migrate ISO build from Alpine to Debian 12 (Bookworm)

Replace the entire live CD build pipeline:
- Alpine SDK + mkimage + genapkovl → Debian live-build (lb config/build)
- OpenRC init scripts → systemd service units
- dropbear → openssh-server (native to Debian live)
- udhcpc → dhclient for DHCP
- apk → apt-get in setup-builder.sh and build-nvidia-module.sh
- Add auto/config (lb config options) and auto/build wrapper
- Add config/package-lists/bee.list.chroot replacing Alpine apks
- Add config/hooks/normal/9000-bee-setup.hook.chroot to enable services
- Add bee-nvidia-load and bee-sshsetup helper scripts
- Keep NVIDIA pre-compile pipeline (Option B): compile on builder VM against
  pinned Debian kernel headers (DEBIAN_KERNEL_ABI), inject .ko into includes.chroot
- Fixes: native glibc (no gcompat shims), proper udev, writable /lib/modules,
  no Alpine modloop read-only constraint, no stale apk cache issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/overlay/usr/local/bin/bee-network.sh

@@ -22,9 +22,8 @@ for iface in $interfaces; do
     log "bringing up $iface"
     ip link set "$iface" up 2>/dev/null || { log "WARN: could not bring up $iface"; continue; }
 
-    # DHCP in background: -b forks if no immediate lease, & ensures non-blocking always.
-    # -t 0: unlimited retries, -T 3: 3s per attempt. No -q: stay running to renew lease.
-    udhcpc -i "$iface" -b -t 0 -T 3 &
+    # DHCP in background — non-blocking, retries indefinitely
+    dhclient -nw "$iface" 2>/dev/null &
     log "DHCP started for $iface (pid $!)"
 done
 

iso/overlay/usr/local/bin/bee-nvidia-load

@@ -0,0 +1,59 @@
+#!/bin/sh
+# bee-nvidia-load — load NVIDIA kernel modules and create device nodes
+# Called by bee-nvidia.service at boot.
+
+NVIDIA_KO_DIR="/usr/local/lib/nvidia"
+
+log() { echo "[bee-nvidia] $*"; }
+
+log "kernel: $(uname -r)"
+
+if [ ! -d "$NVIDIA_KO_DIR" ]; then
+    log "ERROR: NVIDIA module dir missing: $NVIDIA_KO_DIR"
+    exit 1
+fi
+
+log "module dir: $NVIDIA_KO_DIR"
+ls "$NVIDIA_KO_DIR"/*.ko 2>/dev/null | sed 's/^/  /' || true
+
+# Load modules via insmod (direct load — no depmod needed)
+for mod in nvidia nvidia-modeset nvidia-uvm; do
+    ko="$NVIDIA_KO_DIR/${mod}.ko"
+    [ -f "$ko" ] || ko="$NVIDIA_KO_DIR/${mod//-/_}.ko"
+    if [ -f "$ko" ]; then
+        if insmod "$ko" 2>/dev/null; then
+            log "loaded: $mod"
+        else
+            log "WARN: failed to load: $mod"
+            dmesg | tail -n 5 | sed 's/^/  dmesg: /' || true
+        fi
+    else
+        log "WARN: not found: $ko"
+    fi
+done
+
+# Create /dev/nvidia* device nodes (udev rules absent since we use .run installer)
+nvidia_major=$(grep -m1 ' nvidiactl$' /proc/devices 2>/dev/null | awk '{print $1}')
+if [ -n "$nvidia_major" ]; then
+    mknod -m 666 /dev/nvidiactl c "$nvidia_major" 255 2>/dev/null \
+        && log "created /dev/nvidiactl (major $nvidia_major)" \
+        || log "WARN: /dev/nvidiactl already exists or mknod failed"
+    for i in 0 1 2 3 4 5 6 7; do
+        mknod -m 666 "/dev/nvidia$i" c "$nvidia_major" "$i" 2>/dev/null || true
+    done
+    log "created /dev/nvidia{0-7}"
+else
+    log "WARN: nvidiactl not in /proc/devices — no GPU hardware present?"
+fi
+
+uvm_major=$(grep -m1 ' nvidia-uvm$' /proc/devices 2>/dev/null | awk '{print $1}')
+if [ -n "$uvm_major" ]; then
+    mknod -m 666 /dev/nvidia-uvm       c "$uvm_major" 0 2>/dev/null \
+        && log "created /dev/nvidia-uvm (major $uvm_major)" \
+        || log "WARN: /dev/nvidia-uvm already exists"
+    mknod -m 666 /dev/nvidia-uvm-tools c "$uvm_major" 1 2>/dev/null || true
+else
+    log "WARN: nvidia-uvm not in /proc/devices"
+fi
+
+log "done"

iso/overlay/usr/local/bin/bee-sshsetup

@@ -0,0 +1,18 @@
+#!/bin/sh
+# bee-sshsetup — configure SSH access
+# Called by bee-sshsetup.service before SSH starts.
+
+log() { echo "[bee-sshsetup] $*"; }
+
+# Always create dedicated 'bee' user for password fallback.
+if ! id bee > /dev/null 2>&1; then
+    useradd -m -s /bin/sh bee > /dev/null 2>&1
+fi
+echo "bee:eeb" | chpasswd > /dev/null 2>&1
+
+if [ -f /etc/bee-ssh-password-fallback ]; then
+    log "SSH key auth unavailable — password fallback active"
+    log "Login: bee / eeb"
+else
+    log "SSH key auth configured"
+fi