/run/wpa_supplicant/wpa_supplicant.conf seems to get wiped after I suspend.
That’s correct, that file is generated from the NixOS configuration and spliced with your secrets whenever you restart the wpa_supplicant daemon.
The question is where this is implemented so I can stop it.
You can’t, unless you rewrite the networking.wireless module. However, if you want to preserve the networks you added at runtime, there’s networking.wireless.allowAuxiliaryImperativeNetworks.
With this enabled you can put extra networks in /etc/wpa_supplicant.conf (either manually or using wpa_cli), which will be read in addition to /run/wpa_supplicant/wpa_supplicant.conf.