBrUXibohXmvXRsgpvtlCE0QQSvWSA+qQCKohgR0=",
+        "lastModified": 1703562375,
+        "narHash": "sha256-T46GgRVnSUo0DrCVAHreLNMgeCYmFvo469qj1Z6dYDQ=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "123e94200f63952639492796b8878e588a4a2851",
+        "rev": "8d16ac97980b3641078dd7c11337bfaa77b45789",
         "type": "github"
       },
       "original": {
@@ -873,11 +874,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1702814943,
-        "narHash": "sha256-tNKSDbtoEDfCTs30dyW0Fcj4KJpjzTRASL6f2BbuSKE=",
+        "lastModified": 1703419730,
+        "narHash": "sha256-ZRqj/irxTzRoGne2eWmuNaSO1/rz22S1EGj+MJXINeo=",
         "owner": "nix-community",
         "repo": "lib-aggregate",
-        "rev": "ac8b1c4cfb2f9111e709aaf503511df354e86733",
+        "rev": "7deb8249793fd2e9244c4e652c18d95351eb1111",
         "type": "github"
       },
       "original": {
@@ -894,11 +895,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1702815315,
-        "narHash": "sha256-LEpv7kvB7KPj/6BoNYWMcVjRezTJe6FNmg5kCKZQxMk=",
+        "lastModified": 1703466376,
+        "narHash": "sha256-Wy8iF8u5KSzrTxg1hStTBmUjzzKdKyCyMOg8b/eTvVQ=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "3c6e1234af3aa26fc60d0969619cf6806ec51639",
+        "rev": "64104a3c55593c903af78af86a4c9d2e5487a2d7",
         "type": "github"
       },
       "original": {
@@ -936,11 +937,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702864432,
-        "narHash": "sha256-xR5Igg2hnm979W3YgMDrSjErHFhHo4rbMboF6DC0mbc=",
+        "lastModified": 1703387252,
+        "narHash": "sha256-XKJqGj0BaEn/zyctEnkgVIh6Ba1rgTRc+UBi9EU8Y54=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "4605ccd764fac78b9e4b5b058698cb9f04430b91",
+        "rev": "f4340c1a42c38d79293ba69bfd839fbd6268a538",
         "type": "github"
       },
       "original": {
@@ -1010,11 +1011,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1702453208,
-        "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=",
+        "lastModified": 1703545041,
+        "narHash": "sha256-nvQA+k1rSszrf4kA4eK2i/SGbzoXyoKHzzyzq/Jca1w=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6",
+        "rev": "a15b6e525f5737a47b4ce28445c836996fb2ea8c",
         "type": "github"
       },
       "original": {
@@ -1025,11 +1026,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1703013332,
-        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+        "lastModified": 1703255338,
+        "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+        "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
         "type": "github"
       },
       "original": {
@@ -1041,11 +1042,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1702774034,
-        "narHash": "sha256-M0IsUA89EKHL8IDx9bf+e2W2l1kMRpaZ4h08navMXig=",
+        "lastModified": 1703378839,
+        "narHash": "sha256-wJDrJji9XNMgAsO+Ah34BaraG8bAw9GF7poJQPE0TqU=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "9b4f1493009b8d2f55a525a01de10addc9a0a752",
+        "rev": "9b3a550ca7d42f5ceb3acc13f95dae1a69e6de56",
         "type": "github"
       },
       "original": {
@@ -1144,11 +1145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703261986,
-        "narHash": "sha256-+OPGb6fOF1wpiCNnpnDHvLkwnhbcAx6785FyNdYupkI=",
+        "lastModified": 1703502790,
+        "narHash": "sha256-BMwU2OD7PB0ikWABs58c6kRkzxznIF/G8tacr9pENmE=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "e977dcdee6b4c944b6309cd7973fd27f73efa842",
+        "rev": "95c67444c1886ed3cddd54da947237682c211c39",
         "type": "github"
       },
       "original": {
@@ -1159,11 +1160,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1702539185,
-        "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
+        "lastModified": 1703134684,
+        "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
+        "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
         "type": "github"
       },
       "original": {
@@ -1249,11 +1250,11 @@
         "pre-commit-hooks": "pre-commit-hooks_3"
       },
       "locked": {
-        "lastModified": 1703260550,
-        "narHash": "sha256-wPe+0oCgzvf9Ixscme+NUS4iRX0n/alJvt3msnu9vPA=",
+        "lastModified": 1703435563,
+        "narHash": "sha256-BDnoVc9Kvc9wo9lt8GC0kkqwLedP7lnBBdh1UHl4cPw=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "e0521dde87825e4ed16e1ac5b6df9f1b7e60af05",
+        "rev": "c11158c73e9a488d803356127a54af8101fc0051",
         "type": "github"
       },
       "original": {
@@ -1387,11 +1388,11 @@
         "nixpkgs-stable": "nixpkgs-stable_5"
       },
       "locked": {
-        "lastModified": 1702456155,
-        "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=",
+        "lastModified": 1703426812,
+        "narHash": "sha256-aODSOH8Og8ne4JylPJn+hZ6lyv6K7vE5jFo4KAGIebM=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc",
+        "rev": "7f35ec30d16b38fe0eed8005933f418d1a4693ee",
         "type": "github"
       },
       "original": {
@@ -1421,7 +1422,7 @@
         "pre-commit-hooks": "pre-commit-hooks_4",
         "spicetify-nix": "spicetify-nix",
         "stylix": "stylix",
-        "systems": "systems_10",
+        "systems": "systems_11",
         "templates": "templates",
         "wired-notify": "wired-notify"
       }
@@ -1485,11 +1486,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1703004037,
-        "narHash": "sha256-ceYPl/ML0kQBCUaOw0gG2TxHHEl4k9xivFpsdlKidIQ=",
+        "lastModified": 1703528325,
+        "narHash": "sha256-ajoMmEPbLhp9xsReDDQFaY7xX+ayIqwfMlZNg8YxHnw=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "d14ac4912a9ab02f8b49b761e9e4b9ae836171af",
+        "rev": "7ccd1293a48f01eace7d0ce8d82af51919105b76",
         "type": "github"
       },
       "original": {
@@ -1528,6 +1529,21 @@
         "type": "github"
       }
     },
+    "systems_11": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "systems_2": {
       "locked": {
         "lastModified": 1681028828,
@@ -1672,11 +1688,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702461037,
-        "narHash": "sha256-ssyGxfGHRuuLHuMex+vV6RMOt7nAo07nwufg9L5GkLg=",
+        "lastModified": 1702979157,
+        "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "d06b70e5163a903f19009c3f97770014787a080f",
+        "rev": "2961375283668d867e64129c22af532de8e77734",
         "type": "github"
       },
       "original": {

