Revisiting this nearly 6 months later…
After trying several things I ended up bringing back the substitution in the service script.
I created a custom wpa_supplicant module (based on the current one in nixpkgs) which:
- disables the one builtin in NixOS using the
disabledModulesoption - brings back two things from before the switch:
- final config location in service runtime dir (ie.
/run/wpa_supplicant/wpa_supplicant.conf) - secrets substitution in service script
- final config location in service runtime dir (ie.
I’m not very fond of awk (but yes, that’s because I lack knowledge of it) so I rewrote the substitution part in plain bash. It may not be very optimized but at least I understand the code and it works for my use case.
This is implemented in my repository here.