@underpostnet/underpost 2.96.1 → 2.97.0

package/src/cli/baremetal.js

@@ -15,8 +15,9 @@ import path from 'path';
 import Downloader from '../server/downloader.js';
 import UnderpostCloudInit from './cloud-init.js';
 import UnderpostRepository from './repository.js';
-import { s4, timer } from '../client/components/core/CommonJs.js';
+import { newInstance, range, s4, timer } from '../client/components/core/CommonJs.js';
 import { spawnSync } from 'child_process';
+import Underpost from '../index.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -49,21 +50,40 @@ class UnderpostBaremetal {
      * It handles NFS root filesystem building, control server installation/uninstallation,
      * and system-level provisioning tasks like timezone and keyboard configuration.
      * @param {string} [workflowId='rpi4mb'] - Identifier for the specific workflow configuration to use.
-     * @param {string} [hostname=workflowId] - The hostname of the target baremetal machine.
      * @param {string} [ipAddress=getLocalIPv4Address()] - The IP address of the control server or the local machine.
+     * @param {string} [hostname=workflowId] - The hostname of the target baremetal machine.
+     * @param {string} [ipFileServer=getLocalIPv4Address()] - The IP address of the file server (NFS/TFTP).
+     * @param {string} [ipConfig=''] - IP configuration string for the baremetal machine.
+     * @param {string} [netmask=''] - Netmask of network
+     * @param {string} [dnsServer=''] - DNS server IP address.
      * @param {object} [options] - An object containing boolean flags for various operations.
      * @param {boolean} [options.dev=false] - Development mode flag.
      * @param {boolean} [options.controlServerInstall=false] - Flag to install the control server (e.g., MAAS).
      * @param {boolean} [options.controlServerUninstall=false] - Flag to uninstall the control server.
+     * @param {boolean} [options.controlServerRestart=false] - Flag to restart the control server.
      * @param {boolean} [options.controlServerDbInstall=false] - Flag to install the control server's database.
+     * @param {boolean} [options.createMachine=false] - Flag to create a machine in MAAS.
      * @param {boolean} [options.controlServerDbUninstall=false] - Flag to uninstall the control server's database.
+     * @param {string} [options.mac=''] - MAC address of the baremetal machine.
+     * @param {boolean} [options.ipxe=false] - Flag to use iPXE for booting.
+     * @param {boolean} [options.ipxeRebuild=false] - Flag to rebuild the iPXE binary with embedded script.
      * @param {boolean} [options.installPacker=false] - Flag to install Packer CLI.
      * @param {string} [options.packerMaasImageTemplate] - Template path from canonical/packer-maas to extract (requires workflow-id).
      * @param {string} [options.packerWorkflowId] - Workflow ID for Packer MAAS image operations (used with --packer-maas-image-build or --packer-maas-image-upload).
      * @param {boolean} [options.packerMaasImageBuild=false] - Flag to build a Packer MAAS image for the workflow specified by packerWorkflowId.
      * @param {boolean} [options.packerMaasImageUpload=false] - Flag to upload a Packer MAAS image artifact without rebuilding for the workflow specified by packerWorkflowId.
+     * @param {boolean} [options.packerMaasImageCached=false] - Flag to use cached artifacts when building the Packer MAAS image.
+     * @param {string} [options.removeMachines=''] - Comma-separated list of machine system IDs or '*' to remove existing machines from MAAS before commissioning.
+     * @param {boolean} [options.clearDiscovered=false] - Flag to clear discovered machines from MAAS before commissioning.
      * @param {boolean} [options.cloudInitUpdate=false] - Flag to update cloud-init configuration on the baremetal machine.
      * @param {boolean} [options.commission=false] - Flag to commission the baremetal machine.
+     * @param {number} [options.bootstrapHttpServerPort=8888] - Port for the bootstrap HTTP server.
+     * @param {string} [options.bootstrapHttpServerPath='./public/localhost'] - Path for the bootstrap HTTP server files.
+     * @param {string} [options.isoUrl=''] - Uses a custom ISO URL for baremetal machine commissioning.
+     * @param {boolean} [options.ubuntuToolsBuild=false] - Builds ubuntu tools for chroot environment.
+     * @param {boolean} [options.ubuntuToolsTest=false] - Tests ubuntu tools in chroot environment.
+     * @param {string} [options.bootcmd=''] - Comma-separated list of boot commands to execute.
+     * @param {string} [options.runcmd=''] - Comma-separated list of run commands to execute.
      * @param {boolean} [options.nfsBuild=false] - Flag to build the NFS root filesystem.
      * @param {boolean} [options.nfsMount=false] - Flag to mount the NFS root filesystem.
      * @param {boolean} [options.nfsUnmount=false] - Flag to unmount the NFS root filesystem.
@@ -74,22 +94,41 @@ class UnderpostBaremetal {
      */
     async callback(
       workflowId,
-      hostname,
       ipAddress,
+      hostname,
+      ipFileServer,
+      ipConfig,
+      netmask,
+      dnsServer,
       options = {
         dev: false,
         controlServerInstall: false,
         controlServerUninstall: false,
+        controlServerRestart: false,
         controlServerDbInstall: false,
         controlServerDbUninstall: false,
+        createMachine: false,
+        mac: '',
+        ipxe: false,
+        ipxeRebuild: false,
         installPacker: false,
         packerMaasImageTemplate: false,
         packerWorkflowId: '',
         packerMaasImageBuild: false,
         packerMaasImageUpload: false,
         packerMaasImageCached: false,
+        removeMachines: '',
+        clearDiscovered: false,
         cloudInitUpdate: false,
+        cloudInit: false,
         commission: false,
+        bootstrapHttpServerPort: 8888,
+        bootstrapHttpServerPath: './public/localhost',
+        isoUrl: '',
+        ubuntuToolsBuild: false,
+        ubuntuToolsTest: false,
+        bootcmd: '',
+        runcmd: '',
         nfsBuild: false,
         nfsMount: false,
         nfsUnmount: false,
@@ -105,37 +144,123 @@ class UnderpostBaremetal {
       const underpostRoot = options?.dev === true ? '.' : `${npmRoot}/underpost`;
 
       // Set default values if not provided.
-      workflowId = workflowId ? workflowId : 'rpi4mb';
+      workflowId = workflowId ? workflowId : 'rpi4mbarm64-iso-ram';
       hostname = hostname ? hostname : workflowId;
-      ipAddress = ipAddress ? ipAddress : '192.168.1.192';
+      ipAddress = ipAddress ? ipAddress : '192.168.1.191';
+      ipFileServer = ipFileServer ? ipFileServer : getLocalIPv4Address();
+      netmask = netmask ? netmask : '255.255.255.0';
+      dnsServer = dnsServer ? dnsServer : '8.8.8.8';
+
+      // IpConfig options:
+      // dhcp - DHCP configuration
+      // dhpc6 - DHCP IPv6 configuration
+      // auto6 - automatic IPv6 configuration
+      // on, any - any protocol available in the kernel (default)
+      // none, off - no autoconfiguration, static network configuration
+      ipConfig = ipConfig ? ipConfig : 'none';
 
       // Set default MAC address
-      let macAddress = '00:00:00:00:00:00';
+      let macAddress = UnderpostBaremetal.API.macAddressFactory(options).mac;
+      const workflowsConfig = UnderpostBaremetal.API.loadWorkflowsConfig();
 
+      if (!workflowsConfig[workflowId]) {
+        throw new Error(`Workflow configuration not found for ID: ${workflowId}`);
+      }
+
+      const tftpPrefix = workflowsConfig[workflowId].tftpPrefix || 'rpi4mb';
       // Define the debootstrap architecture.
       let debootstrapArch;
 
+      // Set debootstrap architecture.
+      if (workflowsConfig[workflowId].type === 'chroot') {
+        const { architecture } = workflowsConfig[workflowId].debootstrap.image;
+        debootstrapArch = architecture;
+      }
+
       // Define the database provider ID.
       const dbProviderId = 'postgresql-17';
 
       // Define the NFS host path based on the environment variable and hostname.
       const nfsHostPath = `${process.env.NFS_EXPORT_PATH}/${hostname}`;
 
-      // Define the TFTP root path based on the environment variable and hostname.
-      const tftpRootPath = `${process.env.TFTP_ROOT}/${hostname}`;
+      // Define the TFTP root prefix path based
+      const tftpRootPath = `${process.env.TFTP_ROOT}/${tftpPrefix}`;
+
+      // Define the bootstrap HTTP server path.
+      const bootstrapHttpServerPath = options.bootstrapHttpServerPath
+        ? options.bootstrapHttpServerPath
+        : `/tmp/bootstrap-http-server/${workflowId}`;
 
       // Capture metadata for the callback execution, useful for logging and auditing.
       const callbackMetaData = {
-        args: { hostname, ipAddress, workflowId },
+        args: { workflowId, ipAddress, hostname, ipFileServer, ipConfig, netmask, dnsServer },
         options,
         runnerHost: { architecture: UnderpostBaremetal.API.getHostArch().alias, ip: getLocalIPv4Address() },
         nfsHostPath,
         tftpRootPath,
+        bootstrapHttpServerPath,
       };
 
       // Log the initiation of the baremetal callback with relevant metadata.
       logger.info('Baremetal callback', callbackMetaData);
 
+      // Create a new machine in MAAS if the option is set.
+      let machine;
+      if (options.createMachine === true) {
+        const [searhMachine] = JSON.parse(
+          shellExec(`maas maas machines read hostname=${hostname}`, {
+            stdout: true,
+            silent: true,
+          }),
+        );
+
+        if (searhMachine) {
+          // Check if existing machine's MAC matches the specified MAC
+          const existingMac = searhMachine.boot_interface?.mac_address || searhMachine.mac_address;
+
+          // If using hardware MAC (macAddress is null), skip MAC validation and use existing machine
+          if (macAddress === null) {
+            logger.info(`Using hardware MAC mode - keeping existing machine ${hostname} with MAC ${existingMac}`);
+            machine = searhMachine;
+          } else if (existingMac && existingMac !== macAddress) {
+            logger.warn(`⚠ Machine ${hostname} exists with MAC ${existingMac}, but --mac specified ${macAddress}`);
+            logger.info(`Deleting existing machine ${searhMachine.system_id} to recreate with correct MAC...`);
+
+            // Delete the existing machine
+            shellExec(`maas maas machine delete ${searhMachine.system_id}`, {
+              silent: true,
+            });
+
+            // Create new machine with correct MAC
+            machine = UnderpostBaremetal.API.machineFactory({
+              hostname,
+              ipAddress,
+              macAddress,
+              maas: workflowsConfig[workflowId].maas,
+            }).machine;
+
+            logger.info(`✓ Machine recreated with MAC ${macAddress}`);
+          } else {
+            logger.info(`Using existing machine ${hostname} with MAC ${existingMac}`);
+            machine = searhMachine;
+          }
+        } else {
+          // No existing machine found, create new one
+          // For hardware MAC mode (macAddress is null), we'll create machine after discovery
+          if (macAddress === null) {
+            logger.info(`Hardware MAC mode - machine will be created after discovery`);
+            machine = null;
+          } else {
+            machine = UnderpostBaremetal.API.machineFactory({
+              hostname,
+              ipAddress,
+              macAddress,
+              maas: workflowsConfig[workflowId].maas,
+            }).machine;
+          }
+        }
+      }
+
       if (options.installPacker) {
         await UnderpostBaremetal.API.installPacker(underpostRoot);
         return;
@@ -183,9 +308,9 @@ class UnderpostBaremetal {
           workflows[workflowId] = workflowConfig;
           UnderpostBaremetal.API.writePackerMaasImageBuildWorkflows(workflows);
 
-          logger.info('\nTemplate extracted successfully!');
-          logger.info(`\nAdded configuration for ${workflowId} to engine/baremetal/packer-workflows.json`);
-          logger.info('\nNext steps:');
+          logger.info('Template extracted successfully!');
+          logger.info(`Added configuration for ${workflowId} to engine/baremetal/packer-workflows.json`);
+          logger.info('Next steps');
           logger.info(`1. Review and customize the Packer template files in: ${targetDir}`);
           logger.info(`2. Review the workflow configuration in engine/baremetal/packer-workflows.json`);
           logger.info(
@@ -324,18 +449,31 @@ rm -rf ${artifacts.join(' ')}`);
         return;
       }
 
-      if (options.logs === 'cloud') {
+      if (options.logs === 'dhcp-lease') {
+        shellExec(`cat /var/snap/maas/common/maas/dhcp/dhcpd.leases`);
+        shellExec(`cat /var/snap/maas/common/maas/dhcp/dhcpd.pid`);
+        return;
+      }
+
+      if (options.logs === 'dhcp-lan') {
+        shellExec(`sudo tcpdump -l -n -i any -s0 -vv 'udp and (port 67 or 68)'`);
+        return;
+      }
+
+      if (options.logs === 'cloud-init') {
         shellExec(`tail -f -n 900 ${nfsHostPath}/var/log/cloud-init.log`);
         return;
       }
 
-      if (options.logs === 'machine') {
+      if (options.logs === 'cloud-init-machine') {
         shellExec(`tail -f -n 900 ${nfsHostPath}/var/log/cloud-init-output.log`);
         return;
       }
 
