# Vetting live image (Phase 2 skeleton).
#
# Produces a Debian-based rootfs packaged as squashfs plus a kernel
# image, ready to be served over HTTP to iPXE. The image is deliberately
# small: only what the agent needs to run Phase 2 (the Hello / Claim /
# Heartbeat loop). Phase 4+ adds smartctl, stress-ng, fio, iperf3, etc.

[Distribution]
Distribution=debian
Release=bookworm
# non-free-firmware is where bookworm landed i915 GuC/HuC, iwlwifi,
# amdgpu, nvidia-*, realtek NIC firmware, etc. — anything we'd want
# when PXE-booting a random repaired host. Without it i915 wedges
# on Tiger Lake+ and drags the serial console with it.
#
# Belt-and-suspenders: mkosi.sources.d/debian.sources ships an
# explicit deb822 sources drop-in so the bootstrap step sees the
# component regardless of how this shorthand is interpreted by the
# mkosi version doing the build.
Repositories=main non-free-firmware

[Output]
Format=directory
Output=build

[Content]
# PXE live image — iPXE loads vmlinuz+initrd from TFTP, so the rootfs
# itself doesn't need an EFI bootloader. Bootable=no skips mkosi's
# systemd-boot/bootctl dance; we still get /vmlinuz + /initrd.img
# symlinks courtesy of the linux-image-amd64 postinst.
Bootable=no
BuildPackages=
Packages=
    systemd
    systemd-sysv
    udev
    linux-image-amd64
    live-boot
    iproute2
    iputils-ping
    openssh-server
    ca-certificates
    curl
    dmidecode
    pciutils
    usbutils
    initramfs-tools
    zstd
    # Stage binaries. Every package here backs a stage the agent runs —
    # if any one goes missing the corresponding stage now fails the run
    # (was: pass-with-skip). Keep this list in sync with agent/tests.
    smartmontools
    stress-ng
    fio
    iperf3
    lshw
    lm-sensors
    e2fsprogs
    util-linux
    # Firmware probe tooling. Without these, the Firmware stage silently
    # skips whole components (ethtool → nic, nvme-cli → nvme fallback) or
    # emits a cosmetic "not installed" warning (ipmitool → bmc).
    ipmitool
    ethtool
    nvme-cli
    # Firmware. firmware-linux-nonfree on bookworm is a thin metapackage
    # that does NOT pull i915 GuC/HuC — those live in firmware-misc-nonfree.
    # Enumerate explicitly so the blob for whatever hardware we boot on
    # actually lands in /lib/firmware and then in the initrd.
    firmware-misc-nonfree
    firmware-iwlwifi
    firmware-realtek
    firmware-amd-graphics
    firmware-intel-sound
    intel-microcode
    amd64-microcode
    firmware-linux-nonfree

[Host]
# Copy the prebuilt Go agent in from the repo root via postinst.