diff --git a/README.txt b/README.txt index 657ec93..95c6d69 100644 --- a/README.txt +++ b/README.txt @@ -11,3 +11,11 @@ Execute: This will generate ISO file, providing the custom bootsplash with Sipwise specific boot menu entries. + +To generate the underlying base ISO, you can use the wrapper script: + + % osversion=auto release=trunk ./wrapper.sh + +To not use release-trunk, use something like: + + % osversion=auto release=mr13.3.1 ./wrapper.sh diff --git a/build_iso.sh b/build_iso.sh index 32f750d..2b4a24f 100755 --- a/build_iso.sh +++ b/build_iso.sh @@ -120,7 +120,7 @@ mkdir -p artifacts echo "*** Moving ${SIPWISE_ISO} ${SIPWISE_ISO}.sha1 ${SIPWISE_ISO}.md5 to artifacts/ ***" mv "${SIPWISE_ISO}" "${SIPWISE_ISO}.sha1" "${SIPWISE_ISO}.md5" artifacts/ -docker run --rm -i --privileged -v "$(pwd)":/code/ docker.mgm.sipwise.com/deployment-iso-bullseye:latest \ +docker run --rm -i -v "$(pwd)":/code/ docker.mgm.sipwise.com/deployment-iso-trixie:latest \ /code/t/iso-tester /code/artifacts/"${SIPWISE_ISO}" /code/artifacts/memtest.jpg "${MEMTEST_SCREENSHOT}" popd &>/dev/null diff --git a/grml_build/Dockerfile b/grml_build/Dockerfile old mode 100644 new mode 100755 index 1d73dd5..78a7208 --- a/grml_build/Dockerfile +++ b/grml_build/Dockerfile 
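Review bot: The new `docker run` line in build_iso.sh still selects the tester image by the mutable tag `deployment-iso-trixie:latest`, so the check that gates the ISO runs in whatever image that tag resolves to on the build host. Referencing the image by digest, `docker.mgm.sipwise.com/deployment-iso-trixie@sha256:<IMAGE_DIGEST>` (placeholder), would tie the run to a reviewed image. The same applies to the `FROM docker.mgm.sipwise.com/sipwise-trixie:latest` lines in grml_build/Dockerfile and t/Dockerfile, and to the `latest` default of `docker_tag` in wrapper.sh. With `--privileged` dropped here, it is also worth confirming that t/iso-tester needs no device access; that script is not visible in this diff.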
@@ -1,28 +1,26 @@ -# DOCKER_NAME=grml-build-bookworm -FROM docker.mgm.sipwise.com/sipwise-bookworm:latest +# DOCKER_NAME=grml-build-trixie +FROM docker.mgm.sipwise.com/sipwise-trixie:latest +#FROM --platform=linux/amd64 debian:trixie-slim # Important! Update this no-op ENV variable when this Dockerfile # is updated with the current date. It will force refresh of all # of the base images and things like `apt-get update` won't be using # old cached versions when the Dockerfile is built. -ENV REFRESHED_AT 2024-06-10 +ENV REFRESHED_AT=2025-06-13 # tools for building and testing RUN apt-get update && apt-get install --assume-yes --no-install-recommends \ bc \ bzip2 \ + ca-certificates \ dosfstools \ - fai-client \ - fai-server \ git \ grml2usb \ imagemagick \ - isolinux \ isomd5sum \ jo \ kmod \ - memtest86+ \ - mksh \ + mmdebstrap \ moreutils \ mtools \ pciutils \ 
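Review bot: The added `#FROM --platform=linux/amd64 debian:trixie-slim` line in grml_build/Dockerfile is a commented-out alternative base with no explanation. Either delete it or replace it with a comment saying when it is meant to be used, because a reader cannot tell which base the package list was validated against. The file header also changes the Dockerfile's mode from 100644 to 100755, which looks unintentional for a file that is never executed. The `RUN apt-get ... install` instruction continues past the end of this hunk.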
@@ -32,41 +30,13 @@ RUN apt-get update && apt-get install --assume-yes --no-install-recommends \ socat \ squashfs-tools \ sudo \ - syslinux \ wget \ xorriso -RUN echo "SECURE_BOOT=disable ./grml-live -s bookworm -a amd64 -c GRMLBASE,SIPWISE,AMD64 -t /code/grml-live/templates/ -o /grml/ -r grml-sipwise -v 0.42" >/root/.bash_history && \ - echo "export LIVE_CONF=/code/grml-live/etc/grml/grml-live.conf" >>/root/.bash_history && \ - echo "export SCRIPTS_DIRECTORY=/code/grml-live/scripts" >>/root/.bash_history && \ - echo "export GRML_FAI_CONFIG=/code/grml-live/etc/grml/fai" >>/root/.bash_history && \ - echo "cp /deployment-iso/grml_build/package_config/SIPWISE /code/grml-live/etc/grml/fai/config/package_config/SIPWISE" >>/root/.bash_history - # base build tools WORKDIR /code/ -RUN git clone -b 'v0.47.7' --single-branch --depth 1 https://github.com/grml/grml-live -RUN mkdir -p /code/grml-live/templates/boot/addons/ \ - /code/grml-live/etc/grml/fai/config/files/etc/apt/sources.list.d/sipwise.list/ \ - /code/grml-live/etc/grml/fai/config/files/etc/apt/trusted.gpg.d/sipwise-keyring.gpg/ \ - /code/grml-live/etc/grml/fai/config/files/etc/apt/trusted.gpg.d/sipwise-keyring-bootstrap.gpg/ \ - /code/grml-live/etc/grml/fai/config/files/root/puppet.gpg/ \ - /code/grml-live/etc/grml/fai/config/scripts/PUPPETLABS/ - -# addons -RUN wget https://debian.sipwise.com/debian/pool/main/m/memtest86+/memtest86+_6.00-1_amd64.deb && \ - dpkg -x memtest86+_6.00-1_amd64.deb /tmp/memtest86 && \ - cp /tmp/memtest86/boot/memtest86+x64.bin /code/grml-live/templates/boot/addons/memtest86+x64.bin && \ - cp /tmp/memtest86/boot/memtest86+x64.efi /code/grml-live/templates/boot/addons/memtest86+x64.efi && \ - rm -rf /tmp/memtest86 - -RUN wget -O /code/grml-live/templates/boot/addons/netboot.xyz.efi https://boot.netboot.xyz/ipxe/netboot.xyz.efi && \ - wget -O /code/grml-live/templates/boot/addons/netboot.xyz.lkrn https://boot.netboot.xyz/ipxe/netboot.xyz.lkrn -RUN wget 
http://ftp.de.debian.org/debian/pool/main/i/ipxe/ipxe_1.0.0+git-20190125.36a4c85-1_all.deb && \ - dpkg -x ipxe_1.0.0+git-20190125.36a4c85-1_all.deb /tmp/ipxe && \ - cp /tmp/ipxe/boot/ipxe.efi /code/grml-live/templates/boot/addons/ipxe.efi && \ - cp /tmp/ipxe/boot/ipxe.lkrn /code/grml-live/templates/boot/addons/ipxe.lkrn && \ - rm -rf /tmp/ipxe +RUN git clone -b 'v0.53.2' --single-branch --depth 1 https://github.com/grml/grml-live WORKDIR /code/grml-live @@ -75,20 +45,9 @@ WORKDIR /code/grml-live # # docker build --tag="grml-sipwise" -f grml_build/Dockerfile . # -## Build Grml image (assuming current working directory is deployment-iso.git): -# -# mkdir -p grml/ -# docker run --rm -i -t --privileged -v $(pwd):/deployment-iso/ -v $(pwd)/grml:/grml/ grml-sipwise -# -## inside docker container (also available in shell history): -# -# export GRML_FAI_CONFIG=$(pwd)/etc/grml/fai -# export SCRIPTS_DIRECTORY=$(pwd)/scripts -# export LIVE_CONF=$(pwd)/etc/grml/grml-live.conf -# cp /deployment-iso/grml_build/package_config/SIPWISE /code/grml-live/etc/grml/fai/config/package_config/SIPWISE -# ./grml-live -s bookworm -a amd64 -c GRMLBASE,SIPWISE,AMD64 -t $(pwd)/templates/ -o /grml/ -r grml-sipwise -v 0.42 +## Build Grml image: # -## A successful run results in ISO file in /grml/grml_isos/ (inside container), -## available via volume folder also outside of docker container ($pwd/grml/grml_isos/). +# osversion=auto release=trunk ./wrapper.sh # +## A successful run results in an ISO file in grml_build/grml_isos/ #################################################################################################### diff --git a/templates/scripts/keys/sipwise-keyring-bootstrap.gpg b/grml_build/config/bootstrap-keyring/SIPWISE similarity index 100% rename from templates/scripts/keys/sipwise-keyring-bootstrap.gpg rename to grml_build/config/bootstrap-keyring/SIPWISE 
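Review bot: The `git clone -b 'v0.53.2'` line in grml_build/Dockerfile pins grml-live only by tag name, and a tag can be moved upstream, so the tooling that produces the ISO is not tied to a reviewed commit. Chaining a commit check onto the same instruction keeps the pin verifiable: `RUN git clone -b 'v0.53.2' --single-branch --depth 1 https://github.com/grml/grml-live && test "$(git -C grml-live rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>"`, where the placeholder stands for the commit you reviewed. A short comment above the line naming that commit would also make future version bumps easier to audit.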
diff --git a/grml_build/config/files/PUPPETLABS/root/.gitignore b/grml_build/config/files/PUPPETLABS/root/.gitignore
new file mode 100644
index 0000000..72e8ffc
--- /dev/null
+++ b/grml_build/config/files/PUPPETLABS/root/.gitignore
@@ -0,0 +1 @@
+*
diff --git a/grml_build/config/files/SIPWISE/etc/apt/sources.list.d/.gitignore b/grml_build/config/files/SIPWISE/etc/apt/sources.list.d/.gitignore
new file mode 100644
index 0000000..72e8ffc
--- /dev/null
+++ b/grml_build/config/files/SIPWISE/etc/apt/sources.list.d/.gitignore
@@ -0,0 +1 @@
+*
diff --git a/grml_build/config/hooks/SIPWISE/updatebase b/grml_build/config/hooks/SIPWISE/updatebase
new file mode 100755
index 0000000..5e7c4db
--- /dev/null
+++ b/grml_build/config/hooks/SIPWISE/updatebase
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -eux
+
+# shellcheck disable=SC2154
+echo "Deploying /usr/share/keyrings/sipwise-archive-keyring.gpg to ${target}/etc/apt/trusted.gpg.d/"
+cp /usr/share/keyrings/sipwise-archive-keyring.gpg "${target}"/etc/apt/trusted.gpg.d/
diff --git a/grml_build/package_config/SIPWISE b/grml_build/config/package_config/SIPWISE
similarity index 97%
rename from grml_build/package_config/SIPWISE
rename to grml_build/config/package_config/SIPWISE
index 3905a99..0447f5b 100644
--- a/grml_build/package_config/SIPWISE
+++ b/grml_build/config/package_config/SIPWISE
@@ -30,6 +30,7 @@ imvirt
 iproute2
 iptstate
 iputils-ping
+ipxe
 isc-dhcp-client
 isomd5sum
 iw
@@ -41,6 +42,7 @@ locales
 lsof
 lsscsi
 mawk
+memtest86+
 mmdebstrap
 mount
 mtools
diff --git a/grml_build/10-gpgkey b/grml_build/config/scripts/PUPPETLABS/10-gpgkey
similarity index 100%
rename from grml_build/10-gpgkey
rename to grml_build/config/scripts/PUPPETLABS/10-gpgkey
diff --git a/t/Dockerfile b/t/Dockerfile
index 1345b9e..05f506c 100644
--- a/t/Dockerfile
+++ b/t/Dockerfile
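Review bot: In grml_build/config/hooks/SIPWISE/updatebase the keyring is copied into `${target}/etc/apt/trusted.gpg.d/`, which makes the Sipwise key trusted for every APT source configured in the target rather than only for the Sipwise repository. Scoping it would mean installing the key under `${target}/usr/share/keyrings/` and having the `sipwise.list` entry written by wrapper.sh reference it, e.g. `deb [signed-by=/usr/share/keyrings/sipwise-archive-keyring.gpg] https://deb.sipwise.com/...`. Whether later deployment steps rely on the trusted.gpg.d location is not visible in this diff, so that needs confirming first. A header comment stating where `target` comes from (presumably the grml-live hook environment) would also explain the SC2154 suppression.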
@@ -1,14 +1,16 @@ -# DOCKER_NAME=deployment-iso-bookworm -FROM docker.mgm.sipwise.com/sipwise-bookworm:latest +# DOCKER_NAME=deployment-iso-trixie +FROM docker.mgm.sipwise.com/sipwise-trixie:latest # Important! Update this no-op ENV variable when this Dockerfile # is updated with the current date. It will force refresh of all # of the base images and things like `apt-get update` won't be using # old cached versions when the Dockerfile is built. -ENV REFRESHED_AT 2023-06-26 +ENV REFRESHED_AT=2025-06-13 RUN apt-get update && apt-get install --assume-yes git make gcc dpkg-dev +RUN git config --global --add safe.directory /code + RUN echo './t/testrunner' >>/root/.bash_history WORKDIR /code/ @@ -19,13 +21,13 @@ WORKDIR /code/ # When you want to build the base image from scratch # jump to the next section if you don't want to build yourself!: # -# % docker build --tag="deployment-iso-bookworm" -f t/Dockerfile . -# % docker run --rm -i -t -v $(pwd):/code:rw deployment-iso-bookworm:latest bash +# % docker build --tag="deployment-iso-trixie" -f t/Dockerfile . +# % docker run --rm -i -t -v $(pwd):/code:rw deployment-iso-trixie:latest bash # # Use the existing docker image: -# % docker pull docker.mgm.sipwise.com/deployment-iso-bookworm +# % docker pull docker.mgm.sipwise.com/deployment-iso-trixie # NOTE: run the following command from root folder of git repository: -# % docker run --rm -i -t -v $(pwd):/code:rw docker.mgm.sipwise.com/deployment-iso-bookworm:latest bash +# % docker run --rm -i -t -v $(pwd):/code:rw docker.mgm.sipwise.com/deployment-iso-trixie:latest bash # # Inside docker (the command is in history, just press UP button): # ./t/testrunner diff --git a/wrapper.sh b/wrapper.sh new file mode 100755 index 0000000..df471d6 --- /dev/null +++ b/wrapper.sh 
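Review bot: The added `RUN git config --global --add safe.directory /code` in t/Dockerfile has no comment explaining why git's repository-ownership check is being relaxed. A line above it such as `# /code is bind-mounted from the host (see usage below), so its owner may differ from the container user; exempt only this path` would record the intent and discourage widening the exemption to `*` later. The `apt-get install` line in the same hunk also omits `--no-install-recommends`, which grml_build/Dockerfile already uses.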
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# sanity checks
+if [ -z "${osversion:-}" ]; then
+ echo "Error: osversion is unset, please set to supported Debian/release (like 'trixie' or 'auto')" >&2
+ exit 1
+fi
+
+if [ -z "${release:-}" ]; then
+ echo "Error: release is unset, please set to supported Sipwise release (like 'mr13.5.1' or 'trunk')" >&2
+ exit 1
+fi
+
+if ! [ -d grml_build ] ; then
+ echo "Error: grml_build doesn't exist, executing outside deployment-iso directory?" >&2
+ exit 1
+fi
+
+# ensure that we're running it manually inside deployment-iso,
+# or we're running it from within Jenkins
+if [ "$(basename "$(pwd)")" = "deployment-iso" ] ; then
+ echo "*** Looks we're running locally inside deployment-iso directory ***"
+elif [ -n "${WORKSPACE:-}" ] && [ "$(basename "$(pwd)")" = "source" ] ; then
+ echo "*** Looks we're running inside Jenkins ***"
+else
+ echo "Error: you need to run this inside the deployment-iso directory or from within Jenkins" >&2
+ exit 1
+fi
+
+# derive Debian release from grml_build/Dockerfile if osversion is set to "auto"
+if [[ "${osversion}" == 'auto' ]]; then
+ osversion="$( sed -rn 's|^FROM docker.mgm.sipwise.com/sipwise-([A-Za-z0-9]+):.+$|\1|p' grml_build/Dockerfile )"
+fi
+
+if [ -z "${WORKSPACE:-}" ] ; then
+ docker_image="grml-sipwise"
+ echo "*** Assuming local build with docker image '${docker_image}' ***"
+else
+ echo "*** Looks like we are running inside Jenkins environment ***"
+ docker_repo=${docker_repo:-docker.mgm.sipwise.com}
+ docker_repo_port=${docker_repo_port:-5000}
+ docker_name="grml-build-${osversion}"
+ docker_tag="${dockertag:-latest}" # support custom build param via grml-build-iso Jenkins job
+ docker_image="${docker_repo}:${docker_repo_port}/${docker_name}:${docker_tag}"
+ echo "*** Pulling ${docker_image} docker image ***"
+ docker pull "${docker_image}"
+fi
+
+if [ -z "${osversion:-}" ]; then
+ echo "Can not detect osversion, exiting" >&2
+ exit 1
+fi
+
+# misc variables
+fai_config='/code/grml-live/config/'
+outside_fai_config="${PWD}/grml_build/config/"
+debian_bootstrap_url="https://debian.sipwise.com/debian/"
+iso_image_name="grml-sipwise-${osversion}-$(date +%Y%m%d_%H%M%S).iso"
+
+# write apt sources
+source_list_path='etc/apt/sources.list.d/sipwise.list'
+repo_addr="deb https://deb.sipwise.com/autobuild release-trunk-${osversion} main"
+if [[ "${release}" != 'trunk' ]]; then
+ repo_addr="deb https://deb.sipwise.com/spce/${release} ${osversion} main"
+fi
+echo "${repo_addr}" > "${outside_fai_config}files/SIPWISE/${source_list_path}"
+
+# get the puppet public key, so no need to download it in deployment.sh
+puppet_key='puppet.gpg'
+wget -O "${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}" http://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs
+
+build_command=''
+build_command+=" cp -rv /grml/config/ /code/grml-live/"
+build_command+=" && ulimit -n 1048576" # workaround to fix apt/apt-mark performance issue
+build_command+=" && GRML_NAME=grml64-small"
+build_command+=" CHROOT_OUTPUT=/root/grml_chroot"
+build_command+=" FAI_DEBOOTSTRAP='${osversion} ${debian_bootstrap_url}'"
+build_command+=" LIVE_CONF=/code/grml-live/etc/grml/grml-live.conf"
+build_command+=" GRML_FAI_CONFIG=${fai_config}"
+build_command+=" ./grml-live"
+build_command+=" -s '${osversion}'"
+build_command+=" -a amd64"
+build_command+=" -i '${iso_image_name}'"
+build_command+=" -c GRMLBASE,SIPWISE,AMD64,PUPPETLABS"
+build_command+=" -t /code/grml-live/templates/"
+build_command+=" -o /grml/"
+build_command+=" -r 'grml-sipwise-${osversion}'"
+build_command+=" -v '${release}'"
+build_command+=" -F"
+build_command+=" && cd /grml/grml_isos/"
+build_command+=" && sha1sum '${iso_image_name}' > '${iso_image_name}.sha1'"
+build_command+=" && md5sum '${iso_image_name}' > '${iso_image_name}.md5'"
+
+echo "System information:"
+uname -a
+lsb_release -a
+docker --version
+dpkg -l | grep docker
+
+echo "Build command is:"
+echo "${build_command}"
+
+docker run --rm \
+ -v "$(pwd)":/deployment-iso/ \
+ -v "$(pwd)/grml_build/":/grml/ \
+ "${docker_image}" \
+ /bin/bash -c "${build_command}"
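Review bot: The `wget` in wrapper.sh that fetches `DEB-GPG-KEY-puppetlabs` uses plain `http://`, and nothing verifies the file before it is placed under `files/PUPPETLABS/root/` for the ISO build. Anyone on the network path can therefore substitute the key that the deployment presumably trusts later for Puppet packages. Fetching over HTTPS and comparing against a pinned digest, as sketched below with a placeholder value, closes that gap. Separately, `release`, `osversion` and `dockertag` come from the environment and are pasted unvalidated into `sipwise.list`, the image name and the single-quoted parts of `build_command`. An allow-list check such as `[[ "${release}" =~ ^[A-Za-z0-9.]+$ ]] || exit 1` next to the existing sanity checks would keep a stray quote or space from changing what `bash -c` runs.

```shell
# ... unchanged: sanity checks, image selection, apt sources ...

# get the puppet public key, so no need to download it in deployment.sh
puppet_key='puppet.gpg'
puppet_key_path="${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}"
# placeholder: digest of the key file after verifying it out of band
puppet_key_sha256='<EXPECTED_SHA256_OF_PUPPET_KEY>'
wget -O "${puppet_key_path}" https://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs
echo "${puppet_key_sha256}  ${puppet_key_path}" | sha256sum -c -

# ... unchanged: build_command assembly and docker run ...
```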