-      if (options.logs === 'cloud-config') {
-        shellExec(`cat ${nfsHostPath}/etc/cloud/cloud.cfg.d/90_maas.cfg`);
+      if (options.logs === 'cloud-init-config') {
+        shellExec(`cat ${bootstrapHttpServerPath}/${hostname}/cloud-init/user-data`);
+        shellExec(`cat ${bootstrapHttpServerPath}/${hostname}/cloud-init/meta-data`);
+        shellExec(`cat ${bootstrapHttpServerPath}/${hostname}/cloud-init/vendor-data`);
         return;
       }
 
@@ -371,7 +509,6 @@ rm -rf ${artifacts.join(' ')}`);
         shellExec(`chmod +x ${underpostRoot}/scripts/maas-setup.sh`);
         shellExec(`chmod +x ${underpostRoot}/scripts/nat-iptables.sh`);
         shellExec(`${underpostRoot}/scripts/maas-setup.sh`);
-        shellExec(`${underpostRoot}/scripts/nat-iptables.sh`);
         return;
       }
 
@@ -393,6 +530,12 @@ rm -rf ${artifacts.join(' ')}`);
         return;
       }
 
+      // Handle control server restart.
+      if (options.controlServerRestart === true) {
+        shellExec(`sudo snap restart maas`);
+        return;
+      }
+
       // Handle control server database installation.
       if (options.controlServerDbInstall === true) {
         // Deploy the database provider and manage MAAS database.
@@ -410,41 +553,43 @@ rm -rf ${artifacts.join(' ')}`);
         return;
       }
 
-      const workflowsConfig = UnderpostBaremetal.API.loadWorkflowsConfig();
-      if (!workflowsConfig[workflowId]) {
-        throw new Error(`Workflow configuration not found for ID: ${workflowId}`);
-      }
-
-      // Set debootstrap architecture.
-      {
-        const { architecture } = workflowsConfig[workflowId].debootstrap.image;
-        debootstrapArch = architecture;
-      }
-
       // Handle NFS mount operation.
       if (options.nfsMount === true) {
-        // Mount binfmt_misc filesystem.
-        UnderpostBaremetal.API.mountBinfmtMisc({ nfsHostPath });
-        UnderpostBaremetal.API.nfsMountCallback({ hostname, workflowId, mount: true });
+        const { isMounted } = UnderpostBaremetal.API.nfsMountCallback({
+          hostname,
+          nfsHostPath,
+          workflowId,
+          mount: true,
+        });
+        return;
       }
 
       // Handle NFS unmount operation.
       if (options.nfsUnmount === true) {
-        UnderpostBaremetal.API.nfsMountCallback({ hostname, workflowId, unmount: true });
+        const { isMounted } = UnderpostBaremetal.API.nfsMountCallback({
+          hostname,
+          nfsHostPath,
+          workflowId,
+          unmount: true,
+        });
+        return;
       }
 
       // Handle NFS root filesystem build operation.
       if (options.nfsBuild === true) {
-        // Check if NFS is already mounted to avoid redundant builds.
-        const { isMounted } = UnderpostBaremetal.API.nfsMountCallback({ hostname, workflowId });
+        const { isMounted } = UnderpostBaremetal.API.nfsMountCallback({
+          hostname,
+          nfsHostPath,
+          workflowId,
+          unmount: true,
+        });
+
+        if (isMounted) throw new Error(`NFS path ${nfsHostPath} is currently mounted. Please unmount before building.`);
 
         // Clean and create the NFS host path.
         shellExec(`sudo rm -rf ${nfsHostPath}/*`);
         shellExec(`mkdir -p ${nfsHostPath}`);
 
-        // Mount binfmt_misc filesystem.
-        UnderpostBaremetal.API.mountBinfmtMisc({ nfsHostPath });
-
         // Perform the first stage of debootstrap.
         {
           const { architecture, name } = workflowsConfig[workflowId].debootstrap.image;
@@ -477,6 +622,14 @@ rm -rf ${artifacts.join(' ')}`);
         shellExec(`podman ps -a`);
         shellExec(`file ${nfsHostPath}/bin/bash`); // Verify the bash executable in the chroot.
 
+        // Mount necessary filesystems and register binfmt for the second stage.
+        UnderpostBaremetal.API.nfsMountCallback({
+          hostname,
+          nfsHostPath,
+          workflowId,
+          mount: true,
+        });
+
         // Perform the second stage of debootstrap within the chroot environment.
         UnderpostBaremetal.API.crossArchRunner({
           nfsHostPath,
@@ -484,34 +637,7 @@ rm -rf ${artifacts.join(' ')}`);
           callbackMetaData,
           steps: [`/debootstrap/debootstrap --second-stage`],
         });
-
-        // Mount NFS if it's not already mounted after the build.
-        if (!isMounted) {
-          UnderpostBaremetal.API.nfsMountCallback({ hostname, workflowId, mount: true });
-        }
-
-        // Apply system provisioning steps (base, user, timezone, keyboard).
-        {
-          const { systemProvisioning, kernelLibVersion, chronyc } = workflowsConfig[workflowId];
-          const { timezone, chronyConfPath } = chronyc;
-
-          UnderpostBaremetal.API.crossArchRunner({
-            nfsHostPath,
-            debootstrapArch,
-            callbackMetaData,
-            steps: [
-              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].base({
-                kernelLibVersion,
-              }),
-              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].user(),
-              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].timezone({
-                timezone,
-                chronyConfPath,
-              }),
-              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].keyboard(),
-            ],
-          });
-        }
+        return;
       }
 
       // Fetch boot resources and machines if commissioning or listing.
@@ -544,14 +670,33 @@ rm -rf ${artifacts.join(' ')}`);
         console.table(machines);
       }
 
+      if (options.clearDiscovered) UnderpostBaremetal.API.removeDiscoveredMachines();
+
+      // Handle remove existing machines from MAAS.
+      if (options.removeMachines)
+        machines = UnderpostBaremetal.API.removeMachines({
+          machines: options.removeMachines === 'all' ? machines : options.removeMachines.split(','),
+          ignore: machine ? [machine.system_id] : [],
+        });
+
       // Handle commissioning tasks (placeholder for future implementation).
+
       if (options.commission === true) {
-        const { firmwares, networkInterfaceName, maas, netmask, menuentryStr } = workflowsConfig[workflowId];
+        let { firmwares, networkInterfaceName, maas, menuentryStr, type } = workflowsConfig[workflowId];
+
+        // Use commissioning config (Ubuntu ephemeral) for PXE boot resources
+        const commissioningImage = maas.commissioning;
         const resource = resources.find(
-          (o) => o.architecture === maas.image.architecture && o.name === maas.image.name,
+          (o) => o.architecture === commissioningImage.architecture && o.name === commissioningImage.name,
         );
         logger.info('Commissioning resource', resource);
 
+        if (type === 'iso-nfs') {
+          // Prepare NFS casper path if using NFS boot.
+          shellExec(`sudo rm -rf ${nfsHostPath}`);
+          shellExec(`mkdir -p ${nfsHostPath}/casper`);
+        }
+
         // Clean and create TFTP root path.
         shellExec(`sudo rm -rf ${tftpRootPath}`);
         shellExec(`mkdir -p ${tftpRootPath}/pxe`);
@@ -569,221 +714,1280 @@ rm -rf ${artifacts.join(' ')}`);
             shellExec(`sudo cp -a ${path}/* ${tftpRootPath}`); // Copy firmware files to TFTP root.
 
             if (gateway && subnet) {
-              fs.writeFileSync(
-                `${tftpRootPath}/boot_${name}.conf`,
-                UnderpostBaremetal.API.bootConfFactory({
-                  workflowId,
-                  tftpIp: callbackMetaData.runnerHost.ip,
-                  tftpPrefixStr: hostname,
-                  macAddress,
-                  clientIp: ipAddress,
-                  subnet,
-                  gateway,
-                }),
-                'utf8',
+              const bootConfSrc = UnderpostBaremetal.API.bootConfFactory({
+                workflowId,
+                tftpIp: callbackMetaData.runnerHost.ip,
+                tftpPrefixStr: hostname,
+                macAddress,
+                clientIp: ipAddress,
+                subnet,
+                gateway,
+              });
+              if (bootConfSrc) fs.writeFileSync(`${tftpRootPath}/boot_${name}.conf`, bootConfSrc, 'utf8');
+            }
+          }
+        }
+
+        // Configure GRUB for PXE boot.
+        {
+          // Fetch kernel and initrd paths from MAAS boot resource.
+          // Both NFS and disk-based commissioning use MAAS boot resources.
+          const { kernelFilesPaths, resourcesPath } = UnderpostBaremetal.API.kernelFactory({
+            resource,
+            type,
+            nfsHostPath,
+            isoUrl: options.isoUrl || workflowsConfig[workflowId].isoUrl,
+          });
+
+          const { cmd } = UnderpostBaremetal.API.kernelCmdBootParamsFactory({
+            ipClient: ipAddress,
+            ipDhcpServer: callbackMetaData.runnerHost.ip,
+            ipConfig,
+            ipFileServer,
+            netmask,
+            hostname,
+            dnsServer,
+            networkInterfaceName,
+            fileSystemUrl: kernelFilesPaths.isoUrl,
+            bootstrapHttpServerPort:
+              options.bootstrapHttpServerPort || workflowsConfig[workflowId].bootstrapHttpServerPort || 8888,
+            type,
+            macAddress,
+            cloudInit: options.cloudInit,
+            machine,
+          });
+
+          // Check if iPXE mode is enabled AND the iPXE EFI binary exists
+          let useIpxe = options.ipxe;
+          if (options.ipxe) {
+            const arch = commissioningImage.architecture.split('/')[0];
+            const ipxeScript = UnderpostBaremetal.API.ipxeScriptFactory({
+              maasIp: callbackMetaData.runnerHost.ip,
+              macAddress,
+              architecture: arch,
+              tftpPrefix,
+              kernelCmd: cmd,
+            });
+            fs.writeFileSync(`${tftpRootPath}/stable-id.ipxe`, ipxeScript, 'utf8');
+
+            // Create embedded boot script that does DHCP and chains to the main script
+            const embeddedScript = UnderpostBaremetal.API.ipxeEmbeddedScriptFactory({
+              tftpServer: callbackMetaData.runnerHost.ip,
+              scriptPath: `/${tftpPrefix}/stable-id.ipxe`,
+              macAddress: macAddress,
+            });
+            fs.writeFileSync(`${tftpRootPath}/boot.ipxe`, embeddedScript, 'utf8');
+
+            logger.info('✓ iPXE script generated for MAAS commissioning', {
+              registeredMAC: macAddress,
+              path: `${tftpRootPath}/stable-id.ipxe`,
+              embeddedPath: `${tftpRootPath}/boot.ipxe`,
+            });
+            if (macAddress === null) {
+              logger.info('ℹ Hardware MAC mode - device will use actual hardware MAC address');
+              logger.info('ℹ MAAS will identify the machine by its hardware MAC after discovery');
+            } else {
+              logger.info('ℹ Machine registered in MAAS with MAC:', macAddress);
+              if (macAddress !== '00:00:00:00:00:00') {
+                logger.info('ℹ MAAS will identify the machine by MAC:', macAddress);
+              } else {
+                logger.info('ℹ Device will boot with its actual hardware MAC address');
+                logger.info('ℹ MAAS will identify the machine by its hardware MAC');
+              }
+            }
+
+            // Rebuild iPXE with embedded boot script if requested or if binary doesn't exist
+            const embeddedScriptPath = `${tftpRootPath}/boot.ipxe`;
+            const shouldRebuild = options.ipxeRebuild || !fs.existsSync(`${tftpRootPath}/ipxe.efi`);
+
+            if (shouldRebuild && fs.existsSync(embeddedScriptPath)) {
+              logger.info('Rebuilding iPXE with embedded boot script...', {
+                embeddedScriptPath,
+                forced: options.ipxeRebuild,
+              });
+              shellExec(
+                `${underpostRoot}/scripts/ipxe-setup.sh ${tftpRootPath} --target-arch ${arch} --embed-script ${embeddedScriptPath} --rebuild`,
               );
+            } else if (shouldRebuild) {
+              logger.warn('⚠ Embedded script not found, building without embedded script');
+              shellExec(`${underpostRoot}/scripts/ipxe-setup.sh ${tftpRootPath} --target-arch ${arch}`);
+            } else {
+              logger.info('ℹ Using existing iPXE binary (use --ipxe-rebuild to force rebuild)');
             }
+
+            // Only use iPXE chainloading if the binary exists
+            if (fs.existsSync(`${tftpRootPath}/ipxe.efi`)) {
+              logger.info('✓ iPXE EFI binary found');
+            } else {
+              useIpxe = false;
+              logger.warn(`⚠ iPXE EFI binary not found at ${tftpRootPath}/ipxe.efi - falling back to direct GRUB boot`);
+              logger.warn('  The iPXE script was generated but cannot be used without the iPXE EFI binary.');
+              logger.warn('  Consider booting without --ipxe flag or providing the iPXE EFI binary.');
+            }
+          }
+
+          const { grubCfgSrc } = UnderpostBaremetal.API.grubFactory({
+            menuentryStr,
+            kernelPath: `/${tftpPrefix}/pxe/vmlinuz-efi`,
+            initrdPath: `/${tftpPrefix}/pxe/initrd.img`,
+            cmd,
+            tftpIp: callbackMetaData.runnerHost.ip,
+            ipxe: useIpxe,
+            ipxePath: `/${tftpPrefix}/ipxe.efi`,
+          });
+          UnderpostBaremetal.API.writeGrubConfigToFile({
+            grubCfgSrc: machine ? grubCfgSrc.replaceAll('system-id', machine.system_id) : grubCfgSrc,
+          });
+          if (machine) {
+            logger.info('✓ GRUB config written with system_id', { system_id: machine.system_id });
           }
+          UnderpostBaremetal.API.updateKernelFiles({
+            commissioningImage,
+            resourcesPath,
+            tftpRootPath,
+            kernelFilesPaths,
+          });
+        }
+
+        // Pass architecture from commissioning or deployment config
+        const grubArch = maas.commissioning.architecture;
+        UnderpostBaremetal.API.efiGrubModulesFactory({ image: { architecture: grubArch } });
+
+        // Set ownership and permissions for TFTP root.
+        shellExec(`sudo chown -R $(whoami):$(whoami) ${process.env.TFTP_ROOT}`);
+        shellExec(`sudo sudo chmod 755 ${process.env.TFTP_ROOT}`);
+
+        UnderpostBaremetal.API.httpBootstrapServerRunnerFactory({
+          hostname,
+          bootstrapHttpServerPath,
+          bootstrapHttpServerPort:
+            options.bootstrapHttpServerPort || workflowsConfig[workflowId].bootstrapHttpServerPort,
+        });
+      }
+
+      if (options.cloudInit || options.cloudInitUpdate) {
+        const { chronyc, networkInterfaceName } = workflowsConfig[workflowId];
+        const { timezone, chronyConfPath } = chronyc;
+        const authCredentials = UnderpostCloudInit.API.authCredentialsFactory();
+        const { cloudConfigSrc } = UnderpostCloudInit.API.configFactory(
+          {
+            controlServerIp: callbackMetaData.runnerHost.ip,
+            hostname,
+            commissioningDeviceIp: ipAddress,
+            gatewayip: callbackMetaData.runnerHost.ip,
+            mac: macAddress,
+            timezone,
+            chronyConfPath,
+            networkInterfaceName,
+            ubuntuToolsBuild: options.ubuntuToolsBuild,
+            bootcmd: options.bootcmd,
+            runcmd: options.runcmd,
+          },
+          authCredentials,
+        );
+
+        shellExec(`mkdir -p ${bootstrapHttpServerPath}`);
+        fs.writeFileSync(
+          `${bootstrapHttpServerPath}/${hostname}/cloud-init/user-data`,
+          `#cloud-config\n${cloudConfigSrc}`,
+          'utf8',
+        );
+        fs.writeFileSync(
+          `${bootstrapHttpServerPath}/${hostname}/cloud-init/meta-data`,
+          `instance-id: ${hostname}\nlocal-hostname: ${hostname}`,
+          'utf8',
+        );
+        fs.writeFileSync(`${bootstrapHttpServerPath}/${hostname}/cloud-init/vendor-data`, ``, 'utf8');
+
+        logger.info(`Cloud-init files written to ${bootstrapHttpServerPath}`);
+        if (options.cloudInitUpdate) return;
+      }
+
+      if (workflowsConfig[workflowId].type === 'chroot') {
+        if (options.ubuntuToolsBuild) {
+          UnderpostCloudInit.API.buildTools({
+            workflowId,
+            nfsHostPath,
+            hostname,
+            callbackMetaData,
+            dev: options.dev,
+          });
+
+          const { chronyc, keyboard } = workflowsConfig[workflowId];
+          const { timezone, chronyConfPath } = chronyc;
+          const systemProvisioning = 'ubuntu';
+
+          UnderpostBaremetal.API.crossArchRunner({
+            nfsHostPath,
+            debootstrapArch,
+            callbackMetaData,
+            steps: [
+              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].base(),
+              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].user(),
+              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].timezone({
+                timezone,
+                chronyConfPath,
+              }),
+              ...UnderpostBaremetal.API.systemProvisioningFactory[systemProvisioning].keyboard(keyboard.layout),
+            ],
+          });
         }
 
