Generate NixOS ISO with secrets deployed

I would like to create my own custom NixOS ISO. I know about the installer modules so I just import the modules = [ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" ]; module and I can build my ISO. The problem is that I would like to be able to include a private SSH-key on the ISO without including the private key in the nix store. The only way I can currently think about a solution for this is to make a script which unpackages the iso and squashfs image, add a root home catalog and copies over my private key. Then it bundles together the squashfs file system and rebuilds to a bootable iso. And doing all that in a temporary directory which does not add anything to the nix store.

Is this the way to do it or is there a simpler way that I have overlooked?

You can use isoImage.contents for that:

This is sadly not available in the generated documentation since this module is not imported by default.

Yes that is a nice option, but it would still put the secrets in the nix store right? So you basically cannot generate the final ISO through nix.

Yeah, this will put the secrets in the Nix store but only at build time on your build host since it needs to be available in the sandbox. The contents shouldn’t be in the store of the final ISO image though IIRC.

The only other issue that might be relevant is that you cannot modify their permissions. You could use boot.postBootCommands for that at runtime. But then again, with access to the ISO extracting the secrets from the ISO is trivial even with permissions in place. Furthermore, if you use the installer profile the root account is not secured anyway.

Another option would be to write your own version of