migrate ISO build from Alpine to Debian 12 (Bookworm)

Replace the entire live CD build pipeline:
- Alpine SDK + mkimage + genapkovl → Debian live-build (lb config/build)
- OpenRC init scripts → systemd service units
- dropbear → openssh-server (native to Debian live)
- udhcpc → dhclient for DHCP
- apk → apt-get in setup-builder.sh and build-nvidia-module.sh
- Add auto/config (lb config options) and auto/build wrapper
- Add config/package-lists/bee.list.chroot replacing Alpine apks
- Add config/hooks/normal/9000-bee-setup.hook.chroot to enable services
- Add bee-nvidia-load and bee-sshsetup helper scripts
- Keep NVIDIA pre-compile pipeline (Option B): compile on builder VM against
  pinned Debian kernel headers (DEBIAN_KERNEL_ABI), inject .ko into includes.chroot
- Fixes: native glibc (no gcompat shims), proper udev, writable /lib/modules,
  no Alpine modloop read-only constraint, no stale apk cache issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/smoketest.sh

@@ -24,11 +24,10 @@ echo " date:   $(date -u)"
 echo "========================================"
 echo ""
 
-# --- kernel version ---
 KVER=$(uname -r)
 info "kernel: $KVER"
 
-# --- PATH ---
+# --- PATH & binaries ---
 echo "-- PATH & binaries --"
 for tool in dmidecode smartctl nvme ipmitool lspci audit; do
     if p=$(PATH="/usr/local/bin:$PATH" command -v "$tool" 2>/dev/null); then
@@ -96,30 +95,21 @@ for lib in libnvidia-ml libcuda; do
 done
 
 echo ""
-echo "-- gcompat (glibc compat for nvidia-smi) --"
-if [ -L /lib64/ld-linux-x86-64.so.2 ] || [ -f /lib64/ld-linux-x86-64.so.2 ]; then
-    ok "gcompat: /lib64/ld-linux-x86-64.so.2 present"
-else
-    fail "gcompat: /lib64/ld-linux-x86-64.so.2 MISSING — nvidia-smi will fail to exec"
-fi
-
-echo ""
-echo "-- openrc services --"
+echo "-- systemd services --"
 for svc in bee-nvidia bee-network bee-audit; do
-    if rc-service "$svc" status >/dev/null 2>&1; then
-        ok "service running: $svc"
+    if systemctl is-active --quiet "$svc" 2>/dev/null; then
+        ok "service active: $svc"
     else
-        fail "service NOT running: $svc"
+        fail "service NOT active: $svc"
     fi
 done
 
-for svc in dropbear bee-sshsetup; do
-    if [ -f "/etc/init.d/$svc" ]; then
-        if rc-service "$svc" status >/dev/null 2>&1; then
-            ok "service running: $svc"
-        else
-            warn "service not running: $svc (may be one-shot)"
-        fi
+for svc in ssh bee-sshsetup; do
+    if systemctl is-active --quiet "$svc" 2>/dev/null \
+        || systemctl show "$svc" --property=ActiveState 2>/dev/null | grep -q "inactive\|exited"; then
+        ok "service ok: $svc"
+    else
+        warn "service status unknown: $svc"
     fi
 done
 
@@ -136,8 +126,6 @@ fi
 
 echo ""
 echo "-- audit last run --"
-# audit binary logs via slog to stderr (bee-audit.log); JSON output goes to bee-audit.json.
-# slog format: time=... level=INFO msg="audit output written" path=...
 if [ -f /var/log/bee-audit.json ] && [ -s /var/log/bee-audit.json ]; then
     ok "audit: bee-audit.json present and non-empty"
     info "size: $(du -sh /var/log/bee-audit.json | cut -f1)"
@@ -148,13 +136,11 @@ fi
 if [ -f /var/log/bee-audit.log ]; then
     last_line=$(tail -1 /var/log/bee-audit.log)
     info "last log line: $last_line"
-    # slog writes: msg="audit output written" on success
     if grep -q "audit output written" /var/log/bee-audit.log 2>/dev/null; then
         ok "audit: completed successfully"
     else
         warn "audit: 'audit output written' not found in log — may have failed"
     fi
-    # check for nvidia enrichment skip (slog message from nvidia collector)
     if grep -q "nvidia: enrichment skipped\|nvidia.*skipped\|enrichment skipped" /var/log/bee-audit.log 2>/dev/null; then
         reason=$(grep -E "nvidia.*skipped|enrichment skipped" /var/log/bee-audit.log | tail -1)
         fail "audit: nvidia enrichment skipped — $reason"