fix: replace getent DNS check with curl in first-login.sh

getent blocks indefinitely when the nameserver is unreachable (QEMU 10.0.2.3,
or any network where DNS responds slowly). Replace with curl --connect-timeout 3
which has a hard 3s per-attempt timeout and is independent of the NSS stack.

installer/first-login.sh

@@ -11,12 +11,14 @@ exec > >(tee -a "$LOG") 2>&1
 
 echo "==> [$(date)] first-login setup starting"
 
-# Need network. Wait up to 60s for default route + DNS.
-for i in $(seq 1 30); do
-    getent hosts github.com >/dev/null 2>&1 && break
-    sleep 2
+# Need network. Wait up to 60s for HTTPS connectivity.
+# Use curl with a short timeout rather than getent — getent blocks indefinitely
+# when the DNS nameserver is unreachable (e.g. QEMU's 10.0.2.3 not responding).
+for i in $(seq 1 20); do
+    curl -fsSL --max-time 3 --connect-timeout 3 -o /dev/null https://api.github.com 2>/dev/null && break
+    sleep 3
 done
-if ! getent hosts github.com >/dev/null 2>&1; then
+if ! curl -fsSL --max-time 3 --connect-timeout 3 -o /dev/null https://api.github.com 2>/dev/null; then
     echo "!! no network; aborting first-login setup (will retry next login)"
     exit 0
 fi