Add Proxmox ISO builder, CSRF protection, boot-files integration

- Add build-proxmox-iso.sh: remaster Ubuntu ISO with autoinstall config,
  offline packages, playbook, webapp, and boot files for zero-touch
  Proxmox VM deployment
- Add boot-files/ directory for WinPE boot files (wimboot, boot.wim,
  BCD, ipxe.efi, etc.) sourced from WestJeff playbook
- Update build-usb.sh and test-vm.sh to bundle boot-files automatically
- Add usb_root variable to playbook, fix all file copy paths to use it
- Unify Apache VirtualHost config (merge default site + webapp proxy)
- Add CSRF token protection to all webapp POST forms and API endpoints
- Update README with Proxmox deployment instructions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

test-vm.sh

@@ -22,7 +22,7 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 VM_NAME="pxe-test"
 VM_DISK="/var/lib/libvirt/images/${VM_NAME}.qcow2"
-CIDATA_ISO="/tmp/${VM_NAME}-cidata.iso"
+CIDATA_ISO="${SCRIPT_DIR}/.${VM_NAME}-cidata.iso"
 VM_RAM=4096
 VM_CPUS=2
 VM_DISK_SIZE=40  # GB
@@ -32,7 +32,7 @@ if [ "${1:-}" = "--destroy" ]; then
     echo "Destroying test environment..."
     virsh destroy "$VM_NAME" 2>/dev/null || true
     virsh undefine "$VM_NAME" 2>/dev/null || true
-    rm -f "$VM_DISK"
+    virsh vol-delete "${VM_NAME}.qcow2" --pool default 2>/dev/null || true
     rm -f "$CIDATA_ISO"
     rm -f "/tmp/${VM_NAME}-vmlinuz" "/tmp/${VM_NAME}-initrd"
     echo "Done."
@@ -95,6 +95,14 @@ elif [ -d "$SCRIPT_DIR/offline-packages/pip-wheels" ]; then
     echo "    Copied pip-wheels/ (from offline-packages/)"
 fi
 
+# WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.)
+if [ -d "$SCRIPT_DIR/boot-files" ]; then
+    for bf in "$SCRIPT_DIR/boot-files"/*; do
+        [ -f "$bf" ] && cp "$bf" "$CIDATA_DIR/"
+    done
+    echo "    Copied boot-files/ (wimboot, boot.wim, ipxe.efi, etc.)"
+fi
+
 # Boot tools
 if [ -d "$SCRIPT_DIR/boot-tools" ]; then
     cp -r "$SCRIPT_DIR/boot-tools" "$CIDATA_DIR/boot-tools"
@@ -110,23 +118,20 @@ rm -rf "$CIDATA_DIR"
 # --- Step 2: Create VM disk ---
 echo ""
 echo "[2/4] Creating VM disk (${VM_DISK_SIZE}GB)..."
-if [ -f "$VM_DISK" ]; then
+if virsh vol-info "$VM_NAME.qcow2" --pool default &>/dev/null; then
     echo "    Disk already exists. Destroy first with: $0 --destroy"
     exit 1
 fi
-qemu-img create -f qcow2 "$VM_DISK" "${VM_DISK_SIZE}G"
+virsh vol-create-as default "${VM_NAME}.qcow2" "${VM_DISK_SIZE}G" --format qcow2
 
 # --- Step 3: Extract kernel/initrd from ISO ---
 echo ""
 echo "[3/4] Extracting kernel and initrd from ISO..."
-ISO_MNT=$(mktemp -d)
-mount -o loop,ro "$UBUNTU_ISO" "$ISO_MNT"
 KERNEL="/tmp/${VM_NAME}-vmlinuz"
 INITRD="/tmp/${VM_NAME}-initrd"
-cp "$ISO_MNT/casper/vmlinuz" "$KERNEL"
-cp "$ISO_MNT/casper/initrd" "$INITRD"
-umount "$ISO_MNT"
-rmdir "$ISO_MNT"
+7z e -o/tmp -y "$UBUNTU_ISO" casper/vmlinuz casper/initrd 2>/dev/null
+mv /tmp/vmlinuz "$KERNEL"
+mv /tmp/initrd "$INITRD"
 echo "    Extracted vmlinuz and initrd from casper/"
 
 # --- Step 4: Launch VM ---