hosts/patricknix/net.nix

@@ -1,7 +1,33 @@
 {config, ...}: {
+  age.secrets.eduroam = {
+    rekeyFile = ./secrets/iwd/eduroam.8021x.age;
+    path = "/var/lib/iwd/eduroam.8021x";
+  };
+  age.secrets.simonWlan = {
+    rekeyFile = ./. + "/secrets/iwd/=467269747a21426f78373539302048616e7373656e.psk.age";
+    path = "/var/lib/=467269747a21426f78373539302048616e7373656e.psk";
+  };
+  age.secrets = {
+    devoloog-psk.rekeyFile = ./secrets/iwd/devoloog-psk.age;
+    devoloog-pass.rekeyFile = ./secrets/iwd/devoloog-pass.age;
+    devoloog-sae19.rekeyFile = ./secrets/iwd/devoloog-sae19.age;
+    devoloog-sae20.rekeyFile = ./secrets/iwd/devoloog-sae20.age;
+  };
   networking = {
     inherit (config.secrets.secrets.local.networking) hostId;
-    wireless.iwd.enable = true;
+    wireless.iwd = {
+      enable = true;
+      networks = {
+        devoloog.settings = {
+          Security = {
+            PreSharedKey = config.age.secrets.devoloog-psk.path;
+            Passphrase = config.age.secrets.devoloog-pass.path;
+            SAE-PT-Group19 = config.age.secrets.devoloog-sae19.path;
+            SAE-PT-Group20 = config.age.secrets.devoloog-sae20.path;
+          };
+        };
+      };
+    };
     # Add the VPN based route to my paperless instance to
     # etc/hosts
     extraHosts = ''
@@ -45,16 +71,4 @@
       dhcpV6Config.RouteMetric = 40;
     };
   };
-  age.secrets.eduroam = {
-    rekeyFile = ./secrets/iwd/eduroam.8021x.age;
-    path = "/var/lib/iwd/eduroam.8021x";
-  };
-  age.secrets.devoloog = {
-    rekeyFile = ./secrets/iwd/devolo-og.psk.age;
-    path = "/var/lib/iwd/devolo-og.psk";
-  };
-  age.secrets.simonWlan = {
-    rekeyFile = ./. + "/secrets/iwd/=467269747a21426f78373539302048616e7373656e.psk.age";
-    path = "/var/lib/=467269747a21426f78373539302048616e7373656e.psk";
-  };
 }

