diff --git a/clanModules/wifi/roles/default.nix b/clanModules/wifi/roles/default.nix index 04ad9e6a9..1e524da12 100644 --- a/clanModules/wifi/roles/default.nix +++ b/clanModules/wifi/roles/default.nix @@ -1,21 +1,22 @@ -{ lib, config, ... }: +{ + lib, + config, + pkgs, + ... +}: let cfg = config.clan.wifi; - secret_path = ssid: config.clan.core.vars.generators."iwd.${ssid}".files.password.path; + secret_path = + network_name: config.clan.core.vars.generators."iwd.${network_name}".files.password.path; + ssid_path = network_name: config.clan.core.vars.generators."iwd.${network_name}".files.ssid.path; secret_generator = name: value: { - name = "iwd.${value.ssid}"; + name = "iwd.${name}"; value = { - script = '' - config=" - [Settings] - AutoConnect=${if value.AutoConnect then "true" else "false"} - [Security] - Passphrase=$(cat $prompts/password) - " - echo "$config" > $out/password - ''; + prompts.ssid.type = "line"; + prompts.ssid.createFile = true; prompts.password.type = "hidden"; + prompts.password.createFile = true; share = true; }; }; @@ -26,15 +27,15 @@ in visible = false; type = lib.types.attrsOf ( lib.types.submodule ( - { name, ... }: + { ... }: { options = { - ssid = lib.mkOption { - type = lib.types.str; - default = name; - description = "The name of the wifi network"; + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Enable this wifi network"; }; - AutoConnect = lib.mkOption { + autoConnect = lib.mkOption { type = lib.types.bool; default = true; description = "Automatically try to join this wifi network"; 
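Review bot: In the first hunk `secret_generator` still takes `name: value:` but no longer reads `value`, now that the SSID and the AutoConnect flag have moved out of the generator; `name: _value:` would make that explicit. The attribute name used to double as the default SSID and is now only a label, so a short comment above the generator would help, e.g. `# SSID and passphrase are both prompted; the attribute name only keys the generator and its files`. It is also worth stating in that comment that `share = true` now covers the SSID file as well as the passphrase.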
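Review bot: The new `enable` option in the second hunk is not consulted anywhere in the visible diff. Both `lib.mapAttrs' secret_generator cfg.networks` and the ExecStartPre loop in the following hunk iterate over every entry of `cfg.networks`, so a network with `enable = false` would apparently still be prompted for and still get a `.psk` file containing its passphrase. Unless filtering happens outside this diff, iterate over `lib.filterAttrs (_: n: n.enable) cfg.networks` in both places. The submodule body continues past the end of the hunk.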
@@ -50,14 +51,40 @@ in config = lib.mkMerge [ (lib.mkIf (cfg.networks != { }) { - # Systemd tmpfiles rule to create /var/lib/iwd/example.pswd.${ssid}k file - systemd.tmpfiles.rules = lib.mapAttrsToList ( - _: value: ''C "/var/lib/iwd/${value.ssid}.psk" 0600 root root - ${secret_path value.ssid}'' - ) cfg.networks; clan.core.vars.generators = lib.mapAttrs' secret_generator cfg.networks; systemd.services.iwd.partOf = [ "nixos-activation.service" ]; + + /* + script that generates iwd config files inside /var/lib/iwd/clan and symlinks + them to /var/lib/iwd. + */ + systemd.services.iwd.serviceConfig.ExecStartPre = pkgs.writeShellScript "clan-iwd-setup" '' + set -e + + rm -rf /var/lib/iwd/clan + mkdir -p /var/lib/iwd/clan + + # remove all existing symlinks in /var/lib/iwd + ${pkgs.findutils}/bin/find /var/lib/iwd -type l -exec rm {} \; + + ${toString ( + lib.mapAttrsFlatten (name: network: '' + passwd=$(cat "${secret_path name}") + ssid=$(cat "${ssid_path name}") + echo " + [Settings] + autoConnect=${if network.autoConnect then "true" else "false"} + [Security] + Passphrase=$passwd + " > "/var/lib/iwd/clan/$ssid.psk" + '') cfg.networks + )} + + # link all files in /var/lib/iwd/clan to /var/lib/iwd + ${pkgs.findutils}/bin/find /var/lib/iwd/clan -type f -exec ln -s {} /var/lib/iwd \; + ''; }) { # disable wpa supplicant @@ -74,7 +101,7 @@ in EnableIPv6 = true; RoutePriorityOffset = 300; }; - Settings.AutoConnect = true; + Settings.autoConnect = true; }; }; }
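Review bot: The generated `.psk` files are created with whatever umask the unit inherits, whereas the removed tmpfiles rule pinned them to `0600 root root`, so the passphrase's confidentiality now rests on the mode of /var/lib/iwd alone; adding `umask 077` right after `set -e` restores the explicit guarantee. `$ssid` is read from a prompted file and used unchecked as a file name by a script that runs as root, so a value containing `/` would be written outside /var/lib/iwd/clan. iwd.network(5) also only accepts plain file names for SSIDs made of alphanumerics, space, `_` and `-`, with others needing the `=<hex>` form; the fence below rejects anything else. Separately, iwd.network(5) spells the key `AutoConnect`; if iwd matches keys case-sensitively, the new `autoConnect=` line is ignored and `autoConnect = false` silently has no effect, which would also apply to `Settings.autoConnect` in the final hunk.

```nix
systemd.services.iwd.serviceConfig.ExecStartPre = pkgs.writeShellScript "clan-iwd-setup" ''
  set -e
  # keep every generated passphrase file private to root, as the old tmpfiles rule did
  umask 077

  # … unchanged: recreate /var/lib/iwd/clan and remove old symlinks …

  ${toString (
    lib.mapAttrsFlatten (name: network: ''
      passwd=$(cat "${secret_path name}")
      ssid=$(cat "${ssid_path name}")
      # only SSIDs that iwd stores under their plain name are supported here
      case "$ssid" in
        "" | *[!A-Za-z0-9_\ -]*)
          echo "clan-iwd-setup: unsupported SSID for network ${name}" >&2
          exit 1
          ;;
      esac
      # … unchanged: write [Settings]/[Security] to /var/lib/iwd/clan/$ssid.psk,
      #   with the key spelled AutoConnect= …
    '') cfg.networks
  )}

  # … unchanged: link the generated files into /var/lib/iwd …
```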