Add Proxmox ISO builder, CSRF protection, boot-files integration

- Add build-proxmox-iso.sh: remaster Ubuntu ISO with autoinstall config,
  offline packages, playbook, webapp, and boot files for zero-touch
  Proxmox VM deployment
- Add boot-files/ directory for WinPE boot files (wimboot, boot.wim,
  BCD, ipxe.efi, etc.) sourced from WestJeff playbook
- Update build-usb.sh and test-vm.sh to bundle boot-files automatically
- Add usb_root variable to playbook, fix all file copy paths to use it
- Unify Apache VirtualHost config (merge default site + webapp proxy)
- Add CSRF token protection to all webapp POST forms and API endpoints
- Update README with Proxmox deployment instructions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-02-09 20:01:19 -05:00
parent cb442f971b
commit f3a384fa1a
14 changed files with 492 additions and 32 deletions


@@ -157,6 +157,7 @@ pxe-server/
├── download-packages.sh # Downloads offline .debs + pip wheels
├── build-usb.sh # Builds the installer USB (2-partition)
├── prepare-boot-tools.sh # Extracts and patches boot tool files
├── build-proxmox-iso.sh # Builds self-contained Proxmox installer ISO
├── test-vm.sh # KVM test environment for validation
├── SETUP.md # Detailed setup guide
└── setup-guide-original.txt # Original manual setup notes (reference)
@@ -183,6 +184,41 @@ sudo ./test-vm.sh --destroy
The test VM creates an isolated libvirt network (10.9.100.0/24) and runs the full autoinstall + Ansible provisioning.
## Proxmox Deployment
A single ISO can be built for deploying the PXE server in a Proxmox VM:
### Build the ISO
```bash
# Prerequisites (on build workstation)
sudo apt install xorriso p7zip-full
# Build the installer ISO
./build-proxmox-iso.sh /path/to/ubuntu-24.04-live-server-amd64.iso
```
This creates `pxe-server-proxmox.iso` containing the Ubuntu installer, autoinstall config, all offline packages, the Ansible playbook, webapp, and boot tools.
### Deploy on Proxmox
1. Upload `pxe-server-proxmox.iso` to Proxmox storage (Datacenter -> Storage -> ISO Images)
2. Create a new VM:
- **OS:** Linux 6.x kernel
- **BIOS:** OVMF (UEFI) or SeaBIOS
- **Memory:** 4096 MB
- **CPU:** 2+ cores
- **Disk:** 40+ GB (VirtIO SCSI)
- **Network:** Bridge connected to your isolated PXE network
3. Attach the ISO as CD-ROM and start the VM
4. Ubuntu auto-installs with zero interaction (~10-15 minutes)
5. After reboot, first-boot configures all PXE services automatically
6. Access the web interface at `http://10.9.100.1:9009`
### Import WinPE Images
After the server is running, import deployment images via the web interface at `http://10.9.100.1:9009/import` or by mounting a USB drive with WinPE content.
## Samba Shares
| Share | Path | Purpose |
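Review bot: The "Build the ISO" steps pass `/path/to/ubuntu-24.04-live-server-amd64.iso` straight to `build-proxmox-iso.sh` with no documented integrity check. Since step 4 says the result installs with zero interaction, add a step that verifies the downloaded Ubuntu ISO against the published SHA256SUMS before remastering. In "Deploy on Proxmox", step 6 and the "Import WinPE Images" paragraph give the web interface and `/import` as plain `http://10.9.100.1:9009` without saying whether a login is required. Please state that, and repeat next to the **Network** bullet that the bridge should carry only the isolated PXE network.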
@@ -203,13 +239,10 @@ Blancco Drive Eraser is configured to automatically save XML erasure reports to
Reports are viewable and downloadable from the web interface at `http://10.9.100.1:9009/reports`.
## Known Issues / TODO
## Notes
- **wimtools** must be downloaded with `download-packages.sh` before building USB (used for startnet.cmd editing)
- **Apache VirtualHost conflict**: Two VirtualHosts on port 80 (default site and pxe-webapp proxy) — should disable default or merge
- **WinPE boot files** (wimboot, BCD, boot.sdi, bootx64.efi, boot.stl, boot.wim) must be manually placed on USB or sourced from the legacy `WestJeff` playbook folder
- **CSRF protection** not yet implemented on webapp POST forms
- Test VM requires re-download of Ubuntu ISO if `--destroy` is run (fixed in latest test-vm.sh)
- Run `download-packages.sh` before building USB — it downloads all offline `.deb` packages including wimtools (needed for startnet.cmd editing)
- The webapp uses session-based CSRF tokens on all POST forms and API endpoints
## Commit History
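Review bot: The new Notes bullet says the webapp uses session-based CSRF tokens on all POST forms and API endpoints, but nothing in the README tells a script or other non-browser API client how to obtain and send the token. Add a sentence naming the form field or header the webapp expects. The hunk also drops the "WinPE boot files" and "Apache VirtualHost conflict" items without a replacement line. The commit message says boot files now come from `boot-files/` and that the VirtualHost config was unified, so a short note on each would help anyone following the old README. The reports page is still documented as `http://10.9.100.1:9009/reports`, so the session that the CSRF token is tied to travels over plain HTTP. It is worth stating here that the interface is intended for the isolated PXE network only.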