Well, from a task-dependency perspective, it is still interesting. It also set DefaultDependencies=no btw, maybe for a similar reason? Anyway, it doesn’t matter, because now my config works 
I also had to adjust other settings, like including kernel modules for the cryptographic coprocessor. I inferred it from the errors I got from wpa_supplicant, but still it required some trials and errors; I couldn’t find any way of detecting this methodically (with some sort of explicit missing module report).
Here is the working config:
boot.initrd = let interface = "wlp2s0"; in
{
# crypto coprocessor and wifi modules
availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];
systemd = {
enable = true;
packages = [ pkgs.wpa_supplicant ];
initrdBin = [ pkgs.wpa_supplicant ];
targets.initrd.wants = [ "wpa_supplicant@${interface}.service" ];
# prevent WPA supplicant from requiring `sysinit.target`.
services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
users.root.shell = "/bin/systemd-tty-ask-password-agent";
network.enable = true;
network.networks."10-wlan" = {
matchConfig.Name = interface;
networkConfig.DHCP = "yes";
};
};
secrets."/etc/wpa_supplicant/wpa_supplicant-${interface}.conf" =
/root/secrets/wpa_supplicant.conf;
network.enable = true;
network.ssh = {
enable = true;
port = 22;
hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
authorizedKeys = default.user.openssh.authorizedKeys.keys;
};
};
Thanks a lot for your time and patience!