network-manager: declarative config #12219

Closed

akavel
Contributor

@akavel akavel commented Jan 7, 2016

Tested: works with a WPA/PSK password on my old-ish laptop.

cc @Phreedom @urkud @rickynils @domenkozar

@mention-bot

By analyzing the blame information on this pull request, we identified @globin, @rickynils and @nmikhailov to be potential reviewers

@NeQuissimus
Member

The wifi portion runs through wpa_supplicant, doesn't it?
Could you give the PSKs into wpa_passphrase and henceforth not have plain-text PSKs?
Would that make sense?

@akavel
Contributor Author

akavel commented Jan 7, 2016

@NeQuissimus I have no idea... I've done it the way it's done for the wpa_supplicant module; this one also seems to keep PSKs in plaintext. I glanced over the wpa_passphrase man page, but I can't understand what it does and how it can help. Anyway, there's a warning in the manual, and one's free to skip this feature and fall back to regular nmcli/GUI config.

@NeQuissimus
Member

wpa_passphrase replaces the plain text passphrase.

For example, you would normally have this

```
network={
  ssid="MySSID"
  psk="MyPassword"
}
```

After running through wpa_passphrase, it would look like this but still work as well:

```
$ wpa_passphrase MySSID MyPassword
network={
  ssid="MySSID"
  #psk="MyPassword"
  psk=a66e97b9a1008a97285c78c2b95082bed3541d3dd01165b0128f7f3c18563797
}
```

Remove the commented line and everything works just the same, except the PSK is no longer plain-text.

@fkz
Contributor

fkz commented Jan 10, 2016

I just started working on a more advanced version of this. Still early wip, but wanted to mention this now. I would probably continue to work on this in ~1-2 weeks if there's interest.

@akavel
Contributor Author

akavel commented Jan 18, 2016

I don't really know anything about "wpa_passphrase", or interactions between wpa_supplicant and NM (I'm actually totally a newbie to NetworkManager itself), thus I'm not planning to add support for it in the PR. If anybody is more knowledgeable in this area (@NeQuissimus?), I suppose they're more than welcome to send another PR.

To make it clear, I want to explain my intention is just to help the project (and future newbies to it) to the extent I'm able to, by sending this PR as an improvement for an issue I had when I tried to install NixOS for the first time (namely, not knowing how to configure a WiFi network in NetworkManager on command line, thus having to research it on the Internet, and wanting to have it done declaratively anyway). As to the interface and implementation, I tried to follow the example set by the wpa_supplicant module, being advised so on the mailing list.

@zimbatm
Member

zimbatm commented Feb 26, 2016

Hi @akavel, I think it's really cool what you did.

Do you know if there is any way to store the passwords encrypted? I think that with your PR the password would end up in the /nix/store in clear ^_^

@NeQuissimus
Member

According to https://wiki.debian.org/WiFi/HowToUse#WPA-PSK_and_WPA2-PSK you can just use the encrypted output of wpa_passphrase. If you could try that out and add something to the config/example, I think this should be pretty good.
If I have some time, I can give this a try as well.

@fkz
Contributor

fkz commented Feb 26, 2016

@NeQuissimus I've also tried this out in #12307 and it seems to work. Unfortunately I currently don't have much time to work on it.
Still, I think that's kind of a sense of false security, since the PSK really is the 'secret' which would still be world-readable in the nix store. I don't see much advantage to just storing the password.
The only way to avoid that would be using the encrypt primop (edolstra/nix@6b70036) but that's currently not in nix master.

@fkz
Contributor

fkz commented Feb 26, 2016

@NeQuissimus And also, the password will still be readable in plain text in a .drv file, so we don't really win anything.
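
Added example, not part of the thread or of the PR's code: the 64-hex-digit value that wpa_passphrase prints is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), and it is the key wpa_supplicant uses directly. The sketch below reproduces that derivation and audits a config for both forms of the credential; `derive_psk`, `audit_psk_lines` and the sample SSID/passphrase are names and values chosen for this illustration.

```python
import hashlib
import re

def derive_psk(ssid: str, passphrase: str) -> str:
    """Derivation wpa_passphrase performs for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

# Matches active and commented-out psk= lines in a network={} block.
PSK_LINE = re.compile(r"^\s*(#?)\s*psk=(.*?)\s*$")

def audit_psk_lines(config_text: str) -> list:
    """Return (line number, kind, commented_out) for every psk= line.
    Both kinds are credentials: a quoted value is the passphrase itself,
    and 64 hex digits are the derived key, accepted in its place."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PSK_LINE.match(line)
        if not m:
            continue
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            kind = "passphrase"
        elif re.fullmatch(r"[0-9a-fA-F]{64}", value):
            kind = "derived-psk"
        else:
            kind = "unknown"
        findings.append((lineno, kind, m.group(1) == "#"))
    return findings

# Constructed sample (SSID and passphrase are made up for this example),
# shaped like wpa_passphrase output before the comment line is removed.
SAMPLE_CONFIG = (
    'network={\n'
    '  ssid="IEEE"\n'
    '  #psk="password"\n'
    f'  psk={derive_psk("IEEE", "password")}\n'
    '}\n'
)

if __name__ == "__main__":
    for finding in audit_psk_lines(SAMPLE_CONFIG):
        print(finding)
```

Either finding in a world-readable location such as the Nix store exposes network access; the hex form only keeps the human-chosen passphrase from being read off directly.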

@gilligan
Contributor

gilligan commented Feb 2, 2017

Bump: what is the status on this?

@kalbasit
Member

kalbasit commented Sep 12, 2018

@akavel what's the status of this PR?
@fkz are you going to work on wrapping up #12307?

@akavel
Contributor Author

akavel commented Sep 12, 2018

@kalbasit I dunno. I submitted it as a contribution attempt, and all I can see is that it was apparently ignored by the repo owners. I don't know what more I can do. I don't have energy to pursue a social campaign of pressing people to notice this PR and review it... Also, personally, in the 2.5 years since I submitted this, I scaled back my immediate ambitions and currently paused trying to use NixOS proper; instead, I'm slowly trying to approach it from a Nix+home-manager angle. So this particular PR is not in my immediate sphere of interest as of now; that said, I might try to tweak this if some concrete changes were requested by the repo owners/reviewers as a precondition for merging this.

@florianjacob
Contributor

I'm working on a NixOS module for declarative low-level NetworkManager configuration, i.e. through networking.networkmanager instead of networking.wireless, but allowing configuration of all kinds of network connections, i.e. not limited to wireless connections. Once I'm done with that, we could use that as backend for this patch.

@teto
Member

teto commented Jul 22, 2019

@florianjacob cool stuff, ping me when you open your PR. I tend to run some non-standard network configurations so I would be interested in this.

@stale

stale bot commented Jun 1, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the
    related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 1, 2020

@domenkozar
Member

Seems like a new PR is in the works.
