diff --git a/iso/build-iso.sh b/iso/build-iso.sh
new file mode 100644
index 0000000..2586426
--- /dev/null
+++ b/iso/build-iso.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+NIXPKGS=$(nix-build nixpkgs.nix)
+
+nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
diff --git a/iso/configuration.nix b/iso/configuration.nix
new file mode 100644
index 0000000..ab5ce0b
--- /dev/null
+++ b/iso/configuration.nix
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+
+let
+ dgn-lib = import ../lib/trivial.nix;
+
+ dgn-members = (import ../meta).members.groups.iso;
+in
+
+{
+ boot = {
+ blacklistedKernelModules = [ "snd_pcsp" ];
+ kernelPackages = pkgs.linuxPackages_6_1;
+ tmp.cleanOnBoot = true;
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ supportedFilesystems = [
+ "exfat"
+ "zfs"
+ ];
+ };
+
+ services = {
+ openssh.enable = true;
+ };
+
+ users.users.root.openssh.authorizedKeys.keyFiles =
+ builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys") dgn-members;
+}
diff --git a/iso/nixpkgs.nix b/iso/nixpkgs.nix
new file mode 100644
index 0000000..73a6d6a
--- /dev/null
+++ b/iso/nixpkgs.nix
@@ -0,0 +1,5 @@
+let
+ inherit (import ../npins) nixpkgs;
+in
+
+(import nixpkgs { }).srcOnly { name = "nixpkgs-for-iso"; src = nixpkgs; }
diff --git a/meta/members.nix b/meta/members.nix
index 7097ee7..b9c6a84 100644
--- a/meta/members.nix
+++ b/meta/members.nix
@@ -26,6 +26,9 @@ let
 # members of this group are root on web nodes
 web = [ "mdebray" "raito" ];
+
+ # members of this group will have root acces on the installation isos
+ iso = [ "thubrecht" "mdebray" "raito" ];
 };
 in
diff --git a/shell.nix b/shell.nix
index bd90833..bcef228 100644
--- a/shell.nix
+++ b/shell.nix
@@ -43,6 +43,7 @@ pkgs.mkShell {
 packages = with pkgs; [
 npins
 colmena
+ nixos-generators
 ] ++ (builtins.map (p: callPackage p { }) [
 (sources.disko + "/package.nix")
 ]);
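Review bot: In iso/build-iso.sh, `-I NIX_PATH="$NIXPKGS"` looks like it adds a search-path entry named `NIX_PATH` rather than `nixpkgs`, so the npins-pinned tree built on the line above may not be the one the image is evaluated against. If the pin is meant to apply, the argument should presumably read `-I nixpkgs="$NIXPKGS"`. The script also lacks `set -euo pipefail`, so a failed `nix-build` leaves `NIXPKGS` empty and `nixos-generate` still runs, silently using whatever nixpkgs the caller's environment provides. Both file arguments are relative, so the script only works when run from inside iso/; a `cd "$(dirname "$0")"` at the top would remove that assumption.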
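Review bot: In iso/configuration.nix, `openssh.enable = true;` is set with no authentication policy beside the root `authorizedKeys.keyFiles` line. Whether password or keyboard-interactive login is accepted on a booted ISO is therefore left to module defaults and to whatever the install-iso profile sets, neither of which is visible in this diff. Since the intent is key-only root access, I would state it explicitly: `openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };`. This may need `lib.mkForce` if the installer profile defines its own value. A short comment that sshd on the installer is reachable by anyone on the boot network would also help the next reader.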
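Review bot: In iso/nixpkgs.nix, `import nixpkgs { }` evaluates the pinned tree with the caller's ambient nixpkgs configuration, since an empty argument set lets user-level config and overlays be picked up. For a reproducible installer image I would pin those as well: `(import nixpkgs { config = { }; overlays = [ ]; }).srcOnly { ... }`. A one-line comment explaining why the source is re-wrapped with `srcOnly` instead of passing the npins path directly would also make the file easier to audit.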
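Review bot: The comment added above `iso` in meta/members.nix misspells "access" and omits that this list is consumed at image build time. iso/configuration.nix maps it to key files for root, so an ISO that is already built keeps the old key set after a member is removed here. I would write `# members of this group have root access on the installation ISOs; keys are embedded at build time, so rebuild and retire old images after changing this list`. The enclosing attribute set and `let` begin outside the hunk.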