diff --git a/.gitignore b/.gitignore
index 9d2e47e..3bf7461 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@
 
 debian-isos/
 
-debian.pkrvars.hcl
\ No newline at end of file
+debian.pkrvars.hcl
+packages.iso
\ No newline at end of file
diff --git a/common/build/build-debian-iso.sh b/common/build/build-debian-iso.sh
index 5565ff8..8159e23 100644
--- a/common/build/build-debian-iso.sh
+++ b/common/build/build-debian-iso.sh
@@ -26,9 +26,10 @@ die() { echo "ERROR: $*" >&2; exit 1; }
 
 usage() {
     cat <<EOF
-Usage: $(basename "$0") [OPTIONS]
+Usage: $(basename "$0") [OPTIONS] [BD-NUMBER...]
 
-Build all Debian amd64 BD ISOs from jigdo files without using jigdo-lite.
+Build Debian amd64 BD ISOs from jigdo files without using jigdo-lite.
+If no BD numbers are given, all available BDs are built.
 
 Options:
   -o DIR   Output directory  (default: ./debian-isos, or \$OUTPUT_DIR)
@@ -36,14 +37,18 @@ Options:
   -s DIR   Scan DIR for locally cached .deb packages to reuse
   -h       Show this help
 
+Arguments:
+  BD-NUMBER  One or more disc numbers to build (1-6).  Multiple allowed.
+
 Environment:
   FETCH_BATCH_SIZE  Number of package URLs fetched per batch (default: 30)
 
 Examples:
-  $(basename "$0")
-  $(basename "$0") -o /data/isos
-  $(basename "$0") -s /var/cache/apt/archives
-  $(basename "$0") -m http://ftp.de.debian.org/debian
+  $(basename "$0")              # build all BDs
+  $(basename "$0") 1            # build BD-1 only
+  $(basename "$0") 1 2 3        # build BD-1, BD-2, BD-3
+  $(basename "$0") -o /data/isos 1 2
+  $(basename "$0") -s /var/cache/apt/archives 1
 EOF
 }
 
@@ -281,12 +286,15 @@ build_image() {
 }
 
 main() {
+    local -a selected_nums=()
+
     while [[ $# -gt 0 ]]; do
         case "$1" in
             -h|--help)   usage; exit 0 ;;
             -o|--output) OUTPUT_DIR="$2"; shift 2 ;;
             -m|--mirror) MIRROR="$2";     shift 2 ;;
             -s|--scan)   SCAN_DIR="$2";   shift 2 ;;
+            [1-6])       selected_nums+=("$1"); shift ;;
             *) die "Unknown option: $1" ;;
         esac
     done
@@ -295,9 +303,9 @@ main() {
     mkdir -p "$OUTPUT_DIR"
     [[ -n "$SCAN_DIR" && ! -d "$SCAN_DIR" ]] && die "Scan directory not found: $SCAN_DIR"
 
-    local -a images=()
+    local -a all_images=()
     while IFS= read -r name; do
-        images+=("${name%.jigdo}")
+        all_images+=("${name%.jigdo}")
     done < <(
         wget -qO- "${JIGDO_URL}/" \
             | grep -oP 'href="debian-[^"]+BD-[0-9]+\.jigdo"' \
@@ -306,7 +314,19 @@ main() {
             | sort -uV
     )
 
-    (( ${#images[@]} > 0 )) || die "No BD jigdo files found at $JIGDO_URL"
+    (( ${#all_images[@]} > 0 )) || die "No BD jigdo files found at $JIGDO_URL"
+
+    local -a images=()
+    if (( ${#selected_nums[@]} == 0 )); then
+        images=("${all_images[@]}")
+    else
+        for n in "${selected_nums[@]}"; do
+            local match
+            match=$(printf '%s\n' "${all_images[@]}" | grep -i "BD-${n}\b" | head -1)
+            [[ -n "$match" ]] || die "BD-${n} not found in jigdo index"
+            images+=("$match")
+        done
+    fi
 
     echo "Mirror: $(normalize_mirror "$MIRROR")"
     echo "Output: $OUTPUT_DIR"
diff --git a/common/template/debian13-gui/debian.pkr.hcl b/common/template/debian13-gui/debian.pkr.hcl
index 8934739..4e83ae3 100644
--- a/common/template/debian13-gui/debian.pkr.hcl
+++ b/common/template/debian13-gui/debian.pkr.hcl
@@ -241,6 +241,38 @@ build {
   name    = "debian-13-gui-template"
   sources = ["source.vsphere-iso.debian"]
 
