orphanage/flake.nix

{
  description = "The simple provisioning service";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixos-generators, ... }:
    let
      lastModifiedDate = self.lastModifiedDate or self.lastModified or "19700101";
      version = builtins.substring 0 8 lastModifiedDate;
      supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
    in
    {
      packages = forAllSystems (system:
        let
          pkgs = nixpkgsFor.${system};
          clientPackage = pkgs.buildGoModule {
            pname = "client";
            inherit version;
            src = ./client;
            vendorHash = null;
          };
        in
        {
          default = clientPackage;
          boot-env-iso = nixos-generators.nixosGenerate {
            inherit system;
            format = "iso";
            modules = [
              ({modulesPath, ...}: {
                imports = [
                  (modulesPath + "/profiles/minimal.nix")
                  (modulesPath + "/profiles/base.nix")
                ];

                system.stateVersion = "25.05";

                # Disable unneeded features
                ##boot.loader.grub.enable = true; # Not needed as iso-image.nix in modulesPath defines these and cause conflict 
                ##boot.loader.grub.device = "nodev";
                documentation.enable = false;
                fonts.fontconfig.enable = false;
                services.udisks2.enable = false;

                networking.firewall.enable = false; # Technically we COULD use the firewall, but given that this is a network-dependent, one-time-use service, it would cause more issues

                services.getty.autologinUser = "root";

                environment.systemPackages = [ clientPackage ];
                environment.etc."profile.local".text = ''
                  client
                '';

                isoImage.squashfsCompression = "gzip -Xcompression-level 1";
            })
          ];
        };
        });

        devShells = forAllSystems (system:
          let
            pkgs = nixpkgsFor.${system};
          in
          {
            default = pkgs.mkShell {
              hardeningDisable = [ "fortify" ];
              buildInputs = [
                pkgs.bashInteractive
                pkgs.go
                pkgs.delve
                pkgs.qemu_kvm
              ];
            };
          });
    };
}