-        // Rebuild NFS server configuration.
+        if (options.ubuntuToolsTest)
+          UnderpostBaremetal.API.crossArchRunner({
+            nfsHostPath,
+            debootstrapArch,
+            callbackMetaData,
+            steps: [
+              `chmod +x /underpost/date.sh`,
+              `chmod +x /underpost/keyboard.sh`,
+              `chmod +x /underpost/dns.sh`,
+              `chmod +x /underpost/help.sh`,
+              `chmod +x /underpost/host.sh`,
+              `chmod +x /underpost/test.sh`,
+              `chmod +x /underpost/start.sh`,
+              `chmod +x /underpost/reset.sh`,
+              `chmod +x /underpost/shutdown.sh`,
+              `chmod +x /underpost/device_scan.sh`,
+              `chmod +x /underpost/mac.sh`,
+              `chmod +x /underpost/enlistment.sh`,
+              `sudo chmod 700 ~/.ssh/`, // Set secure permissions for .ssh directory.
+              `sudo chmod 600 ~/.ssh/authorized_keys`, // Set secure permissions for authorized_keys.
+              `sudo chmod 644 ~/.ssh/known_hosts`, // Set permissions for known_hosts.
+              `sudo chmod 600 ~/.ssh/id_rsa`, // Set secure permissions for private key.
+              `sudo chmod 600 /etc/ssh/ssh_host_ed25519_key`, // Set secure permissions for host key.
+              `chown -R root:root ~/.ssh`, // Ensure root owns the .ssh directory.
+              `/underpost/test.sh`,
+            ],
+          });
+      }
+
+      shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
+      // Rebuild NFS server configuration.
+      if (workflowsConfig[workflowId].type === 'iso-nfs' || workflowsConfig[workflowId].type === 'chroot')
         UnderpostBaremetal.API.rebuildNfsServer({
           nfsHostPath,
         });
 
