refactor(users): migrate system.user to system.users[] for multi-user support

README.md

@@ -122,10 +122,11 @@ all:
                 mount:
                   path: /data
                   fstype: xfs
-            user:
-              name: ops
-              password: CHANGE_ME
-              key: "ssh-ed25519 AAAA..."
+            users:
+              - name: ops
+                password: CHANGE_ME
+                keys:
+                  - "ssh-ed25519 AAAA..."
             root:
               password: CHANGE_ME
             luks:
@@ -173,32 +174,36 @@ Top-level host install/runtime settings. Use these keys under `system`.
 | `packages`   | list       | `[]`                 | Additional packages installed post-reboot |
 | `network`    | dict       | see below            | Network configuration                    |
 | `disks`      | list       | `[]`                 | Disk layout (see [Multi-Disk Schema](#45-multi-disk-schema)) |
-| `user`       | dict       | see below            | User account settings                    |
+| `users`      | list       | `[]`                 | User accounts (see below)                |
 | `root`       | dict       | see below            | Root account settings                    |
 | `luks`       | dict       | see below            | Encryption settings                      |
 | `features`   | dict       | see below            | Feature toggles                          |
 
 #### `system.network`
 
-| Key            | Type        | Default | Description                                         |
-| -------------- | ----------- | ------- | --------------------------------------------------- |
-| `bridge`       | string      | empty   | Hypervisor network/bridge name                      |
-| `vlan`         | string/int  | empty   | VLAN tag                                            |
-| `ip`           | string      | empty   | Static IP (omit for DHCP)                           |
-| `prefix`       | int         | empty   | CIDR prefix for static IP                           |
-| `gateway`      | string      | empty   | Default gateway (static only)                       |
-| `dns.servers`  | list/string | `[]`    | DNS resolvers; comma-separated string is normalized |
-| `dns.search`   | list/string | `[]`    | Search domains; comma-separated string is normalized |
+| Key            | Type       | Default | Description                                          |
+| -------------- | ---------- | ------- | ---------------------------------------------------- |
+| `bridge`       | string     | empty   | Hypervisor network/bridge name                       |
+| `vlan`         | string/int | empty   | VLAN tag                                             |
+| `ip`           | string     | empty   | Static IP (omit for DHCP)                            |
+| `prefix`       | int        | empty   | CIDR prefix for static IP                            |
+| `gateway`      | string     | empty   | Default gateway (static only)                        |
+| `dns.servers`  | list       | `[]`    | DNS resolvers (must be a YAML list)                  |
+| `dns.search`   | list       | `[]`    | Search domains (must be a YAML list)                 |
+| `interfaces`   | list       | `[]`    | Multi-NIC config (overrides flat fields above)       |
 
-#### `system.user`
+When `interfaces` is empty, the flat fields (`bridge`, `ip`, `prefix`, `gateway`, `vlan`) are auto-wrapped into a single-entry `interfaces[]` list. When `interfaces` is set, it takes precedence and the flat fields are back-populated from `interfaces[0]` for backward compatibility. Each `interfaces[]` entry supports: `name`, `bridge` (required), `vlan`, `ip`, `prefix`, `gateway`.
 
-Credentials are prompted interactively by default via `vars_prompt` in `main.yml`, but can be supplied via inventory, vars files, or `-e` for non-interactive runs.
+#### `system.users`
 
-| Key        | Type   | Default | Description                           |
-| ---------- | ------ | ------- | ------------------------------------- |
-| `name`     | string | empty   | Username created on target            |
-| `password` | string | empty   | User password (also used for sudo)    |
-| `key`      | string | empty   | SSH public key for `authorized_keys`  |
+A list of user account dictionaries. Credentials for the first user are prompted interactively by default via `vars_prompt` in `main.yml`, but can be supplied via inventory, vars files, or `-e` for non-interactive runs.
+
+| Key        | Type   | Default | Description                                  |
+| ---------- | ------ | ------- | -------------------------------------------- |
+| `name`     | string | empty   | Username created on target (required)        |
+| `password` | string | empty   | User password (also used for sudo)           |
+| `keys`     | list   | `[]`    | SSH public keys for `authorized_keys`        |
+| `sudo`     | string | empty   | Custom sudoers rule (optional, per-user)     |
 
 #### `system.root`
 
@@ -387,7 +392,7 @@ To protect sensitive information such as passwords, API keys, and other confiden
 
 - For virtual installs, `system.cpus`, `system.memory`, and `system.disks[0].size` are required and validated.
 - For physical installs, sizing is derived from the detected install drive; set installer access (`ansible_user`/`ansible_password`) when the installer environment differs from the prompted user credentials.
-- `system.network.dns.servers` and `system.network.dns.search` accept either YAML lists or comma-separated strings.
+- `system.network.dns.servers` and `system.network.dns.search` must be YAML lists.
 - `hypervisor.type` selects backend-specific provisioning and cleanup behavior.
 - Guest tools are selected automatically by hypervisor: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`.
 - With `system.luks.method: tpm2` on virtual installs, the virtualization role enables a TPM2 device where supported (libvirt/proxmox/vmware).