flashbots · alexhulbert · Feb 4, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.dockerignore b/.dockerignore
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 build/
+build.*/
 mkosi/
 env.json
 mkosi.packages/
@@ -8,4 +9,6 @@ mkosi.builddir/
 .claudesync/
 .claudeignore
 tmp/
+.temp
 NvVars
+.vscode
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -15,6 +15,7 @@ This comprehensive guide covers everything you need to know about developing wit
 - [Freezing to Debian Archive Snapshots](#freezing-to-debian-archive-snapshots)
 - [Testing for Reproducibility](#testing-for-reproducibility)
 - [Creating Debian Packages](#creating-debian-packages)
+- [Custom Developer Files](#custom-developer-files)
 - [Debugging and Troubleshooting](#debugging-and-troubleshooting)
 
 ## Project Structure
@@ -276,8 +277,8 @@ systemd services are the primary way to run applications in Flashboxes. Here's h
 ```ini
 [Unit]
 Description=My Application
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 Type=simple
@@ -354,8 +355,8 @@ Conflicts=apache2.service
 ```ini
 [Unit]
 # Network is available
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 
 # Persistent storage is mounted
 After=persistent-mount.service
@@ -365,24 +366,14 @@ Requires=persistent-mount.service
 After=basic.target
 ```
 
-### Enabling Services
+### Enabling Packaged Services
 
-**In `mkosi.postinst` script**:
-```bash
-#!/bin/bash
-set -euxo pipefail
-
-# Enable service
-mkosi-chroot systemctl enable myapp.service
+To enable a service installed with a Debian package, add the following to your `mkosi.postinst` script:
 
-# Create symlink for minimal.target
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-ln -sf "/etc/systemd/system/myapp.service" \
-    "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+```bash
+mkosi-chroot systemctl add-wants minimal.target myapp.service
 ```
 
-For comprehensive systemd options, see: [systemd Service Documentation](https://www.freedesktop.org/software/systemd/man/systemd.service.html)
-
 ## Extending Built-in systemd Services
 
 Sometimes you need to modify existing systemd services rather than creating new ones.
@@ -543,8 +534,7 @@ chown myapp:myapp /etc/myapp/config.conf
 chmod 600 /etc/myapp/config.conf
 
 # Enable systemd service
-systemctl enable myapp.service || true
-systemctl start myapp.service || true
+mkosi-chroot systemctl add-wants minimal.target myapp.service || true
 