+  # Install VS Code + YAML extension and Zeal docsets (requires internet via DHCP)
+  provisioner "shell" {
+    inline = [
+      "set -e",
+      # BDs are mounted at boot via fstab (installer keeps trays closed via
+      # cdrom-detect/eject=false in preseed).
+      "for n in 1 2 3 4 5 6; do mountpoint -q /mnt/bd$n || mount /mnt/bd$n; done",
+      "sudo apt-get update",
+      # ── VS Code ─────────────────────────────────────────────────────────────
+      # Download the .deb directly — avoids apt-get update hitting stale CD-ROM sources
+      "curl -fL --retry 3 'https://code.visualstudio.com/sha/download?build=stable&os=linux-deb-x64' -o /tmp/vscode.deb",
+      "file /tmp/vscode.deb | grep -q 'Debian binary package' || { echo 'VS Code download is not a valid .deb'; head -c 500 /tmp/vscode.deb; exit 1; }",
+      "dpkg -i /tmp/vscode.deb || apt-get install -fy",
+      "rm -f /tmp/vscode.deb",
+      "code --install-extension redhat.vscode-yaml --no-sandbox --user-data-dir /root/.vscode --force",
+
+      # Patch the .desktop launcher so VS Code opens without the root sandbox error
+      "sed -i 's|Exec=/usr/share/code/code|Exec=/usr/share/code/code --no-sandbox|g' /usr/share/applications/code.desktop",
+
+      # ── Zeal ────────────────────────────────────────────────────────────────
+      "apt-get install -y zeal",
+      # Qt WebEngine (Chromium) refuses to run as root without disabling sandbox.
+      # Patch the launcher to pass the env var instead of --no-sandbox flag.
+      "sed -i 's|^Exec=zeal|Exec=env QTWEBENGINE_CHROMIUM_FLAGS=--no-sandbox zeal|' /usr/share/applications/org.zealdocs.zeal.desktop",
+      "mkdir -p /root/.local/share/Zeal/Zeal/docsets",
+      "wget -qO /tmp/Python.tgz  https://kapeli.com/feeds/Python.tgz  && tar -xz -C /root/.local/share/Zeal/Zeal/docsets -f /tmp/Python.tgz  && rm /tmp/Python.tgz",
+      "wget -qO /tmp/Ansible.tgz https://kapeli.com/feeds/Ansible.tgz && tar -xz -C /root/.local/share/Zeal/Zeal/docsets -f /tmp/Ansible.tgz && rm /tmp/Ansible.tgz",
+      "wget -qO /tmp/Nginx.tgz   https://kapeli.com/feeds/Nginx.tgz   && tar -xz -C /root/.local/share/Zeal/Zeal/docsets -f /tmp/Nginx.tgz   && rm /tmp/Nginx.tgz",
+      "wget -qO /tmp/Bash.tgz    https://kapeli.com/feeds/Bash.tgz    && tar -xz -C /root/.local/share/Zeal/Zeal/docsets -f /tmp/Bash.tgz    && rm /tmp/Bash.tgz",
+    ]
+  }
+
   # Generalise the VM so every clone starts with a clean identity
   provisioner "shell" {
     inline = [
diff --git a/common/template/debian13-gui/http/preseed.cfg b/common/template/debian13-gui/http/preseed.cfg
index c87561d..6aa3c37 100644
--- a/common/template/debian13-gui/http/preseed.cfg
+++ b/common/template/debian13-gui/http/preseed.cfg
@@ -135,7 +135,13 @@ d-i preseed/late_command string \
     in-target sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config; \
     in-target sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config; \
     in-target systemctl enable ssh; \
-    in-target sh -c 'printf "[SeatDefaults]\nautologin-user=root\nautologin-user-timeout=0\n" >> /etc/lightdm/lightdm.conf'
+    in-target sh -c 'printf "[SeatDefaults]\nautologin-user=root\nautologin-user-timeout=0\n" >> /etc/lightdm/lightdm.conf'; \
+    in-target mkdir -p /mnt/bd1 /mnt/bd2 /mnt/bd3 /mnt/bd4 /mnt/bd5 /mnt/bd6; \
+    printf '/dev/sr0\t/mnt/bd1\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr1\t/mnt/bd2\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr2\t/mnt/bd3\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr3\t/mnt/bd4\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr4\t/mnt/bd5\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr5\t/mnt/bd6\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n' >> /target/etc/fstab; \
+    printf 'deb [trusted=yes] file:///mnt/bd1 trixie main\ndeb [trusted=yes] file:///mnt/bd2 trixie main\ndeb [trusted=yes] file:///mnt/bd3 trixie main\ndeb [trusted=yes] file:///mnt/bd4 trixie main\ndeb [trusted=yes] file:///mnt/bd5 trixie main\ndeb [trusted=yes] file:///mnt/bd6 trixie main\n' > /target/etc/apt/sources.list
 