-        // Configure GRUB for PXE boot.
+      // Final commissioning steps.
+      if (options.commission === true) {
+        const { type } = workflowsConfig[workflowId];
+
+        if (type === 'chroot') {
+          const { isMounted } = UnderpostBaremetal.API.nfsMountCallback({
+            hostname,
+            nfsHostPath,
+            workflowId,
+            mount: true,
+          });
+          if (!isMounted) throw new Error('NFS root filesystem is not mounted');
+        }
+        const commissionMonitorPayload = {
+          macAddress,
+          ipAddress,
+          hostname,
+          maas: workflowsConfig[workflowId].maas,
+          machine,
+        };
+        logger.info('Waiting for commissioning...', {
+          ...commissionMonitorPayload,
+          machine: machine ? machine.system_id : null,
+        });
+
+        const { discovery } = await UnderpostBaremetal.API.commissionMonitor(commissionMonitorPayload);
+
+        if (type === 'chroot' && options.cloudInit === true) {
+          openTerminal(`node ${underpostRoot}/bin baremetal ${workflowId} ${ipAddress} ${hostname} --logs cloud-init`);
+          openTerminal(
+            `node ${underpostRoot}/bin baremetal ${workflowId} ${ipAddress} ${hostname} --logs cloud-init-machine`,
+          );
+          shellExec(
+            `node ${underpostRoot}/bin baremetal ${workflowId} ${ipAddress} ${hostname} --logs cloud-init-config`,
+          );
+        }
+      }
+    },
+
+    /**
+     * @method macAddressFactory
+     * @description Generates or returns a MAC address based on options.
+     * @param {object} options - Options for MAC address generation.
+     * @param {string} options.mac - 'random' for random MAC, 'hardware' to use device's actual MAC, specific MAC string, or empty for default.
+     * @returns {object} Object with mac property - null for 'hardware', generated/specified MAC otherwise.
+     * @memberof UnderpostBaremetal
+     */
+    macAddressFactory(options = { mac: '' }) {
+      const len = 6;
+      const defaultMac = range(1, len)
+        .map(() => '00')
+        .join(':');
+      if (options) {
+        if (!options.mac) options.mac = defaultMac;
+        if (options.mac === 'hardware') {
+          // Return null to indicate hardware MAC should be used (no spoofing)
+          options.mac = null;
+        } else if (options.mac === 'random') {
+          options.mac = range(1, len)
+            .map(() => s4().toLowerCase().substring(0, 2))
+            .join(':');
+        }
+      } else options = { mac: defaultMac };
+      return options;
+    },
+
+    /**
+     * @method downloadUbuntuLiveISO
+     * @description Downloads Ubuntu live ISO and extracts casper boot files for live boot.
+     * @param {object} params - Parameters for the method.
+     * @param {object} params.resource - The MAAS boot resource object.
+     * @param {string} params.architecture - The architecture (arm64 or amd64).
+     * @param {string} params.nfsHostPath - The NFS host path to store the ISO and extracted files.
+     * @returns {object} An object containing paths to the extracted kernel, initrd, and squashfs.
+     * @memberof UnderpostBaremetal
+     */
+    downloadUbuntuLiveISO({ resource, architecture, nfsHostPath, isoUrl }) {
+      const arch = architecture || resource.architecture.split('/')[0];
+      const osName = resource.name.split('/')[1]; // e.g., "focal", "jammy", "noble"
+
+      // Map Ubuntu codenames to versions - different versions available for different architectures
+      // ARM64 ISOs are hosted on cdimage.ubuntu.com, AMD64 on releases.ubuntu.com
+      const versionMap = {
+        arm64: {
+          focal: '20.04.5', // ARM64 focal only up to 20.04.5 on cdimage
+          jammy: '22.04.5',
+          noble: '24.04.3', // ubuntu-24.04.3-live-server-arm64+largemem.iso
+          bionic: '18.04.6',
+        },
+        amd64: {
+          focal: '20.04.6',
+          jammy: '22.04.5',
+          noble: '24.04.1',
+          bionic: '18.04.6',
+        },
+      };
+
+      shellExec(`mkdir -p ${nfsHostPath}/casper`);
+
+      const version = (versionMap[arch] && versionMap[arch][osName]) || '20.04.5';
+      const majorVersion = version.split('.').slice(0, 2).join('.');
+
+      // Determine ISO filename and URL based on architecture
+      // ARM64 ISOs are on cdimage.ubuntu.com, AMD64 on releases.ubuntu.com
+      let isoFilename;
+      if (arch === 'arm64') {
+        isoFilename = `ubuntu-${version}-live-server-arm64${osName === 'noble' ? '+largemem' : ''}.iso`;
+      } else {
+        isoFilename = `ubuntu-${version}-live-server-amd64.iso`;
+      }
+      if (!isoUrl) isoUrl = `https://cdimage.ubuntu.com/releases/${majorVersion}/release/${isoFilename}`;
+      else isoFilename = isoUrl.split('/').pop();
+
+      const isoPath = `/var/tmp/ubuntu-live-iso/${isoFilename}`;
+      const extractDir = `${nfsHostPath}/casper`;
+
+      if (!fs.existsSync(isoPath)) {
+        logger.info(`Downloading Ubuntu ${version} live ISO for ${arch}...`);
+        logger.info(`URL: ${isoUrl}`);
+        logger.info(`This may take a while (typically 1-2 GB)...`);
+        shellExec(`wget --progress=bar:force -O ${isoPath} "${isoUrl}"`, { silent: false });
+        // Verify download by checking file existence and size (not exit code, which can be unreliable)
+        if (!fs.existsSync(isoPath)) {
+          throw new Error(`Failed to download ISO from ${isoUrl} - file not created`);
+        }
+        const stats = fs.statSync(isoPath);
+        if (stats.size < 100 * 1024 * 1024) {
+          shellExec(`rm -f ${isoPath}`);
+          throw new Error(`Downloaded ISO is too small (${stats.size} bytes), download may have failed`);
+        }
+        logger.info(`Downloaded ISO to ${isoPath} (${(stats.size / 1024 / 1024 / 1024).toFixed(2)} GB)`);
+      }
+
+      // Mount ISO and extract casper files
+      const mountPoint = `${nfsHostPath}/mnt-${osName}-${arch}`;
+      shellExec(`mkdir -p ${mountPoint}`);
+
+      // Ensure mount point is not already mounted
+      shellExec(`sudo umount ${mountPoint} 2>/dev/null || true`, { silent: true });
+
+      try {
+        // Mount the ISO
+        shellExec(`sudo mount -o loop,ro ${isoPath} ${mountPoint}`, { silent: false });
+        // Verify mount succeeded by checking if casper directory exists
+        if (!fs.existsSync(`${mountPoint}/casper`)) {
+          throw new Error(`Failed to mount ISO or casper directory not found: ${isoPath}`);
+        }
+        logger.info(`Mounted ISO at ${mountPoint}`);
+
+        // List casper directory to see what's available
+        logger.info(`Checking casper directory contents...`);
+        shellExec(`ls -la ${mountPoint}/casper/ 2>/dev/null || echo "casper directory not found"`, { silent: false });
+
+        // Extract casper files
+        shellExec(`sudo cp -a ${mountPoint}/casper/* ${extractDir}/`);
+        shellExec(`sudo chown -R $(whoami):$(whoami) ${extractDir}`);
+        logger.info(`Extracted casper files from ISO`);
+
+        // Rename kernel and initrd to standard names if needed
+        if (!fs.existsSync(`${extractDir}/vmlinuz`)) {
+          const vmlinuz = shellExec(`ls ${extractDir}/vmlinuz* | head -1`, {
+            silent: true,
+            stdout: true,
+          }).stdout.trim();
+          if (vmlinuz) shellExec(`mv ${vmlinuz} ${extractDir}/vmlinuz`);
+        }
+        if (!fs.existsSync(`${extractDir}/initrd`)) {
+          const initrd = shellExec(`ls ${extractDir}/initrd* | head -1`, { silent: true, stdout: true }).stdout.trim();
+          if (initrd) shellExec(`mv ${initrd} ${extractDir}/initrd`);
+        }
+      } finally {
+        shellExec(`ls -la ${mountPoint}/`);
+
+        // Unmount ISO
+        shellExec(`sudo umount ${mountPoint}`, { silent: true });
+        logger.info(`Unmounted ISO`);
+        // Clean up temporary mount point
+        shellExec(`rmdir ${mountPoint}`, { silent: true });
+      }
+
+      return {
+        'vmlinuz-efi': `${extractDir}/vmlinuz`,
+        'initrd.img': `${extractDir}/initrd`,
+        isoUrl,
+      };
+    },
+
+    /**
+     * @method machineFactory
+     * @description Creates a new machine in MAAS with specified options.
+     * @param {object} options - Options for creating the machine.
+     * @param {string} options.macAddress - The MAC address of the machine.
+     * @param {string} options.hostname - The hostname for the machine.
+     * @param {string} options.ipAddress - The IP address for the machine.
+     * @param {string} options.powerType - The power type for the machine (default is 'manual').
+     * @param {object} options.maas - Additional MAAS-specific options.
+     * @returns {object} An object containing the created machine details.
+     * @memberof UnderpostBaremetal
+     */
+    machineFactory(
+      options = {
+        macAddress: '',
+        hostname: '',
+        ipAddress: '',
+        powerType: 'manual',
+        maas: {},
+      },
+    ) {
+      if (!options.powerType) options.powerType = 'manual';
+      const maas = options.maas || {};
+      const payload = {
+        architecture: (maas.commissioning?.architecture || 'arm64/generic').match('arm')
+          ? 'arm64/generic'
+          : 'amd64/generic',
+        mac_address: options.macAddress,
+        mac_addresses: options.macAddress,
+        hostname: options.hostname,
+        power_type: options.powerType,
+        ip: options.ipAddress,
+      };
+      logger.info('Creating MAAS machine', payload);
+      const machine = shellExec(
+        `maas ${process.env.MAAS_ADMIN_USERNAME} machines create ${Object.keys(payload)
+          .map((k) => `${k}="${payload[k]}"`)
+          .join(' ')}`,
         {
-          const resourceData = JSON.parse(
-            shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-resource read ${resource.id}`, {
-              stdout: true,
-              silent: true,
-              disableLog: true,
-            }),
+          silent: true,
+          stdout: true,
+        },
+      );
+      // console.log(machine);
+      try {
+        return { machine: JSON.parse(machine) };
+      } catch (error) {
+        console.log(error);
+        logger.error(error);
+        throw new Error(`Failed to create MAAS machine. Output:\n${machine}`);
+      }
+    },
+
+    /**
+     * @method kernelFactory
+     * @description Retrieves kernel, initrd, and root filesystem paths from a MAAS boot resource.
+     * @param {object} params - Parameters for the method.
+     * @param {object} params.resource - The MAAS boot resource object.
+     * @param {boolean} params.useLiveIso - Whether to use Ubuntu live ISO instead of MAAS boot resources.
+     * @param {string} params.nfsHostPath - The NFS host path for storing extracted files.
+     * @returns {object} An object containing paths to the kernel, initrd, and root filesystem.
+     * @memberof UnderpostBaremetal
+     */
+    kernelFactory({ resource, type, nfsHostPath, isoUrl }) {
+      // For disk-based commissioning (casper), use Ubuntu live ISO files
+      if (type === 'iso-ram' || type === 'iso-nfs') {
+        logger.info('Using Ubuntu live ISO for casper boot (disk-based commissioning)');
+        const arch = resource.architecture.split('/')[0];
+        const kernelFilesPaths = UnderpostBaremetal.API.downloadUbuntuLiveISO({
+          resource,
+          architecture: arch,
+          nfsHostPath,
+          isoUrl,
+        });
+        const resourcesPath = `/var/snap/maas/common/maas/image-storage/bootloaders/uefi/${arch}`;
+        return { kernelFilesPaths, resourcesPath };
+      }
+
+      const resourceData = JSON.parse(
+        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-resource read ${resource.id}`, {
+          stdout: true,
+          silent: true,
+          disableLog: true,
+        }),
+      );
+      let kernelFilesPaths = {};
+      const bootFiles = resourceData.sets[Object.keys(resourceData.sets)[0]].files;
+      const arch = resource.architecture.split('/')[0];
+      const resourcesPath = `/var/snap/maas/common/maas/image-storage/bootloaders/uefi/${arch}`;
+      const kernelPath = `/var/snap/maas/common/maas/image-storage`;
+
+      logger.info('Available boot files', Object.keys(bootFiles));
+      logger.info('Boot files info', {
+        id: resourceData.id,
+        type: resourceData.type,
+        name: resourceData.name,
+        architecture: resourceData.architecture,
+        bootFiles,
+        arch,
+        resourcesPath,
+        kernelPath,
+      });
+
+      // Try standard synced image structure (Ubuntu, CentOS from MAAS repos)
+      const _suffix = resource.architecture.match('xgene') ? '.xgene' : '';
+      if (bootFiles['boot-kernel' + _suffix] && bootFiles['boot-initrd' + _suffix] && bootFiles['squashfs']) {
+        kernelFilesPaths = {
+          'vmlinuz-efi': `${kernelPath}/${bootFiles['boot-kernel' + _suffix].filename_on_disk}`,
+          'initrd.img': `${kernelPath}/${bootFiles['boot-initrd' + _suffix].filename_on_disk}`,
+          squashfs: `${kernelPath}/${bootFiles['squashfs'].filename_on_disk}`,
+        };
+      }
+      // Try uploaded image structure (Packer-built images, custom uploads)
+      else if (bootFiles['boot-kernel'] && bootFiles['boot-initrd'] && bootFiles['root-tgz']) {
+        kernelFilesPaths = {
+          'vmlinuz-efi': `${kernelPath}/${bootFiles['boot-kernel'].filename_on_disk}`,
+          'initrd.img': `${kernelPath}/${bootFiles['boot-initrd'].filename_on_disk}`,
+          squashfs: `${kernelPath}/${bootFiles['root-tgz'].filename_on_disk}`,
+        };
+      }
+      // Try alternative uploaded structure with root-image-xz
+      else if (bootFiles['boot-kernel'] && bootFiles['boot-initrd'] && bootFiles['root-image-xz']) {
+        kernelFilesPaths = {
+          'vmlinuz-efi': `${kernelPath}/${bootFiles['boot-kernel'].filename_on_disk}`,
+          'initrd.img': `${kernelPath}/${bootFiles['boot-initrd'].filename_on_disk}`,
+          squashfs: `${kernelPath}/${bootFiles['root-image-xz'].filename_on_disk}`,
+        };
+      }
+      // Fallback: try to find any kernel, initrd, and root image
+      else {
+        logger.warn('Non-standard boot file structure detected. Available files', Object.keys(bootFiles));
+
+        const rootArchiveKey = Object.keys(bootFiles).find(
+          (k) => k.includes('root') && (k.includes('tgz') || k.includes('tar.gz')),
+        );
+        const explicitKernel = Object.keys(bootFiles).find((k) => k.includes('kernel'));
+        const explicitInitrd = Object.keys(bootFiles).find((k) => k.includes('initrd'));
+
+        if (rootArchiveKey && (!explicitKernel || !explicitInitrd)) {
+          logger.info(`Root archive found (${rootArchiveKey}) and missing kernel/initrd. Attempting to extract.`);
+          const rootArchivePath = `${kernelPath}/${bootFiles[rootArchiveKey].filename_on_disk}`;
+          const tempExtractDir = `/tmp/maas-extract-${resource.id}`;
+          shellExec(`mkdir -p ${tempExtractDir}`);
+
+          // List files in archive to find kernel and initrd
+          const tarList = shellExec(`tar -tf ${rootArchivePath}`, { silent: true }).stdout.split('\n');
+
+          // Look for boot/vmlinuz* and boot/initrd* (handling potential leading ./)
+          // Skip rescue, kdump, and other special images
+          const vmlinuzPaths = tarList.filter(
+            (f) => f.match(/(\.\/)?boot\/vmlinuz-[0-9]/) && !f.includes('rescue') && !f.includes('kdump'),
           );
-          const bootFiles = resourceData.sets[Object.keys(resourceData.sets)[0]].files;
-          const suffix = resource.architecture.match('xgene') ? '.xgene' : '';
-          const resourcesPath = `/var/snap/maas/common/maas/image-storage/bootloaders/uefi/arm64`;
-          const kernelPath = `/var/snap/maas/common/maas/image-storage`;
-          const kernelFilesPaths = {
-            'vmlinuz-efi': `${kernelPath}/${bootFiles['boot-kernel' + suffix].filename_on_disk}`,
-            'initrd.img': `${kernelPath}/${bootFiles['boot-initrd' + suffix].filename_on_disk}`,
-            squashfs: `${kernelPath}/${bootFiles['squashfs'].filename_on_disk}`,
-          };
-          // Construct kernel command line arguments for NFS boot.
-          const cmd = [
-            `console=serial0,115200`,
-            // `console=ttyAMA0,115200`,
-            `console=tty1`,
-            // `initrd=-1`,
-            // `net.ifnames=0`,
-            // `dwc_otg.lpm_enable=0`,
-            // `elevator=deadline`,
-            `root=/dev/nfs`,
-            `nfsroot=${callbackMetaData.runnerHost.ip}:${process.env.NFS_EXPORT_PATH}/rpi4mb,${[
-              'tcp',
-              'vers=3',
-              'nfsvers=3',
-              'nolock',
-              // 'protocol=tcp',
-              // 'hard=true',
-              'port=2049',
-              // 'sec=none',
-              'rw',
-              'hard',
-              'intr',
-              'rsize=32768',
-              'wsize=32768',
-              'acregmin=0',
-              'acregmax=0',
-              'acdirmin=0',
-              'acdirmax=0',
-              'noac',
-              // 'nodev',
-              // 'nosuid',
-            ]}`,
-            `ip=${ipAddress}:${callbackMetaData.runnerHost.ip}:${callbackMetaData.runnerHost.ip}:${netmask}:${hostname}:${networkInterfaceName}:static`,
-            `rootfstype=nfs`,
-            `rw`,
-            `rootwait`,
-            `fixrtc`,
-            'initrd=initrd.img',
-            // 'boot=casper',
-            // 'ro',
-            'netboot=nfs',
-            `init=/sbin/init`,
-            // `cloud-config-url=/dev/null`,
-            // 'ip=dhcp',
-            // 'ip=dfcp',
-            // 'autoinstall',
-            // 'rd.break',
-
-            // Disable services that not apply over nfs
-            `systemd.mask=systemd-network-generator.service`,
-            `systemd.mask=systemd-networkd.service`,
-            `systemd.mask=systemd-fsck-root.service`,
-            `systemd.mask=systemd-udev-trigger.service`,
-          ];
-          const nfsConnectStr = cmd.join(' ');
-
-          // Copy EFI bootloaders to TFTP path.
-          for (const file of ['bootaa64.efi', 'grubaa64.efi']) {
-            shellExec(`sudo cp -a ${resourcesPath}/${file} ${tftpRootPath}/pxe/${file}`);
+          const initrdPaths = tarList.filter(
+            (f) =>
+              f.match(/(\.\/)?boot\/(initrd|initramfs)-[0-9]/) &&
+              !f.includes('rescue') &&
+              !f.includes('kdump') &&
+              f.includes('.img'),
+          );
+
+          logger.info(`Found kernel candidates:`, { vmlinuzPaths, initrdPaths });
+
+          // Try to match kernel and initrd by version number
+          let vmlinuzPath = null;
+          let initrdPath = null;
+
+          if (vmlinuzPaths.length > 0 && initrdPaths.length > 0) {
+            // Extract version from kernel filename (e.g., "5.14.0-611.11.1.el9_7.aarch64")
+            for (const kernelPath of vmlinuzPaths.sort().reverse()) {
+              const kernelVersion = kernelPath.match(/vmlinuz-(.+)$/)?.[1];
+              if (kernelVersion) {
+                // Look for matching initrd
+                const matchingInitrd = initrdPaths.find((p) => p.includes(kernelVersion));
+                if (matchingInitrd) {
+                  vmlinuzPath = kernelPath;
+                  initrdPath = matchingInitrd;
+                  logger.info(`Matched kernel and initrd by version: ${kernelVersion}`);
+                  break;
+                }
+              }
+            }
           }
-          // Copy kernel and initrd images to TFTP path.
-          for (const file of Object.keys(kernelFilesPaths)) {
-            shellExec(`sudo cp -a ${kernelFilesPaths[file]} ${tftpRootPath}/pxe/${file}`);
+
+          // Fallback: use newest versions if no match found
+          if (!vmlinuzPath && vmlinuzPaths.length > 0) {
+            vmlinuzPath = vmlinuzPaths.sort().pop();
+          }
+          if (!initrdPath && initrdPaths.length > 0) {
+            initrdPath = initrdPaths.sort().pop();
           }
 
