refactor(users): migrate system.user to system.users[] for multi-user support

roles/global_defaults/tasks/system.yml

@@ -9,14 +9,14 @@
     that:
       - system is mapping
       - system.network is not defined or system.network is mapping
-      - system.user is not defined or system.user is mapping
+      - system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping)
       - system.root is not defined or system.root is mapping
       - system.luks is not defined or system.luks is mapping
       - system.features is not defined or system.features is mapping
-    fail_msg: "system and its nested keys (network, user, root, luks, features) must be dictionaries."
+    fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list."
     quiet: true
 
-- name: Validate DNS and user.keys are lists (not strings)
+- name: Validate DNS lists (not strings)
   when: system.network is defined and system.network.dns is defined
   ansible.builtin.assert:
     that:
@@ -25,13 +25,18 @@
     fail_msg: "system.network.dns.servers and system.network.dns.search must be lists, not strings."
     quiet: true
 
-- name: Validate user.keys is a list
-  when: system.user is defined and system.user.keys is defined
+- name: Validate system.users entries
+  when: system.users is defined and system.users | length > 0
   ansible.builtin.assert:
     that:
-      - system.user.keys is iterable and system.user.keys is not string
-    fail_msg: "system.user.keys must be a list of SSH public key strings."
+      - item is mapping
+      - item.name is defined and (item.name | string | length) > 0
+      - item.keys is not defined or (item.keys is iterable and item.keys is not string)
+    fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
     quiet: true
+  loop: "{{ system.users }}"
+  loop_control:
+    label: "{{ item.name | default('(unnamed)') }}"
 
 - name: Validate system features input types
   when: system.features is defined
@@ -122,10 +127,7 @@
           | list
         }}
       disks: "{{ system_raw.disks | default([]) }}"
-      user:
-        name: "{{ system_raw.user.name | string }}"
-        password: "{{ system_raw.user.password | string }}"
-        keys: "{{ system_raw.user.keys | default([]) }}"
+      users: "{{ system_raw.users | default([]) }}"
       root:
         password: "{{ system_raw.root.password | string }}"
       luks: