# TFTP server for BIOS/legacy PXE bootstrap. It serves the small iPXE NBP
# (~1 MB: ipxe.efi for UEFI-via-TFTP, undionly.kpxe for BIOS) over udp/69;
# the client then chainloads bty's HTTP iPXE script and fetches everything
# else (kernel / initrd / squashfs) from bty-web over HTTP. The NBPs are
# baked into the image -- no volume, no shared data. Enable it with the
# compose `tftp` profile.
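FROM debian:bookworm-slim

# update + install + list cleanup in one layer so the apt cache never lands
# in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends tftpd-hpa ipxe \
 && rm -rf /var/lib/apt/lists/*

# Stock NBPs as the baseline: ipxe.efi (UEFI-via-TFTP) and undionly.kpxe
# (BIOS); snponly.efi is included when the package ships it. ``-L``
# dereferences (the package ships ipxe.efi as a symlink to /boot/ipxe.efi,
# which would dangle under the TFTP --secure chroot).
# The optional snponly.efi copy is braced so its ``|| true`` covers only that
# copy. Trailing the whole ``&&`` chain, the ``|| true`` also swallowed a
# failed mkdir or a missing undionly.kpxe/ipxe.efi, letting an image with no
# usable NBP build successfully.
RUN mkdir -p /opt/ipxe \
 && cp -L /usr/lib/ipxe/undionly.kpxe /usr/lib/ipxe/ipxe.efi /opt/ipxe/ \
 && { cp -L /usr/lib/ipxe/snponly.efi /opt/ipxe/ 2>/dev/null || true; }

# Override ipxe.efi with bty's custom embedded-chain build when CI has
# staged it into deploy/tftp/seed/ (dev builds keep just .gitkeep, so the
# stock NBPs above stand). The custom binary carries the embedded
# ``chain http://${next-server}:8080/pxe-bootstrap.ipxe`` so the operator's
# DHCP only needs a single bootfile -- no userclass logic. (x86_64-efi
# only; BIOS undionly.kpxe stays stock.)
# COPY merges seed/ straight into the NBP dir, overwriting stock files of the
# same name. No ``|| true`` here: a failed override must fail the build rather
# than silently serve the stock NBP while the operator believes the custom
# one is in place.
COPY seed/ /opt/ipxe/
# Drop the .gitkeep placeholder and make every NBP world-readable (but not
# writable) so in.tftpd can serve them after dropping privileges regardless
# of the mode the seed files were committed with.
RUN rm -f /opt/ipxe/.gitkeep \
 && chmod -R u=rwX,go=rX /opt/ipxe

EXPOSE 69/udp
# Serve the baked NBP dir read-only in effect: no --create, and the files are
# root-owned and not writable by the service user. --secure chroots clients
# to it; the data transfer uses an ephemeral UDP port, so run with host
# networking. in.tftpd needs root only to bind udp/69 and chroot; --user
# makes the unprivileged identity it drops to explicit (nobody is its
# default).
ENTRYPOINT ["/usr/sbin/in.tftpd", "--foreground", "--address", "0.0.0.0:69", "--secure", "--user", "nobody", "/opt/ipxe"]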