-          // Write GRUB configuration file.
-          fs.writeFileSync(
-            `${process.env.TFTP_ROOT}/grub/grub.cfg`,
-            `
-insmod gzio
-insmod http
-insmod nfs
-set timeout=5
-set default=0
-
-menuentry '${menuentryStr}' {
-  set root=(tftp,${callbackMetaData.runnerHost.ip})
-  linux /${hostname}/pxe/vmlinuz-efi ${nfsConnectStr}
-  initrd /${hostname}/pxe/initrd.img
-  boot
-}
+          logger.info(`Selected kernel: ${vmlinuzPath}, initrd: ${initrdPath}`);
 
-    `,
-            'utf8',
-          );
+          if (vmlinuzPath && initrdPath) {
+            // Extract specific files
+            // Extract all files in boot/ to ensure symlinks resolve
+            shellExec(`tar -xf ${rootArchivePath} -C ${tempExtractDir} --wildcards '*boot/*'`);
+
+            kernelFilesPaths = {
+              'vmlinuz-efi': `${tempExtractDir}/${vmlinuzPath}`,
+              'initrd.img': `${tempExtractDir}/${initrdPath}`,
+              squashfs: rootArchivePath,
+            };
+            logger.info('Extracted kernel and initrd from root archive.');
+          } else {
+            logger.error(
+              `Failed to find kernel/initrd in archive. Contents of boot/ directory:`,
+              tarList.filter((f) => f.includes('boot/')),
+            );
+            throw new Error(`Could not find kernel or initrd in ${rootArchiveKey}`);
+          }
+        } else {
+          const kernelFile = Object.keys(bootFiles).find((k) => k.includes('kernel')) || Object.keys(bootFiles)[0];
+          const initrdFile = Object.keys(bootFiles).find((k) => k.includes('initrd')) || Object.keys(bootFiles)[1];
+          const rootFile =
+            Object.keys(bootFiles).find(
+              (k) => k.includes('root') || k.includes('squashfs') || k.includes('tgz') || k.includes('xz'),
+            ) || Object.keys(bootFiles)[2];
+
+          if (kernelFile && initrdFile && rootFile) {
+            kernelFilesPaths = {
+              'vmlinuz-efi': `${kernelPath}/${bootFiles[kernelFile].filename_on_disk}`,
+              'initrd.img': `${kernelPath}/${bootFiles[initrdFile].filename_on_disk}`,
+              squashfs: `${kernelPath}/${bootFiles[rootFile].filename_on_disk}`,
+            };
+            logger.info('Using detected files', { kernel: kernelFile, initrd: initrdFile, root: rootFile });
+          } else {
+            throw new Error(`Cannot identify boot files. Available: ${Object.keys(bootFiles).join(', ')}`);
+          }
         }
+      }
+      return {
+        resource,
+        bootFiles,
+        arch,
+        resourcesPath,
+        kernelPath,
+        resourceData,
+        kernelFilesPaths,
+      };
+    },
+
+    /**
+     * @method writeGrubConfigToFile
+     * @description Writes the GRUB configuration content to the grub.cfg file in the TFTP root.
+     * @param {object} params - Parameters for the method.
+     * @param {string} params.grubCfgSrc - The GRUB configuration content to write.
+     * @memberof UnderpostBaremetal
+     * @returns {void}
+     */
+    writeGrubConfigToFile({ grubCfgSrc = '' }) {
+      shellExec(`mkdir -p ${process.env.TFTP_ROOT}/grub`, {
+        disableLog: true,
+      });
+      return fs.writeFileSync(`${process.env.TFTP_ROOT}/grub/grub.cfg`, grubCfgSrc, 'utf8');
+    },
+
+    /**
+     * @method getGrubConfigFromFile
+     * @description Reads the GRUB configuration content from the grub.cfg file in the TFTP root.
+     * @memberof UnderpostBaremetal
+     * @returns {string} The GRUB configuration content.
+     */
+    getGrubConfigFromFile() {
+      const grubCfgPath = `${process.env.TFTP_ROOT}/grub/grub.cfg`;
+      const grubCfgSrc = fs.readFileSync(grubCfgPath, 'utf8');
+      return { grubCfgPath, grubCfgSrc };
+    },
+
+    /**
+     * @method removeDiscoveredMachines
+     * @description Removes all machines in the 'discovered' status from MAAS.
+     * @memberof UnderpostBaremetal
+     * @returns {void}
+     */
+    removeDiscoveredMachines() {
+      logger.info('Removing all discovered machines from MAAS...');
+      shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} discoveries clear all=true`);
+    },
 
+    /**
+     * @method efiGrubModulesFactory
+     * @description Copies the appropriate EFI GRUB modules to the TFTP root based on the image architecture.
+     * @param {object} options - Options for determining which GRUB modules to copy.
+     * @param {object} options.image - Image configuration object.
+     * @param {string} options.image.architecture - The architecture of the image ('amd64' or 'arm64').
+     * @memberof UnderpostBaremetal
+     * @returns {void}
+     */
+    efiGrubModulesFactory(options = { image: { architecture: 'amd64' } }) {
+      if (options.image.architecture.match('arm64')) {
         // Copy ARM64 EFI GRUB modules.
         const arm64EfiPath = `${process.env.TFTP_ROOT}/grub/arm64-efi`;
         if (fs.existsSync(arm64EfiPath)) shellExec(`sudo rm -rf ${arm64EfiPath}`);
         shellExec(`sudo cp -a /usr/lib/grub/arm64-efi ${arm64EfiPath}`);
-
-        // Set ownership and permissions for TFTP root.
-        shellExec(`sudo chown -R root:root ${process.env.TFTP_ROOT}`);
-        shellExec(`sudo sudo chmod 755 ${process.env.TFTP_ROOT}`);
+      } else {
+        // Copy AMD64 EFI GRUB modules.
+        const amd64EfiPath = `${process.env.TFTP_ROOT}/grub/x86_64-efi`;
+        if (fs.existsSync(amd64EfiPath)) shellExec(`sudo rm -rf ${amd64EfiPath}`);
+        shellExec(`sudo cp -a /usr/lib/grub/x86_64-efi ${amd64EfiPath}`);
       }
+    },
 
-      // Final commissioning steps.
-      if (options.commission === true || options.cloudInitUpdate === true) {
-        const { debootstrap, networkInterfaceName, chronyc, maas } = workflowsConfig[workflowId];
-        const { timezone, chronyConfPath } = chronyc;
+    /**
+     * @method ipxeEmbeddedScriptFactory
+     * @description Generates the embedded iPXE boot script that performs DHCP and chains to the main script.
+     * This script is embedded into the iPXE binary or loaded first by GRUB.
+     * Supports MAC address spoofing for baremetal commissioning workflows.
+     * @param {object} params - The parameters for generating the script.
+     * @param {string} params.tftpServer - The IP address of the TFTP server.
+     * @param {string} params.scriptPath - The path to the main iPXE script on TFTP server.
+     * @param {string} [params.macAddress] - Optional MAC address to spoof for MAAS registration.
+     * @returns {string} The embedded iPXE script content.
+     * @memberof UnderpostBaremetal
+     */
+    ipxeEmbeddedScriptFactory({ tftpServer, scriptPath, macAddress = null }) {
+      const macSpoofingBlock =
+        macAddress && macAddress !== '00:00:00:00:00:00'
+          ? `
+# MAC Address Information
+echo ========================================
+echo Target MAC for MAAS: ${macAddress}
+echo Hardware MAC: \${net0/mac}
+echo ========================================
+echo NOTE: iPXE MAC spoofing does NOT persist to kernel
+echo The kernel will receive MAC via ifname= parameter
+echo ========================================
+`
+          : `
+# Using hardware MAC address
+echo ========================================
+echo Using device hardware MAC address
+echo Hardware MAC: \${net0/mac}
+echo MAC spoofing disabled - device uses actual MAC
+echo ========================================
+`;
+
+      return `#!ipxe
+# Embedded iPXE Boot Script
+# This script performs DHCP configuration and chains to the main boot script
+
+echo ========================================
+echo iPXE Embedded Boot Loader
+echo ========================================
+echo TFTP Server: ${tftpServer}
+echo Script Path: ${scriptPath}
+echo ========================================
+
+${macSpoofingBlock}
+
+# Show network interface info before DHCP
+echo Network Interface Info (before DHCP):
+echo Interface: net0
+echo MAC: \${net0/mac}
+ifstat
+
+# Perform DHCP to get network configuration
+echo ========================================
+echo Performing DHCP configuration...
+echo ========================================
+dhcp net0 || goto dhcp_retry
+
+echo DHCP configuration successful
+echo IP Address: \${net0/ip}
+echo Netmask: \${net0/netmask}
+echo Gateway: \${net0/gateway}
+echo DNS: \${net0/dns}
+echo TFTP Server: \${next-server}
+echo MAC used by DHCP: \${net0/mac}
+
+# Chain to the main iPXE script
+echo ========================================
+echo Chainloading main boot script...
+echo Script: tftp://${tftpServer}${scriptPath}
+echo ========================================
+chain tftp://${tftpServer}${scriptPath} || goto chain_failed
+
+:dhcp_retry
+echo DHCP failed, retrying in 5 seconds...
+sleep 5
+dhcp net0 || goto dhcp_retry
+goto dhcp_success
+
+:dhcp_success
+echo DHCP retry successful
+echo IP Address: \${net0/ip}
+echo MAC: \${net0/mac}
+chain tftp://${tftpServer}${scriptPath} || goto chain_failed
+
+:chain_failed
+echo ========================================
+echo ERROR: Failed to chain to main script
+echo TFTP Server: ${tftpServer}
+echo Script Path: ${scriptPath}
+echo ========================================
+echo Retrying in 10 seconds...
+sleep 10
+chain tftp://${tftpServer}${scriptPath} || goto shell_debug
+
+:shell_debug
+echo Dropping to iPXE shell for manual debugging
+echo Try: chain tftp://${tftpServer}${scriptPath}
+shell
+`;
+    },
 
-        // Build cloud-init tools.
-        UnderpostCloudInit.API.buildTools({
-          workflowId,
-          nfsHostPath,
-          hostname,
-          callbackMetaData,
-          dev: options.dev,
-        });
+    /**
+     * @method ipxeScriptFactory
+     * @description Generates the iPXE script content for stable identity.
+     * This iPXE script uses directly boots kernel/initrd via TFTP.
+     * @param {object} params - The parameters for generating the script.
+     * @param {string} params.maasIp - The IP address of the MAAS server.
+     * @param {string} [params.macAddress] - The MAC address registered in MAAS (for display only).
+     * @param {string} params.architecture - The architecture (arm64/amd64).
+     * @param {string} params.tftpPrefix - The TFTP prefix path (e.g., 'rpi4mb').
+     * @param {string} params.kernelCmd - The kernel command line parameters.
+     * @returns {string} The iPXE script content.
+     * @memberof UnderpostBaremetal
+     */
+    ipxeScriptFactory({ maasIp, macAddress, architecture, tftpPrefix, kernelCmd }) {
+      const macInfo =
+        macAddress && macAddress !== '00:00:00:00:00:00'
+          ? `echo Registered MAC: ${macAddress}`
+          : `echo Using hardware MAC address`;
+
+      // Construct the full TFTP paths for kernel and initrd
+      const kernelPath = `${tftpPrefix}/pxe/vmlinuz-efi`;
+      const initrdPath = `${tftpPrefix}/pxe/initrd.img`;
+      const grubBootloader = architecture === 'arm64' ? 'grubaa64.efi' : 'grubx64.efi';
+      const grubPath = `${tftpPrefix}/pxe/${grubBootloader}`;
+
+      return `#!ipxe
+echo ========================================
+echo iPXE Network Boot
+echo ========================================
+echo MAAS Server: ${maasIp}
+echo Architecture: ${architecture}
+${macInfo}
+echo ========================================
+
+# Show current network configuration
+echo Current Network Configuration:
+ifstat
+
+# Display MAC address information
+echo MAC Address: \${net0/mac}
+echo IP Address: \${net0/ip}
+echo Gateway: \${net0/gateway}
+echo DNS: \${net0/dns}
+${macAddress && macAddress !== '00:00:00:00:00:00' ? `echo Target MAC for kernel: ${macAddress}` : ''}
+
+# Direct kernel/initrd boot via TFTP
+# Modern simplified approach: Direct kernel/initrd boot via TFTP
+echo ========================================
+echo Loading kernel and initrd via TFTP...
+echo Kernel: tftp://${maasIp}/${kernelPath}
+echo Initrd: tftp://${maasIp}/${initrdPath}
+${macAddress && macAddress !== '00:00:00:00:00:00' ? `echo Kernel will use MAC: ${macAddress} (via ifname parameter)` : 'echo Kernel will use hardware MAC'}
+echo ========================================
+
+# Load kernel via TFTP
+kernel tftp://${maasIp}/${kernelPath} ${kernelCmd || 'console=ttyS0,115200'} || goto grub_fallback
+echo Kernel loaded successfully
+
+# Load initrd via TFTP
+initrd tftp://${maasIp}/${initrdPath} || goto grub_fallback
+echo Initrd loaded successfully
+
+# Boot the kernel
+echo Booting kernel...
+boot
+
+:grub_fallback
+echo ========================================
+echo Direct kernel boot failed, falling back to GRUB chainload...
+echo TFTP Path: tftp://${maasIp}/${grubPath}
+echo ========================================
+
+# Fallback: Chain to GRUB via TFTP (avoids malformed HTTP bootloader issues)
+chain tftp://${maasIp}/${grubPath} || goto http_fallback
+
+:http_fallback
+echo TFTP GRUB chainload failed, trying HTTP fallback...
+echo ========================================
+
+# Fallback: Try MAAS HTTP bootloader (may have certificate issues)
+set boot-url http://${maasIp}:5248/images/bootloader
+echo Boot URL: \${boot-url}
+chain \${boot-url}/uefi/${architecture}/${grubBootloader === 'grubaa64.efi' ? 'bootaa64.efi' : 'bootx64.efi'} || goto error
+
+:error
+echo ========================================
+echo ERROR: All boot methods failed
+echo ========================================
+echo MAAS IP: ${maasIp}
+echo Architecture: ${architecture}
+echo MAC: \${net0/mac}
+echo IP: \${net0/ip}
+echo ========================================
+echo Retrying GRUB TFTP in 10 seconds...
+sleep 10
+chain tftp://${maasIp}/${grubPath} || goto shell_debug
+
+:shell_debug
+echo Dropping to iPXE shell for manual intervention
+shell
+`;
+    },
 
