live-image: mask systemd-firstboot at image-build time

Belt-and-braces for the kernel-cmdline systemd.firstboot=off fix.
mkosi ships /etc/machine-id empty, which triggers firstboot's
interactive locale/timezone/root-password prompt on every PXE boot;
with the agent running unattended there's nobody to answer and
sysinit.target blocks indefinitely.

Mask via a /dev/null symlink in /etc/systemd/system so the service
is unstartable regardless of cmdline — rules out the failure mode
where an older orchestrator binary serves an iPXE script without
the off-switch arg.

live-image/mkosi.postinst

@@ -9,6 +9,15 @@ mkdir -p "$BUILDROOT/etc/systemd/system/multi-user.target.wants"
 ln -sf /etc/systemd/system/vetting-agent.service \
     "$BUILDROOT/etc/systemd/system/multi-user.target.wants/vetting-agent.service"
 
+# Mask systemd-firstboot.service so the image never prompts for
+# locale/timezone/root-password on boot, regardless of kernel cmdline.
+# mkosi ships /etc/machine-id empty, which is what triggers the
+# wizard; without this mask the service blocks sysinit.target
+# indefinitely and nothing downstream (agent, ssh, network-online)
+# ever starts. Kernel-cmdline systemd.firstboot=off is belt; this
+# is braces.
+ln -sf /dev/null "$BUILDROOT/etc/systemd/system/systemd-firstboot.service"
+
 # Bootable=no means mkosi won't run update-initramfs for us, and the
 # deferred initramfs-tools trigger inside the chroot doesn't actually
 # generate /boot/initrd.img-<kver>. Do it explicitly so the top-level