 # ── Finish ────────────────────────────────────────────────────────────────────
+# Do not eject the CDs at end of install — leaves the trays open so the
+# installed system boots with "no medium" and fstab mounts fail.
+d-i cdrom-detect/eject              boolean false
 d-i finish-install/reboot_in_progress note
diff --git a/common/template/debian13/debian.pkr.hcl b/common/template/debian13/debian.pkr.hcl
index 9657883..1bd2ed4 100644
--- a/common/template/debian13/debian.pkr.hcl
+++ b/common/template/debian13/debian.pkr.hcl
@@ -244,6 +244,10 @@ build {
   # Generalise the VM so every clone starts with a clean identity
   provisioner "shell" {
     inline = [
+      "set -e",
+      # Ensure BD ISOs are mounted (fstab handles this at boot via cdrom-detect/eject=false)
+      "for n in 1 2 3 4 5 6; do mountpoint -q /mnt/bd$n || mount /mnt/bd$n; done",
+
       # Remove SSH host keys — regenerated on first boot of each clone
       "sudo rm -f /etc/ssh/ssh_host_*",
 
diff --git a/common/template/debian13/http/preseed.cfg b/common/template/debian13/http/preseed.cfg
index a91f308..e8d7ce3 100644
--- a/common/template/debian13/http/preseed.cfg
+++ b/common/template/debian13/http/preseed.cfg
@@ -136,7 +136,13 @@ d-i preseed/late_command string \
     in-target systemctl enable ssh; \
     rm -f /target/var/lib/dhcp/*.leases; \
     rm -f /target/etc/resolv.conf; \
-    in-target ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+    in-target ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf; \
+    in-target mkdir -p /mnt/bd1 /mnt/bd2 /mnt/bd3 /mnt/bd4 /mnt/bd5 /mnt/bd6; \
+    printf '/dev/sr0\t/mnt/bd1\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr1\t/mnt/bd2\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr2\t/mnt/bd3\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr3\t/mnt/bd4\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr4\t/mnt/bd5\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n/dev/sr5\t/mnt/bd6\tiso9660\tro,nofail,x-systemd.device-timeout=30\t0\t0\n' >> /target/etc/fstab; \
+    printf 'deb [trusted=yes] file:///mnt/bd1 trixie main\ndeb [trusted=yes] file:///mnt/bd2 trixie main\ndeb [trusted=yes] file:///mnt/bd3 trixie main\ndeb [trusted=yes] file:///mnt/bd4 trixie main\ndeb [trusted=yes] file:///mnt/bd5 trixie main\ndeb [trusted=yes] file:///mnt/bd6 trixie main\n' > /target/etc/apt/sources.list
 
 # ── Finish ────────────────────────────────────────────────────────────────────
+# Do not eject the CDs at end of install — leaves the trays open so the
+# installed system boots with "no medium" and fstab mounts fail.
+d-i cdrom-detect/eject              boolean false
 d-i finish-install/reboot_in_progress note