feat(mios-dev): overlay-builder.sh creates mios user + service accounts on MiOS-DEV

Closes the manifesto requirement that MiOS-DEV mirror a deployed MiOS
host's container-hosting surface: "MiOS-DEV should have the mios user
appended as it will be needed for this MiOS-DEV machine to hosts it's
containers (mirroring the layered containers in MiOS at build time;
guacamole, ollama, forgejo, cockpit etc-etc). Everything is present in
the MiOS-DEV machine as a testbed/development platform FOR MiOS itself."

Previously: overlay-builder.sh only rsynced files (CLI, MOTD, paths.sh,
docs) onto the podman machine and explicitly skipped sysusers.d /
tmpfiles.d / systemd units citing "would conflict with podman-machine
init." That left MiOS-DEV without the mios user + service accounts +
/var/lib/<service>/ dirs the MiOS Quadlets need to run rootless.
Result: MiOS-DEV could only HOST the canonical MiOS file overlay; it
could not actually RUN the MiOS Quadlet stack the way a deployed host
does. Operator can't `systemctl --user enable mios-forge.service` if
the mios-forge user / /var/lib/mios-forge/ doesn't exist.

This commit adds three integrated steps to overlay-builder.sh, all
keeping the original "don't touch podman-machine vendor files" rule:

1. SYSUSERS (etc-layer override)
   Drops the MiOS sysusers.d files into /etc/sysusers.d/ instead of
   /usr/lib/sysusers.d/ (where podman-machine-os's vendor file
   20-podman-machine.conf lives). systemd-sysusers materializes:
     - mios login user (uid 1000) with group memberships:
       wheel, libvirt, kvm, video, render, input, dialout, docker
     - mios-virt 800
     - mios-guacamole 810, mios-guacd 811, mios-postgres 812
     - mios-pxe-hub 813, mios-crowdsec 814
     - mios-ollama 815, mios-forge 816
     - cockpit (auto-allocate)
     - kvm/video/render/libvirt/input/dialout/docker groups
   Idempotent: existing entries with matching UID/GID are left alone.

2. TMPFILES (etc-layer override)
   Same /etc/tmpfiles.d/ pattern. systemd-tmpfiles --create materializes
   /var/lib/mios-{ai,forge,forge-runner,ollama,pxe-hub,guacamole,infra}/
   with the right owner so the Quadlet bind-mounts have somewhere to land
   on the podman-machine FS.

3. /var/home/mios + subuid/subgid + loginctl enable-linger mios
   Establishes the same /var/home/<user> convention FCOS/atomic-desktops
   use; seeds from /etc/skel; appends 'mios:524288:65536' to /etc/subuid
   and /etc/subgid for rootless container userns mapping; enables linger
   so systemd --user services (the Quadlets) start at boot without
   an active login session.

Net effect for the operator
───────────────────────────
- After `sudo bash automation/overlay-builder.sh /path/to/MiOS-repo` (or
  the auto-invocation from build-mios.ps1's Invoke-MachineSSH path),
  MiOS-DEV is a CONTAINER-HOSTING substrate. The operator can:
    sudo -u mios podman info
    systemctl --user --machine=mios@ start mios-forge.service
    systemctl --user --machine=mios@ start ollama.service
- MiOS-DEV becomes the genuine "testbed/development platform FOR MiOS
  itself" the manifesto describes -- it runs the same Quadlets the
  built MiOS image will run, so an operator iterating on Quadlet
  changes can validate against MiOS-DEV before triggering the OCI
  build pipeline.
- Idempotent: re-runs of overlay-builder.sh re-apply identically; no
  state loss, no UID drift.

What this commit explicitly does NOT do (still off-limits per the
podman-machine-init compatibility rule):
- Does not install systemd unit files into /usr/lib/systemd/system
- Does not install kargs.d (kernel cmdline is the podman-machine
  kernel's, not MiOS bootc's)
- Does not install SELinux modules (WSL substrate is permissive)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

