From 10c1d4f0d230ab58f039c069af470a081ed140a2 Mon Sep 17 00:00:00 2001 
From: alexhulbert Date: Wed, 4 Feb 2026 18:57:30 -0500 Subject: [PATCH 01/14] Remove unused files --- .dockerignore | 1 - Dockerfile | 22 ------ .../mkosi.extra/usr}/bin/lighthouse-init | 0 bob-l1/mkosi.postinst | 3 - buildernet.conf | 3 - buildernet/mkosi.build | 25 ------- buildernet/mkosi.conf | 25 ------- buildernet/mkosi.postinst | 25 ------- .../mkosi.skeleton/etc/bidding.toml.mustache | 7 -- .../etc/rbuilder.config.mustache | 74 ------------------- .../mkosi.skeleton/etc/rclone.conf.mustache | 9 --- .../etc/systemd/system/lighthouse.service | 34 --------- buildernet/render-config.sh | 31 -------- env.json.example | 23 ------ services/bin/rbuilder-init | 15 ---- services/bin/reth-sync | 17 ----- services/systemd/persistence-setup.service | 15 ---- services/systemd/rbuilder-bidding.service | 30 -------- services/systemd/rbuilder.service | 30 -------- services/systemd/reth-sync.service | 16 ---- services/systemd/reth.service | 32 -------- 21 files changed, 437 deletions(-) delete mode 120000 .dockerignore delete mode 100644 Dockerfile rename {services => bob-l1/mkosi.extra/usr}/bin/lighthouse-init (100%) delete mode 100644 buildernet.conf delete mode 100755 buildernet/mkosi.build delete mode 100644 buildernet/mkosi.conf delete mode 100755 buildernet/mkosi.postinst delete mode 100644 buildernet/mkosi.skeleton/etc/bidding.toml.mustache delete mode 100644 buildernet/mkosi.skeleton/etc/rbuilder.config.mustache delete mode 100644 buildernet/mkosi.skeleton/etc/rclone.conf.mustache delete mode 100644 buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service delete mode 100755 buildernet/render-config.sh delete mode 100644 env.json.example delete mode 100755 services/bin/rbuilder-init delete mode 100755 services/bin/reth-sync delete mode 100644 services/systemd/persistence-setup.service delete mode 100644 services/systemd/rbuilder-bidding.service delete mode 100644 services/systemd/rbuilder.service delete mode 100644 services/systemd/reth-sync.service delete mode 
100644 services/systemd/reth.service
diff --git a/.dockerignore b/.dockerignore
deleted file mode 120000
index 3e4e48b0..00000000
--- a/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-.gitignore
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 57739de9..00000000
--- a/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM ubuntu:25.04
-
-RUN apt-get update && apt-get install -y \
- curl git sudo qemu-system-x86 qemu-utils \
- debian-archive-keyring systemd-boot reprepro xz-utils
-
-RUN echo "ubuntu ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu && \
- chmod 0440 /etc/sudoers.d/ubuntu
-
-COPY --chown=ubuntu:ubuntu . /home/ubuntu/mkosi
-RUN mkdir -p /home/ubuntu/mkosi/mkosi.packages /home/ubuntu/mkosi/mkosi.cache \
- /home/ubuntu/mkosi/mkosi.builddir /home/ubuntu/mkosi/build /nix && \
- chown -R ubuntu:ubuntu /home/ubuntu/mkosi /nix
-
-USER ubuntu
-RUN curl -L https://nixos.org/nix/install | sh -s -- --no-daemon && \
- mkdir -p ~/.config/nix ~/.cache/mkosi/ && \
- echo 'experimental-features = nix-command flakes' > ~/.config/nix/nix.conf
-
-WORKDIR /home/ubuntu/mkosi
-RUN /home/ubuntu/.nix-profile/bin/nix develop -c /bin/true
-ENTRYPOINT ["/home/ubuntu/.nix-profile/bin/nix", "develop", "-c", "/bin/bash"]
\ No newline at end of file
diff --git a/services/bin/lighthouse-init b/bob-l1/mkosi.extra/usr/bin/lighthouse-init
similarity index 100%
rename from services/bin/lighthouse-init
rename to bob-l1/mkosi.extra/usr/bin/lighthouse-init
diff --git a/bob-l1/mkosi.postinst b/bob-l1/mkosi.postinst
index 7a447d03..da2abaf3 100755
--- a/bob-l1/mkosi.postinst
+++ b/bob-l1/mkosi.postinst
@@ -7,9 +7,6 @@ set -euxo pipefail
 mkosi-chroot groupadd -r eth
 mkosi-chroot useradd -r -s /bin/false -G eth lighthouse
-# Install lighthouse
-install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/"
-
 # Enable services
 mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
 for service in \
diff --git a/buildernet.conf b/buildernet.conf
deleted file mode 100644
index 41897e36..00000000
--- a/buildernet.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Include]
-Include=base/mkosi.conf
-Include=buildernet/mkosi.conf
diff --git a/buildernet/mkosi.build b/buildernet/mkosi.build
deleted file mode 100755
index 664e5043..00000000
--- a/buildernet/mkosi.build
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-source scripts/build_rust_package.sh
-
-build_rust_package \
- "lighthouse" \
- "v7.1.0" \
- "https://github.com/sigp/lighthouse.git" \
- "$LIGHTHOUSE_BINARY" \
- "" \
- "-l z -l zstd -l snappy"
-
-build_rust_package \
- "reth" \
- "v1.0.8" \
- "https://github.com/paradigmxyz/reth.git" \
- "$RETH_BINARY" \
- "jemalloc"
-
-build_rust_package \
- "rbuilder" \
- "v0.1.2" \
- "https://github.com/flashbots/rbuilder-operator.git" \
- "$RBUILDER_BINARY"
diff --git a/buildernet/mkosi.conf b/buildernet/mkosi.conf
deleted file mode 100644
index 8c840493..00000000
--- a/buildernet/mkosi.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-[Build]
-Environment=LIGHTHOUSE_BINARY RETH_BINARY RBUILDER_BINARY
-WithNetwork=true
-
-[Content]
-SkeletonTrees=buildernet/mkosi.skeleton
-PostInstallationScripts=buildernet/mkosi.postinst
-PostInstallationScripts=buildernet/render-config.sh
-BuildScripts=buildernet/mkosi.build
-
-Packages=prometheus
- prometheus-node-exporter
- prometheus-process-exporter
- rclone
- openntpd
- libsnappy1v5
- netcat-openbsd
- bubblewrap
-BuildPackages=cargo
- libleveldb-dev
- libsnappy-dev
- zlib1g-dev
- libzstd-dev
- libpq-dev
- protobuf-compiler
diff --git a/buildernet/mkosi.postinst b/buildernet/mkosi.postinst
deleted file mode 100755
index 3804cd99..00000000
--- a/buildernet/mkosi.postinst
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-# Create groups/users
-mkosi-chroot groupadd -r eth
-mkosi-chroot useradd -r -s /bin/false -G eth reth
-mkosi-chroot useradd -r -s /bin/false -G eth lighthouse
-mkosi-chroot useradd -r -s /bin/false -G eth rbuilder
-
-# Install scripts
-install -m 755 services/bin/reth-sync "$BUILDROOT/usr/bin/"
-install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/"
-install -m 755 services/bin/rbuilder-init "$BUILDROOT/usr/bin/"
-
-# Install systemd service units
-SERVICE_DIR="$BUILDROOT/etc/systemd/system"
-mkdir -p "$SERVICE_DIR"
-
-# Copy systemd service files for buildernet
-for service in \
- persistence-setup # reth reth-sync \
- # rbuilder-bidding rbuilder
-do
- install -m 644 "services/systemd/$service.service" "$SERVICE_DIR/"
-done
\ No newline at end of file
diff --git a/buildernet/mkosi.skeleton/etc/bidding.toml.mustache b/buildernet/mkosi.skeleton/etc/bidding.toml.mustache
deleted file mode 100644
index 32d242fd..00000000
--- a/buildernet/mkosi.skeleton/etc/bidding.toml.mustache
+++ /dev/null
@@ -1,7 +0,0 @@
-ipc_path = "/var/run/rbuilder/rpc_bidding_server.sock"
-
-log_color = false
-log_json = true
-log_level = "info"
-
-{{{bidding_service.config}}}
\ No newline at end of file
diff --git a/buildernet/mkosi.skeleton/etc/rbuilder.config.mustache b/buildernet/mkosi.skeleton/etc/rbuilder.config.mustache
deleted file mode 100644
index af8bd131..00000000
--- a/buildernet/mkosi.skeleton/etc/rbuilder.config.mustache
+++ /dev/null
@@ -1,74 +0,0 @@
-bidding_service_ipc_path = "/var/run/rbuilder/rpc_bidding_server.sock"
-blocklist_file_path = "/persistent/rbuilder/rbuilder.blocklist.json"
-blocks_processor_url = "https://orderflow-archive.flashbots.net/api"
-chain = "mainnet"
-cl_node_url = ["http://127.0.0.1:3500"]
-coinbase_secret_key = "{{rbuilder.coinbase_secret_key}}"
-dry_run = {{rbuilder.dry_run}}
-dry_run_validation_url = "http://127.0.0.1:9999"
-el_node_ipc_path = "/tmp/reth.ipc"
-error_storage_path = "/tmp/rbuilder_errors.sqlite"
-extra_data = "{{rbuilder.extra_data}}"
-full_telemetry_server_ip = "127.0.0.1"
-full_telemetry_server_port = 6060
-ignore_blobs = false
-ignore_cancellable_orders = false
-jsonrpc_server_ip = "127.0.0.1"
-jsonrpc_server_port = 8645
-live_builders = ["mgp-ordering", "mp-ordering", "mp-ordering-cb", "mp-ordering-deadline"]
-log_color = false
-log_json = true
-log_level = "info,rbuilder=debug"
-max_concurrent_seals = 1
-optimistic_enabled = false
-relay_secret_key = "{{rbuilder.relay_secret_key}}"
-reth_db_path = "/persistent/reth/db"
-reth_static_files_path = "/persistent/reth/static_files"
-root_hash_task_pool_threads = 6
-root_hash_use_sparse_trie = true
-sbundle_mergeabe_signers = ["0xFC171C46A32DC7fF09fBDDD4884a65b2aD596517"]
-simulation_threads = 4
-top_bid_ws_basic_auth = "{{rbuilder.top_bid_ws_basic_auth}}"
-top_bid_ws_url = "{{rbuilder.top_bid_ws_url}}"
-watchdog_timeout_sec = 45
-
-[[builders]]
-algo = "ordering-builder"
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mgp-ordering"
-sorting = "mev-gas-price"
-
-[[builders]]
-algo = "ordering-builder"
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mp-ordering"
-sorting = "max-profit"
-
-[[builders]]
-algo = "ordering-builder"
-build_duration_deadline_ms = 30
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mp-ordering-deadline"
-sorting = "max-profit"
-
-[[builders]]
-algo = "ordering-builder"
-coinbase_payment = true
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mp-ordering-cb"
-sorting = "max-profit"
-
-[[builders]]
-algo = "merging-builder"
-discard_txs = true
-merge_wait_time_ms = 300
-name = "merging"
-num_threads = 3
diff --git a/buildernet/mkosi.skeleton/etc/rclone.conf.mustache b/buildernet/mkosi.skeleton/etc/rclone.conf.mustache
deleted file mode 100644
index 1713cd67..00000000
--- a/buildernet/mkosi.skeleton/etc/rclone.conf.mustache
+++ /dev/null
@@ -1,9 +0,0 @@
-[r2]
-type = s3
-provider = Cloudflare
-endpoint = {{rclone.bucket_endpoint}}
-region = auto
-acl = private
-no_check_bucket = true
-access_key_id = {{rclone.access_key_id}}
-secret_access_key = {{rclone.secret_access_key}}
diff --git a/buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service b/buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service
deleted file mode 100644
index dd64addc..00000000
--- a/buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description=Lighthouse Consensus Client
-After=network.target network-setup.service persistent-mount.service
-Requires=network-setup.service persistent-mount.service
-
-[Service]
-Type=exec
-User=lighthouse
-Group=eth
-ExecStartPre=+/usr/bin/lighthouse-init
-ExecStart=/usr/bin/lighthouse bn \
- --eth1 \
- --checkpoint-sync-url https://mainnet.checkpoint.sigp.io \
- --execution-endpoint http://localhost:8551 \
- --execution-jwt /tmp/jwt.hex \
- --suggested-fee-recipient 0x000000000000000000000000000000000000dead \
- --http-allow-sync-stalled \
- --always-prepare-payload \
- --prepare-payload-lookahead 8000 \
- --disable-deposit-contract-sync \
- --http \
- --port 9000 \
- --http-port 3500 \
- --metrics \
- --metrics-address 127.0.0.1 \
- --metrics-port 5054 \
- --datadir /persistent/lighthouse
-Restart=on-failure
-RestartSec=10
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=minimal.target
\ No newline at end of file
diff --git a/buildernet/render-config.sh b/buildernet/render-config.sh
deleted file mode 100755
index 8102fa82..00000000
--- a/buildernet/render-config.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-# TODO: Convert this file into a service that pulls from buildernet
-
-ENV_FILE="env.json"
-if [ ! -f "$ENV_FILE" ]; then
- echo "Error: env.json not found"
- exit 1
-fi
-
-# Find and process all mustache templates in skeleton directory
-find buildernet/mkosi.skeleton -type f -name "*.mustache" | while read -r template; do
- rel_path="${template#buildernet/mkosi.skeleton/}"
- output_path="$BUILDROOT/${rel_path%.mustache}"
- mustache "$ENV_FILE" "$template" > "$output_path"
- rm "$BUILDROOT/$rel_path"
-done
-
-# Download rbuilder-bidding binary
-export rbuilder_version="v0.4.2"
-export github_token="$(jq -j ".bidding_service.github_token" env.json)"
-export rbuilder_url="https://api.github.com/repos/flashbots/rbuilder-bidding-service/releases/tags/$rbuilder_version"
-export headers="Authorization: token $github_token"
-export asset_url=$(curl -s -H "$headers" "$rbuilder_url" | jq -j '.assets[] | select(.name == "bidding-service") | .url')
-curl -s -H "$headers" -H "Accept: application/octet-stream" -L "$asset_url" -o "$BUILDROOT/usr/bin/bidding-service"
-chmod +x "$BUILDROOT/usr/bin/bidding-service"
-
-# Set permissions of templated files
-chmod 640 "$BUILDROOT/etc/rbuilder.config"
-chmod 600 "$BUILDROOT/etc/rclone.conf"
diff --git a/env.json.example b/env.json.example
deleted file mode 100644
index 41278556..00000000
--- a/env.json.example
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "bidding_service_download": {
- "github_token": "",
- "config": ""
- },
- "fluentbit": {
- "aws_access_key_id": "",
- "aws_secret_access_key": ""
- },
- "rbuilder": {
- "coinbase_secret_key": "",
- "dry_run": "true",
- "optimistic_relay_secret_key": "",
- "relay_secret_key": "",
- "top_bid_ws_basic_auth": "",
- "top_bid_ws_url": ""
- },
- "rclone": {
- "access_key_id": "",
- "bucket_endpoint": "",
- "secret_access_key": ""
- }
-}
\ No newline at end of file
diff --git a/services/bin/rbuilder-init b/services/bin/rbuilder-init
deleted file mode 100755
index 94e4ff29..00000000
--- a/services/bin/rbuilder-init
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-set -e
-
-# Create necessary directories
-mkdir -p /var/run/rbuilder /persistent/rbuilder
-chown -R rbuilder:eth /var/run/rbuilder /persistent/rbuilder /etc/rbuilder.config
-chmod 640 /etc/rbuilder.config
-chmod 770 /var/run/rbuilder
-
-# Create initial blocklist file
-if [ ! -f /persistent/rbuilder/rbuilder.blocklist.json ]; then
- echo '{}' > /persistent/rbuilder/rbuilder.blocklist.json
- chmod 640 /persistent/rbuilder/rbuilder.blocklist.json
- chown rbuilder:eth /persistent/rbuilder/rbuilder.blocklist.json
-fi
\ No newline at end of file
diff --git a/services/bin/reth-sync b/services/bin/reth-sync
deleted file mode 100755
index f7dbe8c9..00000000
--- a/services/bin/reth-sync
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-set -e
-
-# Set up directories
-mkdir -p /persistent/reth
-chown reth:eth /persistent/reth
-
-# Get latest version and sync
-LATEST_META=$(rclone --config /etc/rclone.conf cat r2:chain-db-snapshots/reth-mainnet-full/latest_version.meta.txt)
-
-rclone sync --config /etc/rclone.conf -v -P \
- --transfers=20 --multi-thread-streams 30 \
- --contimeout=10m --retries 10 --retries-sleep 60s \
- --error-on-no-transfer --update --fast-list \
- --delete-during --disable-http2 --no-gzip-encoding \
- --exclude 'files.txt' \
- r2:chain-db-snapshots/reth-mainnet-full/$LATEST_META/ /persistent/reth
\ No newline at end of file
diff --git a/services/systemd/persistence-setup.service b/services/systemd/persistence-setup.service
deleted file mode 100644
index d03b6a1f..00000000
--- a/services/systemd/persistence-setup.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Setup Persistent Storage
-DefaultDependencies=no
-After=local-fs-pre.target
-Before=local-fs.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh -c "if [ -e /dev/vda ] && ! blkid /dev/vda | grep -q 'TYPE=\"ext4\"'; then mkfs.ext4 -F /dev/vda; fi"
-ExecStart=/bin/sh -c "mkdir -p /persistent"
-ExecStart=/bin/sh -c "mount /dev/vda /persistent || echo 'Failed to mount persistent storage'"
-RemainAfterExit=yes
-
-[Install]
-WantedBy=sysinit.target
\ No newline at end of file
diff --git a/services/systemd/rbuilder-bidding.service b/services/systemd/rbuilder-bidding.service
deleted file mode 100644
index 8d039242..00000000
--- a/services/systemd/rbuilder-bidding.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=RBuilder Bidding Service
-After=network.target network-setup.service persistent-mount.service rbuilder.service
-Requires=network-setup.service persistent-mount.service rbuilder.service
-
-[Service]
-Type=exec
-User=rbuilder
-Group=eth
-WorkingDirectory=/var/run/rbuilder
-ExecStart=/usr/bin/bwrap \
- --ro-bind /usr /usr \
- --ro-bind /lib /lib \
- --ro-bind /lib64 /lib64 \
- --ro-bind /bin /bin \
- --ro-bind /sbin /sbin \
- --ro-bind /etc/bidding.toml /config.toml \
- --bind /var/run/rbuilder /var/run/rbuilder \
- --proc /proc \
- --dev /dev \
- --clearenv \
- --unshare-pid \
- bidding-service /config.toml
-Restart=on-failure
-RestartSec=10
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=minimal.target
\ No newline at end of file
diff --git a/services/systemd/rbuilder.service b/services/systemd/rbuilder.service
deleted file mode 100644
index 764d82b7..00000000
--- a/services/systemd/rbuilder.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=RBuilder Bidding Service
-After=network.target network-setup.service persistent-mount.service
-Requires=network-setup.service persistent-mount.service
-
-[Service]
-Type=exec
-User=rbuilder
-Group=eth
-ExecStartPre=+/usr/bin/rbuilder-init
-ExecStart=/usr/bin/bwrap \
- --ro-bind /usr /usr \
- --ro-bind /lib /lib \
- --ro-bind /lib64 /lib64 \
- --ro-bind /bin /bin \
- --ro-bind /sbin /sbin \
- --ro-bind /etc/bidding.toml /config.toml \
- --bind /var/run/rbuilder /var/run/rbuilder \
- --proc /proc \
- --dev /dev \
- --clearenv \
- --unshare-pid \
- bidding-service /config.toml
-Restart=on-failure
-RestartSec=10
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=minimal.target
\ No newline at end of file
diff --git a/services/systemd/reth-sync.service b/services/systemd/reth-sync.service
deleted file mode 100644
index e47c9c85..00000000
--- a/services/systemd/reth-sync.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Reth Chain Data Sync
-After=network.target network-setup.service persistent-mount.service
-Requires=network-setup.service persistent-mount.service
-
-[Service]
-User=reth
-Group=eth
-Type=oneshot
-ExecStart=/usr/bin/reth-sync
-RemainAfterExit=yes
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=minimal.target
\ No newline at end of file
diff --git a/services/systemd/reth.service b/services/systemd/reth.service
deleted file mode 100644
index 9d41f010..00000000
--- a/services/systemd/reth.service
+++ /dev/null
@@ -1,32 +0,0 @@
-[Unit]
-Description=Reth Execution Client
-After=network-setup.service reth-sync.service persistent-mount.service
-Requires=network-setup.service reth-sync.service persistent-mount.service
-
-[Service]
-User=reth
-Group=eth
-ExecStart=/usr/bin/reth node \
- --full \
- --datadir "/persistent/reth" \
- --authrpc.addr 127.0.0.1 \
- --authrpc.jwtsecret "/tmp/jwt.hex" \
- --authrpc.port 8551 \
- --http \
- --http.addr 127.0.0.1 \
- --http.port 8545 \
- --http.api "eth,net,web3,trace,rpc,debug,txpool" \
- --ws \
- --ws.addr 127.0.0.1 \
- --ws.port 8546 \
- --ws.api "eth,net,trace,web3,rpc,debug,txpool" \
- --log.stdout.format json \
- --log.file.max-files 0 \
- --metrics "127.0.0.1:9001"
-Restart=on-failure
-RestartSec=10
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=minimal.target
\ No newline at end of file
From 73884c650b5d825843bb0c5db002577510bc58c2 Mon Sep 17 00:00:00 2001
From: alexhulbert
Date: Wed, 4 Feb 2026 19:03:08 -0500
Subject: [PATCH 02/14] Switch to more idiomatic mathod of enabling systemd services
---
 DEVELOPMENT.md | 21 +++++----------------
 base/debloat-systemd.sh | 3 ---
 base/mkosi.conf | 2 +-
 .../etc/systemd/system/minimal.target | 3 ---
 .../etc/systemd/system/network-setup.service | 2 +-
 base/mkosi.skeleton/init | 2 +-
 .../dropbear.service.d/dropbear-prereq.conf | 3 ---
 bob-common/mkosi.postinst | 18 +++-------------
 bob-l1/mkosi.postinst | 9 +-------
 mkosi.profiles/azure/mkosi.postinst | 3 ---
 .../etc/systemd/system/serial-console.service | 2 --
 mkosi.profiles/devtools/mkosi.postinst | 2 +-
 .../etc/systemd/system/set-hostname.service | 2 +-
 mkosi.profiles/gcp/mkosi.postinst | 11 ++++------
 14 files changed, 18 insertions(+), 65 deletions(-)
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index c6701b4e..6046382a 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -364,24 +364,14 @@ Requires=persistent-mount.service
 After=basic.target
 ```
-### Enabling Services
+### Enabling Packaged Services
-**In `mkosi.postinst` script**:
-```bash
-#!/bin/bash
-set -euxo pipefail
+To enable a service installed with a Debian package, add the following to your `mkosi.postinst` script:
-# Enable service
-mkosi-chroot systemctl enable myapp.service
-
-# Create symlink for minimal.target
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-ln -sf "/etc/systemd/system/myapp.service" \
- "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+```bash
+mkosi-chroot systemctl add-wants minimal.target myapp.service
 ```
-For comprehensive systemd options, see: [systemd Service Documentation](https://www.freedesktop.org/software/systemd/man/systemd.service.html)
-
 ## Extending Built-in systemd Services
 Sometimes you need to modify existing systemd services rather than creating new ones.
@@ -542,8 +532,7 @@ chown myapp:myapp /etc/myapp/config.conf
 chmod 600 /etc/myapp/config.conf
 # Enable systemd service
-systemctl enable myapp.service || true
-systemctl start myapp.service || true
+mkosi-chroot systemctl add-wants minimal.target myapp.service || true
 exit 0
 ```
diff --git a/base/debloat-systemd.sh b/base/debloat-systemd.sh
index 096f4f07..1a07996e 100755
--- a/base/debloat-systemd.sh
+++ b/base/debloat-systemd.sh
@@ -40,6 +40,3 @@ mkosi-chroot dpkg-query -L systemd | grep -E '\.service$|\.socket$|\.timer$|\.ta
 ln -sf /dev/null "$SYSTEMD_DIR/$unit"
 fi
 done
-
-# Set default target
-ln -sf minimal.target "$SYSTEMD_DIR/default.target"
diff --git a/base/mkosi.conf b/base/mkosi.conf
index c39f8517..bc7ac9f6 100644
--- a/base/mkosi.conf
+++ b/base/mkosi.conf
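Review bot: Dropping the `default.target` symlink removes the only in-image fallback for the boot target: after this hunk, minimal.target is selected solely by the `systemd.unit=minimal.target` argument that base/mkosi.conf appends to KernelCommandLine in the same commit, and the init script no longer passes it to systemd either. Any boot path that supplies its own command line (a direct-kernel qemu boot during development, or a platform that rewrites it) would fall back to the systemd package's stock default target and start whatever that target wants from the units debloat-systemd.sh did not mask. For a measured UKI boot the embedded command line is part of what is attested, so the exposure is presumably limited to unmeasured dev boots, but that deserves confirming. Unless the fallback-free behaviour is intended, keep the one-liner `ln -sf minimal.target "$SYSTEMD_DIR/default.target"`, or leave a comment in the script stating that the kernel command line is the only supported source of the target.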
@@ -17,7 +17,7 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 [Content]
 SourceDateEpoch=0
-KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
+KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target
 SkeletonTrees=base/mkosi.skeleton
 BuildScripts=kernel/mkosi.build
 PostInstallationScripts=base/debloat-systemd.sh
diff --git a/base/mkosi.skeleton/etc/systemd/system/minimal.target b/base/mkosi.skeleton/etc/systemd/system/minimal.target
index a8464ca2..dbc9a780 100644
--- a/base/mkosi.skeleton/etc/systemd/system/minimal.target
+++ b/base/mkosi.skeleton/etc/systemd/system/minimal.target
@@ -4,6 +4,3 @@ Requires=basic.target
 Conflicts=rescue.service rescue.target emergency.service emergency.target
 After=basic.target rescue.service rescue.target emergency.service emergency.target
 AllowIsolate=yes
-
-[Install]
-WantedBy=default.target
\ No newline at end of file
diff --git a/base/mkosi.skeleton/etc/systemd/system/network-setup.service b/base/mkosi.skeleton/etc/systemd/system/network-setup.service
index d980087b..804a50fe 100644
--- a/base/mkosi.skeleton/etc/systemd/system/network-setup.service
+++ b/base/mkosi.skeleton/etc/systemd/system/network-setup.service
@@ -13,4 +13,4 @@ ExecStart=/usr/sbin/udhcpc -i eth0 -n
 RemainAfterExit=yes
 [Install]
-WantedBy=sysinit.target
\ No newline at end of file
+WantedBy=minimal.target
diff --git a/base/mkosi.skeleton/init b/base/mkosi.skeleton/init
index b6f12563..78b382c2 100755
--- a/base/mkosi.skeleton/init
+++ b/base/mkosi.skeleton/init
@@ -14,4 +14,4 @@ exec unshare --mount sh -c '
 mkdir /@
 mount --rbind / /@
 cd /@ && mount --move . /
- exec chroot . /lib/systemd/systemd systemd.unit=minimal.target'
+ exec chroot . /lib/systemd/systemd'
diff --git a/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf b/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
index deb3611c..cdfcf563 100644
--- a/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
+++ b/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
@@ -5,6 +5,3 @@ Requires=wait-for-key.service searcher-firewall.service
 [Service]
 ExecStartPre=/usr/bin/chown -R searcher:searcher /home/searcher
 ExecStartPre=/bin/sh -c 'test -f /etc/dropbear/dropbear_ed25519_host_key || /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key'
-
-[Install]
-WantedBy=minimal.target
diff --git a/bob-common/mkosi.postinst b/bob-common/mkosi.postinst
index 227beea5..ab3b4b1c 100755
--- a/bob-common/mkosi.postinst
+++ b/bob-common/mkosi.postinst
@@ -18,25 +18,13 @@ mkdir -p "$BUILDROOT/etc/searcher/ssh_hostkey"
 rm -r "$BUILDROOT/etc/dropbear"
 mkdir "$BUILDROOT/etc/dropbear"
-# Enable services
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-for service in \
- network-setup.service \
+# Enable packaged services
+mkosi-chroot systemctl add-wants minimal.target \
 logrotate.timer \
 delay-pipe.service \
- wait-for-key.service \
- searcher-firewall.service \
- dropbear.service \
- searcher-container.service \
- ssh-pubkey-server.service \
- cvm-reverse-proxy.service
-do
- mkosi-chroot systemctl enable "$service"
- ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
-done
+ dropbear.service
 # Don't reserve port 22
-mkosi-chroot systemctl disable ssh.service ssh.socket
 mkosi-chroot systemctl mask ssh.service ssh.socket
 # Lock the root account
diff --git a/bob-l1/mkosi.postinst b/bob-l1/mkosi.postinst
index da2abaf3..626ab872 100755
--- a/bob-l1/mkosi.postinst
+++ b/bob-l1/mkosi.postinst
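Review bot: The explicit enabling of searcher-firewall.service, wait-for-key.service, searcher-container.service, ssh-pubkey-server.service, cvm-reverse-proxy.service and network-setup.service is removed from the `add-wants` list, and nothing in this hunk shows how those units are now pulled into minimal.target; presumably their own `[Install]` sections are honoured by mkosi's preset handling, but that mechanism is not visible here. The only visible pull-in for the firewall is the dropbear drop-in's `Requires=wait-for-key.service searcher-firewall.service`, which takes effect only if dropbear.service itself starts, so a unit that quietly stops being enabled would, going by its name, leave the searcher environment without its packet filter. I would add a build-time assertion next to the `add-wants` call so the image fails to build rather than boot open, e.g. `for u in searcher-firewall.service searcher-container.service cvm-reverse-proxy.service; do mkosi-chroot systemctl is-enabled "$u"; done`, placed where the wants links are guaranteed to exist (a finalize script if preset processing runs after postinst). With the `set -e` the sibling postinst scripts use, a non-enabled unit then aborts the build.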
@@ -7,11 +7,4 @@ set -euxo pipefail
 mkosi-chroot groupadd -r eth
 mkosi-chroot useradd -r -s /bin/false -G eth lighthouse
-# Enable services
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-for service in \
- lighthouse.service
-do
- mkosi-chroot systemctl enable "$service"
- ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
-done
+mkosi-chroot systemctl add-wants minimal.target lighthouse
diff --git a/mkosi.profiles/azure/mkosi.postinst b/mkosi.profiles/azure/mkosi.postinst
index 64ffde07..5cab9756 100755
--- a/mkosi.profiles/azure/mkosi.postinst
+++ b/mkosi.profiles/azure/mkosi.postinst
@@ -5,6 +5,3 @@ set -euxo pipefail
 # Configure tdx-init disk glob for Azure
 mkdir -p "$BUILDROOT/etc/tdx-init"
 echo '/dev/disk/by-path/*10' >> "$BUILDROOT/etc/tdx-init/disk-glob"
-
-mkosi-chroot systemctl enable "azure-complete-provisioning.service"
-ln -sf "/etc/systemd/system/azure-complete-provisioning.service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
diff --git a/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service b/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service
index 04352634..bfcfdd63 100644
--- a/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service
+++ b/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service
@@ -13,5 +13,3 @@ Restart=always
 [Install]
 WantedBy=minimal.target
-WantedBy=rescue.target
-WantedBy=emergency.target
diff --git a/mkosi.profiles/devtools/mkosi.postinst b/mkosi.profiles/devtools/mkosi.postinst
index 5eca88d7..98af4442 100755
--- a/mkosi.profiles/devtools/mkosi.postinst
+++ b/mkosi.profiles/devtools/mkosi.postinst
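Review bot: azure-complete-provisioning.service is no longer enabled anywhere visible: this hunk deletes both the `systemctl enable` call and the minimal.target.wants symlink, and the commit's diffstat touches no Azure unit file, whereas the GCP equivalent (set-hostname.service) needed its `WantedBy=default.target` changed to `WantedBy=minimal.target` in this same commit to keep working. If the Azure unit's `[Install]` section still names default.target, or has none, provisioning completion will silently stop running on Azure images and the failure will only show up at deploy time. Please confirm the unit already carries `WantedBy=minimal.target`; otherwise keep it explicit here with `mkosi-chroot systemctl add-wants minimal.target azure-complete-provisioning.service`.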
@@ -13,6 +13,6 @@ if [ -f "$BUILDROOT/etc/default/dropbear" ]; then
 else
 echo "PermitRootLogin yes" >> "$BUILDROOT/etc/ssh/sshd_config"
 echo "PasswordAuthentication yes" >> "$BUILDROOT/etc/ssh/sshd_config"
- mkosi-chroot systemctl enable ssh.service
 mkosi-chroot systemctl unmask ssh.service ssh.socket
+ mkosi-chroot systemctl add-wants minimal.target ssh.service
 fi
diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service
index 209cd01f..4021437f 100644
--- a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service
+++ b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service
@@ -11,4 +11,4 @@ Type=oneshot
 ExecStart=/usr/bin/set-hostname.sh
 [Install]
-WantedBy=default.target
+WantedBy=minimal.target
diff --git a/mkosi.profiles/gcp/mkosi.postinst b/mkosi.profiles/gcp/mkosi.postinst
index 5a074e05..052035c7 100755
--- a/mkosi.profiles/gcp/mkosi.postinst
+++ b/mkosi.profiles/gcp/mkosi.postinst
@@ -9,15 +9,12 @@ echo "/dev/disk/by-id/google-data" >> "$BUILDROOT/etc/tdx-init/disk-glob"
 # Enable systemd services
 mkdir "$BUILDROOT/etc/systemd/system/minimal.target.wants" || true
+
+# Enable packaged services
 mkosi-chroot systemctl unmask sys-kernel-config.mount
-for service in \
+mkosi-chroot systemctl add-wants minimal.target \
 chrony.service \
- sys-kernel-config.mount \
- set-hostname.service
-do
- mkosi-chroot systemctl enable "$service"
- ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
-done
+ sys-kernel-config.mount
 if [ -f /etc/rsyslog.d/50-default.conf ]; then
 sed -i 's/^.*\/var\/log\/syslog.*$/# &/' /etc/rsyslog.d/50-default.conf
From 4a5f9ba2cf8821ec743bc398b361a0e182a5bfd2 Mon Sep 17 00:00:00 2001
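Review bot: The surviving `mkdir "$BUILDROOT/etc/systemd/system/minimal.target.wants" || true` in the GCP postinst is now dead code, because `systemctl add-wants` creates the wants directory itself, and its `|| true` also swallows any genuine mkdir failure under `set -e`; drop the line, or if it is kept for another reason make it `mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"` without the `|| true`. Separately, the unchanged context lines below test and `sed -i` `/etc/rsyslog.d/50-default.conf` with no `$BUILDROOT` prefix, so they presumably act on the build environment rather than the image being assembled — likely meant to be `"$BUILDROOT/etc/rsyslog.d/50-default.conf"` on both lines. The rest of that script continues past the end of this hunk.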
From: alexhulbert
Date: Wed, 4 Feb 2026 19:59:10 -0500
Subject: [PATCH 03/14] Switch from mtools/etc to systemd-repart for cleaner GCP tar.gz creation
---
 flake.nix | 5 +-
 mkosi.profiles/gcp/mkosi.postoutput | 79 +++++++++----------------
 mkosi.profiles/gcp/repart.d/00-uki.conf | 8 +++
 3 files changed, 38 insertions(+), 54 deletions(-)
 create mode 100644 mkosi.profiles/gcp/repart.d/00-uki.conf
diff --git a/flake.nix b/flake.nix
index 9b9c0a12..3fa639a2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,8 +44,8 @@
 src = pkgs.fetchFromGitHub {
 owner = "flashbots";
 repo = "dstack-mr-gcp";
- rev = "ee95d36c8f18d159f6ada31474555e4a253b3897";
- sha256 = "sha256-vAYN4zFXHSxd86KP+Toqh1ZDa4+KGLNsQoOuTr45pGg=";
+ rev = "be2d37a610b6afc7b535bdf0d637935f9d4a6e96";
+ sha256 = "sha256-HUs6Swj2e3KyxDjqw9XZfY6HmJ9qY2cd84iRP8xYiJ8=";
 };
 vendorHash = "sha256-glOyRTrIF/zP78XGV+v58a1Bec6C3Fvc5c8G3PglzPM=";
 };
@@ -61,7 +61,6 @@
 squashfsTools
 dosfstools
 e2fsprogs
- mtools
 mustache-go
 cryptsetup
 gptfdisk
diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput
index 83228a42..2d4dbe66 100755
--- a/mkosi.profiles/gcp/mkosi.postoutput
+++ b/mkosi.profiles/gcp/mkosi.postoutput
@@ -1,53 +1,30 @@ #!/bin/bash -set -euxo pipefail -EFI="${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi" -TAR="${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.tar.gz" -TMP="${OUTPUTDIR}/gcp-tmp" - -[ ! -f "$EFI" ] && echo "Error: $EFI not found" && exit 1 - -mkdir -p "$TMP" - -# Fixed GUIDs and IDs -DISK_GUID="12345678-1234-5678-1234-567812345678" -PARTITION_GUID="87654321-4321-8765-4321-876543218765" -FAT_SERIAL="12345678" - -# Create 500MB ESP -dd if=/dev/zero of="$TMP/esp.img" bs=1M count=500 - -# Format with fixed volume serial number and label -mformat -i "$TMP/esp.img" -F -v "ESP" -N "$FAT_SERIAL" :: - -# Create directory structure -mmd -i "$TMP/esp.img" ::EFI ::EFI/BOOT - -# Copy files with deterministic timestamps -# -D o sets file times to 1980-01-01 (DOS epoch) -mcopy -D o -i "$TMP/esp.img" "$EFI" ::EFI/BOOT/BOOTX64.EFI - -# Create 1GB disk with GPT -dd if=/dev/zero of="$TMP/disk.raw" bs=1M count=1024 -sgdisk --disk-guid="$DISK_GUID" "$TMP/disk.raw" - -# Create ESP partition -# -n creates partition (number:start:end) -# -t sets type (1:ef00 for ESP) -# -u sets partition GUID -# -c sets partition name -sgdisk -n 1:2048:1026047 \ - -t 1:ef00 \ - -u 1:"$PARTITION_GUID" \ - -c 1:"ESP" \ - -A 1:set:0 \ - "$TMP/disk.raw" - -# Write ESP image to partition area -dd if="$TMP/esp.img" of="$TMP/disk.raw" bs=512 seek=2048 conv=notrunc -touch -d "2024-01-01 00:00:00 UTC" "$TMP/disk.raw" 2>/dev/null || true - -# Create GCP tar.gz -tar --format=oldgnu -Sczf "$TAR" -C "$TMP" disk.raw - -rm -rf "$TMP" +set -eu -o pipefail + +export SOURCE_DATE_EPOCH=0 # not propagated from the main config, needed for mkfs.vfat +export SYSTEMD_REPART_MKFS_OPTIONS_VFAT="-i 12345678 --invariant" +mkdir -p ${OUTPUTDIR}/esp/EFI/BOOT +cp ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi ${OUTPUTDIR}/esp/EFI/BOOT/BOOTX64.EFI +# Set fixed timestamps for reproducibility (FAT uses file mtime for directory entries) +find ${OUTPUTDIR}/esp -exec touch -d "@${SOURCE_DATE_EPOCH}" {} + +rm -f 
${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw + +# Hack to use the newer systemd-repart from nix instead of mkosi.tools one +# TODO: remove after updating mkosi +PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart --empty=create \ + --size=1G \ + --definitions=mkosi.profiles/gcp/repart.d \ + --copy-source=${OUTPUTDIR} \ + --seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c \ + --dry-run=no \ + ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw +sgdisk --disk-guid "12345678-1234-5678-1234-567812345678" ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw + +rm -rf ${OUTPUTDIR}/esp + +cd ${OUTPUTDIR} +ln -sf ${IMAGE_ID}_${IMAGE_VERSION}.raw disk.raw +tar --mtime="@${SOURCE_DATE_EPOCH}" --dereference --format=oldgnu -Sczf ${IMAGE_ID}_${IMAGE_VERSION}.tar.gz disk.raw +unlink disk.raw +rm -f ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw diff --git a/mkosi.profiles/gcp/repart.d/00-uki.conf b/mkosi.profiles/gcp/repart.d/00-uki.conf new file mode 100644 index 00000000..b161a108 --- /dev/null +++ b/mkosi.profiles/gcp/repart.d/00-uki.conf @@ -0,0 +1,8 @@ +[Partition] +Type=esp +Format=vfat +CopyFiles=/esp:/ +Minimize=off +UUID=87654321-4321-8765-4321-876543218765 +SizeMinBytes=524288000 +SizeMaxBytes=524288000 From 15a1266ff9d4897904d60354ec54ae8abcfa9229 Mon Sep 17 00:00:00 2001 
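Review bot: The rebuilt tar.gz is still not bit-for-bit reproducible even though the script sets SOURCE_DATE_EPOCH and `--mtime`: `-z` runs gzip with its default header timestamp, and tar records the build user's uid/gid and names, so two builds of an identical disk.raw can still hash differently. If the archive (and not only the raw image that dstack-mr-gcp measures) is meant to be verifiable, use `tar --mtime="@${SOURCE_DATE_EPOCH}" --owner=0 --group=0 --numeric-owner --dereference --format=oldgnu -S -I 'gzip -n' -cf "${IMAGE_ID}_${IMAGE_VERSION}.tar.gz" disk.raw`. The new version also drops the quoting the old script had around `$OUTPUTDIR`/`$IMAGE_ID` expansions (`cp ${OUTPUTDIR}/...`, `--copy-source=${OUTPUTDIR}`, `cd ${OUTPUTDIR}`), which breaks on paths containing spaces or glob characters, and quoting them costs nothing. Finally `PATH="${PATH#/usr/bin:/usr/sbin:}"` only strips that prefix when PATH begins with exactly that string, so the "use the nix systemd-repart" hack silently does nothing otherwise; the TODO should at least assert that `command -v systemd-repart` resolves outside /usr before continuing.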
From: alexhulbert Date: Thu, 5 Feb 2026 22:18:20 -0500 Subject: [PATCH 04/14] Simplify base module and networking configuration --- DEVELOPMENT.md | 8 ++++---- base/debloat-systemd.sh | 7 ++++++- base/debloat.sh | 2 -- base/mkosi.conf | 4 ++-- .../etc/chrony/chrony.conf | 0 base/mkosi.extra/etc/systemd/journald.conf | 5 +++++ .../etc/systemd/network/10-ethernet.network | 9 +++++++++ base/mkosi.extra/etc/systemd/resolved.conf | 4 ++++ .../etc/systemd/system/minimal.target | 0 base/{mkosi.skeleton => mkosi.extra}/init | 0 base/mkosi.skeleton/etc/resolv.conf | 2 -- .../etc/systemd/system/network-setup.service | 16 ---------------- .../etc/systemd/system/persistent-mount.service | 2 +- .../etc/systemd/system/searcher-firewall.service | 4 ++-- .../etc/systemd/system/wait-for-key.service | 4 ++-- .../etc/systemd/system/lighthouse.service | 5 +++-- bob-l1/readme.md | 6 +++--- .../etc/systemd/system/fetch-config.service | 4 ++-- flake.nix | 11 ++++------- .../azure/azure-complete-provisioning.service | 4 ++-- mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf | 2 -- .../etc/systemd/system/set-hostname.service | 4 ++-- tdx-dummy/dummy-tdx-dcap.service | 4 ++-- 23 files changed, 53 insertions(+), 54 deletions(-) rename base/{mkosi.skeleton => mkosi.extra}/etc/chrony/chrony.conf (100%) create mode 100644 base/mkosi.extra/etc/systemd/journald.conf create mode 100644 base/mkosi.extra/etc/systemd/network/10-ethernet.network create mode 100644 base/mkosi.extra/etc/systemd/resolved.conf rename base/{mkosi.skeleton => mkosi.extra}/etc/systemd/system/minimal.target (100%) rename base/{mkosi.skeleton => mkosi.extra}/init (100%) delete mode 100644 base/mkosi.skeleton/etc/resolv.conf delete mode 100644 base/mkosi.skeleton/etc/systemd/system/network-setup.service rename {base/mkosi.skeleton => bob-common/mkosi.extra}/etc/systemd/system/persistent-mount.service (92%) delete mode 100644 mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf 
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index 317f5807..9217d529 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -276,8 +276,8 @@ systemd services are the primary way to run applications in Flashboxes. Here's h ```ini [Unit] Description=My Application -After=network.target network-setup.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=simple @@ -354,8 +354,8 @@ Conflicts=apache2.service ```ini [Unit] # Network is available -After=network.target network-setup.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target # Persistent storage is mounted After=persistent-mount.service diff --git a/base/debloat-systemd.sh b/base/debloat-systemd.sh index 61ee2548..f1559a06 100755 --- a/base/debloat-systemd.sh +++ b/base/debloat-systemd.sh @@ -16,6 +16,8 @@ systemd_svc_whitelist=( "systemd-journald-dev-log.socket" "systemd-remount-fs.service" "systemd-sysctl.service" + "systemd-networkd.service" + "systemd-networkd.socket" "chrony.service" ) @@ -43,4 +45,7 @@ mkosi-chroot dpkg-query -L systemd | grep -E '\.service$|\.socket$|\.timer$|\.ta done # Enable chrony service -mkosi-chroot systemctl add-wants minimal.target chrony.service +mkosi-chroot systemctl add-wants minimal.target \ + chrony.service \ + systemd-resolved.service \ + systemd-networkd.service diff --git a/base/debloat.sh b/base/debloat.sh index 1906010d..ffe0416a 100755 --- a/base/debloat.sh +++ b/base/debloat.sh @@ -31,10 +31,8 @@ debloat_paths=( "/usr/lib/systemd/catalog" "/usr/lib/systemd/user" "/usr/lib/systemd/user-generators" - "/usr/lib/systemd/network" "/usr/lib/pcrlock.d" "/usr/lib/tmpfiles.d" - "/etc/systemd/network" "/etc/credstore" "/nix" ) diff --git a/base/mkosi.conf b/base/mkosi.conf index 3decf5a9..427bb721 100644 --- a/base/mkosi.conf +++ b/base/mkosi.conf 
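Review bot: `systemd-resolved.service` is added to the `add-wants minimal.target` list without a matching entry in `systemd_svc_whitelist`, which looks inconsistent with `systemd-networkd.service`/`.socket` being whitelisted in the hunk above. Since the loop is driven by `dpkg-query -L systemd` and resolved ships in the separate `systemd-resolved` package added to mkosi.conf in this patch, it presumably survives the debloat pass, but that is an implicit dependency between the two files; a comment on the `add-wants` line (`# systemd-resolved units come from their own package and are not touched by the debloat loop above`) would stop the next reader "fixing" it either way. If the loop ever widens to other systemd-* packages, resolved's units would be removed silently.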
@@ -18,7 +18,7 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c [Content] SourceDateEpoch=0 KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target -SkeletonTrees=base/mkosi.skeleton +ExtraTrees=base/mkosi.extra BuildScripts=kernel/mkosi.build PostInstallationScripts=base/debloat-systemd.sh PostInstallationScripts=base/efi-stub.sh @@ -30,6 +30,7 @@ SyncScripts=base/normalize-umask.sh CleanPackageMetadata=true Packages=kmod systemd + systemd-resolved systemd-boot-efi busybox util-linux @@ -37,7 +38,6 @@ Packages=kmod ca-certificates openssl iproute2 - udhcpc e2fsprogs chrony BuildPackages=build-essential diff --git a/base/mkosi.skeleton/etc/chrony/chrony.conf b/base/mkosi.extra/etc/chrony/chrony.conf similarity index 100% rename from base/mkosi.skeleton/etc/chrony/chrony.conf rename to base/mkosi.extra/etc/chrony/chrony.conf diff --git a/base/mkosi.extra/etc/systemd/journald.conf b/base/mkosi.extra/etc/systemd/journald.conf new file mode 100644 index 00000000..44e635ca --- /dev/null +++ b/base/mkosi.extra/etc/systemd/journald.conf @@ -0,0 +1,5 @@ +[Journal] +SystemMaxFileSize=128M +SystemMaxFiles=2 +RuntimeMaxFileSize=512K +RuntimeMaxFiles=2 diff --git a/base/mkosi.extra/etc/systemd/network/10-ethernet.network b/base/mkosi.extra/etc/systemd/network/10-ethernet.network new file mode 100644 index 00000000..560dbd99 --- /dev/null +++ b/base/mkosi.extra/etc/systemd/network/10-ethernet.network @@ -0,0 +1,9 @@ +[Match] +Name=eth* en* + +[Network] +DHCP=yes + +[DHCPv4] +UseDNS=no +UseHostname=no diff --git a/base/mkosi.extra/etc/systemd/resolved.conf b/base/mkosi.extra/etc/systemd/resolved.conf new file mode 100644 index 00000000..61eeb301 --- /dev/null +++ b/base/mkosi.extra/etc/systemd/resolved.conf @@ -0,0 +1,4 @@ +[Resolve] +# GCP: 169.254.169.254, Azure: 168.63.129.16 +DNS=169.254.169.254 168.63.129.16 +FallbackDNS=1.1.1.1 1.0.0.1 
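Review bot: `DHCP=yes` in the new `10-ethernet.network` enables DHCPv6 and router-advertisement handling as well as DHCPv4, but only the `[DHCPv4]` section sets `UseDNS=no`, so on a link with IPv6 the DNS servers from DHCPv6 or RDNSS would still be installed and bypass the statically configured resolvers. Either narrow it to `DHCP=ipv4`, or add `[DHCPv6]` and `[IPv6AcceptRA]` sections with `UseDNS=no` (and `UseDomains=no`) so the resolver policy is the same on both address families. Whether the GCP/Azure NICs in use actually advertise IPv6 DNS is not visible here, so this may be defence in depth rather than a live bug, but the asymmetry is worth closing before DNS-over-TLS policy is layered on top.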
diff --git a/base/mkosi.skeleton/etc/systemd/system/minimal.target b/base/mkosi.extra/etc/systemd/system/minimal.target similarity index 100% rename from base/mkosi.skeleton/etc/systemd/system/minimal.target rename to base/mkosi.extra/etc/systemd/system/minimal.target diff --git a/base/mkosi.skeleton/init b/base/mkosi.extra/init similarity index 100% rename from base/mkosi.skeleton/init rename to base/mkosi.extra/init diff --git a/base/mkosi.skeleton/etc/resolv.conf b/base/mkosi.skeleton/etc/resolv.conf deleted file mode 100644 index 0bb99396..00000000 --- a/base/mkosi.skeleton/etc/resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -nameserver 8.8.8.8 -nameserver 8.8.4.4 \ No newline at end of file diff --git a/base/mkosi.skeleton/etc/systemd/system/network-setup.service b/base/mkosi.skeleton/etc/systemd/system/network-setup.service deleted file mode 100644 index 804a50fe..00000000 --- a/base/mkosi.skeleton/etc/systemd/system/network-setup.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Basic Network Setup -DefaultDependencies=no -Before=network.target -Wants=network.target - -[Service] -Type=oneshot -ExecStart=ip link set lo up -ExecStart=ip link set eth0 up -ExecStart=chattr +i /etc/resolv.conf -ExecStart=/usr/sbin/udhcpc -i eth0 -n -RemainAfterExit=yes - -[Install] -WantedBy=minimal.target diff --git a/base/mkosi.skeleton/etc/systemd/system/persistent-mount.service b/bob-common/mkosi.extra/etc/systemd/system/persistent-mount.service similarity index 92% rename from base/mkosi.skeleton/etc/systemd/system/persistent-mount.service rename to bob-common/mkosi.extra/etc/systemd/system/persistent-mount.service index 1c630ea5..f3cc2c85 100644 --- a/base/mkosi.skeleton/etc/systemd/system/persistent-mount.service +++ b/bob-common/mkosi.extra/etc/systemd/system/persistent-mount.service 
@@ -11,4 +11,4 @@ ExecStart=/bin/bash -c 'until grep -q " /persistent " /proc/mounts; do sleep 1; RemainAfterExit=yes [Install] -WantedBy=minimal.target +WantedBy=minimal.target \ No newline at end of file diff --git a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service index 3812c1eb..84b5dd77 100644 --- a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service +++ b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service @@ -1,7 +1,7 @@ [Unit] Description=Searcher Network and Firewall Rules -After=network.target network-setup.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=oneshot diff --git a/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service b/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service index 5a4c1eae..e575f806 100644 --- a/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service +++ b/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service @@ -1,7 +1,7 @@ [Unit] Description=SSH Public Key Server -After=network.target network-setup.service wait-for-key.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=oneshot diff --git a/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service b/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service index e0f79633..df8422ed 100644 --- a/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service +++ b/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service @@ -1,7 +1,8 @@ [Unit] Description=Lighthouse Consensus Client -After=network.target network-setup.service persistent-mount.service -Requires=network-setup.service persistent-mount.service +After=network-online.target persistent-mount.service +Wants=network-online.target +Requires=persistent-mount.service [Service] Type=exec 
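Review bot: Ordering `searcher-firewall.service` `After=network-online.target` (as it previously was after network-setup.service) means the interface is configured and reachable before any rule is loaded, leaving a boot-time window with no filtering; the systemd convention for firewall units is the reverse, `DefaultDependencies=no` with `Wants=network-pre.target` and `Before=network-pre.target`, so the rules exist before networkd brings links up. That only works if the script needs no DHCP-assigned address or fetched configuration; the `[Service]` section is outside the hunk so I can't tell from here, and if it does need them the unit should at least carry a comment documenting the unfiltered window. Switching from `Requires=` to `Wants=network-online.target` is the right choice for a target dependency.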
diff --git a/bob-l1/readme.md b/bob-l1/readme.md index edb9bba2..e24f1a42 100644 --- a/bob-l1/readme.md +++ b/bob-l1/readme.md @@ -601,9 +601,9 @@ Developer Notes ### Service Order -1. Initialize network (**name:** `network-setup.service`) -2. Get searcher key from LUKS partition or wait for key on port 8080 (**name:** `wait-for-key.service`) (**after:** `network-setup.service`) -3. Setup firewall (**name:** `searcher-firewall.service`) (**after:** `network-setup.service`) +1. Initialize network via `systemd-networkd.service` +2. Get searcher key from LUKS partition or wait for key on port 8080 (**name:** `wait-for-key.service`) (**after:** `network-online.target`) +3. Setup firewall (**name:** `searcher-firewall.service`) (**after:** `network-online.target`) 4. Start dropbear server for `initialize`, `toggle`, etc. (**name:** `dropbear.service`) (**after:** `wait-for-key.service`, `searcher-firewall.service`) 5. Open a log socket and forward text from it to the delayed log file after 300s (**name:** searcher-log-reader.service) (**after:** `/persistent` is mounted) 6. Write new text in `bob.log` to the log socket (**name:** searcher-log-writer.service) (**after:** searcher-log-reader.service) diff --git a/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service b/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service index 258aeda0..28779a07 100644 --- a/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service +++ b/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service @@ -1,7 +1,7 @@ [Unit] Description=Fetch some configuration variables from Vault -After=network.target network-setup.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=oneshot diff --git a/flake.nix b/flake.nix index 0ce05c79..0ee2116c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -44,8 +44,8 @@ src = pkgs.fetchFromGitHub { owner = "flashbots"; repo = "dstack-mr-gcp"; - rev = "be2d37a610b6afc7b535bdf0d637935f9d4a6e96"; - sha256 = "sha256-HUs6Swj2e3KyxDjqw9XZfY6HmJ9qY2cd84iRP8xYiJ8="; + rev = "503e7c506f89f9d81be04025c90921778b26f0a4"; + sha256 = "sha256-z6STTgcOXatiqA2rlpzwRyvAwnXrK30oNDCJqtIp7/8="; }; vendorHash = "sha256-glOyRTrIF/zP78XGV+v58a1Bec6C3Fvc5c8G3PglzPM="; }; @@ -61,6 +61,7 @@ squashfsTools dosfstools e2fsprogs + mtools mustache-go cryptsetup gptfdisk @@ -89,11 +90,7 @@ devShells = builtins.listToAttrs (map (system: { name = system; value.default = pkgs.mkShell { - nativeBuildInputs = [ - (mkosi system) - measured-boot - measured-boot-gcp - ]; + nativeBuildInputs = [(mkosi system) measured-boot measured-boot-gcp]; shellHook = '' mkdir -p mkosi.packages mkosi.cache mkosi.builddir ~/.cache/mkosi touch mkosi.builddir/debian-backports.sources diff --git a/mkosi.profiles/azure/azure-complete-provisioning.service b/mkosi.profiles/azure/azure-complete-provisioning.service index 4d8866dd..bb35fe7e 100644 --- a/mkosi.profiles/azure/azure-complete-provisioning.service +++ b/mkosi.profiles/azure/azure-complete-provisioning.service @@ -1,7 +1,7 @@ [Unit] Description=Report VM is ready to Azure API -After=network.target network-setup.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=oneshot diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf b/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf deleted file mode 100644 index 6c6486e6..00000000 --- a/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -nameserver 169.254.169.254 -options edns0 trust-ad diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service index 4021437f..eb16abf9 100644 --- a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service 
+++ b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service @@ -1,8 +1,8 @@ [Unit] Description=Set hostname ConditionFirstBoot=yes -After=network.target network-setup.service -Wants=network-setup.service +After=network-online.target +Wants=network-online.target [Service] User=root diff --git a/tdx-dummy/dummy-tdx-dcap.service b/tdx-dummy/dummy-tdx-dcap.service index f3feae45..b71ab38b 100644 --- a/tdx-dummy/dummy-tdx-dcap.service +++ b/tdx-dummy/dummy-tdx-dcap.service @@ -1,7 +1,7 @@ [Unit] Description=Dummy TDX DCAP server -After=network-setup.service -Wants=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=exec From 9856bdf2f99b5a0af00bc25721adf815e447d4fd Mon Sep 17 00:00:00 2001 From: alexhulbert Date: Fri, 6 Feb 2026 16:35:27 -0500 Subject: [PATCH 05/14] Encrypt external DNS traffic / standardize Resolved/Networkd configuration --- base/debloat-systemd.sh | 4 +++- base/mkosi.extra/etc/systemd/resolved.conf | 5 ++--- bob-l1/mkosi.extra/etc/bob/firewall-config | 2 ++ bob-l1/mkosi.extra/etc/bob/toggle-config | 1 + bob-l2/mkosi.extra/etc/bob/firewall-config | 2 ++ bob-l2/mkosi.extra/etc/bob/toggle-config | 1 + mkosi.profiles/azure/mkosi.conf | 2 -- .../mkosi.extra/etc/systemd/network/99-azure-dns.network | 8 ++++++++ .../systemd/system}/azure-complete-provisioning.service | 0 .../{ => mkosi.extra/usr/bin}/azure-complete-provisioning | 0 .../mkosi.extra/etc/systemd/network/99-gcp-dns.network | 8 ++++++++ 11 files changed, 27 insertions(+), 6 deletions(-) create mode 100644 mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network rename mkosi.profiles/azure/{ => mkosi.extra/etc/systemd/system}/azure-complete-provisioning.service (100%) rename mkosi.profiles/azure/{ => mkosi.extra/usr/bin}/azure-complete-provisioning (100%) create mode 100644 mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network 
diff --git a/base/debloat-systemd.sh b/base/debloat-systemd.sh index f1559a06..2cb8f4bb 100755 --- a/base/debloat-systemd.sh +++ b/base/debloat-systemd.sh @@ -18,6 +18,7 @@ systemd_svc_whitelist=( "systemd-sysctl.service" "systemd-networkd.service" "systemd-networkd.socket" + "systemd-networkd-wait-online.service" "chrony.service" ) @@ -48,4 +49,5 @@ done mkosi-chroot systemctl add-wants minimal.target \ chrony.service \ systemd-resolved.service \ - systemd-networkd.service + systemd-networkd.service \ + systemd-networkd-wait-online.service diff --git a/base/mkosi.extra/etc/systemd/resolved.conf b/base/mkosi.extra/etc/systemd/resolved.conf index 61eeb301..479b4103 100644 --- a/base/mkosi.extra/etc/systemd/resolved.conf +++ b/base/mkosi.extra/etc/systemd/resolved.conf @@ -1,4 +1,3 @@ [Resolve] -# GCP: 169.254.169.254, Azure: 168.63.129.16 -DNS=169.254.169.254 168.63.129.16 -FallbackDNS=1.1.1.1 1.0.0.1 +FallbackDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com +DNSOverTLS=yes diff --git a/bob-l1/mkosi.extra/etc/bob/firewall-config b/bob-l1/mkosi.extra/etc/bob/firewall-config index 6355d153..7f856645 100644 --- a/bob-l1/mkosi.extra/etc/bob/firewall-config +++ b/bob-l1/mkosi.extra/etc/bob/firewall-config @@ -11,6 +11,7 @@ SEARCHER_INPUT_TCP_PORT=27018 # Well-known ports DNS_PORT=53 +DNS_OVER_TLS_PORT=853 HTTP_PORT=80 HTTPS_PORT=443 NTP_PORT=123 @@ -90,6 +91,7 @@ drop_dst_ip $CHAIN_MAINTENANCE_OUT $FLASHBOTS_TX_STREAM_1,$FLASHBOTS_TX_STREAM_2 accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)" +accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_OVER_TLS_PORT "DNS-over-TLS" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTP_PORT "HTTP" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTPS_PORT "HTTPS" diff --git a/bob-l1/mkosi.extra/etc/bob/toggle-config b/bob-l1/mkosi.extra/etc/bob/toggle-config index 9be10caa..086e17c8 100644 --- a/bob-l1/mkosi.extra/etc/bob/toggle-config 
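Review bot: `DNSOverTLS=yes` is strict mode, so every query that isn't routed to a per-link resolver fails closed until the Cloudflare certificate validates, and that validation needs a roughly correct clock plus the `ca-certificates` bundle; if chrony resolves a pool hostname through these servers, time sync and DNS can deadlock on a VM that boots with a bad clock. A comment on the `DNSOverTLS=` line about that dependency (and a check that chrony.conf uses IP literals or the cloud metadata NTP server) would make the failure mode explicit. Also confirm that `/etc/resolv.conf` in the image is the resolved stub symlink rather than a leftover file, since a plain file with nameservers takes precedence over `FallbackDNS=`. The `#cloudflare-dns.com` suffix is what makes resolved verify the server name, so keep it on both entries.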
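Review bot: The new `accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_OVER_TLS_PORT "DNS-over-TLS"` rule, like the two port-53 rules above it, allows DNS to any destination, so the encryption is a resolver-configuration choice rather than something the firewall enforces: any process in maintenance mode can still speak plaintext DNS, or DoT, to an arbitrary host on 53/853. If the intent is that only the configured resolvers are reachable, scope these rules to the resolver addresses (metadata resolver on 53, 1.1.1.1/1.0.0.1 on 853); whether `accept_dst_port` has a destination-restricted sibling isn't visible here, so that may need a helper alongside the existing `drop_dst_ip`. The same applies to the bob-l2 copy of this file further down.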
+++ b/bob-l1/mkosi.extra/etc/bob/toggle-config @@ -17,6 +17,7 @@ MAINTENANCE_ENDPOINTS=( "tcp:10022:SSH data port" "tcp:53:DNS" "udp:53:DNS" + "tcp:853:DNS-over-TLS" "tcp:80:HTTP" "tcp:443:HTTPS" "tcp:30303:EL P2P" diff --git a/bob-l2/mkosi.extra/etc/bob/firewall-config b/bob-l2/mkosi.extra/etc/bob/firewall-config index 85e7925f..30e1aebb 100644 --- a/bob-l2/mkosi.extra/etc/bob/firewall-config +++ b/bob-l2/mkosi.extra/etc/bob/firewall-config @@ -11,6 +11,7 @@ SEARCHER_INPUT_TCP_PORT=27018 # Well-known ports DNS_PORT=53 +DNS_OVER_TLS_PORT=853 HTTP_PORT=80 HTTPS_PORT=443 NTP_PORT=123 @@ -67,6 +68,7 @@ drop_dst_ip $CHAIN_MAINTENANCE_OUT "$CONFIG_SIMULATOR_IP" "Simulator (blocked in accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)" +accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_OVER_TLS_PORT "DNS-over-TLS" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTP_PORT "HTTP" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTPS_PORT "HTTPS" diff --git a/bob-l2/mkosi.extra/etc/bob/toggle-config b/bob-l2/mkosi.extra/etc/bob/toggle-config index a75e9b30..1359d2f3 100644 --- a/bob-l2/mkosi.extra/etc/bob/toggle-config +++ b/bob-l2/mkosi.extra/etc/bob/toggle-config @@ -21,6 +21,7 @@ MAINTENANCE_ENDPOINTS=( "tcp:10022:SSH data port" "tcp:53:DNS" "udp:53:DNS" + "tcp:853:DNS-over-TLS" "tcp:80:HTTP" "tcp:443:HTTPS" "tcp:40404:OP-Geth P2P" diff --git a/mkosi.profiles/azure/mkosi.conf b/mkosi.profiles/azure/mkosi.conf index b28c483a..9c28b6da 100644 --- a/mkosi.profiles/azure/mkosi.conf +++ b/mkosi.profiles/azure/mkosi.conf @@ -1,4 +1,2 @@ [Content] -SkeletonTrees=azure-complete-provisioning.service:/etc/systemd/system/azure-complete-provisioning.service -SkeletonTrees=azure-complete-provisioning:/usr/bin/azure-complete-provisioning Packages=dmidecode 
diff --git a/mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network b/mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network new file mode 100644 index 00000000..eae5e182 --- /dev/null +++ b/mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network @@ -0,0 +1,8 @@ +[Match] +Name=eth* en* + +[Network] +# Azure internal DNS +DNS=168.63.129.16 +Domains=~internal.cloudapp.net +DNSOverTLS=no diff --git a/mkosi.profiles/azure/azure-complete-provisioning.service b/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service similarity index 100% rename from mkosi.profiles/azure/azure-complete-provisioning.service rename to mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service diff --git a/mkosi.profiles/azure/azure-complete-provisioning b/mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning similarity index 100% rename from mkosi.profiles/azure/azure-complete-provisioning rename to mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network new file mode 100644 index 00000000..5bf197c1 --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network @@ -0,0 +1,8 @@ +[Match] +Name=eth* en* + +[Network] +# GCP internal DNS +DNS=169.254.169.254 +Domains=~internal ~google.internal +DNSOverTLS=no From 7fb00db65c9a59d7bb67e70db417f499ac52138b Mon Sep 17 00:00:00 2001 From: alexhulbert Date: Wed, 11 Feb 2026 20:10:43 -0500 Subject: [PATCH 06/14] Update mkosi --- bob-l1.conf | 2 +- bob-l2.conf | 2 +- flake.lock | 6 +++--- flake.nix | 36 ++++++++++++++++++++++++++++++++++-- 4 files changed, 39 insertions(+), 7 deletions(-) diff --git a/bob-l1.conf b/bob-l1.conf index 207015fb..0f26cd46 100644 --- a/bob-l1.conf +++ b/bob-l1.conf 
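Review bot: `99-gcp-dns.network` (and `99-azure-dns.network` earlier in this patch) uses the same `[Match] Name=eth* en*` as the base `10-ethernet.network`, and networkd applies only the first .network file that matches a link in lexical order, so unless the profile removes the base file these `DNS=`/`Domains=`/`DNSOverTLS=no` settings are never applied; combined with `UseDNS=no` on DHCPv4 that would leave GCP with no resolver for `.internal` names, which would instead go to Cloudflare over TLS and fail. Ship the per-cloud settings as a drop-in that merges into the base file, e.g. `/etc/systemd/network/10-ethernet.network.d/gcp-dns.conf` holding only the `[Network]` section shown here (a drop-in needs no `[Match]`). `~google.internal` is also redundant given `~internal`, and since DHCP search domains are no longer imported, bare instance names will not resolve unless `Domains=` gains a non-routing entry, though that is a policy choice.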
@@ -7,7 +7,7 @@ Include=bob-l1/mkosi.conf Profiles=azure,gcp [Distribution] -Mirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/ +Snapshot=20251113T083151Z [Build] ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/ diff --git a/bob-l2.conf b/bob-l2.conf index 80690614..1900d3dc 100644 --- a/bob-l2.conf +++ b/bob-l2.conf @@ -7,7 +7,7 @@ Include=bob-l2/mkosi.conf Profiles=gcp [Distribution] -Mirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/ +Snapshot=20251113T083151Z [Build] ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/ diff --git a/flake.lock b/flake.lock index 7dcb42b7..0c6ae986 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1746904237, - "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", + "lastModified": 1769170682, + "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", + "rev": "c5296fdd05cfa2c187990dd909864da9658df755", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 0ee2116c..3a9a9f04 100644 --- a/flake.nix +++ b/flake.nix @@ -51,7 +51,7 @@ }; mkosi = system: let pkgsForSystem = import nixpkgs {inherit system;}; - mkosi-unwrapped = pkgsForSystem.mkosi.override { + mkosi-unwrapped = (pkgsForSystem.mkosi.override { extraDeps = with pkgsForSystem; [ apt 
@@ -74,7 +74,39 @@ jq ] ++ [reprepro]; - }; + }).overrideAttrs (old: { + src = pkgsForSystem.fetchFromGitHub { + owner = "alexhulbert"; + repo = "mkosi"; + rev = "1c15276e3bdb379bd62629420a55eae4a4091b24"; + hash = "sha256-N7P39o2FyGvbnVU7SQadF19WFTTNzSf2iLprYIUwYY8="; + }; + patches = let + # TODO: remove the hunk from nixpkgs and remove this hack + # Newest mkosi adds nix store paths to PATH dynamically + # so this patch hunk in nixpkgs is no longer needed + patchWithoutFinalizePath = pkgsForSystem.runCommandLocal "mkosi-patch-fixed" {} '' + ${pkgsForSystem.gawk}/bin/awk ' + /^@@ .* finalize_path\(/ { skip=1; next } + skip && /^(@@|diff )/ { skip=0 } + !skip + ' ${builtins.elemAt old.patches 0} > $out + ''; + in [patchWithoutFinalizePath] ++ builtins.tail old.patches; + postFixup = (old.postFixup or "") + '' + # Fix mkosi-sandbox: Nix wraps console_scripts entry points via + # "from mkosi.sandbox import main", so __name__ in sandbox.py is + # "mkosi.sandbox" not "__main__", breaking is_main() checks. + # Use runpy to run the module as __main__ instead. + substituteInPlace $out/bin/.mkosi-sandbox-wrapped \ + --replace-fail \ + 'from mkosi.sandbox import main' \ + 'import runpy' \ + --replace-fail \ + $'sys.argv[0] = re.sub(r"(-script\\.pyw|\\.exe)?$", "", sys.argv[0])\n sys.exit(main())' \ + 'runpy.run_module("mkosi.sandbox", run_name="__main__", alter_sys=True)' + ''; + }); in # Create a wrapper script that runs mkosi with unshare # Unshare is needed to create files owned by multiple uids/gids From cf40c33a8c062a9a15691573ba75f16e163b4455 Mon Sep 17 00:00:00 2001 
From: alexhulbert Date: Wed, 11 Feb 2026 20:11:17 -0500 Subject: [PATCH 07/14] Move base scripts to mkosi.*.d dirs --- base/mkosi.conf | 9 +++------ .../10-remove-image-version.sh} | 0 base/{debloat.sh => mkosi.finalize.d/90-debloat.sh} | 0 base/{efi-stub.sh => mkosi.postinst.d/10-efi-stub.sh} | 0 .../90-debloat-systemd.sh} | 0 .../10-add-backports.sh} | 0 .../20-normalize-umask.sh} | 0 7 files changed, 3 insertions(+), 6 deletions(-) rename base/{remove-image-version.sh => mkosi.finalize.d/10-remove-image-version.sh} (100%) rename base/{debloat.sh => mkosi.finalize.d/90-debloat.sh} (100%) rename base/{efi-stub.sh => mkosi.postinst.d/10-efi-stub.sh} (100%) rename base/{debloat-systemd.sh => mkosi.postinst.d/90-debloat-systemd.sh} (100%) rename base/{add-backports.sh => mkosi.sync.d/10-add-backports.sh} (100%) rename base/{normalize-umask.sh => mkosi.sync.d/20-normalize-umask.sh} (100%) diff --git a/base/mkosi.conf b/base/mkosi.conf index 427bb721..7666342f 100644 --- a/base/mkosi.conf +++ b/base/mkosi.conf @@ -20,12 +20,9 @@ SourceDateEpoch=0 KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target ExtraTrees=base/mkosi.extra BuildScripts=kernel/mkosi.build -PostInstallationScripts=base/debloat-systemd.sh -PostInstallationScripts=base/efi-stub.sh -SyncScripts=base/add-backports.sh -FinalizeScripts=base/debloat.sh -FinalizeScripts=base/remove-image-version.sh -SyncScripts=base/normalize-umask.sh +SyncScripts=base/mkosi.sync.d/* +PostInstallationScripts=base/mkosi.postinst.d/* +FinalizeScripts=base/mkosi.finalize.d/* CleanPackageMetadata=true Packages=kmod diff --git a/base/remove-image-version.sh b/base/mkosi.finalize.d/10-remove-image-version.sh similarity index 100% rename from base/remove-image-version.sh rename to base/mkosi.finalize.d/10-remove-image-version.sh 
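Review bot: The new `SyncScripts=base/mkosi.sync.d/*`, `PostInstallationScripts=base/mkosi.postinst.d/*` and `FinalizeScripts=base/mkosi.finalize.d/*` globs rely on the numeric prefixes (10-, 20-, 90-) being honoured in order; if mkosi expands these globs without sorting, `90-debloat.sh` could run before `10-remove-image-version.sh`. A one-line comment stating the assumption (`# scripts run in lexical order: 10-… before 90-…`) plus a quick check that mkosi sorts glob matches would make this safe to rely on. The glob also picks up any stray file dropped into those directories (editor backups, `*.orig`), which a `*.sh` pattern would avoid.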
diff --git a/base/debloat.sh b/base/mkosi.finalize.d/90-debloat.sh similarity index 100% rename from base/debloat.sh rename to base/mkosi.finalize.d/90-debloat.sh diff --git a/base/efi-stub.sh b/base/mkosi.postinst.d/10-efi-stub.sh similarity index 100% rename from base/efi-stub.sh rename to base/mkosi.postinst.d/10-efi-stub.sh diff --git a/base/debloat-systemd.sh b/base/mkosi.postinst.d/90-debloat-systemd.sh similarity index 100% rename from base/debloat-systemd.sh rename to base/mkosi.postinst.d/90-debloat-systemd.sh diff --git a/base/add-backports.sh b/base/mkosi.sync.d/10-add-backports.sh similarity index 100% rename from base/add-backports.sh rename to base/mkosi.sync.d/10-add-backports.sh diff --git a/base/normalize-umask.sh b/base/mkosi.sync.d/20-normalize-umask.sh similarity index 100% rename from base/normalize-umask.sh rename to base/mkosi.sync.d/20-normalize-umask.sh From 7d373b1a912b90300e37cec3af3eeaf8a4967443 Mon Sep 17 00:00:00 2001 From: alexhulbert Date: Tue, 17 Feb 2026 19:23:33 -0500 Subject: [PATCH 08/14] Remove hacky nix packages, update to latest mkosi --- flake.nix | 38 +++++++++++--------------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/flake.nix b/flake.nix index 3a9a9f04..5975112d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -76,35 +76,19 @@
 ++ [reprepro];
 }).overrideAttrs (old: {
 src = pkgsForSystem.fetchFromGitHub {
- owner = "alexhulbert";
+ owner = "systemd";
 repo = "mkosi";
- rev = "1c15276e3bdb379bd62629420a55eae4a4091b24";
- hash = "sha256-N7P39o2FyGvbnVU7SQadF19WFTTNzSf2iLprYIUwYY8=";
+ rev = "df51194bc2d890d4c267af644a1832d2d53339ac";
+ hash = "sha256-rGGzE9xIR8WvK07GBnaAmeLpmnM3Uy51wqyrmuHuWXo=";
 };
- patches = let
- # TODO: remove the hunk from nixpkgs and remove this hack
- # Newest mkosi adds nix store paths to PATH dynamically
- # so this patch hunk in nixpkgs is no longer needed
- patchWithoutFinalizePath = pkgsForSystem.runCommandLocal "mkosi-patch-fixed" {} ''
- ${pkgsForSystem.gawk}/bin/awk '
- /^@@ .* finalize_path\(/ { skip=1; next }
- skip && /^(@@|diff )/ { skip=0 }
- !skip
- ' ${builtins.elemAt old.patches 0} > $out
- '';
- in [patchWithoutFinalizePath] ++ builtins.tail old.patches;
- postFixup = (old.postFixup or "") + ''
- # Fix mkosi-sandbox: Nix wraps console_scripts entry points via
- # "from mkosi.sandbox import main", so __name__ in sandbox.py is
- # "mkosi.sandbox" not "__main__", breaking is_main() checks.
- # Use runpy to run the module as __main__ instead.
- substituteInPlace $out/bin/.mkosi-sandbox-wrapped \
- --replace-fail \
- 'from mkosi.sandbox import main' \
- 'import runpy' \
- --replace-fail \
- $'sys.argv[0] = re.sub(r"(-script\\.pyw|\\.exe)?$", "", sys.argv[0])\n sys.exit(main())' \
- 'runpy.run_module("mkosi.sandbox", run_name="__main__", alter_sys=True)'
+ # TODO: remove these patch hunks from upstream nixpkgs next time mkosi has a release
+ # The latest mkosi doesn't need them
+ patches = pkgs.lib.drop 2 old.patches;
+ postPatch = let fd = "${pkgs.patchutils}/bin/filterdiff"; in ''
+ { ${fd} -x '*/run.py' --hunks=x2 ${builtins.elemAt old.patches 0}
+ ${fd} -i '*/run.py' --hunks=x1-2 ${builtins.elemAt old.patches 0}
+ ${fd} --hunks=x1 ${builtins.elemAt old.patches 1}
+ } | patch -p1
 '';
 });
 in
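Review bot: `postPatch` and `patches = pkgs.lib.drop 2 old.patches` depend on the position and count of nixpkgs' patch list and on fixed hunk numbers (`x2`, `x1-2`, `x1`), and the failure mode when nixpkgs moves is silent: `lib.drop` on a shorter list yields `[]`, and `filterdiff` prints nothing for a hunk index that no longer exists, so the build would continue with a mis-patched mkosi. A guard such as `old: assert builtins.length old.patches >= 2; { … }` around the attribute set (or `lib.assertMsg` on the expected patch file names) would turn the next nixpkgs bump into an explicit evaluation error, which is what the TODO comment is already asking for. The new lines also take `lib` and `patchutils` from `pkgs` while `src` a few lines above uses `pkgsForSystem`; if the two package sets can differ, `pkgsForSystem` is presumably the intended one.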
From 83a1456bfe52d13826d45ace901cd84552c9a9c8 Mon Sep 17 00:00:00 2001 From: alexhulbert Date: Tue, 17 Feb 2026 20:52:42 -0500 Subject: [PATCH 09/14] Debian-archive-keyring is no longer needed from host --- base/mkosi.conf | 2 +- base/mkosi.sync.d/10-add-backports.sh | 18 ------------------ base/mkosi.sync.d/10-setup-apt.sh | 17 +++++++++++++++++ bob-l1.conf | 3 --- bob-l2.conf | 3 --- flake.nix | 2 +- scripts/setup_deps.sh | 4 +--- 7 files changed, 20 insertions(+), 29 deletions(-) delete mode 100755 base/mkosi.sync.d/10-add-backports.sh create mode 100755 base/mkosi.sync.d/10-setup-apt.sh diff --git a/base/mkosi.conf b/base/mkosi.conf index 7666342f..cd501cc2 100644 --- a/base/mkosi.conf +++ b/base/mkosi.conf @@ -5,7 +5,7 @@ Release=trixie [Build] PackageCacheDirectory=mkosi.cache -SandboxTrees=mkosi.builddir/debian-backports.sources:/etc/apt/sources.list.d/debian-backports.sources +SandboxTrees=mkosi.builddir/mkosi.sources:/etc/apt/sources.list.d/mkosi.sources Environment=KERNEL_IMAGE KERNEL_VERSION WithNetwork=true diff --git a/base/mkosi.sync.d/10-add-backports.sh b/base/mkosi.sync.d/10-add-backports.sh deleted file mode 100755 index c14a8bfc..00000000 --- a/base/mkosi.sync.d/10-add-backports.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -# The mkosi sandbox environment should have a debian backports source list -# that matches the archive timestamp of the main release. -# See https://github.com/systemd/mkosi/issues/1755 -MIRROR=$(jq -r .Mirror /work/config.json) -if [ "$MIRROR" = "null" ]; then - MIRROR="http://deb.debian.org/debian" -fi - -cat > "$SRCDIR/mkosi.builddir/debian-backports.sources" < "$SRCDIR/mkosi.builddir/mkosi.sources" </dev/null 2>&1 || missing+=("debian-archive-keyring") - if cmd_exists systemctl; then version=$(systemctl --version | head -1 | awk '{print $2}') [ "$version" -ge 250 ] || err "systemd 250+ required (current: $version). $LIMA_MSG" 
@@ -55,7 +53,7 @@ fi
 apt_pkgs=()
 for dep in "${missing[@]}"; do
- [[ "$dep" == "curl" || "$dep" == "debian-archive-keyring" || "$dep" == "qemu-utils" || "$dep" == "uidmap" ]] && apt_pkgs+=("$dep")
+ [[ "$dep" == "curl" || "$dep" == "qemu-utils" || "$dep" == "uidmap" ]] && apt_pkgs+=("$dep")
 done
 if [ ${#apt_pkgs[@]} -gt 0 ]; then
From fe4af99b3439213ca1f8d4de254c09e9c4b5ba08 Mon Sep 17 00:00:00 2001
From: alexhulbert
Date: Wed, 18 Feb 2026 21:08:36 -0500
Subject: [PATCH 10/14] Compatibility with L2 branch build scripts
---
scripts/build_rust_package.sh | 15 ++++++++++++---
scripts/make_git_package.sh | 14 +++++++++++---
2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/scripts/build_rust_package.sh b/scripts/build_rust_package.sh
index e38f412a..7cbd08fa 100755
--- a/scripts/build_rust_package.sh
+++ b/scripts/build_rust_package.sh
@@ -7,6 +7,7 @@ build_rust_package() {
 local provided_binary="${4:-}"
 local extra_features="${5:-}"
 local extra_rustflags="${6:-}"
+ local cargo_package="${7:-$package}"
 local dest_path="$DESTDIR/usr/bin/$package"
 mkdir -p "$DESTDIR/usr/bin"
@@ -19,7 +20,8 @@ build_rust_package() {
 fi
 # If binary is cached, skip compilation
- local cached_binary="$BUILDDIR/${package}-${version}"
+ local safe_version="${version//\//_}"
+ local cached_binary="$BUILDDIR/${package}-${safe_version}"
 if [ -f "$cached_binary" ]; then
 echo "Using cached binary for $package version $version"
 cp "$cached_binary" "$dest_path"
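Review bot: The cache key `$BUILDDIR/${package}-${safe_version}` is only as stable as `$version`, and the slash substitution shows branch names are expected here; a branch (or a re-pointed tag) that moves keeps hitting the stale cached binary, and nothing records which commit the cached artifact was built from. Keying the cache on the resolved commit (for example `git ls-remote "$git_url" "$version"` before the cache check, or folding `git -C "$build_dir" rev-parse HEAD` into the cache name after cloning) would make the cache and the "reproducibility" comment in the next hunk hold for branch builds too. The enclosing function continues outside the hunk, and the same key construction is introduced for `cache_dir` in `make_git_package.sh` further down.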
@@ -29,7 +31,14 @@ build_rust_package() {
 # Clone the repository
 local build_dir="$BUILDROOT/build/$package"
 mkdir -p "$build_dir"
- git clone --depth 1 --branch "$version" "$git_url" "$build_dir"
+ if [ -f "$BUILDDIR/.ghtoken" ]; then
+ git_url="${git_url/#https:\/\/github.com/https:\/\/x-access-token:$(cat "$BUILDDIR/.ghtoken")@github.com}"
+ fi
+ git clone --depth 1 --branch "$version" "$git_url" "$build_dir" || (
+ echo "Could not clone branch/tag, attempting to checkout the commit by sha"
+ git clone "$git_url" "$build_dir" &&
+ git -C "$build_dir" checkout "$version"
+ )
 # Define Rust flags for reproducibility
 local rustflags=(
@@ -50,7 +59,7 @@ build_rust_package() {
 CARGO_TERM_COLOR='never'
 cd '/build/$package'
 cargo fetch
- cargo build --release --frozen ${extra_features:+--features $extra_features}
+ cargo build --release --frozen ${extra_features:+--features $extra_features} --package $cargo_package
 "
 # Cache and install the built binary
diff --git a/scripts/make_git_package.sh b/scripts/make_git_package.sh
index 5771e162..f037bfa5 100644
--- a/scripts/make_git_package.sh
+++ b/scripts/make_git_package.sh
@@ -10,8 +10,9 @@ make_git_package() {
 # All remaining arguments are artifact mappings in src:dest format
 mkdir -p "$DESTDIR/usr/bin"
- local cache_dir="$BUILDDIR/${package}-${version}"
-
+ local safe_version="${version//\//_}"
+ local cache_dir="$BUILDDIR/${package}-${safe_version}"
+
 # Use cached artifacts if available
 if [ -n "$cache_dir" ] && [ -d "$cache_dir" ] && [ "$(ls -A "$cache_dir" 2>/dev/null)" ]; then
 echo "Using cached artifacts for $package version $version"
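Review bot: Splicing the token from `$BUILDDIR/.ghtoken` into `git_url` puts it on the `git clone` command line (visible in the process list and in any `set -x` trace of the build) and git then persists that URL as `remote.origin.url` in `$build_dir/.git/config`; because `build_dir` is `$BUILDROOT/build/$package`, inside the image tree, the token ends up in the artifact unless `/build` is stripped before finalization, which this hunk does not show. Supplying the credential through a helper keeps it out of both places, e.g. `git -c credential.helper='!f() { echo username=x-access-token; echo "password=$(cat "$BUILDDIR/.ghtoken")"; }; f' clone …` for both clone calls with `git_url` left untouched (the helper needs `BUILDDIR` in its environment). The `|| ( … )` fallback also leaves the function running with an empty or partial `$build_dir` when the second clone or the checkout fails, unless `set -e` is in force further up outside the hunk; `|| return 1` after the group would make that explicit. `make_git_package.sh` in the hunk below adds the identical construction and needs the same treatment.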
@@ -32,7 +33,14 @@ make_git_package() {
 # Build from source
 local build_dir="$BUILDROOT/build/$package"
- git clone --depth 1 --branch "$version" "$git_url" "$build_dir"
+ if [ -f "$BUILDDIR/.ghtoken" ]; then
+ git_url="${git_url/#https:\/\/github.com/https:\/\/x-access-token:$(cat "$BUILDDIR/.ghtoken")@github.com}"
+ fi
+ git clone --depth 1 --branch "$version" "$git_url" "$build_dir" || (
+ echo "Could not clone branch/tag, attempting to checkout the commit by sha"
+ git clone "$git_url" "$build_dir" &&
+ git -C "$build_dir" checkout "$version"
+ )
 mkosi-chroot bash -c "cd '/build/$package' && $build_cmd"
 # Copy artifacts to image and cache
From 41a5042359bff0a10e5b6cba99a043005283a947 Mon Sep 17 00:00:00 2001
From: alexhulbert
Date: Mon, 2 Feb 2026 21:31:44 -0500
Subject: [PATCH 11/14] Add folder for custom gitignored developer files
---
DEVELOPMENT.md | 25 +++++++++++++++++++++++
mkosi.profiles/devtools/custom/.gitignore | 3 +++
mkosi.profiles/devtools/mkosi.conf | 1 +
mkosi.profiles/devtools/mkosi.postinst | 3 +++
4 files changed, 32 insertions(+)
create mode 100644 mkosi.profiles/devtools/custom/.gitignore
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 9217d529..77415a1e 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -15,6 +15,7 @@ This comprehensive guide covers everything you need to know about developing wit
 - [Freezing to Debian Archive Snapshots](#freezing-to-debian-archive-snapshots)
 - [Testing for Reproducibility](#testing-for-reproducibility)
 - [Creating Debian Packages](#creating-debian-packages)
+- [Custom Developer Files](#custom-developer-files)
 - [Debugging and Troubleshooting](#debugging-and-troubleshooting)
 ## Project Structure
@@ -625,6 +626,30 @@ For systems without systemd v250+ or where Nix installation isn't feasible, you
 > Replace "btrfs" with your chosen storage driver
 5. Run the desired `mkosi` command inside the shell Podman environment
+## Custom Developer Files
+
+When building with the `devtools` profile, you can add your own custom files to the image without committing them to git. This is useful for adding personal SSH keys, configuration files, or debugging tools during development.
+
+### Adding Custom Files
+
+Place files in `mkosi.profiles/devtools/custom/` mirroring the filesystem structure you want:
+
+```bash
+# Add your SSH authorized keys
+mkdir -p mkosi.profiles/devtools/custom/root/.ssh
+cp ~/.ssh/id_rsa.pub mkosi.profiles/devtools/custom/root/.ssh/authorized_keys
+
+# Add a custom configuration file
+mkdir -p mkosi.profiles/devtools/custom/etc
+echo "my_setting=value" > mkosi.profiles/devtools/custom/etc/myconfig.conf
+
+# Add a debugging script
+mkdir -p mkosi.profiles/devtools/custom/usr/local/bin
+cp my-debug-script.sh mkosi.profiles/devtools/custom/usr/local/bin/
+```
+
+Files placed here will be copied into the image (like any other `ExtraTrees` directory) but will be ignored by git, so they won't be accidentally committed.
+
 ## Debugging and Troubleshooting
 ### mkosi Debugging
diff --git a/mkosi.profiles/devtools/custom/.gitignore b/mkosi.profiles/devtools/custom/.gitignore
new file mode 100644
index 00000000..38e31890
--- /dev/null
+++ b/mkosi.profiles/devtools/custom/.gitignore
@@ -0,0 +1,3 @@
+# Ignore everything in this directory except .gitignore
+*
+!.gitignore
diff --git a/mkosi.profiles/devtools/mkosi.conf b/mkosi.profiles/devtools/mkosi.conf
index c720603f..512ac25c 100644
--- a/mkosi.profiles/devtools/mkosi.conf
+++ b/mkosi.profiles/devtools/mkosi.conf
@@ -1,5 +1,6 @@
 [Content]
 ExtraTrees=mkosi.extra
+ custom
 Packages=adjtimex
 apt
diff --git a/mkosi.profiles/devtools/mkosi.postinst b/mkosi.profiles/devtools/mkosi.postinst
index 98af4442..cc0db73b 100755
--- a/mkosi.profiles/devtools/mkosi.postinst
+++ b/mkosi.profiles/devtools/mkosi.postinst
@@ -7,6 +7,9 @@ HASH=$(mkosi-chroot openssl passwd -6 -salt salt "$PASSWORD")
 mkosi-chroot passwd -u root
 mkosi-chroot usermod -p "$HASH" root
+# Remove git files in custom/ folder
+mkosi-chroot rm /.gitignore /.gitkeep || true
+
 if [ -f "$BUILDROOT/etc/default/dropbear" ]; then
 # Remove -s, -w, -g flags from dropbear args
 sed -i '/^DROPBEAR_EXTRA_ARGS=/s/-[swg] \?//g' "$BUILDROOT/etc/default/dropbear"
From bf3ab5badd8dc744f8bf1bb50f2bd6c7593e6d52 Mon Sep 17 00:00:00 2001
From: alexhulbert
Date: Fri, 20 Feb 2026 00:33:19 -0500
Subject: [PATCH 12/14] Add custom dev directory for postinst files using new glob exprs
---
mkosi.profiles/devtools/custom.postinst.d/.gitignore | 3 +++
mkosi.profiles/devtools/mkosi.conf | 1 +
2 files changed, 4 insertions(+)
create mode 100644 mkosi.profiles/devtools/custom.postinst.d/.gitignore
diff --git a/mkosi.profiles/devtools/custom.postinst.d/.gitignore b/mkosi.profiles/devtools/custom.postinst.d/.gitignore
new file mode 100644
index 00000000..38e31890
--- /dev/null
+++ b/mkosi.profiles/devtools/custom.postinst.d/.gitignore
@@ -0,0 +1,3 @@
+# Ignore everything in this directory except .gitignore
+*
+!.gitignore
diff --git a/mkosi.profiles/devtools/mkosi.conf b/mkosi.profiles/devtools/mkosi.conf
index 512ac25c..747bca08 100644
--- a/mkosi.profiles/devtools/mkosi.conf
+++ b/mkosi.profiles/devtools/mkosi.conf
@@ -1,6 +1,7 @@
 [Content]
 ExtraTrees=mkosi.extra
 custom
+PostInstallationScripts=custom.postinst.d/*.sh
 Packages=adjtimex
 apt
From 51f1a42429b532c1234ed7f2a437ac4eee2e8f02 Mon Sep 17 00:00:00 2001
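Review bot: `mkosi-chroot rm /.gitignore /.gitkeep || true` hides every failure of the command, not just a missing operand, and since only `custom/.gitignore` is added by this commit the `/.gitkeep` operand always errors, so the `|| true` is doing real work on every build; `mkosi-chroot rm -f /.gitignore /.gitkeep` gives the intended ignore-if-absent behaviour while still failing on a genuine error, and a comment such as `# ExtraTrees copies custom/ verbatim, so its .gitignore lands in / and has to be removed` would explain why the file is there at all. On the context line above, `openssl passwd -6 -salt salt` fixes the salt, so every image built from the same password carries the same hash; omitting `-salt` lets openssl generate a random one — pre-existing, not introduced here.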
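Review bot: `PostInstallationScripts=custom.postinst.d/*.sh` executes whatever untracked scripts a developer drops into that directory, with the same access to `$BUILDROOT` as the tracked `mkosi.postinst`, and nothing in the build output records that it happened. A comment next to the line, e.g. `# developer-local and git-ignored: scripts here run against the image tree at build time and are not part of the reproducible build`, would make the trust boundary clear, and a devtools image built with anything in that directory should not be treated as matching a committed revision.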
From: alexhulbert
Date: Fri, 20 Feb 2026 00:34:20 -0500
Subject: [PATCH 13/14] Use systemd conditional param to remove need for if statement
---
mkosi.profiles/azure/mkosi.conf | 1 -
.../etc/systemd/system/azure-complete-provisioning.service | 1 +
.../azure/mkosi.extra/usr/bin/azure-complete-provisioning | 5 -----
3 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/mkosi.profiles/azure/mkosi.conf b/mkosi.profiles/azure/mkosi.conf
index 9c28b6da..9ec84e2e 100644
--- a/mkosi.profiles/azure/mkosi.conf
+++ b/mkosi.profiles/azure/mkosi.conf
@@ -1,2 +1 @@
 [Content]
-Packages=dmidecode
diff --git a/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service b/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service
index bb35fe7e..70fe33db 100644
--- a/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service
+++ b/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=Report VM is ready to Azure API
+ConditionVirtualization=microsoft
 After=network-online.target
 Wants=network-online.target
diff --git a/mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning b/mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning
index c4dce969..ca89c5b4 100755
--- a/mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning
+++ b/mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning
@@ -4,11 +4,6 @@
 set -e
-if ! dmidecode -s system-manufacturer 2>/dev/null | grep -q "Microsoft Corporation"; then
- echo "Not running on Azure, skipping provisioning"
- exit 0
-fi
-
 attempts=1
 retrieved_goal_state=false
 until [ "$attempts" -gt 5 ]
From 87a71af411decd812ccb6efb1784761deaacb63e Mon Sep 17 00:00:00 2001
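Review bot: `ConditionVirtualization=microsoft` matches any Hyper-V guest rather than Azure specifically, which is the same breadth the removed `dmidecode -s system-manufacturer` check had, so behaviour is preserved but the intent is now implicit; a comment above the line, `# Hyper-V (which includes Azure); replaces the dmidecode check that used to live in the script`, would keep that visible. A failed condition leaves the unit skipped rather than failed, so an image that never reports readiness on a non-Hyper-V platform will not surface as an error — worth a sentence in the profile's documentation if that is the intended outcome.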
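Review bot: With the platform check removed, `azure-complete-provisioning` has no guard of its own, so running it by hand or from anything other than this unit on a non-Azure host goes straight into the goal-state retry loop; the loop body continues outside the hunk. A header comment such as `# Platform gating lives in azure-complete-provisioning.service (ConditionVirtualization=microsoft); do not run this outside that unit` would document the new contract.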
From: alexhulbert
Date: Fri, 20 Feb 2026 00:34:51 -0500
Subject: [PATCH 14/14] Backport misc. fixes from L2 branch
---
.gitignore | 3 +++
base/mkosi.finalize.d/90-debloat.sh | 6 ++++++
mkosi.profiles/devtools/mkosi.conf | 6 ++++++
3 files changed, 15 insertions(+)
diff --git a/.gitignore b/.gitignore
index 483e4b6e..2c11510d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 build/
+build.*/
 mkosi/
 env.json
 mkosi.packages/
@@ -8,4 +9,6 @@ mkosi.builddir/
 .claudesync/
 .claudeignore
 tmp/
+.temp
 NvVars
+.vscode
diff --git a/base/mkosi.finalize.d/90-debloat.sh b/base/mkosi.finalize.d/90-debloat.sh
index ffe0416a..582889aa 100755
--- a/base/mkosi.finalize.d/90-debloat.sh
+++ b/base/mkosi.finalize.d/90-debloat.sh
@@ -1,6 +1,11 @@
 #!/bin/bash
 set -euo pipefail
+# Ensure deterministic ordering of uid and gids before debloating
+# See Debian issue #963788
+mkosi-chroot pwck --sort >/dev/null
+mkosi-chroot grpck --sort >/dev/null
+
 # Remove all logs and cache, but keep directory structure intact
 find "$BUILDROOT/var/log" -type f -delete
 find "$BUILDROOT/var/cache" -type f -delete
@@ -33,6 +38,7 @@ debloat_paths=(
 "/usr/lib/systemd/user-generators"
 "/usr/lib/pcrlock.d"
 "/usr/lib/tmpfiles.d"
+ "/var/lib/ucf"
 "/etc/credstore"
 "/nix"
 )
diff --git a/mkosi.profiles/devtools/mkosi.conf b/mkosi.profiles/devtools/mkosi.conf
index 747bca08..c7eb8d59 100644
--- a/mkosi.profiles/devtools/mkosi.conf
+++ b/mkosi.profiles/devtools/mkosi.conf
@@ -8,12 +8,18 @@ Packages=adjtimex
 bash-completion
 curl
 dnsutils
+ iftop
+ iotop
 iputils-ping
+ jq
 net-tools
 netcat-openbsd
 openssh-server
+ screen
 socat
 strace
 tcpdump
 tcpflow
 vim
+ wget
+ zstd