diff --git a/live-image/mkosi.postinst b/live-image/mkosi.postinst
index e301a0e..316805f 100755
--- a/live-image/mkosi.postinst
+++ b/live-image/mkosi.postinst
@@ -9,6 +9,15 @@ mkdir -p "$BUILDROOT/etc/systemd/system/multi-user.target.wants"
 ln -sf /etc/systemd/system/vetting-agent.service \
     "$BUILDROOT/etc/systemd/system/multi-user.target.wants/vetting-agent.service"
 
+# Mask systemd-firstboot.service so the image never prompts for
+# locale/timezone/root-password on boot, regardless of kernel cmdline.
+# mkosi ships /etc/machine-id empty, which is what triggers the
+# wizard; without this mask the service blocks sysinit.target
+# indefinitely and nothing downstream (agent, ssh, network-online)
+# ever starts. Kernel-cmdline systemd.firstboot=off is belt; this
+# is braces.
+ln -sf /dev/null "$BUILDROOT/etc/systemd/system/systemd-firstboot.service"
+
 # Bootable=no means mkosi won't run update-initramfs for us, and the
 # deferred initramfs-tools trigger inside the chroot doesn't actually
 # generate /boot/initrd.img-<kver>. Do it explicitly so the top-level