 exit 0
 ```
@@ -636,6 +626,30 @@ For systems without systemd v250+ or where Nix installation isn't feasible, you
    > Replace "btrfs" with your chosen storage driver
 5. Run the desired `mkosi` command inside the shell Podman environment
 
+## Custom Developer Files
+
+When building with the `devtools` profile, you can add your own custom files to the image without committing them to git. This is useful for adding personal SSH keys, configuration files, or debugging tools during development.
+
+### Adding Custom Files
+
+Place files in `mkosi.profiles/devtools/custom/` mirroring the filesystem structure you want:
+
+```bash
+# Add your SSH authorized keys
+mkdir -p mkosi.profiles/devtools/custom/root/.ssh
+cp ~/.ssh/id_rsa.pub mkosi.profiles/devtools/custom/root/.ssh/authorized_keys
+
+# Add a custom configuration file
+mkdir -p mkosi.profiles/devtools/custom/etc
+echo "my_setting=value" > mkosi.profiles/devtools/custom/etc/myconfig.conf
+
+# Add a debugging script
+mkdir -p mkosi.profiles/devtools/custom/usr/local/bin
+cp my-debug-script.sh mkosi.profiles/devtools/custom/usr/local/bin/
+```
+
+Files placed here will be copied into the image (like any other `ExtraTrees` directory) but will be ignored by git, so they won't be accidentally committed.
+
 ## Debugging and Troubleshooting
 
 ### mkosi Debugging

diff --git a/Dockerfile b/Dockerfile
diff --git a/base/add-backports.sh b/base/add-backports.sh
diff --git a/base/mkosi.conf b/base/mkosi.conf
@@ -5,7 +5,7 @@ Release=trixie
 
 [Build]
 PackageCacheDirectory=mkosi.cache
-SandboxTrees=mkosi.builddir/debian-backports.sources:/etc/apt/sources.list.d/debian-backports.sources
+SandboxTrees=mkosi.builddir/mkosi.sources:/etc/apt/sources.list.d/mkosi.sources
 Environment=KERNEL_IMAGE KERNEL_VERSION
 WithNetwork=true
 
@@ -17,27 +17,24 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 
 [Content]
 SourceDateEpoch=0
-KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
-SkeletonTrees=base/mkosi.skeleton
+KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target
+ExtraTrees=base/mkosi.extra
 BuildScripts=kernel/mkosi.build
-PostInstallationScripts=base/debloat-systemd.sh
-PostInstallationScripts=base/efi-stub.sh
-SyncScripts=base/add-backports.sh
-FinalizeScripts=base/debloat.sh
-FinalizeScripts=base/remove-image-version.sh
-SyncScripts=base/normalize-umask.sh
+SyncScripts=base/mkosi.sync.d/*
+PostInstallationScripts=base/mkosi.postinst.d/*
+FinalizeScripts=base/mkosi.finalize.d/*
 
 CleanPackageMetadata=true
 Packages=kmod
          systemd
+         systemd-resolved
          systemd-boot-efi
          busybox
          util-linux
          procps
          ca-certificates
          openssl
          iproute2
-         udhcpc
          e2fsprogs
          chrony
 BuildPackages=build-essential

diff --git a/base/mkosi.skeleton/etc/chrony/chrony.conf → base/mkosi.extra/etc/chrony/chrony.conf b/base/mkosi.skeleton/etc/chrony/chrony.conf → base/mkosi.extra/etc/chrony/chrony.conf
diff --git a/base/mkosi.extra/etc/systemd/journald.conf b/base/mkosi.extra/etc/systemd/journald.conf
@@ -0,0 +1,5 @@
+[Journal]
+SystemMaxFileSize=128M
+SystemMaxFiles=2
+RuntimeMaxFileSize=512K
+RuntimeMaxFiles=2
diff --git a/base/mkosi.extra/etc/systemd/network/10-ethernet.network b/base/mkosi.extra/etc/systemd/network/10-ethernet.network
@@ -0,0 +1,9 @@
+[Match]
+Name=eth* en*
+
+[Network]
+DHCP=yes
+
+[DHCPv4]
+UseDNS=no
+UseHostname=no
diff --git a/base/mkosi.extra/etc/systemd/resolved.conf b/base/mkosi.extra/etc/systemd/resolved.conf
@@ -0,0 +1,3 @@
+[Resolve]
+FallbackDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
+DNSOverTLS=yes
diff --git a/...keleton/etc/systemd/system/minimal.target → ...i.extra/etc/systemd/system/minimal.target b/...keleton/etc/systemd/system/minimal.target → ...i.extra/etc/systemd/system/minimal.target
@@ -4,6 +4,3 @@ Requires=basic.target
 Conflicts=rescue.service rescue.target emergency.service emergency.target
 After=basic.target rescue.service rescue.target emergency.service emergency.target
 AllowIsolate=yes
-
-[Install]
-WantedBy=default.target
diff --git a/base/mkosi.skeleton/init → base/mkosi.extra/init b/base/mkosi.skeleton/init → base/mkosi.extra/init
@@ -14,4 +14,4 @@ exec unshare --mount sh -c '
     mkdir /@
     mount --rbind / /@
     cd /@ && mount --move . /
-    exec chroot . /lib/systemd/systemd systemd.unit=minimal.target'
+    exec chroot . /lib/systemd/systemd'
diff --git a/base/remove-image-version.sh → ...osi.finalize.d/10-remove-image-version.sh b/base/remove-image-version.sh → ...osi.finalize.d/10-remove-image-version.sh
diff --git a/base/debloat.sh → base/mkosi.finalize.d/90-debloat.sh b/base/debloat.sh → base/mkosi.finalize.d/90-debloat.sh
@@ -1,6 +1,11 @@
 #!/bin/bash
 set -euo pipefail
 
+# Ensure deterministic ordering of uid and gids before debloating
+# See Debian issue #963788
+mkosi-chroot pwck  --sort >/dev/null
+mkosi-chroot grpck --sort >/dev/null
+
 # Remove all logs and cache, but keep directory structure intact
 find "$BUILDROOT/var/log" -type f -delete