-        // Run cloud-init reset and configure cloud-init.
-        UnderpostBaremetal.API.crossArchRunner({
-          nfsHostPath,
-          debootstrapArch: debootstrap.image.architecture,
-          callbackMetaData,
-          steps: [
-            options.cloudInitUpdate === true ? '' : `/underpost/reset.sh`,
-            `chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo`,
-            UnderpostCloudInit.API.configFactory({
-              controlServerIp: callbackMetaData.runnerHost.ip,
-              hostname,
-              commissioningDeviceIp: ipAddress,
-              gatewayip: callbackMetaData.runnerHost.ip,
-              mac: macAddress, // Initial MAC, will be updated.
-              timezone,
-              chronyConfPath,
-              networkInterfaceName,
-            }),
-          ],
-        });
+    /**
+     * @method grubFactory
+     * @description Generates the GRUB configuration file content.
+     * @param {object} params - The parameters for generating the configuration.
+     * @param {string} params.menuentryStr - The title of the menu entry.
+     * @param {string} params.kernelPath - The path to the kernel file (relative to TFTP root).
+     * @param {string} params.initrdPath - The path to the initrd file (relative to TFTP root).
+     * @param {string} params.cmd - The kernel command line parameters.
+     * @param {string} params.tftpIp - The IP address of the TFTP server.
+     * @param {boolean} [params.ipxe] - Flag to enable iPXE chainloading.
+     * @param {string} [params.ipxePath] - The path to the iPXE binary.
+     * @returns {object} An object containing 'grubCfgSrc' the GRUB configuration source string.
+     * @memberof UnderpostBaremetal
+     */
+    grubFactory({ menuentryStr, kernelPath, initrdPath, cmd, tftpIp, ipxe, ipxePath }) {
+      if (ipxe) {
+        return {
+          grubCfgSrc: `
+  set default="0"
+  set timeout=10
+  insmod tftp
+  set root=(tftp,${tftpIp})
+
+  menuentry 'iPXE ${menuentryStr}' {
+      echo "Loading iPXE with embedded script..."
+      echo "[INFO] TFTP Server: ${tftpIp}"
+      echo "[INFO] iPXE Binary: ${ipxePath}"
+      echo "[INFO] iPXE will execute embedded script (dhcp + chain)"
+      chainloader ${ipxePath}
+      boot
+  }
+  `,
+        };
+      }
+      return {
+        grubCfgSrc: `
+  set default="0"
+  set timeout=10
+  insmod nfs
+  insmod gzio
+  insmod http
+  insmod tftp
+  set root=(tftp,${tftpIp})
+
+  menuentry '${menuentryStr}' {
+      echo "${menuentryStr}"
+      echo " ${Underpost.version}"
+      echo "Date: ${new Date().toISOString()}"
+      ${cmd.match('/MAAS/metadata/by-id/') ? `echo "System ID: ${cmd.split('/MAAS/metadata/by-id/')[1].split('/')[0]}"` : ''}
+      echo "TFTP server: ${tftpIp}"
+      echo "Kernel path: ${kernelPath}"
+      echo "Initrd path: ${initrdPath}"
+      echo "Starting boot process..."
+      echo "Loading kernel..."
+      linux /${kernelPath} ${cmd}
+      echo "Loading initrd..."
+      initrd /${initrdPath}
+      echo "Booting..."
+      boot
+  }
+  `,
+      };
+    },
 
-        if (options.cloudInitUpdate === true) return;
+    /**
+     * @method httpBootstrapServerRunnerFactory
+     * @description Starts a simple HTTP server to serve boot files for network booting.
+     * @param {object} options - Options for the HTTP server.
+     * @param {string} hostname - The hostname of the client machine.
+     * @param {string} options.bootstrapHttpServerPath - The path to serve files from (default: './public/localhost').
+     * @param {number} options.bootstrapHttpServerPort - The port on which to start the HTTP server (default: 8888).
+     * @memberof UnderpostBaremetal
+     * @returns {void}
+     */
+    httpBootstrapServerRunnerFactory(
+      options = { hostname: 'localhost', bootstrapHttpServerPath: './public/localhost', bootstrapHttpServerPort: 8888 },
+    ) {
+      const port = options.bootstrapHttpServerPort || 8888;
+      const bootstrapHttpServerPath = options.bootstrapHttpServerPath || './public/localhost';
+      const hostname = options.hostname || 'localhost';
 
-        // Apply NAT iptables rules.
-        shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
+      shellExec(`mkdir -p ${bootstrapHttpServerPath}/${hostname}/cloud-init`);
 
-        // Wait for MAC address assignment.
-        logger.info('Waiting for MAC assignment...');
-        fs.removeSync(`${nfsHostPath}/underpost/mac`); // Clear previous MAC.
-        await UnderpostBaremetal.API.macMonitor({ nfsHostPath }); // Monitor for MAC file.
-        macAddress = fs.readFileSync(`${nfsHostPath}/underpost/mac`, 'utf8').trim(); // Read assigned MAC.
+      // Kill any existing HTTP server
+      shellExec(`sudo pkill -f 'python3 -m http.server ${port}' || true`, { silent: true });
 
-        // Re-run cloud-init config factory with the newly assigned MAC address.
-        UnderpostBaremetal.API.crossArchRunner({
-          nfsHostPath,
-          debootstrapArch: debootstrap.image.architecture,
-          callbackMetaData,
-          steps: [
-            UnderpostCloudInit.API.configFactory({
-              controlServerIp: callbackMetaData.runnerHost.ip,
-              hostname,
-              commissioningDeviceIp: ipAddress,
-              gatewayip: callbackMetaData.runnerHost.ip,
-              mac: macAddress, // Updated MAC address.
-              timezone,
-              chronyConfPath,
-              networkInterfaceName,
-            }),
-          ],
-        });
+      shellExec(
+        `cd ${bootstrapHttpServerPath} && nohup python3 -m http.server ${port} --bind 0.0.0.0 > /tmp/http-boot-server.log 2>&1 &`,
+        { silent: true, async: true },
+      );
 
-        // Remove existing machines from MAAS.
-        machines = UnderpostBaremetal.API.removeMachines({ machines });
+      // Configure iptables to allow incoming LAN connections
+      shellExec(
+        `sudo iptables -I INPUT 1 -p tcp -s 192.168.1.0/24 --dport ${port} -m conntrack --ctstate NEW -j ACCEPT`,
+      );
+      // Option for any host:
+      // sudo iptables -I INPUT 1 -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
+      shellExec(`sudo chown -R $(whoami):$(whoami) ${bootstrapHttpServerPath}`);
+      shellExec(`sudo sudo chmod 755 ${bootstrapHttpServerPath}`);
 
-        // Monitor commissioning process.
-        UnderpostBaremetal.API.commissionMonitor({
-          macAddress,
-          nfsHostPath,
-          underpostRoot,
-          hostname,
-          maas,
-          networkInterfaceName,
-        });
+      logger.info(`Started Bootstrap Http Server on port ${port}`);
+    },
+
+    /**
+     * @method updateKernelFiles
+     * @description Copies EFI bootloaders, kernel, and initrd images to the TFTP root path.
+     * It also handles decompression of the kernel if necessary for ARM64 compatibility.
+     * @param {object} params - The parameters for the function.
+     * @param {object} params.commissioningImage - The commissioning image configuration.
+     * @param {string} params.resourcesPath - The path where resources are located.
+     * @param {string} params.tftpRootPath - The TFTP root path.
+     * @param {object} params.kernelFilesPaths - Paths to kernel files.
+     * @memberof UnderpostBaremetal
+     * @returns {void}
+     */
+    updateKernelFiles({ commissioningImage, resourcesPath, tftpRootPath, kernelFilesPaths }) {
+      // Copy EFI bootloaders to TFTP path.
+      const efiFiles = commissioningImage.architecture.match('arm64')
+        ? ['bootaa64.efi', 'grubaa64.efi']
+        : ['bootx64.efi', 'grubx64.efi'];
+      for (const file of efiFiles) {
+        shellExec(`sudo cp -a ${resourcesPath}/${file} ${tftpRootPath}/pxe/${file}`);
+      }
+      // Copy kernel and initrd images to TFTP path.
+      for (const file of Object.keys(kernelFilesPaths)) {
+        if (file == 'isoUrl') continue; // Skip URL entries
+        shellExec(`sudo cp -a ${kernelFilesPaths[file]} ${tftpRootPath}/pxe/${file}`);
+        // If the file is a kernel (vmlinuz-efi) and is gzipped, unzip it for GRUB compatibility on ARM64.
+        // GRUB on ARM64 often crashes with synchronous exception (0x200) if handling large compressed kernels directly.
+        if (file === 'vmlinuz-efi') {
+          const kernelDest = `${tftpRootPath}/pxe/${file}`;
+          const fileType = shellExec(`file ${kernelDest}`, { silent: true }).stdout;
+          if (fileType.includes('gzip compressed data')) {
+            logger.info(`Decompressing kernel ${file} for ARM64 UEFI compatibility...`);
+            shellExec(`sudo mv ${kernelDest} ${kernelDest}.gz`);
+            shellExec(`sudo gunzip ${kernelDest}.gz`);
+          }
+        }
+      }
+    },
+
+    /**
+     * @method kernelCmdBootParamsFactory
+     * @description Constructs kernel command line parameters for NFS booting.
+     * @param {object} options - Options for constructing the command line.
+     * @param {string} options.ipClient - The IP address of the client.
+     * @param {string} options.ipDhcpServer - The IP address of the DHCP server.
+     * @param {string} options.ipFileServer - The IP address of the file server.
+     * @param {string} options.ipConfig - The IP configuration method (e.g., 'dhcp').
+     * @param {string} options.netmask - The network mask.
+     * @param {string} options.hostname - The hostname of the client.
+     * @param {string} options.dnsServer - The DNS server address.
+     * @param {string} options.networkInterfaceName - The name of the network interface.
+     * @param {string} options.fileSystemUrl - The URL of the root filesystem.
+     * @param {number} options.bootstrapHttpServerPort - The port of the bootstrap HTTP server.
+     * @param {string} options.type - The type of boot ('iso-ram', 'chroot', 'iso-nfs', etc.).
+     * @param {string} options.macAddress - The MAC address of the client.
+     * @param {boolean} options.cloudInit - Whether to include cloud-init parameters.
+     * @param {object} options.machine - The machine object containing system_id.
+     * @returns {object} An object containing the constructed command line string.
+     * @memberof UnderpostBaremetal
+     */
+    kernelCmdBootParamsFactory(
+      options = {
+        ipClient: '',
+        ipDhcpServer: '',
+        ipFileServer: '',
+        ipConfig: '',
+        netmask: '',
+        hostname: '',
+        dnsServer: '',
+        networkInterfaceName: '',
+        fileSystemUrl: '',
+        bootstrapHttpServerPort: 8888,
+        type: '',
+        macAddress: '',
+        cloudInit: false,
+        machine: { system_id: '' },
+      },
+    ) {
+      // Construct kernel command line arguments for NFS boot.
+      const {
+        ipClient,
+        ipDhcpServer,
+        ipFileServer,
+        ipConfig,
+        netmask,
+        hostname,
+        dnsServer,
+        networkInterfaceName,
+        fileSystemUrl,
+        bootstrapHttpServerPort,
+        type,
+        macAddress,
+        cloudInit,
+      } = options;
+
+      const ipParam = true
+        ? `ip=${ipClient}:${ipFileServer}:${ipDhcpServer}:${netmask}:${hostname}` +
+          `:${networkInterfaceName ? networkInterfaceName : 'eth0'}:${ipConfig}:${dnsServer}`
+        : 'ip=dhcp';
+
+      const nfsOptions = `${
+        type === 'chroot'
+          ? [
+              'tcp',
+              'nfsvers=3',
+              'nolock',
+              'vers=3',
+              // 'protocol=tcp',
+              // 'hard=true',
+              'port=2049',
+              // 'sec=none',
+              'hard',
+              'intr',
+              'rsize=32768',
+              'wsize=32768',
+              'acregmin=0',
+              'acregmax=0',
+              'acdirmin=0',
+              'acdirmax=0',
+              'noac',
+              // 'nodev',
+              // 'nosuid',
+            ]
+          : []
+      }`;
+
+      const nfsRootParam = `nfsroot=${ipFileServer}:${process.env.NFS_EXPORT_PATH}/${hostname}${nfsOptions ? `,${nfsOptions}` : ''}`;
+
+      const permissionsParams = [
+        `rw`,
+        // `ro`
+      ];
+
+      const kernelParams = [
+        ...permissionsParams,
+        `ignore_uuid`,
+        `rootwait`,
+        `ipv6.disable=1`,
+        `fixrtc`,
+        // `console=serial0,115200`,
+        // `console=tty1`,
+        // `layerfs-path=filesystem.squashfs`,
+        // `root=/dev/ram0`,
+        // `toram`,
+        'nomodeset',
+        `editable_rootfs=tmpfs`,
+        `ramdisk_size=3550000`,
+        // `root=/dev/sda1`, // rpi4 usb port unit
+        'apparmor=0', // Disable AppArmor security
+        ...(networkInterfaceName === 'eth0'
+          ? [
+              'net.ifnames=0', // Disable predictable network interface names
+              'biosdevname=0', // Disable BIOS device naming
+            ]
+          : []),
+      ];
+
+      const performanceParams = [
+        // --- Boot Automation & Stability ---
+        'auto=true', // Enable automated installation/configuration
+        'noeject', // Do not attempt to eject boot media on reboot
+        `casper-getty`, // Enable console login for live sessions
+        'nowatchdog', // Disable watchdog timers to prevent unexpected reboots
+        'noprompt', // Don't wait for "Press Enter" during boot/reboot
+
+        // --- CPU & System Performance ---
+        'mitigations=off', // Disable CPU security mitigations for maximum speed
+        'clocksource=tsc', // Use fastest available hardware clock
+        'tsc=reliable', // Trust CPU clock without extra verification
+        'hpet=disable', // Disable legacy slow timer
+        'nohz=on', // Reduce overhead by disabling timer ticks on idle CPUs
+
+        // --- Memory & Hardware Optimization ---
+        'cma=40M', // Reserve contiguous RAM for RPi hardware/video
+        'zswap.enabled=1', // Use compressed RAM cache (vital for NFS/SD)
+        'zswap.compressor=zstd', // Best balance of speed and compression
+        'zswap.max_pool_percent=30', // Use max 30% of RAM as compressed storage
+        'zswap.zpool=zsmalloc', // Efficient memory management for zswap
+        'fsck.mode=skip', // Skip disk checks to accelerate boot
+        'max_loop=255', // Ensure enough loop devices for squashfs/snaps
+
+        // --- Immutable Filesystem ---
+        'overlayroot=tmpfs', // Run entire OS in RAM to protect storage
+        'overlayroot_cfgdisk=disabled', // Ignore external overlay configurations
+      ];
+
+      const baseNfsParams = [`netboot=nfs`];
+
+      let cmd = [];
+      if (type === 'iso-ram') {
+        const netBootParams = [`netboot=url`];
+        if (fileSystemUrl) netBootParams.push(`url=${fileSystemUrl.replace('https', 'http')}`);
+        cmd = [ipParam, `boot=casper`, ...netBootParams, ...kernelParams];
+      } else if (type === 'chroot') {
+        const qemuNfsRootParams = [`root=/dev/nfs`, `rootfstype=nfs`, `initrd=initrd.img`, `init=/sbin/init`];
+        cmd = [ipParam, ...baseNfsParams, ...qemuNfsRootParams, nfsRootParam, ...kernelParams];
+      } else {
+        // 'iso-nfs'
+        cmd = [ipParam, ...baseNfsParams, nfsRootParam, ...kernelParams, ...performanceParams];
+
+        cmd.push(`ifname=${networkInterfaceName}:${macAddress}`);
+
+        if (cloudInit) {
+          const cloudInitPreseedUrl = `http://${ipDhcpServer}:5248/MAAS/metadata/by-id/${options.machine?.system_id ? options.machine.system_id : 'system-id'}/?op=get_preseed`;
+          cmd = cmd.concat([
+            `cloud-init=enabled`,
+            'autoinstall',
+            `cloud-config-url=${cloudInitPreseedUrl}`,
+            `ds=nocloud-net;s=${cloudInitPreseedUrl}`,
+            `log_host=${ipDhcpServer}`,
+            `log_port=5247`,
+            // `BOOTIF=${macAddress}`,
+            // `cc:{'datasource_list': ['MAAS']}end_cc`,
+          ]);
+        }
       }
+      // cmd.push('---');
+      const cmdStr = cmd.join(' ');
+      logger.info('Constructed kernel command line');
+      console.log(newInstance(cmdStr).bgRed.bold.black);
+      return { cmd: cmdStr };
     },
 