hosts/patricknix/secrets/iwd/devoloog-pass.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 Yu9I8MMeSOj0o/GgDHavd/h+nFBLg+HgynBS4CwPu2E
+c4ZFdXhiZteLlJ2p5bwqYqxert3Tu77G4k+7wVskkDY
+-> piv-p256 XTQkUA ApCLcyq6V/ViY/CPEv/xNE94dr4rMacDYQaVbm3XiRh0
+sy28bqGANVFogK167Ug6UxlhCtu7VduqJRNf2JJy+3s
+-> piv-p256 ZFgiIw A7MTWlpv3dxm3RqSvEYHolVR0Q9JVP+dlkf3PqwjtniY
+jduMm3dHT/OZuvMTQ9mprd7mWU9cyiTkM557gOE6fz4
+-> piv-p256 ZFgiIw AyNVo9CHra3CEkgHvzv4AfoAWgVXcoU4KmTYoc9XCydE
+by2yKqbQ4VQl074EXRJsntYDc+pTF3s/aZjTHUxcOc8
+-> 3h.^Qx$-grease [u;j} P`
+02iOKQ
+--- SxO9fHMpuwq7OtQW9oHce6yHT2HYz1dFb51IdfAirsE
+šÌvµœÆ^k,Z5í‚Yã×L<06>µÝ<05>?&Ë»ÀÄ<C380>²m-va„äÙ#hšiÁ—Ô

hosts/patricknix/secrets/iwd/devoloog-sae19.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> X25519 wtUBa6q5pJMUovFqGuAc1DgpxNNRcgPthhZVk/bJACY
+TMyIvn5VGVxkTZYlxC6THUx2Yt88O1RxA/PVLrLEYmg
+-> piv-p256 XTQkUA A5OxSdYZQqYkmarOpN6+lMA5z0thAwm5i1meR4baWVCg
+ElbvdOqrb/gBlT/GRu7S8W1oIc3gHjbg8qh4aYCafkk
+-> piv-p256 ZFgiIw AiaHGpxO8gsff4IIivHv6DsVQttjo1xAXu5DPv7ySTmM
+cwiyq2nldnuyjv8RCu0LdK6CozWJhKyT3KOYZdNOX2o
+-> piv-p256 ZFgiIw A+jEsJv/aasqc0pS9/YQVD8r9r7zE7TN1RQ4x3O9MGRH
+muRbzTO5YKPV3SNxWlJmaYM/zaJ4Vibrw2rll9nhzcQ
+-> `8G"-grease ^~S m9}+NyN! 0gUY%;m-
++C2Dt3GcIaS/w1u7wT0i2ImeFHLFuPZ8MLB2MIEWF0sMQauWc2XFN+dXxeUPCYl1
+ZSbY0u9KYqom9YsB5g
+--- 661TNgwiETit9dGIYNyOJv/4FQzpMOZ5WFrkz79TvcI
+«Täé_<EFBFBD>$A£XàöáóH•zkwx'[z/*yò Ô¤~T4à§Ä—üd7!v5\¿¯¦Až¬Îž0OèËSµi¤j+Ô£&É×äy¶Ò¨¯ÃGEÇ/üj12MÏC‘Ä?щ+ßP)Èâ<¸›BßÇMÍp:6ç…|·Þ<L<>{þਙƒ	3=)QéQ<>f½-G”µÂPÅrD5Ô‹eìÈš

hosts/patricknix/secrets/iwd/devoloog-sae20.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> X25519 Ro0Os6I8MZwpIM1Od486oz5tlrCuXB8GGcIrPV8S1CQ
+jVaINyZ0hZBoJn5iSpThaCH5SPLK5c2xL2pr4KXXrmM
+-> piv-p256 XTQkUA AxMy20+EpCAgIyS6vp+qKDOju69nv3oua4swBnias6Jl
+JRjc0UM3RdZ/VTj5lD5yIfGpVfiXKrIRAPJMghshHFk
+-> piv-p256 ZFgiIw A35QGD5lRwczOKg2K/ZdgTRvyLdtNH57HKw6AoODkU8C
+MBMOrxxWsL8xpUPskSCZkesB7htVexF1yGAUDDn0pK8
+-> piv-p256 ZFgiIw ApYHmHpIDyTgem54u7WRU35tJNgGZjA8aFd0UtMpkmXE
+K7XdZit5Gkz2/D6UzMFUpobfnZXh1JWbV+/D0tNNrGw
+-> jY-grease JDpeU' .3$h
+lxaZZDyTUPhkis3ib33jT5GSOZa+EaheyHb7
+--- kL8WcOpKnQnZmww5ruBhlnHkryfirjgP7D3970gC3kQ
+ì&èô¨~Žƒúhªª‹¸Uþ-‘	úˆ€ü–š
»±Ýqáx-|{zG ¶É¶y¾¯å–4À@Ý<‡¢¯<M¶,`q¯¾¢îÜml–½¬R¯  “ª\"†ÒíEঌŒ¡GÉ <20>?Xø>tß
+îƒyä<EFBFBD>¦ˆÛxZ«XÆÖJ^4Ý{PœhŨË"ÑCO¤Š½RÅ´7! Âoiï"øW¼<57>t<‰·I燮šMÒ>tITAno®Bƒ·{‡k­ç‘ž$ÁhI
¤I¥¡cÓtX?¼ê²	ýüj