automation/overlay-builder.sh

@@ -1,25 +1,50 @@
 #!/usr/bin/env bash
-# 'MiOS' BUILDER overlay -- makes the build-host WSL2 podman machine
-# look and feel like a Live 'MiOS' environment without breaking the
-# podman-machine OS plumbing underneath.
+# 'MiOS' MiOS-DEV overlay -- makes the build-host podman machine look and
+# feel like a Live 'MiOS' environment so it can host the same Quadlets the
+# deployed image runs (manifesto: "MiOS-DEV is the source upon what MiOS
+# itself is based upon ... mios user appended for hosting the layered
+# containers; guacamole, ollama, forgejo, cockpit etc-etc").
 #
-# Run inside the BUILDER, from the MiOS repo working tree:
+# Run inside MiOS-DEV, from the MiOS repo working tree:
 #   sudo bash automation/overlay-builder.sh /path/to/MiOS-repo
 #
-# What it does (idempotent, --ignore-existing throughout):
+# What it does (idempotent throughout):
 #   * rsync usr/share/mios/, usr/lib/mios/, usr/libexec/mios/, usr/bin/mios
 #     onto / so the canonical 'MiOS' CLI / docs / paths.sh / motd binary all
 #     exist at the expected paths
 #   * rsync usr/lib/profile.d/mios-*.sh + etc/profile.d/mios-*.sh so login
 #     shells get the 'MiOS' MOTD + WSLg env exports
 #   * rsync /etc/skel skeleton from the repo if present
 #   * rsync etc/mios/ (vendor host config templates)
-#   * NOT touched: systemd units, drop-ins, tmpfiles.d, sysusers.d, kargs.d,
-#     SELinux modules -- these would conflict with the podman-machine init
-#     and must only land in the bootc image proper.
+#   * COPY MiOS sysusers.d into /etc/sysusers.d/ + run systemd-sysusers,
+#     creating the 'mios' login user (uid 1000) and the service accounts
+#     (mios-ollama, mios-forge, mios-guacamole, mios-pxe-hub,
+#     mios-crowdsec, mios-guacd, mios-postgres -- 810-829 range; mios-virt
+#     800; cockpit). Drops into /etc (host-layer override) instead of
+#     /usr/lib (vendor layer) to avoid colliding with podman-machine-os's
+#     own /usr/lib/sysusers.d/20-podman-machine.conf.
+#   * COPY MiOS tmpfiles.d into /etc/tmpfiles.d/ + run systemd-tmpfiles
+#     --create so /var/lib/<service>/ dirs the Quadlets bind-mount exist
+#     with the right ownership.
+#   * Establish /var/home/mios (FCOS atomic-desktops home convention)
+#     seeded from /etc/skel.
+#   * Append /etc/subuid + /etc/subgid entries so the mios user can run
+#     rootless podman containers (which is how MiOS-DEV mirrors a deployed
+#     MiOS host's Quadlet hosting).
 #
-# After running, opening any new shell in BUILDER shows the 'MiOS' MOTD and
-# `mios` is on PATH.
+# What it explicitly does NOT do (would conflict with podman-machine init):
+#   * Install systemd unit files (the podman-machine OS owns /usr/lib/
+#     systemd/system; Quadlets land in /etc/containers/systemd/ which is
+#     separate)
+#   * Install kargs.d (kernel command line is the podman-machine kernel,
+#     not bootc; MiOS kargs only matter on a deployed bootc host)
+#   * Install SELinux policy modules (MiOS-DEV runs in WSL where SELinux
+#     is permissive at best)
+#
+# After running, opening any new shell in MiOS-DEV shows the 'MiOS' MOTD,
+# `mios` is on PATH, and `id mios` returns uid 1000. `loginctl enable-linger
+# mios` then enables rootless container hosting so the operator can
+# `systemctl --user start mios-forge.service` or any other MiOS Quadlet.
 
 set -euo pipefail
 
@@ -82,12 +107,104 @@ _rsync_in "etc/mios/"          "/etc/mios/"
 find /usr/libexec/mios -type f -exec chmod +x {} + 2>/dev/null || true
 chmod +x /usr/bin/mios 2>/dev/null || true
 
