From 1459fad584aedce4cc948b97c98613f01d43fef7 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Tue, 2 Jun 2026 15:14:17 +0200 Subject: [PATCH] nixos/wireless: restrict chown /etc/wpa_supplicant scope Otherwise the recursive chown can fail, hence wpa_supplicant doesn't start, if some read-only file has been bind-mounted into /etc/wpa_supplicant. This can happen if one uses `extraConfigFile` to add a file that is under /etc/wpa_supplicant. (cherry picked from commit 197a055a025d2e5ae987c4da201cb1f031102fd0)
---
 nixos/modules/services/networking/wpa_supplicant.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix
index 0e092de5e609..2c3c0a62b18d 100644
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -123,7 +123,8 @@ let
 # set up imperative config file
 "+${pkgs.coreutils}/bin/touch /etc/wpa_supplicant/imperative.conf"
 "+${pkgs.coreutils}/bin/chmod 664 /etc/wpa_supplicant/imperative.conf"
- "+${pkgs.coreutils}/bin/chown -R wpa_supplicant:wpa_supplicant /etc/wpa_supplicant"
+ "+${pkgs.coreutils}/bin/chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant"
+ "+${pkgs.coreutils}/bin/chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant/imperative.conf"
 ]
 ++ lib.optionals cfg.userControlled [
 # set up client sockets directory
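Review bot: The added `chown` on `/etc/wpa_supplicant/imperative.conf` follows symbolic links, whereas the `chown -R` it replaces acted on links themselves (GNU chown defaults to `-P` and no dereference when recursing, as far as I can tell). These entries carry systemd's `+` prefix and so run with full privileges, while the preceding added line gives the directory to the `wpa_supplicant` user; if that user can write to the directory (its mode is not visible in this hunk), root could end up re-owning whatever `imperative.conf` points at on the next start. Adding `-h` keeps the previous behaviour: `"+${pkgs.coreutils}/bin/chown -h wpa_supplicant:wpa_supplicant /etc/wpa_supplicant/imperative.conf"`. The unchanged `touch` and `chmod 664` lines follow links as well, so creating the file with its owner and mode through a `systemd.tmpfiles.rules` entry may be the more complete fix. The enclosing list starts and ends outside the hunk.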