Harden cloud-init disable and rebuild ISO properly in build-usb

Autoinstall user-data now disables cloud-init in multiple stages
(late-commands + runcmd + systemd masks) to prevent post-install
hangs. Also disables networkd-wait-online for air-gapped networks.
build-usb.sh switched from in-place ISO patching to full extract
and rebuild with xorriso mkisofs for reliable UEFI boot.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

autoinstall/user-data

@@ -35,7 +35,7 @@ autoinstall:
   identity:
     hostname: pxeserver
     username: pxe
-    password: "$6$rounds=656000$TpsuBw0N85085mpx$KtKsCwFlowg4NY41gUqx5ljef8cJ8uPFfgg43MyCPWByfXkhM5XushcdtkNps6lKeQFQZtli/QU.s52AUc7XC."
+    password: '$6$8AerqUockJh6ycgl$HJFBYjiFqXpzgcU9edto4CMrnaDpEX71Epin.kNTpj57GVjimIDHhcQs0AC4tmkEkKUaj.S/55wsBfMsV0KC71'
 
   # Enable SSH
   ssh:
@@ -44,7 +44,7 @@ autoinstall:
 
   # Installer-stage late commands
   late-commands:
-    # Install deb packages from CIDATA USB
+    # Install deb packages from CIDATA USB, then disable cloud-init
     - |
       curtin in-target --target=/target -- bash -c '
       mkdir -p /mnt/cidata
@@ -61,11 +61,25 @@ autoinstall:
         fi
         umount /mnt/cidata
       fi
+      # Disable cloud-init AFTER dpkg (dpkg may overwrite earlier disables)
+      mkdir -p /etc/cloud
+      touch /etc/cloud/cloud-init.disabled
+      ln -sf /dev/null /etc/systemd/system/cloud-init.service
+      ln -sf /dev/null /etc/systemd/system/cloud-init-local.service
+      ln -sf /dev/null /etc/systemd/system/cloud-config.service
+      ln -sf /dev/null /etc/systemd/system/cloud-final.service
+      ln -sf /dev/null /etc/systemd/system/cloud-init.target
+      # Disable networkd-wait-online (no gateway on air-gapped network, causes 2min hang)
+      ln -sf /dev/null /etc/systemd/system/systemd-networkd-wait-online.service
       '
 
-    # Create first-boot.sh
+    # Create first-boot.sh + disable cloud-init (in same block we know works)
     - |
       curtin in-target --target=/target -- bash -c '
+      mkdir -p /etc/cloud/cloud.cfg.d
+      echo "datasource_list: [None]" > /etc/cloud/cloud.cfg.d/99-nocloud.cfg
+      touch /etc/cloud/cloud-init.disabled
+      ln -sf /dev/null /etc/systemd/system/systemd-networkd-wait-online.service
       cat <<"EOF" > /opt/first-boot.sh
       #!/bin/bash
       CIDATA_DEV=$(blkid -L CIDATA)
@@ -102,13 +116,12 @@ autoinstall:
       '
     - curtin in-target --target=/target -- chmod +x /etc/rc.local
 
-    # Disable cloud-init on the installed system (no longer needed after autoinstall)
-    - curtin in-target --target=/target -- touch /etc/cloud/cloud-init.disabled
-    - curtin in-target --target=/target -- dpkg --configure -a
-    - curtin in-target --target=/target -- apt-get remove -y cloud-init cloud-guest-utils
-
   user-data:
     disable_root: false
+    runcmd:
+      - touch /etc/cloud/cloud-init.disabled
+      - systemctl disable cloud-init.service cloud-init-local.service cloud-config.service cloud-final.service
+      - systemctl mask cloud-init.service cloud-init-local.service cloud-config.service cloud-final.service
 
   refresh-installer:
     update: no