Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -23,7 +23,7 @@ Client PXE boot (UEFI Secure Boot)
 
 | Service     | Port      | Purpose                                  |
 |-------------|-----------|------------------------------------------|
-| dnsmasq     | 67/udp    | DHCP (10.9.100.10-100, 12h lease)        |
+| dnsmasq     | 67/udp    | DHCP (172.16.9.10-100, 12h lease)        |
 | dnsmasq     | 69/udp    | TFTP (serves ipxe.efi)                   |
 | Apache      | 80/tcp    | HTTP (wimboot, WinPE boot files, proxy)  |
 | Apache      | 4433/tcp  | iPXE boot script (GetPxeScript.aspx)     |
@@ -32,8 +32,8 @@ Client PXE boot (UEFI Secure Boot)
 
 ### Network
 
-- **PXE server IP:** `10.9.100.1/24`
-- **DHCP range:** `10.9.100.10` - `10.9.100.100`
+- **PXE server IP:** `172.16.9.1/24`
+- **DHCP range:** `172.16.9.10` - `172.16.9.100`
 - **Firewall:** UFW deny-by-default, only service ports open (22, 67, 69, 80, 445, 4433, 9009)
 
 ## Quick Start
@@ -85,12 +85,12 @@ Creates a bootable USB with two partitions:
 4. After reboot, the first-boot script:
    - Installs all offline .deb packages
    - Runs the Ansible playbook (configures dnsmasq, Apache, Samba, UFW, webapp)
-   - Configures static IP `10.9.100.1/24`
+   - Configures static IP `172.16.9.1/24`
 5. Move the server's wired NIC to the isolated PXE switch
 
 ### Step 5: Access the Web Interface
 
-Open `http://10.9.100.1:9009` from any machine on the isolated network.
+Open `http://172.16.9.1:9009` from any machine on the isolated network.
 
 ## Web Management Interface
 
@@ -213,11 +213,11 @@ This creates `pxe-server-proxmox.iso` containing the Ubuntu installer, autoinsta
 3. Attach the ISO as CD-ROM and start the VM
 4. Ubuntu auto-installs with zero interaction (~10-15 minutes)
 5. After reboot, first-boot configures all PXE services automatically
-6. Access the web interface at `http://10.9.100.1:9009`
+6. Access the web interface at `http://172.16.9.1:9009`
 
 ### Import WinPE Images
 
-After the server is running, import deployment images via the web interface at `http://10.9.100.1:9009/import` or by mounting a USB drive with WinPE content.
+After the server is running, import deployment images via the web interface at `http://172.16.9.1:9009/import` or by mounting a USB drive with WinPE content.
 
 ## Samba Shares
 
@@ -235,7 +235,7 @@ All shares use guest access (no authentication) for ease of use on the isolated
 
 Blancco Drive Eraser 7.15.1 boots via a native Ubuntu kernel with a custom initramfs (`blancco-init.sh`) that downloads and mounts the Blancco rootfs over HTTP. XML erasure reports are automatically saved to the PXE server's Samba share (`blancco-reports`). The server supports BMC cloud licensing for Blancco activation over WiFi.
 
-Reports are viewable and downloadable from the web interface at `http://10.9.100.1:9009/reports`.
+Reports are viewable and downloadable from the web interface at `http://172.16.9.1:9009/reports`.
 
 ## Notes