Fix dnsmasq not responding to PXE clients and seed iPXE binaries

Remove tag:known filter from dhcp-range — in proxy DHCP mode the tag
filter prevents responses. dhcp-ignore=tag:!known still filters
unknown hosts. Also copy ipxe.efi and undionly.kpxe from the system
ipxe package into the TFTP root at startup so clients can actually
download the bootloader.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/pxe/supervisor.go

@@ -3,6 +3,7 @@ package pxe
 import (
 	"context"
 	"fmt"
+	"io"
 	"log"
 	"os"
 	"os/exec"
@@ -44,6 +45,7 @@ func (s *Supervisor) Start(ctx context.Context, hosts []model.Host) error {
 	if err := os.MkdirAll(s.cfg.TFTPRoot, 0o755); err != nil {
 		return fmt.Errorf("pxe: create tftp root: %w", err)
 	}
+	s.seedIPXE()
 	if err := s.writeConfig(hosts); err != nil {
 		return err
 	}
@@ -133,6 +135,40 @@ func (s *Supervisor) startProcess(ctx context.Context) error {
 	return nil
 }
 
+var ipxeFiles = []struct{ src, dst string }{
+	{"/usr/lib/ipxe/undionly.kpxe", "undionly.kpxe"},
+	{"/usr/lib/ipxe/ipxe.efi", "ipxe.efi"},
+}
+
+func (s *Supervisor) seedIPXE() {
+	for _, f := range ipxeFiles {
+		dst := filepath.Join(s.cfg.TFTPRoot, f.dst)
+		if _, err := os.Stat(dst); err == nil {
+			continue
+		}
+		if err := copyFile(f.src, dst); err != nil {
+			log.Printf("pxe: copy %s → %s: %v", f.src, dst, err)
+		} else {
+			log.Printf("pxe: seeded %s", f.dst)
+		}
+	}
+}
+
+func copyFile(src, dst string) error {
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+	out, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+	_, err = io.Copy(out, in)
+	return err
+}
+
 type dnsmasqConf struct {
 	Interface  string
 	Subnet     string
@@ -147,7 +183,7 @@ port=0
 interface={{.Interface}}
 bind-interfaces
 
-dhcp-range=tag:known,{{.Subnet}},proxy
+dhcp-range={{.Subnet}},proxy
 dhcp-hostsfile={{.HostsFile}}
 dhcp-ignore=tag:!known