Switch to pxe-service for proxy DHCP boot and restore host filtering

dhcp-boot alone does not send PXE vendor extensions (option 43) that
PXE clients need in proxy DHCP mode. Switch to pxe-service directives
for initial PXE boot, keep dhcp-boot only for iPXE chainloading.
Create .0 symlinks for pxe-service filename convention. Restore
dhcp-ignore=tag:!known filtering.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/pxe/supervisor.go

@@ -140,6 +140,11 @@ var ipxeFiles = []struct{ src, dst string }{
 	{"/usr/lib/ipxe/ipxe.efi", "ipxe.efi"},
 }
 
+var ipxeSymlinks = []struct{ target, link string }{
+	{"undionly.kpxe", "undionly.0"},
+	{"ipxe.efi", "ipxe.0"},
+}
+
 func (s *Supervisor) seedIPXE() {
 	for _, f := range ipxeFiles {
 		dst := filepath.Join(s.cfg.TFTPRoot, f.dst)
@@ -152,6 +157,15 @@ func (s *Supervisor) seedIPXE() {
 			log.Printf("pxe: seeded %s", f.dst)
 		}
 	}
+	for _, l := range ipxeSymlinks {
+		link := filepath.Join(s.cfg.TFTPRoot, l.link)
+		if _, err := os.Lstat(link); err == nil {
+			continue
+		}
+		if err := os.Symlink(l.target, link); err != nil {
+			log.Printf("pxe: symlink %s → %s: %v", l.link, l.target, err)
+		}
+	}
 }
 
 func copyFile(src, dst string) error {
@@ -185,20 +199,18 @@ bind-interfaces
 
 dhcp-range={{.Subnet}},proxy
 dhcp-hostsfile={{.HostsFile}}
+dhcp-ignore=tag:!known
 
 enable-tftp
 tftp-root={{.TFTPRoot}}
 
-# Legacy BIOS
+# PXE boot menu (timeout 0 = boot immediately)
-dhcp-match=set:bios,option:client-arch,0
+pxe-prompt="Provisioning",0
-dhcp-boot=tag:bios,undionly.kpxe
+pxe-service=x86PC,"Provisioning",undionly
+pxe-service=X86-64_EFI,"Provisioning",ipxe
 
-# UEFI
+# iPXE chainload: once iPXE boots, serve HTTP script
-dhcp-match=set:efi64,option:client-arch,7
+dhcp-userclass=set:ipxe,iPXE
-dhcp-boot=tag:efi64,ipxe.efi
-
-# iPXE user-class: chain to HTTP script
-dhcp-match=set:ipxe,option:user-class,iPXE
 dhcp-boot=tag:ipxe,{{.PublicURL}}/ipxe/${mac:hexhyp}
 
 log-dhcp