Well you're really feeding my Nix confirmation bias here. I used to use Ansible with my dot files to configure my personal computers to make it easy to get set up on a new machine or server shell account. But it wasn't great because I would have to remember to update my Ansible config whenever I installed stuff with my OS package manager (and usually I did not remember). Then along came Nix and Home Manager which combined package management and configuration management in exactly the way I wanted. Now my config stays in sync because editing it is how I install stuff.
Nix with either Home Manager or NixOps checks all of the benefits you listed, except arguably using a "known" programming language. What are you waiting for?
I think you can mount an ISO image under your running system and make changes. I found a couple of guides that might be helpful:
How to Mount an ISO File on Linux
Edit and repack .iso bootable image
I haven't done this before, but I think you can chroot into the mount directory, and run package manager commands in the mounted image to install another package.

Or I have an alternative suggestion that might or might not be easier. I've been hearing a lot about immutable/atomic distros, and people designing their own images. You could make your own ublue image, for example, with whatever you want on it.
A promising looking starting point is github:ublue-os/startingpoint. Ignore the "Installation" instructions, and follow the "ISO" instructions instead.
Or I recently saw an announcement of a new way to build atomic images that is supposed to be easier than ever, BlueBuild.