 find "$BUILDROOT/var/cache" -type f -delete
@@ -31,10 +36,9 @@ debloat_paths=(
     "/usr/lib/systemd/catalog"
     "/usr/lib/systemd/user"
     "/usr/lib/systemd/user-generators"
-    "/usr/lib/systemd/network"
     "/usr/lib/pcrlock.d"
     "/usr/lib/tmpfiles.d"
-    "/etc/systemd/network"
+    "/var/lib/ucf"
     "/etc/credstore"
     "/nix"
 )

diff --git a/base/efi-stub.sh → base/mkosi.postinst.d/10-efi-stub.sh b/base/efi-stub.sh → base/mkosi.postinst.d/10-efi-stub.sh
diff --git a/base/debloat-systemd.sh → base/mkosi.postinst.d/90-debloat-systemd.sh b/base/debloat-systemd.sh → base/mkosi.postinst.d/90-debloat-systemd.sh
@@ -16,6 +16,9 @@ systemd_svc_whitelist=(
     "systemd-journald-dev-log.socket"
     "systemd-remount-fs.service"
     "systemd-sysctl.service"
+    "systemd-networkd.service"
+    "systemd-networkd.socket"
+    "systemd-networkd-wait-online.service"
     "chrony.service"
 )
 
@@ -42,10 +45,9 @@ mkosi-chroot dpkg-query -L systemd | grep -E '\.service$|\.socket$|\.timer$|\.ta
     fi
 done
 
-# Set default target
-ln -sf minimal.target "$SYSTEMD_DIR/default.target"
-
-# Enable chrony and link to minimal.target
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-mkosi-chroot systemctl enable chrony.service
-ln -sf /lib/systemd/system/chrony.service "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+# Enable chrony service
+mkosi-chroot systemctl add-wants minimal.target \
+    chrony.service \
+    systemd-resolved.service \
+    systemd-networkd.service \
+    systemd-networkd-wait-online.service
diff --git a/base/mkosi.skeleton/etc/resolv.conf b/base/mkosi.skeleton/etc/resolv.conf
diff --git a/base/mkosi.skeleton/etc/systemd/system/network-setup.service b/base/mkosi.skeleton/etc/systemd/system/network-setup.service
diff --git a/base/mkosi.sync.d/10-setup-apt.sh b/base/mkosi.sync.d/10-setup-apt.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Adds mkosi sources. See https://github.com/systemd/mkosi/issues/1755
+SNAPSHOT=$(jq -r .Snapshot /work/config.json)
+if [ "$SNAPSHOT" = "null" ]; then
+    MIRROR="http://deb.debian.org/debian"
+else
+    MIRROR="http://snapshot.debian.org/archive/debian/${SNAPSHOT}"
+fi
+
+cat > "$SRCDIR/mkosi.builddir/mkosi.sources" <<EOF
+Types: deb deb-src
+URIs: $MIRROR
+Suites: ${RELEASE} ${RELEASE}-backports
+Components: main
+Trusted: yes
+EOF
diff --git a/base/normalize-umask.sh → base/mkosi.sync.d/20-normalize-umask.sh b/base/normalize-umask.sh → base/mkosi.sync.d/20-normalize-umask.sh
diff --git a/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf b/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
@@ -5,6 +5,3 @@ Requires=wait-for-key.service searcher-firewall.service
 [Service]
 ExecStartPre=/usr/bin/chown -R searcher:searcher /home/searcher
 ExecStartPre=/bin/sh -c 'test -f /etc/dropbear/dropbear_ed25519_host_key || /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key'
-
-[Install]
-WantedBy=minimal.target
diff --git a/...c/systemd/system/persistent-mount.service → ...c/systemd/system/persistent-mount.service b/...c/systemd/system/persistent-mount.service → ...c/systemd/system/persistent-mount.service
@@ -11,4 +11,4 @@ ExecStart=/bin/bash -c 'until grep -q " /persistent " /proc/mounts; do sleep 1;
 RemainAfterExit=yes
 
 [Install]
-WantedBy=minimal.target
+WantedBy=minimal.target
diff --git a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Searcher Network and Firewall Rules
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 Type=oneshot

diff --git a/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service b/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=SSH Public Key Server
-After=network.target network-setup.service wait-for-key.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 Type=oneshot

diff --git a/bob-common/mkosi.postinst b/bob-common/mkosi.postinst
@@ -18,25 +18,13 @@ mkdir -p "$BUILDROOT/etc/searcher/ssh_hostkey"
 rm -r "$BUILDROOT/etc/dropbear"
 mkdir "$BUILDROOT/etc/dropbear"
 
-# Enable services
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-for service in \
-    network-setup.service \
+# Enable packaged services
+mkosi-chroot systemctl add-wants minimal.target \
     logrotate.timer \
     delay-pipe.service \
-    wait-for-key.service \
-    searcher-firewall.service \
-    dropbear.service \
-    searcher-container.service \
-    ssh-pubkey-server.service \
-    cvm-reverse-proxy.service
-do
-    mkosi-chroot systemctl enable "$service"
-    ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
-done
+    dropbear.service
 
 # Don't reserve port 22
-mkosi-chroot systemctl disable ssh.service ssh.socket
 mkosi-chroot systemctl mask ssh.service ssh.socket
 
 # Lock the root account

diff --git a/bob-l1.conf b/bob-l1.conf
@@ -7,7 +7,4 @@ Include=bob-l1/mkosi.conf
 Profiles=azure,gcp
 
 [Distribution]
-Mirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/
-
-[Build]
-ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/
+Snapshot=20251113T083151Z