diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix
index 908c8730ad2a..4bae05b6dd30 100644
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -8,17 +8,20 @@ let
${optionalString cfg.userControlled.enable ''
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=${cfg.userControlled.group}
update_config=1''}
- ${concatStringsSep "\n" (mapAttrsToList (ssid: networkConfig: let
- psk = if networkConfig.psk != null
- then ''"${networkConfig.psk}"''
- else networkConfig.pskRaw;
- priority = networkConfig.priority;
+ ${concatStringsSep "\n" (mapAttrsToList (ssid: config: with config; let
+ key = if psk != null
+ then ''"${psk}"''
+ else pskRaw;
+ baseAuth = if key != null
+ then ''psk=${key}''
+ else ''key_mgmt=NONE'';
in ''
network={
ssid="${ssid}"
- ${optionalString (psk != null) ''psk=${psk}''}
- ${optionalString (psk == null) ''key_mgmt=NONE''}
${optionalString (priority != null) ''priority=${toString priority}''}
+ ${optionalString hidden "scan_ssid=1"}
+ ${if (auth != null) then auth else baseAuth}
+ ${extraConfig}
}
'') cfg.networks)}
'' else "/etc/wpa_supplicant.conf";
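Review bot: The `auth` text is written verbatim into the generated network block (`${if (auth != null) then auth else baseAuth}`), and the example added for it in the next hunk carries `password="secret"`, so EAP credentials take the same path as `psk`. The trailing `else "/etc/wpa_supplicant.conf"` suggests this string becomes the generated configuration file; if that file is built into the Nix store, as it appears to be, those credentials are readable by every local user. I would add a sentence to the `auth` description, for example `Warning: the value, including any password, is copied into the generated configuration file, which may be stored in the world-readable Nix store.` The enclosing `let` binding starts before this hunk, so where the string ends up should be confirmed there.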
@@ -70,6 +73,32 @@ in {
Mutually exclusive with psk.
'';
};
+
+ auth = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = ''
+ key_mgmt=WPA-EAP
+ eap=PEAP
+ identity="user@example.com"
+ password="secret"
+ '';
+ description = ''
+ Use this option to configure advanced authentication methods like EAP.
+ See wpa_supplicant.conf(5) for example configurations.
+
+ Mutually exclusive with psk and pskRaw.
+ '';
+ };
+
+ hidden = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Set this to true if the SSID of the network is hidden.
+ '';
+ };
+
priority = mkOption {
type = types.nullOr types.int;
default = null;
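Review bot: The `hidden` description does not say what the option changes in the generated block; per the first hunk it emits `scan_ssid=1`. With that setting wpa_supplicant scans using probe requests that name the SSID, so the client announces the network name wherever it scans. A user deciding whether to enable it should see that in the description. Suggested wording: `Set this to true if the SSID of the network is hidden. This adds scan_ssid=1, which makes the client send probe requests containing the SSID.` The option set continues outside the hunk.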
@@ -83,6 +112,19 @@ in {
policy, signal strength, etc.
'';
};
+
+ extraConfig = mkOption {
+ type = types.str;
+ default = "";
+ example = ''
+ bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
+ '';
+ description = ''
+ Extra configuration lines appended to the network block.
+ See wpa_supplicant.conf(5) for available options.
+ '';
+ };
+
};
});
description = ''
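Review bot: `extraConfig` is typed `types.str`, so two modules that set it differently for the same network produce a conflicting-definitions error; `type = types.lines;` would concatenate them instead. The description should also say that the text is inserted after the generated authentication lines (`${extraConfig}` in the first hunk) and is not covered by the `psk`/`pskRaw`/`auth` exclusivity assertion. A `psk=` or `key_mgmt=` line placed here would sit next to the generated one unchecked, so such settings belong in the dedicated options.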
@@ -128,8 +170,8 @@ in {
config = mkIf cfg.enable {
assertions = flip mapAttrsToList cfg.networks (name: cfg: {
- assertion = cfg.psk == null || cfg.pskRaw == null;
- message = ''networking.wireless."${name}".psk and networking.wireless."${name}".pskRaw are mutually exclusive'';
+ assertion = with cfg; count (x: x != null) [ psk pskRaw auth ] <= 1;
+ message = ''options networking.wireless."${name}".{psk,pskRaw,auth} are mutually exclusive'';
});
environment.systemPackages = [ pkgs.wpa_supplicant ];
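Review bot: The assertion message names `networking.wireless."${name}".{psk,pskRaw,auth}`, but the assertion iterates `cfg.networks`. The options the user has to fix therefore presumably live under `networking.wireless.networks."${name}"`, assuming `cfg` is `config.networking.wireless`, which is defined outside this hunk. Suggested: `message = ''options networking.wireless.networks."${name}".{psk,pskRaw,auth} are mutually exclusive'';`. The `config = mkIf cfg.enable {` block continues past the hunk.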