diff --git a/deploy/install.sh b/deploy/install.sh
index 60a83b6..0779736 100755
--- a/deploy/install.sh
+++ b/deploy/install.sh
@@ -15,9 +15,13 @@
 # - Build the orchestrator (this script assumes you ran
 # `make orchestrator-linux` beforehand and that bin/vetting-linux-amd64
 # exists alongside this script, or pass --binary to locate it).
-# - Install the live image or TFTP payloads — those are separate,
-# since most operators want to build them from a pinned CI artifact
-# rather than on the LXC itself.
+# - Fetch TFTP iPXE payloads (that's pxe-setup.sh's job — it also
+# writes the pxe: block of vetting.yaml with first-time args).
+#
+# When a live-image/{vmlinuz,initrd.img} is present next to this script
+# (release bundle) or under ../live-image/build/ (repo checkout), it's
+# staged into --live-dir automatically. This makes the one-liner
+# upgrade loop work end-to-end for PXE-enabled installs.
 #
 # Usage:
 # sudo ./install.sh [--binary PATH] [--config-dir /etc/vetting]
@@ -30,31 +34,41 @@ CONFIG_DIR="/etc/vetting"
 STATE_DIR="/var/lib/vetting"
 LOG_DIR="/var/log/vetting"
 ASSET_DIR="/var/lib/vetting/assets"
+LIVE_DIR="/var/lib/vetting/live"
+LIVE_IMAGE_SRC=""
 SERVICE_USER="vetting"
 usage() {
 cat <&2; usage; exit 2 ;;
+ --binary) BINARY="$2"; shift 2 ;;
+ --agent-binary) AGENT_BINARY="$2"; shift 2 ;;
+ --config-dir) CONFIG_DIR="$2"; shift 2 ;;
+ --live-dir) LIVE_DIR="$2"; shift 2 ;;
+ --live-image-src) LIVE_IMAGE_SRC="$2"; shift 2 ;;
+ -h|--help) usage; exit 0 ;;
+ *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
 esac
 done
@@ -130,6 +144,34 @@ else
 fi
 install -m 0644 "${SCRIPT_DIR}/vetting.service" /etc/systemd/system/vetting.service
 
+# Stage the live image into LIVE_DIR if we can find one. Two layouts:
+# - release bundle: ${SCRIPT_DIR}/live-image/{vmlinuz,initrd.img}
+# - repo-tree dev run: ${REPO_ROOT}/live-image/build/{vmlinuz,initrd.img}
+# Silently skipped when no source is found — operators without PXE
+# don't need it, and dev checkouts that haven't run `make live-image`
+# shouldn't fail the install.
+if [[ -z "${LIVE_IMAGE_SRC}" ]]; then
+ for cand in \
+ "${SCRIPT_DIR}/live-image" \
+ "${REPO_ROOT}/live-image/build"; do
+ if [[ -f "${cand}/vmlinuz" && -f "${cand}/initrd.img" ]]; then
+ LIVE_IMAGE_SRC="${cand}"
+ break
+ fi
+ done
+fi
+
+if [[ -n "${LIVE_IMAGE_SRC}" ]]; then
+ echo "==> staging live image from ${LIVE_IMAGE_SRC} into ${LIVE_DIR}"
+ install -d -m 0755 -o "${SERVICE_USER}" -g "${SERVICE_USER}" "${LIVE_DIR}"
+ install -m 0644 -o "${SERVICE_USER}" -g "${SERVICE_USER}" \
+ "${LIVE_IMAGE_SRC}/vmlinuz" "${LIVE_DIR}/vmlinuz"
+ install -m 0644 -o "${SERVICE_USER}" -g "${SERVICE_USER}" \
+ "${LIVE_IMAGE_SRC}/initrd.img" "${LIVE_DIR}/initrd.img"
+else
+ echo "==> no live image found (bundle/live-image or ../live-image/build); skipping live-dir staging"
+fi
+
 # Disable the distro's dnsmasq so only the orchestrator-supervised
 # instance owns DHCP/TFTP. Operators who want to keep dnsmasq for
 # something else can re-enable it after configuring a disjoint listen
@@ -141,7 +183,22 @@ fi
 systemctl daemon-reload
-cat </dev/null; then
+ echo "==> restarting vetting.service (upgrade path)"
+ systemctl reset-failed vetting.service 2>/dev/null || true
+ systemctl restart vetting.service
+ cat <
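Review bot: The staged kernel and initrd end up owned and writable by the service user (`-o "${SERVICE_USER}"` on the `install -d` for the directory and on both file copies), so a compromise of vetting.service — the orchestrator that supervises the dnsmasq DHCP/TFTP instance and presumably hands these images to PXE clients — could replace the image every booted host runs. Nothing in the hunk shows the service writing to LIVE_DIR (install.sh stages the files and runs as root), so unless it does, keep the service read-only: `install -d -m 0755 -o root -g "${SERVICE_USER}" "${LIVE_DIR}"` and `-m 0644 -o root -g "${SERVICE_USER}"` on the two file installs. The images are also copied with no integrity check beyond the `-f` existence tests, which the removed header comment sidestepped by expecting a pinned CI artifact; if the live-image build emits a SHA256SUMS next to vmlinuz/initrd.img (not visible here), verify it with `sha256sum -c` inside the staging branch before the copies. The two `install` calls also overwrite vmlinuz and initrd.img in place and separately, so a client booting mid-upgrade can pair a new kernel with an old initrd; staging into a `mktemp -d` under LIVE_DIR and `mv`-ing both files closes that, though whether anything serves LIVE_DIR while install.sh runs isn't visible here. Both if/fi blocks are complete within the hunk; SCRIPT_DIR and REPO_ROOT are set outside it.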