pxe: arch-aware NBP + undionly.kpxe for legacy BIOS clients

Legacy-BIOS PXE clients booting Blancco reported "NBP is too big to
fit in free base memory". Cause: dnsmasq unconditionally served
ipxe.efi (~675KB EFI binary) which legacy BIOS PXE ROMs cannot
execute and which exceeds their NBP cap.

Fix:
- Add undionly.kpxe (~70KB BIOS-mode iPXE, from boot.ipxe.org).
- dnsmasq: dhcp-match on option:client-arch,0 (BIOS) -> undionly.kpxe;
  default (everything else, including UEFI x86_64 arch 7 and 9) keeps
  getting ipxe.efi. Tag form is reversible: if the match fails to
  evaluate, fallback is the working EFI path, not the new binary.
- Ansible TFTP-copy loop: mirror undionly.kpxe alongside ipxe.efi.
- .gitignore exception: track the open-source kpxe binary so the
  air-gapped USB build stays self-contained.

UEFI clients unchanged. Blancco/Clonezilla/WinPE chain after the
iPXE menu is identical regardless of which iPXE variant delivered it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -30,6 +30,10 @@ boot-tools/
 
 # WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.)
 boot-files/
+# Exception: track undionly.kpxe (open-source iPXE BIOS-mode NBP for
+# legacy PXE clients, ~70KB, from boot.ipxe.org). Makes air-gapped USB
+# build self-contained without a separate fetch step.
+!boot-files/undionly.kpxe
 
 # Python wheels for offline install (built by download-packages.sh)
 pip-wheels/
@@ -77,6 +81,6 @@ secrets.yml
 *_secret
 *_secrets
 credentials.json
-
-# Pre-staged binary (142 MB) - track via LFS or stage on PXE server, not in regular git
-playbook/shopfloor-setup/Shopfloor/PrinterInstallerMap.exe
+
+# Pre-staged binary (142 MB) - track via LFS or stage on PXE server, not in regular git
+playbook/shopfloor-setup/Shopfloor/PrinterInstallerMap.exe