From d9eaddc9dbd82aeb61edf2bd568e23e36fb37bb0 Mon Sep 17 00:00:00 2001
From: Chris Toph
Date: Mon, 16 Jun 2025 14:13:05 -0400
Subject: [PATCH] Enhance ISO configuration: add ARM-specific options and update system settings; ensure no password conflicts for users
---
 iso/default.nix | 26 +++++++++++++++++++-------
 iso/not-secrets.nix | 4 ++++
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/iso/default.nix b/iso/default.nix
index f20129d..ccd76b5 100644
--- a/iso/default.nix
+++ b/iso/default.nix
@@ -8,15 +8,17 @@
 ...
 }:
 {
- # ISO settings
+ ## ISO ##
 isoImage = {
 isoName = lib.mkForce "nixos-${config.hostSpec.hostName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
 makeEfiBootable = true;
 makeUsbBootable = true;
 compressImage = false;
+ squashfsCompression = lib.mkIf isARM "gzip";
+ includeSystemBuildDependencies = lib.mkIf isARM false;
 };
- # Enable root SSH access
+ ## SSH & NETWORK ##
 services.openssh = {
 enable = true;
 settings = {
@@ -31,7 +33,7 @@
 enableIPv6 = false;
 };
- # Extra pkgs; iso tools
+ ## PKGS ##
 environment.systemPackages = with pkgs; [
 parted
 gptfdisk
@@ -39,11 +41,10 @@
 gparted
 ];
- # VM guest additions to improve host-guest interaction
+ ## VM additions ##
 services.spice-vdagentd.enable = true;
 services.qemuGuest.enable = true;
 virtualisation.vmware.guest.enable = pkgs.stdenv.hostPlatform.isx86;
- # https://github.com/torvalds/linux/blob/00b827f0cffa50abb6773ad4c34f4cd909dae1c8/drivers/hv/Kconfig#L7-L8
 virtualisation.hypervGuest.enable = pkgs.stdenv.hostPlatform.isx86 || pkgs.stdenv.hostPlatform.isAarch64;
 services.xe-guest-utilities.enable = pkgs.stdenv.hostPlatform.isx86;
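Review bot: In the `@@ -8,15 +8,17 @@` hunk of iso/default.nix the heading `## SSH & NETWORK ##` replaces `# Enable root SSH access`, so the file no longer says that the image accepts root logins over SSH, which is the first thing someone auditing an installer image looks for in this block. I would keep that fact in the new heading, e.g. `## SSH & NETWORK ## (root SSH login enabled for the installer)`, assuming the `settings` block still does what the old comment described; that block continues outside the hunk. The two added `lib.mkIf isARM` lines also depend on `isARM` already being bound, since no hunk in this patch touches the lines above line 8 where the module arguments are declared.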
@@ -51,9 +52,20 @@
 # which lags behind kernel releases, potentially causing broken builds.
 virtualisation.virtualbox.guest.enable = false;
- # Basic system settings
+ ## System ##
 system.stateVersion = "25.05";
 nixpkgs.hostPlatform = system;
- nixpkgs.config.allowUnsupportedSystem = true; # Cross-compilation
 users.mutableUsers = lib.mkForce true; # Allow password changes
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ nixpkgs.config = {
+ allowUnsupportedSystem = true;
+ allowUnfree = true;
+ allowBroken = false;
+ };
+
+ systemd.services = lib.mkIf isARM {
+ systemd-firstboot.enable = lib.mkForce false;
+ systemd-machine-id-commit.enable = lib.mkForce false;
+ };
 }
diff --git a/iso/not-secrets.nix b/iso/not-secrets.nix
index ad8bf1c..f885954 100644
--- a/iso/not-secrets.nix
+++ b/iso/not-secrets.nix
@@ -48,4 +48,8 @@ in
 };
 };
 };
+
+ # Override the installation-cd defaults to prevent password conflicts
+ users.users.nixos.initialHashedPassword = lib.mkForce null;
+ users.users.root.initialHashedPassword = lib.mkForce null;
 }
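Review bot: `allowUnfree = true` in the new `nixpkgs.config` block of the `@@ -51,9 +52,20 @@` hunk lifts the licence gate for every package in the image, and nothing visible in this patch adds an unfree package that would need it. Unfree packages are often prebuilt binaries, so if one specific package is the reason, an allow-list keeps the gate closed for everything else: `allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "<package-name>" ];`. The `# Cross-compilation` comment on `allowUnsupportedSystem` was dropped in the move and is worth carrying over. The two `lib.mkForce false` overrides under `systemd.services` would also benefit from a one-line comment saying what breaks on ARM without them.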
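Review bot: In the iso/not-secrets.nix hunk the new comment says the installation-cd defaults are overridden but not which setting then decides how `nixos` and `root` authenticate, and with both `initialHashedPassword` values forced to `null` that depends entirely on lines outside this hunk. As far as I know the installer profile defaults both accounts to an empty password hash, so the override changes login behaviour and not only an evaluation conflict. I would expand the comment to name the replacement, e.g. `# installation-cd sets an empty initialHashedPassword; force null so only <password option set in this file> applies`, and confirm that `root` ends up with the intended credential, given that iso/default.nix was documented as enabling root SSH access. The enclosing attribute set starts above the hunk.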