After struggling with this, I managed to do it and wrote a guide.
TLDR: the old approach worked by saving the TOTP secret inside the software and authenticating normally. The new method opens a WebView window, and storing cookies or secrets does not seem to have an effect.
So doing it declaratively seems to be even more impossible.
To avoid duplication, here is the guide:
Thanks for this comment on how to add openconnect support to NetworkManager.
On NixOS, installing the software works simply by doing the following:
services.desktopManager.plasma6.enable = true;
networking.networkmanager.plugins = with pkgs; [
networkmanager-openconnect
];
The new method requires QtWebEngine to open the WebView window for authentication.
The user agent needs to be changed to “AnyConnect” for it to work.