-# Re-run tmpfiles for /usr/lib/mios subdirs (logs, scratch). These are
-# declared in usr/lib/tmpfiles.d/mios.conf in the bootc image; on BUILDER
-# we just create them imperatively because the tmpfiles.d file isn't
-# overlaid (would clash with podman-machine).
+# ── sysusers: create the mios login user + service accounts so MiOS-DEV
+# can host the same Quadlets as a deployed MiOS host. Drop into
+# /etc/sysusers.d/ (host-layer override) instead of /usr/lib/sysusers.d/
+# (vendor layer) so we coexist with podman-machine-os's vendor file
+# /usr/lib/sysusers.d/20-podman-machine.conf without overwriting it.
+echo "[overlay-builder] Setting up MiOS sysusers (etc-layer override)..."
+install -d -m 0755 /etc/sysusers.d
+_sysusers_added=0
+for sf in usr/lib/sysusers.d/10-mios.conf \
+          usr/lib/sysusers.d/30-mios-tmpfiles-prereq.conf \
+          usr/lib/sysusers.d/50-mios.conf \
+          usr/lib/sysusers.d/50-mios-ai.conf \
+          usr/lib/sysusers.d/50-mios-gpu.conf \
+          usr/lib/sysusers.d/50-mios-services.conf \
+; do
+    [[ -f "$sf" ]] || continue
+    install -m 0644 "$sf" "/etc/sysusers.d/$(basename "$sf")"
+    echo "[overlay-builder]  /etc/sysusers.d/$(basename "$sf")"
+    _sysusers_added=$((_sysusers_added + 1))
+done
+if (( _sysusers_added > 0 )); then
+    # systemd-sysusers materializes the entries into /etc/passwd + /etc/group.
+    # Idempotent: existing users with matching UID/GID are left alone.
+    systemd-sysusers 2>&1 | sed 's/^/[overlay-builder] sysusers: /' || true
+fi
+
+# ── tmpfiles: create /var/lib/<service>/ dirs the Quadlets bind-mount.
+# Same /etc-layer override pattern. mios-services.conf, mios-ollama.conf,
+# mios-forge.conf etc. declare per-service writable state directories that
+# the matching Quadlets expect to find pre-created with the right owner.
+echo "[overlay-builder] Setting up MiOS tmpfiles.d (etc-layer override)..."
+install -d -m 0755 /etc/tmpfiles.d
+_tmpfiles_added=0
+for tf in usr/lib/tmpfiles.d/mios.conf \
+          usr/lib/tmpfiles.d/mios-services.conf \
+          usr/lib/tmpfiles.d/mios-ollama.conf \
+          usr/lib/tmpfiles.d/mios-forge.conf \
+          usr/lib/tmpfiles.d/mios-forge-runner.conf \
+          usr/lib/tmpfiles.d/mios-ai.conf \
+          usr/lib/tmpfiles.d/mios-pxe-hub.conf \
+          usr/lib/tmpfiles.d/mios-guacamole.conf \
+          usr/lib/tmpfiles.d/mios-infra.conf \
+          usr/lib/tmpfiles.d/mios-user.conf \
+; do
+    [[ -f "$tf" ]] || continue
+    install -m 0644 "$tf" "/etc/tmpfiles.d/$(basename "$tf")"
+    echo "[overlay-builder]  /etc/tmpfiles.d/$(basename "$tf")"
+    _tmpfiles_added=$((_tmpfiles_added + 1))
+done
 install -d -m 0755 /usr/lib/mios/logs
 install -d -m 0755 /var/lib/mios
+if (( _tmpfiles_added > 0 )); then
+    # --create materializes declared paths; --remove would clean up paths
+    # marked for removal (we skip that to be conservative -- the Quadlet
+    # mounts that touch /var should never see "missing" as their state).
+    systemd-tmpfiles --create 2>&1 | sed 's/^/[overlay-builder] tmpfiles: /' || true
+fi
+
+# ── /var/home/mios -- FCOS / atomic-desktops home convention
+# (the deployed MiOS image uses /var/home/mios as the operator's $HOME so
+# /etc 3-way merge doesn't have to deal with home-dir state). Establish
+# the same on MiOS-DEV so configs match across substrates.
+install -d -m 0755 /var/home
+if id mios >/dev/null 2>&1; then
+    install -d -m 0755 -o mios -g mios /var/home/mios 2>/dev/null || \
+        install -d -m 0755 /var/home/mios
+    if [[ -d /etc/skel ]] && [[ ! -e /var/home/mios/.bashrc ]]; then
+        rsync -aH --ignore-existing /etc/skel/ /var/home/mios/ 2>/dev/null || true
+        chown -R mios:mios /var/home/mios 2>/dev/null || true
+        echo "[overlay-builder]  /var/home/mios seeded from /etc/skel"
+    fi
+fi
+
+# ── subuid / subgid for rootless podman as the mios user.
+# Rootless containers need an unprivileged uid/gid range available for
+# user-namespace mapping. Standard convention: 524288 + 65536 (one
+# 64K-uid range, starting outside the host's regular uid space). The
+# mios-services accounts (810-829) don't need their own subuid ranges
+# because they're nologin shell-less daemons that do not run rootless
+# containers themselves.
+if ! grep -q '^mios:' /etc/subuid 2>/dev/null; then
+    echo 'mios:524288:65536' >> /etc/subuid
+    echo "[overlay-builder]  /etc/subuid: mios:524288:65536 added"
+fi
+if ! grep -q '^mios:' /etc/subgid 2>/dev/null; then
+    echo 'mios:524288:65536' >> /etc/subgid
+    echo "[overlay-builder]  /etc/subgid: mios:524288:65536 added"
+fi
+
+# ── Linger so the mios user can run systemd --user services (the
+# Quadlets) without a logged-in session. Required for `systemctl --user
+# enable mios-forge.service` etc. to actually start at boot.
+if command -v loginctl >/dev/null 2>&1 && id mios >/dev/null 2>&1; then
+    loginctl enable-linger mios 2>/dev/null || true
+    echo "[overlay-builder]  loginctl enable-linger mios"
+fi
 
 echo "[overlay-builder] Overlay complete."
 echo "[overlay-builder] Open a fresh shell to see the 'MiOS' MOTD."
+echo "[overlay-builder] Verify mios user: id mios; subuid grep mios /etc/subuid"
+echo "[overlay-builder] Container-host probe: sudo -u mios podman info"