     /**
@@ -792,25 +1996,15 @@ menuentry '${menuentryStr}' {
      * once a matching MAC address is found. It also opens terminal windows for live logs.
      * @param {object} params - The parameters for the function.
      * @param {string} params.macAddress - The MAC address to monitor for.
-     * @param {string} params.nfsHostPath - The NFS host path for storing system-id and auth tokens.
-     * @param {string} params.underpostRoot - The root directory of the Underpost project.
-     * @param {string} params.hostname - The desired hostname for the new machine.
-     * @param {object} params.maas - MAAS configuration details.
-     * @param {string} params.networkInterfaceName - The name of the network interface.
+     * @param {string} params.ipAddress - The IP address of the machine (used if MAC is all zeros).
+     * @param {string} [params.hostname] - The hostname for the machine (optional).
+     * @param {object} [params.maas] - Additional MAAS-specific options (optional).
+     * @param {object} [params.machine] - Existing machine payload to use (optional).
      * @returns {Promise<void>} A promise that resolves when commissioning is initiated or after a delay.
      * @memberof UnderpostBaremetal
      */
-    async commissionMonitor({ macAddress, nfsHostPath, underpostRoot, hostname, maas, networkInterfaceName }) {
+    async commissionMonitor({ macAddress, ipAddress, hostname, maas, machine }) {
       {
-        logger.info('Waiting for commissioning...', {
-          macAddress,
-          nfsHostPath,
-          underpostRoot,
-          hostname,
-          maas,
-          networkInterfaceName,
-        });
-
         // Query observed discoveries from MAAS.
         const discoveries = JSON.parse(
           shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} discoveries read`, {
@@ -819,131 +2013,95 @@ menuentry '${menuentryStr}' {
           }),
         );
 
-        //   {
-        //     "discovery_id": "",
-        //     "ip": "192.168.1.189",
-        //     "mac_address": "00:00:00:00:00:00",
-        //     "last_seen": "2025-05-05T14:17:37.354",
-        //     "hostname": null,
-        //     "fabric_name": "",
-        //     "vid": null,
-        //     "mac_organization": "",
-        //     "observer": {
-        //         "system_id": "",
-        //         "hostname": "",
-        //         "interface_id": 1,
-        //         "interface_name": ""
-        //     },
-        //     "resource_uri": "/MAAS/api/2.0/discovery/MTkyLjE2OC4xLjE4OSwwMDowMDowMDowMDowMDowMA==/"
-        // },
-
-        // Log discovered IPs for visibility.
-        console.log(discoveries.map((d) => d.ip).join(' | '));
-
-        // Iterate through discoveries to find a matching MAC address.
         for (const discovery of discoveries) {
-          const machine = {
-            architecture: maas.image.architecture.match('amd') ? 'amd64/generic' : 'arm64/generic',
-            mac_address: discovery.mac_address,
-            hostname: discovery.hostname
-              ? discovery.hostname
-              : discovery.mac_organization
-                ? discovery.mac_organization
-                : discovery.domain
-                  ? discovery.domain
-                  : `generic-host-${s4()}${s4()}`,
-            power_type: 'manual',
-            mac_addresses: discovery.mac_address,
-            ip: discovery.ip,
-          };
-          machine.hostname = machine.hostname.replaceAll(' ', '').replaceAll('.', ''); // Sanitize hostname.
-
-          if (machine.mac_addresses === macAddress)
-            try {
-              machine.hostname = hostname;
-              machine.mac_address = macAddress;
-              // Create a new machine in MAAS.
-              let newMachine = shellExec(
-                `maas ${process.env.MAAS_ADMIN_USERNAME} machines create ${Object.keys(machine)
-                  .map((k) => `${k}="${machine[k]}"`)
-                  .join(' ')}`,
-                {
+          const dicoverHostname = discovery.hostname
+            ? discovery.hostname
+            : discovery.mac_organization
+              ? discovery.mac_organization
+              : discovery.domain
+                ? discovery.domain
+                : `generic-host-${s4()}${s4()}`;
+
+          console.log(dicoverHostname.bgBlue.bold.white);
+          console.log('ip target:'.green + ipAddress, 'ip discovered:'.green + discovery.ip);
+          console.log('mac target:'.green + macAddress, 'mac discovered:'.green + discovery.mac_address);
+
+          if (discovery.ip === ipAddress) {
+            logger.info('Machine discovered!', discovery);
+            if (!machine) {
+              logger.info('Creating new machine with discovered hardware MAC...', {
+                discoveredMAC: discovery.mac_address,
+                ipAddress,
+                hostname,
+              });
+              machine = UnderpostBaremetal.API.machineFactory({
+                ipAddress,
+                macAddress: discovery.mac_address,
+                hostname,
+                maas,
+              }).machine;
+              console.log('New machine system id:', machine.system_id.bgYellow.bold.black);
+              UnderpostBaremetal.API.writeGrubConfigToFile({
+                grubCfgSrc: UnderpostBaremetal.API.getGrubConfigFromFile().grubCfgSrc.replaceAll(
+                  'system-id',
+                  machine.system_id,
+                ),
+              });
+            } else {
+              const systemId = machine.system_id;
+              console.log('Using pre-registered machine system_id:', systemId.bgYellow.bold.black);
+
+              // Update the boot interface MAC if hardware MAC differs from pre-registered MAC
+              // This handles both hardware mode (macAddress is null) and MAC mismatch scenarios
+              if (macAddress === null || macAddress !== discovery.mac_address) {
+                logger.info('Updating machine interface with discovered hardware MAC...', {
+                  preRegisteredMAC: macAddress || 'none (hardware mode)',
+                  discoveredMAC: discovery.mac_address,
+                });
+
+                shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine mark-broken ${systemId}`, {
                   silent: true,
-                  stdout: true,
-                },
-              );
-              newMachine = { discovery, machine: JSON.parse(newMachine) };
-              console.log(newMachine);
-
-              const discoverInterfaceName = 'eth0'; // Default interface name for discovery.
+                });
 
-              // Read interface data.
-              const interfaceData = JSON.parse(
                 shellExec(
-                  `maas ${process.env.MAAS_ADMIN_USERNAME} interface read ${newMachine.machine.boot_interface.system_id} ${discoverInterfaceName}`,
+                  // name=${networkInterfaceName}
+                  `maas ${process.env.MAAS_ADMIN_USERNAME} interface update ${systemId} ${machine.boot_interface.id}` +
+                    ` mac_address=${discovery.mac_address}`,
                   {
                     silent: true,
-                    stdout: true,
                   },
-                ),
-              );
-
-              logger.info('Interface', interfaceData);
-
-              // Mark machine as broken, update interface name, then mark as fixed.
-              shellExec(
-                `maas ${process.env.MAAS_ADMIN_USERNAME} machine mark-broken ${newMachine.machine.boot_interface.system_id}`,
-              );
-
-              shellExec(
-                `maas ${process.env.MAAS_ADMIN_USERNAME} interface update ${newMachine.machine.boot_interface.system_id} ${interfaceData.id} name=${networkInterfaceName}`,
-              );
-
-              shellExec(
-                `maas ${process.env.MAAS_ADMIN_USERNAME} machine mark-fixed ${newMachine.machine.boot_interface.system_id}`,
-              );
-
-              // commissioning_scripts=90-verify-user.sh
-              // shellExec(
-              //   `maas ${process.env.MAAS_ADMIN_USERNAME} machine commission --debug --insecure ${newMachine.machine.boot_interface.system_id} enable_ssh=1 skip_bmc_config=1 skip_networking=1 skip_storage=1`,
-              //   {
-              //     silent: true,
-              //   },
-              // );
-
-              // Save system-id for enlistment.
-              logger.info('system-id', newMachine.machine.boot_interface.system_id);
-              fs.writeFileSync(
-                `${nfsHostPath}/underpost/system-id`,
-                newMachine.machine.boot_interface.system_id,
-                'utf8',
-              );
+                );
 
-              // Get and save MAAS authentication credentials.
-              const { consumer_key, token_key, token_secret } = UnderpostCloudInit.API.authCredentialsFactory();
-
-              fs.writeFileSync(`${nfsHostPath}/underpost/consumer-key`, consumer_key, 'utf8');
-              fs.writeFileSync(`${nfsHostPath}/underpost/token-key`, token_key, 'utf8');
-              fs.writeFileSync(`${nfsHostPath}/underpost/token-secret`, token_secret, 'utf8');
-
-              // Open new terminals for live cloud-init logs.
-              openTerminal(`node ${underpostRoot}/bin baremetal --logs cloud`);
-              openTerminal(`node ${underpostRoot}/bin baremetal --logs machine`);
-            } catch (error) {
-              logger.error(error, error.stack);
-            } finally {
-              process.exit(0);
+                shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine mark-fixed ${systemId}`, {
+                  silent: true,
+                });
+
+                logger.info('✓ Machine interface MAC address updated successfully');
+
+                // commissioning_scripts=90-verify-user.sh
+                machine = JSON.parse(
+                  shellExec(
+                    `maas ${process.env.MAAS_ADMIN_USERNAME} machine commission --debug --insecure ${systemId} enable_ssh=1 skip_bmc_config=1 skip_networking=1 skip_storage=1`,
+                    {
+                      silent: true,
+                    },
+                  ),
+                );
+              }
+              logger.info('Machine resource uri', machine.resource_uri);
+              for (const iface of machine.interface_set)
+                logger.info('Interface info', {
+                  name: iface.name,
+                  mac_address: iface.mac_address,
+                  resource_uri: iface.resource_uri,
+                });
             }
+
+            return { discovery, machine };
+          }
         }
         await timer(1000);
-        UnderpostBaremetal.API.commissionMonitor({
-          macAddress,
-          nfsHostPath,
-          underpostRoot,
-          hostname,
-          maas,
-          networkInterfaceName,
-        });
+        return await UnderpostBaremetal.API.commissionMonitor({ macAddress, ipAddress, hostname, maas, machine });
       }
     },
 
