But I can’t enter a variable for the identity field.
Only some fields support this; it’s meant to keep secrets (PSKs, passwords) protected.
If you’re publishing your configuration and want to hide PII (such as usernames, SSIDs, email addresses, etc.), the standard method is to define these in an external .nix file and import them where needed.
You can even make it a NixOS module that exports your constants as an option, so that you can do identity=${config.stuff.myemail}. Then you either don’t share this file, use git-crypt or the method described here to keep it encrypted and decrypt it on the fly from Nix.
Instead, if you really care about local users not being able to access this information, you can try this:
Define your networks using wpa_supplicant.conf syntax in some networks.conf file.
Set networking.wireless.allowAuxiliaryImperativeNetworks. This makes wpa_supplicant load /etc/wpa_supplicant.conf in addition to the configuration generated by NixOS.
Install networks.conf in /etc/wpa_supplicant.conf with whatever you use to handle secrets. (It should have permissions 400 and ownership root:root.)
You can even make it a NixOS module that exports your constants as an option, so that you can do identity=${config.stuff.myemail}. Then you either don’t share this file, use git-crypt or the method described here to keep it encrypted and decrypt it on the fly from Nix.
Could you provide an example or a link to such a module with pre-defined constants?
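An added example, not posted by anyone in the thread, of the kind of constants module the reply describes. The option names under `stuff`, the file name `private.nix`, the secrets path and the `pass_work` key are hypothetical, and the password line assumes a NixOS release that has `networking.wireless.secretsFile`.

```nix
# constants.nix: added example; every name under `stuff` is hypothetical.
{ config, lib, ... }:
{
  # private.nix stays out of the published repository (or is encrypted with
  # git-crypt). It only assigns the values, for example (constructed values):
  #   { stuff.myemail = "user@example.org"; stuff.workSsid = "ExampleCorp"; }
  imports = [ ./private.nix ];

  # Declare the constants as typed options so any other module can read them
  # through `config.stuff.*`. No defaults: evaluation fails if private.nix
  # is missing a value, instead of silently using a placeholder.
  options.stuff = {
    myemail = lib.mkOption {
      type = lib.types.str;
      description = "EAP identity used for the enterprise Wi-Fi network.";
    };
    workSsid = lib.mkOption {
      type = lib.types.str;
      description = "SSID of the enterprise Wi-Fi network.";
    };
  };

  config = {
    networking.wireless.enable = true;

    # Assumption: secrets are provisioned to this path by your secrets tool.
    networking.wireless.secretsFile = "/run/secrets/wireless.conf";

    # SSID and identity come from the private constants; the password is
    # resolved at runtime from secretsFile and never appears in Nix code.
    networking.wireless.networks.${config.stuff.workSsid}.auth = ''
      key_mgmt=WPA-EAP
      eap=PEAP
      identity="${config.stuff.myemail}"
      password=ext:pass_work
    '';
  };
}
```

Values read from `config.stuff.*` are ordinary Nix strings, so they end up in the generated configuration in the world-readable Nix store; this keeps them out of the published repository only, and the `/etc/wpa_supplicant.conf` steps in the reply are the route for hiding them from local users.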