From 8e8dd928be5602b125ab59cf6cb7244adc92a4cf Mon Sep 17 00:00:00 2001
From: Nickolaj Jepsen
Date: Sat, 13 Dec 2025 19:31:56 +0100
Subject: [PATCH] feat: update bootstrap image
---
 hosts/bootstrap/configuration.nix | 76 +++++++++++++++++++++++++-
 hosts/bootstrap/disk-configuration.nix | 7 +++
 hosts/default.nix | 9 ++-
 justfile | 33 +++++++++++
 4 files changed, 117 insertions(+), 8 deletions(-)
 create mode 100644 hosts/bootstrap/disk-configuration.nix
diff --git a/hosts/bootstrap/configuration.nix b/hosts/bootstrap/configuration.nix
index b4053da..b5b39a5 100644
--- a/hosts/bootstrap/configuration.nix
+++ b/hosts/bootstrap/configuration.nix
@@ -1,5 +1,75 @@
-{username, ...}: {
- networking.wireless.enable = false;
+{
+ pkgs,
+ lib,
+ inputs,
+ ...
+}: {
+ # Minimal system without desktop or dev tools
+ fireproof.desktop.enable = false;
+ fireproof.dev.enable = false;
+ fireproof.work.enable = false;
+ fireproof.homelab.enable = false;
+
+ # Use the nixos installation ISO as base
+ imports = [
+ "${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
+ ];
+
+ # Disable systemd-boot as we're using ISO bootloader
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ # Enable SSH for remote installation
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = lib.mkForce "yes";
+ PasswordAuthentication = lib.mkForce true;
+ KbdInteractiveAuthentication = lib.mkForce true;
+ };
+ };
+
+ # Set a root password for the live environment (override the ISO's empty password)
+ users.users.root = {
+ initialHashedPassword = lib.mkForce null;
+ initialPassword = lib.mkForce "nixos";
+ };
+
+ # Networking
 networking.networkmanager.enable = true;
- users.users.${username}.extraGroups = ["networkmanager"];
+ networking.wireless.enable = lib.mkForce false; # Conflicts with networkmanager
+
+ # Installation tools
+ environment.systemPackages = with pkgs; [
+ # Disk tools
+ gptfdisk
+ parted
+ cryptsetup
+ btrfs-progs
+ dosfstools
+ ntfs3g
+
+ # NixOS installation
+ nixos-install-tools
+
+ # Network tools
+ wget
+ curl
+ git
+
+ # Editors
+ vim
+ nano
+
+ # System tools
+ htop
+ pciutils
+ usbutils
+ lsof
+
+ # Hardware detection
+ nixos-facter
+ ];
+
+ # System state version (use mkForce to override the default)
+ system.stateVersion = lib.mkForce "25.11";
 }
diff --git a/hosts/bootstrap/disk-configuration.nix b/hosts/bootstrap/disk-configuration.nix
new file mode 100644
index 0000000..ff797be
--- /dev/null
+++ b/hosts/bootstrap/disk-configuration.nix
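Review bot: In hosts/bootstrap/configuration.nix, the `services.openssh` settings combined with `initialPassword = lib.mkForce "nixos"` mean every booted copy of this image accepts root SSH logins with a password that is published in the repository. With NetworkManager enabled, a wired interface will presumably come up on its own, so the window opens as soon as the stick boots on any network. `initialPassword` values are also kept in the world-readable Nix store. Key-only access keeps remote installation working without that exposure: set `PermitRootLogin = lib.mkForce "prohibit-password";` and `PasswordAuthentication = lib.mkForce false;`, and list the installer's public key under `users.users.root.openssh.authorizedKeys.keys`. If password login has to stay, a comment next to the password stating that the ISO is only meant for a trusted, isolated network would document the assumption.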
@@ -0,0 +1,7 @@
+# Bootstrap disk configuration
+# This is a placeholder - the ISO doesn't use disko for its own disk
+# but disko is available for formatting target systems
+_: {
+ # No disko configuration needed for the live USB
+ # The installation medium uses the standard ISO layout
+}
diff --git a/hosts/default.nix b/hosts/default.nix
index 1ed31b1..071471c 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -57,11 +57,6 @@ with lib; let
 );
 in {
 config.flake.nixosConfigurations = {
- bootstrap = mkSystem {
- hostname = "bootstrap";
- username = "nixos";
- };
-
 laptop = mkSystem {
 hostname = "laptop";
 username = "nickolaj";
@@ -78,5 +73,9 @@ in {
 hostname = "homelab";
 username = "nickolaj";
 };
+ bootstrap = mkSystem {
+ hostname = "bootstrap";
+ username = "nickolaj";
+ };
 };
 }
diff --git a/justfile b/justfile
index 986b1a6..57c301b 100644
--- a/justfile
+++ b/justfile
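Review bot: In hosts/default.nix the bootstrap entry now passes `username = "nickolaj"` to `mkSystem`, while the rewritten configuration.nix no longer takes `username` at all, so whatever `mkSystem` provisions for that account becomes part of the live image. `mkSystem` is defined outside these hunks; if it wires in per-user secrets or SSH keys, they would be built into removable media that also permits password root login. This is worth confirming and recording in a comment above the entry, for example `# bootstrap: username only selects shared modules; no user secrets are built into the ISO`, if that is indeed the case.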
@@ -79,6 +79,39 @@ disko-install hostname disk:
 iso hostname:
 {{ nixcmd }} build .#nixosConfigurations.{{ hostname }}.config.formats.install-iso
 
+[doc('Build the bootstrap ISO for USB installation')]
+[group('deploy')]
+bootstrap-iso:
+ @echo "Building bootstrap ISO..."
+ {{ nixcmd }} build .#nixosConfigurations.bootstrap.config.system.build.isoImage {{ nix_output_monitor }}
+ @echo "ISO built: $(ls -1 result/iso/*.iso)"
+
+[doc('Flash the bootstrap ISO to a USB drive')]
+[group('deploy')]
+bootstrap-flash device:
+ #!/usr/bin/env -S bash -e
+ if [ ! -b "{{ device }}" ]; then
+ echo "Error: {{ device }} is not a block device"
+ exit 1
+ fi
+
+ # Build the ISO first if needed
+ if [ ! -d "result/iso" ]; then
+ just bootstrap-iso
+ fi
+
+ iso_file=$(ls -1 result/iso/*.iso | head -1)
+ echo "Flashing $iso_file to {{ device }}..."
+ echo "WARNING: This will ERASE ALL DATA on {{ device }}"
+ read -p "Are you sure? (y/N) " -n 1 -r
+ echo
+ if [[ $REPLY =~ ^[Yy]$ ]]; then
+ sudo dd if="$iso_file" of="{{ device }}" bs=4M status=progress oflag=sync
+ echo "Done! You can now boot from {{ device }}"
+ else
+ echo "Aborted"
+ fi
+
 [doc('Runs (r)age with yubikey identity')]
 [group('secret')]
 age *ARGS="--help":
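Review bot: In `bootstrap-flash`, the `-b` test is the only guard before `sudo dd`, so a mistyped path that points at a mounted disk or the machine's own system disk is accepted and overwritten after a single keypress; refusing any device with mounted filesystems would catch the common slip. The `[ ! -d "result/iso" ]` test also means an existing `result` link is flashed as-is, even when it is stale or was produced by another target (the `iso hostname` recipe above appears to write to the same out-link). Because Nix caches the build, calling `just bootstrap-iso` unconditionally costs little. Separately, `{{ device }}` is substituted textually into the script, so declaring the parameter as `$device` and using `"$device"` in the body would keep the argument from being re-evaluated by the shell.

```just
bootstrap-flash device:
    #!/usr/bin/env -S bash -e
    # … unchanged: block-device check …

    # Refuse a disk that has anything mounted (e.g. the running system's disk)
    if lsblk -nro MOUNTPOINT "{{ device }}" | grep -q .; then
        echo "Error: {{ device }} has mounted filesystems"
        exit 1
    fi

    # Always rebuild: result/ may be stale or belong to another target
    just bootstrap-iso
    # … unchanged: iso_file lookup, confirmation prompt, dd …
```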