modules/config/default.nix

@@ -22,6 +22,7 @@
     ../meta.nix
     ../smb-mounts.nix
     ../deterministic-ids.nix
+    ../optional/iwd.nix
     ./impermanence
 
     inputs.home-manager.nixosModules.default

modules/optional/iwd.nix

@@ -0,0 +1,110 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: {
+  options.networking.wireless.iwd = let
+    inherit
+      (lib)
+      mkOption
+      literalExample
+      types
+      hasAttrByPath
+      ;
+  in {
+    networks = mkOption {
+      default = {};
+      example = literalExample ''
+        { "karlsruhe.freifunk.net" = {};
+        };
+      '';
+
+      description = ''
+        Declarative configuration of wifi networks for
+        <citerefentry><refentrytitle>iwd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+
+        All networks will be stored in
+        <literal>/var/lib/iwd/&lt;name&gt;.&lt;type&gt;</literal>.
+
+        Since each network is stored in its own file, declarative networks can be used in an
+        environment with imperatively added networks via
+        <citerefentry><refentrytitle>iwctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+      '';
+
+      type = types.attrsOf (types.submodule ({config, ...}: {
+        config.kind =
+          if (hasAttrByPath ["Security" "Passphrase"] config.settings)
+          then "psk"
+          else if !(hasAttrByPath ["Security"] config.settings)
+          then "open"
+          else "8021x";
+
+        options = {
+          kind = mkOption {
+            type = types.enum ["open" "psk" "8021x"];
+            description = "The type of network. This will determine the file ending. The module will try to determine this automatically so this should only be set when the heuristics fail.";
+          };
+          settings = mkOption {
+            type = with types; (attrsOf (attrsOf str));
+            description = ''
+              Contents of the iwd config file for this network
+              If a file named like this exists the content will be read from file, else the raw string will be used.
+            '';
+            default = {};
+          };
+        };
+      }));
+    };
+  };
+
+  config = let
+    inherit
+      (lib)
+      mkIf
+      flip
+      mapAttrsToList
+      concatStringsSep
+      hasPrefix
+      ;
+    cfg = config.networking.wireless.iwd;
+
+    encoder = pkgs.writeScriptBin "encoder" ''
+      #! ${pkgs.runtimeShell} -e
+
+      # Extract file-ext from network names
+      ext="$(sed -re 's/.*\.(8021x|open|psk)$/\1/' <<< "$*")"
+      to_enc="$(sed -re "s/(.*)\.$ext/\1/g" <<< "$*")"
+
+      # Encode ssid (excluding file-extensio) as base64 if needed
+      [[ "$to_enc" =~ ^[[:alnum:]]+$ ]] && { echo "$to_enc.$ext"; exit 0; }
+      echo "=$(printf "$to_enc" | ${pkgs.unixtools.xxd}/bin/xxd -pu).$ext"
+    '';
+  in
+    mkIf cfg.enable {
+      systemd.services.iwd = mkIf (cfg.networks != {}) {
+        path = [encoder];
+        preStart = let
+          dataDir = "/var/lib/iwd";
+        in ''
+          # Create config files for declaratively defined networks in the NixOS config.
+          ${concatStringsSep "\n" (flip mapAttrsToList cfg.networks (network: config: ''
+            filename=${dataDir}/"$(encoder '${network}.${config.kind}')"
+            touch "$filename"
+            cat >$filename <<EOF
+            ${concatStringsSep "\n" (flip mapAttrsToList config.settings (toplevel: config: ''
+              [${toplevel}]
+              ${concatStringsSep "\n" (flip mapAttrsToList config (name: value: ''
+                ${name}=${
+                  if hasPrefix "/" value
+                  then "$(<${value})"
+                  else value
+                }
+              ''))}
+            ''))}
+            EOF
+          ''))}
+        '';
+      };
+    };
+}