From 026923075ce28d12e3f407a161bc1c75d69f7d96 Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Sat, 18 Apr 2026 15:35:24 -0400
Subject: [PATCH] pxe: disable systemd-firstboot so the live image doesn't
 prompt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

systemd-firstboot.service is an interactive wizard that asks for
locale, timezone, and root password when /etc/machine-id isn't
populated — i.e. every PXE boot of a mkosi-built image. It sits on
sysinit.target waiting for input that will never arrive, blocking
the agent service and every other downstream unit indefinitely.

systemd.firstboot=off on the kernel cmdline is the documented kill
switch; no image-side changes needed.
---
 internal/pxe/ipxe.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/internal/pxe/ipxe.go b/internal/pxe/ipxe.go
index 25079aa..b488898 100644
--- a/internal/pxe/ipxe.go
+++ b/internal/pxe/ipxe.go
@@ -56,6 +56,13 @@ func BuildScript(p IPXEParams) string {
 		// tee to ttyS0 if the port exists, we just don't spawn
 		// a login prompt there.
 		"systemd.mask=serial-getty@ttyS0.service",
+		// systemd-firstboot.service is the interactive "first boot
+		// wizard" (locale/timezone/root-password prompts). In a
+		// PXE live image there's no operator at the console to
+		// answer, so it blocks sysinit.target forever and the
+		// agent never comes up. systemd.firstboot=off short-
+		// circuits it entirely.
+		"systemd.firstboot=off",
 	)
 
 	var b strings.Builder