@@ -952,11 +2110,10 @@ menuentry '${menuentryStr}' {
      * @description Mounts the binfmt_misc filesystem to enable QEMU user-static binfmt support.
      * This is necessary for cross-architecture execution within a chroot environment.
      * @param {object} params - The parameters for the function.
-     * @param {string} params.nfsHostPath - The path to the NFS root filesystem on the host.
      * @memberof UnderpostBaremetal
      * @returns {void}
      */
-    mountBinfmtMisc({ nfsHostPath }) {
+    mountBinfmtMisc() {
       // Install necessary packages for debootstrap and QEMU.
       shellExec(`sudo dnf install -y iptables-legacy`);
       shellExec(`sudo dnf install -y debootstrap`);
@@ -966,9 +2123,6 @@ menuentry '${menuentryStr}' {
       // Mount binfmt_misc filesystem.
       shellExec(`sudo modprobe binfmt_misc`);
       shellExec(`sudo mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc`);
-      // Set ownership and permissions for the NFS host path.
-      shellExec(`sudo chown -R root:root ${nfsHostPath}`);
-      shellExec(`sudo chmod 755 ${nfsHostPath}`);
     },
 
     /**
@@ -976,12 +2130,17 @@ menuentry '${menuentryStr}' {
      * @description Deletes all specified machines from MAAS.
      * @param {object} params - The parameters for the function.
      * @param {Array<object>} params.machines - An array of machine objects, each with a `system_id`.
+     * @param {Array<string>} [params.ignore] - An optional array of system IDs to ignore during deletion.
      * @memberof UnderpostBaremetal
      * @returns {Array<object>} An empty array after machines are removed.
      */
-    removeMachines({ machines }) {
+    removeMachines({ machines, ignore }) {
       for (const machine of machines) {
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine delete ${machine.system_id}`);
+        // Handle both string system_ids and machine objects
+        const systemId = typeof machine === 'string' ? machine : machine.system_id;
+        if (ignore && ignore.find((mId) => mId === systemId)) continue;
+        logger.info(`Removing machine: ${systemId}`);
+        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine delete ${systemId}`);
       }
       return [];
     },
@@ -1124,45 +2283,66 @@ EOF`);
      * It checks the mount status and performs mount/unmount operations as requested.
      * @param {object} params - The parameters for the function.
      * @param {string} params.hostname - The hostname of the target machine.
+     * @param {string} params.nfsHostPath - The NFS host path for the target machine.
      * @param {string} params.workflowId - The identifier for the workflow configuration.
      * @param {boolean} [params.mount] - If true, attempts to mount the NFS paths.
      * @param {boolean} [params.unmount] - If true, attempts to unmount the NFS paths.
      * @memberof UnderpostBaremetal
      * @returns {{isMounted: boolean}} An object indicating whether any NFS path is currently mounted.
      */
-    nfsMountCallback({ hostname, workflowId, mount, unmount }) {
+    nfsMountCallback({ hostname, nfsHostPath, workflowId, mount, unmount }) {
+      // Mount binfmt_misc filesystem.
+      if (mount) UnderpostBaremetal.API.mountBinfmtMisc();
       let isMounted = false;
+      const mountCmds = [];
+      const currentMounts = [];
       const workflowsConfig = UnderpostBaremetal.API.loadWorkflowsConfig();
       if (!workflowsConfig[workflowId]) {
         throw new Error(`Workflow configuration not found for ID: ${workflowId}`);
       }
-      // Iterate through defined NFS mounts in the workflow configuration.
-      for (const mountCmd of Object.keys(workflowsConfig[workflowId].nfs.mounts)) {
-        for (const mountPath of workflowsConfig[workflowId].nfs.mounts[mountCmd]) {
-          const hostMountPath = `${process.env.NFS_EXPORT_PATH}/${hostname}${mountPath}`;
-          // Check if the path is already mounted using `mountpoint` command.
-          const isPathMounted = !shellExec(`mountpoint ${hostMountPath}`, { silent: true, stdout: true }).match(
-            'not a mountpoint',
-          );
+      if (workflowsConfig[workflowId].type === 'chroot') {
+        const mounts = {
+          bind: ['/proc', '/sys', '/run'],
+          rbind: ['/dev'],
+        };
+
+        for (const mountCmd of Object.keys(mounts)) {
+          for (const mountPath of mounts[mountCmd]) {
+            const hostMountPath = `${process.env.NFS_EXPORT_PATH}/${hostname}${mountPath}`;
+            // Check if the path is already mounted using `mountpoint` command.
+            const isPathMounted = !shellExec(`mountpoint ${hostMountPath}`, { silent: true, stdout: true }).match(
+              'not a mountpoint',
+            );
 
-          if (isPathMounted) {
-            if (!isMounted) isMounted = true; // Set overall mounted status.
-            logger.warn('Nfs path already mounted', mountPath);
-            if (unmount === true) {
-              // Unmount if requested.
-              shellExec(`sudo umount ${hostMountPath}`);
-            }
-          } else {
-            if (mount === true) {
-              // Mount if requested and not already mounted.
-              shellExec(`sudo mount --${mountCmd} ${mountPath} ${hostMountPath}`);
+            if (isPathMounted) {
+              currentMounts.push(mountPath);
+              if (!isMounted) isMounted = true; // Set overall mounted status.
+              logger.warn('Nfs path already mounted', mountPath);
+              if (unmount === true) {
+                // Unmount if requested.
+                mountCmds.push(`sudo umount ${hostMountPath}`);
+              }
             } else {
-              logger.warn('Nfs path not mounted', mountPath);
+              if (mount === true) {
+                // Mount if requested and not already mounted.
+                mountCmds.push(`sudo mount --${mountCmd} ${mountPath} ${hostMountPath}`);
+              } else {
+                logger.warn('Nfs path not mounted', mountPath);
+              }
             }
           }
         }
+
+        if (!isMounted) {
+          // if all path unmounted, set ownership and permissions for the NFS host path.
+          shellExec(`sudo chown -R $(whoami):$(whoami) ${nfsHostPath}`);
+          shellExec(`sudo chmod -R 755 ${nfsHostPath}`);
+        }
+        for (const mountCmd of mountCmds) shellExec(mountCmd);
+        if (mount) isMounted = true;
+        logger.info('Current mounts', currentMounts);
       }
-      return { isMounted };
+      return { isMounted, currentMounts };
     },
 
     /**
@@ -1203,11 +2383,10 @@ EOF`);
          * This includes updating package lists, installing essential build tools,
          * kernel modules, cloud-init, SSH server, and other core utilities.
          * @param {object} params - The parameters for the function.
-         * @param {string} params.kernelLibVersion - The specific kernel library version to install.
          * @memberof UnderpostBaremetal.systemProvisioningFactory.ubuntu
          * @returns {string[]} An array of shell commands.
          */
-        base: ({ kernelLibVersion }) => [
+        base: () => [
           // Configure APT sources for Ubuntu ports.
           `cat <<SOURCES | tee /etc/apt/sources.list
 deb http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse
@@ -1221,12 +2400,9 @@ SOURCES`,
           // Install essential development and system utilities.
           `apt install -y build-essential xinput x11-xkb-utils usbutils uuid-runtime`,
           'apt install -y linux-image-generic',
-          // Install specific kernel modules.
-          `apt install -y linux-modules-${kernelLibVersion} linux-modules-extra-${kernelLibVersion}`,
 
-          `depmod -a ${kernelLibVersion}`, // Update kernel module dependencies.
           // Install cloud-init, systemd, SSH, sudo, locales, udev, and networking tools.
-          `apt install -y cloud-init systemd-sysv openssh-server sudo locales udev util-linux systemd-sysv iproute2 netplan.io ca-certificates curl wget chrony`,
+          `apt install -y systemd-sysv openssh-server sudo locales udev util-linux systemd-sysv iproute2 netplan.io ca-certificates curl wget chrony`,
           `ln -sf /lib/systemd/systemd /sbin/init`, // Ensure systemd is the init system.
 
           `apt-get update`,
@@ -1336,15 +2512,16 @@ logdir /var/log/chrony
          * @method keyboard
          * @description Generates shell commands for configuring the keyboard layout.
          * This ensures correct input behavior on the provisioned system.
+         * @param {string} [keyCode='en'] - The keyboard layout code (e.g., 'en', 'es').
          * @memberof UnderpostBaremetal.systemProvisioningFactory.ubuntu
          * @returns {string[]} An array of shell commands.
          */
-        keyboard: () => [
-          `sudo locale-gen en_US.UTF-8`, // Generate the specified locale.
-          `sudo update-locale LANG=en_US.UTF-8`, // Update system locale.
-          `sudo sed -i 's/XKBLAYOUT="us"/XKBLAYOUT="es"/' /etc/default/keyboard`, // Change keyboard layout to Spanish.
-          `sudo dpkg-reconfigure --frontend noninteractive keyboard-configuration`, // Reconfigure keyboard non-interactively.
-          `sudo systemctl restart keyboard-setup.service`, // Restart keyboard setup service.
+        keyboard: (keyCode = 'en') => [
+          `sudo locale-gen en_US.UTF-8`,
+          `sudo update-locale LANG=en_US.UTF-8`,
+          `sudo sed -i 's/XKBLAYOUT="us"/XKBLAYOUT="${keyCode}"/' /etc/default/keyboard`,
+          `sudo dpkg-reconfigure --frontend noninteractive keyboard-configuration`,
+          `sudo systemctl restart keyboard-setup.service`,
         ],
       },
     },
@@ -1354,7 +2531,7 @@ logdir /var/log/chrony
      * @description Configures and restarts the NFS server to export the specified path.
      * This is crucial for allowing baremetal machines to boot via NFS.
      * @param {object} params - The parameters for the function.
-     * @param {string} params.nfsHostPath - The path to be exported by the NFS server.
+     * @param {string} params.nfsHostPath - The path to the NFS server export.
      * @memberof UnderpostBaremetal
      * @param {string} [params.subnet='192.168.1.0/24'] - The subnet allowed to access the NFS export.
      * @returns {void}
@@ -1403,7 +2580,7 @@ udp-port = 32766
       shellExec(`sudo exportfs -rav`);
 
       // Display the currently active NFS exports for verification.
-      logger.info('Displaying active NFS exports:');
+      logger.info('Displaying active NFS exports');
       shellExec(`sudo exportfs -s`);
 
       // Restart the nfs-server service to apply all configuration changes,
@@ -1505,9 +2682,14 @@ udp-port = 32766
      * @throws {Error} If an invalid workflow ID is provided.
      */
     bootConfFactory({ workflowId, tftpIp, tftpPrefixStr, macAddress, clientIp, subnet, gateway }) {
-      switch (workflowId) {
-        case 'rpi4mb':
-          return `[all]
+      if (workflowId.startsWith('rpi4mb')) {
+        // Instructions: Flash sd with Raspberry Pi OS lite and update:
+        // EEPROM (Electrically Erasable Programmable Read-Only Memory) like microcontrollers
+        // sudo rpi-eeprom-config --apply /boot/firmware/boot.conf
+        // sudo reboot
+        // vcgencmd bootloader_config
+        // shutdown -h now
+        return `[all]
 BOOT_UART=0
 WAKE_ON_GPIO=1
 POWER_OFF_ON_HALT=0
@@ -1540,7 +2722,7 @@ TFTP_PREFIX_STR=${tftpPrefixStr}/
 # Manually override Ethernet MAC address
 # ─────────────────────────────────────────────────────────────
 
-MAC_ADDRESS=${macAddress}
+#MAC_ADDRESS=${macAddress}
 
 # OTP MAC address override
 #MAC_ADDRESS_OTP=0,1
@@ -1548,18 +2730,14 @@ MAC_ADDRESS=${macAddress}
 # ─────────────────────────────────────────────────────────────
 # Static IP configuration (bypasses DHCP completely)
 # ─────────────────────────────────────────────────────────────
-CLIENT_IP=${clientIp}
+#CLIENT_IP=${clientIp}
 SUBNET=${subnet}
 GATEWAY=${gateway}`;
-
-        default:
-          throw new Error('Boot conf factory invalid workflow ID:' + workflowId);
-      }
+      } else logger.warn(`No boot configuration factory defined for workflow ID: ${workflowId}`);
     },
 
     /**
      * @method loadWorkflowsConfig
-     * @namespace UnderpostBaremetal.API
      * @description Loads the commission workflows configuration from commission-workflows.json.
      * Each workflow defines specific parameters like system provisioning type,
      * kernel version, Chrony settings, debootstrap image details, and NFS mounts.     *