refactor(users): migrate system.user to system.users[] for multi-user support

Replace the single-user system.user dict with a system.users list to
support multiple user accounts. Update all roles, templates, examples,
validation, and documentation to use the new format. Remove redundant
post-normalization type checks from validation.yml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

roles/virtualization/tasks/proxmox.yml

@@ -34,8 +34,8 @@
     api_host: "{{ hypervisor_cfg.url }}"
     api_user: "{{ hypervisor_cfg.username }}"
     api_password: "{{ hypervisor_cfg.password }}"
-    ciuser: "{{ system_cfg.user.name }}"
-    cipassword: "{{ system_cfg.user.password }}"
+    ciuser: "{{ system_cfg.users[0].name }}"
+    cipassword: "{{ system_cfg.users[0].password }}"
     ciupgrade: false
     node: "{{ hypervisor_cfg.host }}"
     vmid: "{{ system_cfg.id }}"

roles/virtualization/templates/cloud-user-data.yml.j2

@@ -4,9 +4,18 @@ ssh_pwauth: true
 package_update: false
 package_upgrade: false
 users:
-  - name: "{{ system_cfg.user.name }}"
-    primary_group: "{{ system_cfg.user.name }}"
+{% for user in system_cfg.users %}
+  - name: "{{ user.name }}"
+    primary_group: "{{ user.name }}"
     groups: users
-    sudo: ALL=(ALL) NOPASSWD:ALL
-    passwd: "{{ system_cfg.user.password | password_hash('sha512') }}"
-    lock_passwd: False
+    sudo: "{{ user.sudo | default('ALL=(ALL) NOPASSWD:ALL') }}"
+    passwd: "{{ user.password | password_hash('sha512') }}"
+    lock_passwd: false
+{% set ssh_keys = user.keys | default([]) %}
+{% if ssh_keys | length > 0 %}
+    ssh_authorized_keys:
+{% for key in ssh_keys %}
+      - "{{ key }}"
+{% endfor %}
+{% endif %}
+{% endfor %}