{
  pkgs,
  lib,
  ...
}:
let
  importScript = pkgs.writers.writePython3 "install-wifi-import" {
    libraries = [ pkgs.python3Packages.pyaml ];
  } (builtins.readFile ./import.py);
  applyScript = pkgs.writers.writePython3 "install-wifi-apply" { } (builtins.readFile ./apply.py);
in
{
  environment.systemPackages = [
    (pkgs.writeShellApplication {
      name = "install-wifi";
      runtimeInputs = with pkgs; [
        wpa_supplicant
        diffutils
      ];
      text = ''
        temp="$(mktemp --directory --suffix="-install-wifi")"
        cd "$temp"

        bus_get() {
            sudo busctl -j get-property "fi.w1.wpa_supplicant1" "$@"
        }

        network_config() {
            bus_get "$1" "fi.w1.wpa_supplicant1.Network" Properties | jq '.data | keys[] as $k | "\($k)=\(.[$k] | .data)"' -r | sort
        }

        # Temporarily create a new network to get defaults
        default_id="$(wpa_cli add_network | tail -n1)"
        network_config "/fi/w1/wpa_supplicant1/Interfaces/0/Networks/$default_id" > default.conf
        wpa_cli remove_network "$default_id"

        networks_config() {
            # List all interfaces
            bus_get "/fi/w1/wpa_supplicant1" "fi.w1.wpa_supplicant1" Interfaces | jq '.data[]' -r | while read -r interface
            do
                # List all networks
                bus_get "$interface" "fi.w1.wpa_supplicant1.Interface" Networks | jq '.data[]' -r | while read -r network
                do
                    # Show configuration
                    echo "[$network]"
                    network_config "$network" > current.conf
                    comm -23 current.conf default.conf
                    rm current.conf
                    echo
                done
            done
        }

        # Save config for diffing later
        networks_config > old.conf

        # Export Wi-Fi config from pass
        ${importScript}

        # Save on persistent storage for boot
        sudo chown root:root wireless_networks.json
        sudo chmod "u=r" wireless_networks.json
        sudo mkdir -p /etc/keys
        sudo mv -f wireless_networks.json /etc/keys

        # Apply configuration
        sudo ${applyScript}

        # Diff the config
        networks_config > new.conf
        diff --color=auto -U 5 old.conf new.conf

        rm default.conf old.conf new.conf
        cd /
        rmdir "$temp"
      '';
      # This relies on pass password store with wifi/${name} entries,
      # containing wpa_supplicant networks loosely converted to YAML
      # (see import.py script)
    })
  ];
  # wireless support via wpa_supplicant
  networking = {
    wireless = {
      enable = true;
      extraConfig = ''
        country=NL
      '';
      userControlled.enable = true; # Allow some control with wpa_cli
    };
  };

  systemd.services.wifi_apply = {
    after = [ "wpa_supplicant.service" ];
    wantedBy = [ "wpa_supplicant.service" ];
    path = with pkgs; [ wpa_supplicant ];
    script = ''
      for i in {1..50}; do wpa_cli status &> /dev/null && break; sleep 0.1; done
      ${applyScript}
    '';
  };
}