fix(sysusers): override upstream cephadm UID + cross-repo hygiene mirror

- etc/sysusers.d/cephadm.conf pins cephadm UID/GID to 1100 so the upstream
  cephadm RPM's auto-allocated ('-') login user no longer fails postcheck
  invariant #8 (logind requires UID >= UID_MIN to mint /run/user/<uid>).
  /etc/sysusers.d/<name> shadows /usr/lib/sysusers.d/<name> per
  systemd-sysusers.d(5).
- automation/99-postcheck.sh: checks #8 and #8b now walk the *effective*
  sysusers file via a new _sysusers_effective helper, preferring /etc
  overrides over /usr/lib so the upstream cephadm.conf no longer trips the
  invariant once shadowed.
- .gitignore: whitelist /API.md (was blocked by /*), /.env.mios (mirrored
  from mios-bootstrap so user-runtime env defaults travel with this repo),
  and /etc/sysusers.d/** (admin overrides for upstream sysusers entries).
- .env.mios: mirrored verbatim from mios-bootstrap for cross-repo parity.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

.env.mios

@@ -0,0 +1,31 @@
+# MiOS user-runtime defaults.
+#
+# This file is sourced by the installed MiOS environment as a fallback when
+# /etc/mios/install.env or ~/.config/mios/env doesn't override a given key.
+# It's user-space only -- build-time env lives in MiOS (Justfile / image-versions.yml).
+
+# ============================================================================
+# Account convention
+# ============================================================================
+MIOS_DEFAULT_USER="mios" # @verb:SET_USER
+MIOS_DEFAULT_HOST="mios" # @verb:SET_HOST
+
+# ============================================================================
+# Inference backend (OpenAI-compatible)
+# ============================================================================
+MIOS_AI_ENDPOINT="http://localhost:8080/v1" # @verb:GET_ENDPOINT
+MIOS_AI_MODEL="default" # @verb:SET_MODEL
+
+# ============================================================================
+# Layered Flatpaks
+# ============================================================================
+MIOS_FLATPAKS="org.gnome.Epiphany,com.github.tchx84.Flatseal,io.github.kolunmi.Bazaar,com.mattjakeman.ExtensionManager" # @verb:INSTALL_FLATPAKS
+
+# ============================================================================
+# Image / branch metadata
+# ============================================================================
+MIOS_REPO_URL="https://github.com/MiOS-DEV/MiOS" # @verb:GET_REPO
+MIOS_BOOTSTRAP_REPO_URL="https://github.com/MiOS-DEV/MiOS-bootstrap" # @verb:GET_BOOTSTRAP
+MIOS_IMAGE_NAME="ghcr.io/MiOS-DEV/mios" # @verb:GET_IMAGE
+MIOS_IMAGE_TAG="latest" # @verb:SET_TAG
+MIOS_BRANCH="main" # @verb:SET_BRANCH

.gitignore

@@ -22,10 +22,12 @@
 !/.clinerules
 !/.cursorrules
 !/.editorconfig
+!/.env.mios
 !/.github/
 !/.github/**
 !/AGENTS.md
 !/AI.md
+!/API.md
 !/CLAUDE.md
 !/GEMINI.md
 !/system-prompt.md
@@ -113,6 +115,11 @@ etc/mios/*
 !/etc/mios/system-prompts/
 !/etc/mios/system-prompts/**
 
+# /etc/sysusers.d/ — admin overrides for upstream-RPM sysusers entries
+# (e.g. cephadm.conf pins UID >= 1000 so the postcheck #8 invariant passes).
+!/etc/sysusers.d/
+!/etc/sysusers.d/**
+
 # /home/ is BOOTSTRAP territory. Per-user templates and skel live in mios-bootstrap.
 # /agents/ is BOOTSTRAP territory (knowledge graphs / RAG manifests).