
Commit ee5c601

fix(postcheck): materialize sysusers.d before tmpfiles dry-run
Same cockpit-group resolution failure as before, different root cause.

The previous fix added a 'sysusers-declared' filter that suppressed 'Failed to resolve' warnings whose target was declared in a MiOS-owned sysusers.d file. That covered our own users + cephadm, but did not cover names declared by upstream RPMs whose sysusers.d entries are present on disk but have not yet been materialized into /etc/passwd / /etc/group.

Concrete failure:

    /usr/lib/tmpfiles.d/mios-infra.conf:5: Failed to resolve group 'cockpit': Unknown group
    /usr/lib/tmpfiles.d/mios-infra.conf:6: Failed to resolve group 'cockpit': Unknown group

The cockpit-ws RPM ships /usr/lib/sysusers.d/cockpit-ws.conf with the cockpit group declaration. At first boot, systemd-sysusers runs before systemd-tmpfiles and the group is created; at build time inside the OCI image, neither has run when our postcheck fires, so the tmpfiles dry-run sees an Unknown group.

Fix: call 'systemd-sysusers --no-pager' once at the top of postcheck so EVERY declared sysusers entry (MiOS-owned + upstream-shipped) lands in /etc/passwd and /etc/group before the tmpfiles dry-run reads them. systemd-sysusers is idempotent, runs cleanly inside the OCI image, and is the same operation the first-boot sequence performs anyway, so this just brings the build-time state forward to match runtime.

Failure of the call itself is non-fatal -- a warning is logged and the existing 'sysusers-declared' filter (added in the prior fix) still covers the corner case.

After this commit:

- cockpit, cockpit-ws, and any other group declared by an upstream RPM's sysusers.d file resolve cleanly at build time.
- The MiOS-owned sysusers entries (mios-forge UID 816 included) also materialize before the dry-run, reinforcing the existing filter as belt-and-braces rather than the only line of defense.
1 parent eacc173 commit ee5c601

1 file changed

Lines changed: 17 additions & 0 deletions

File tree

automation/99-postcheck.sh

@@ -10,6 +10,23 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib/common.sh"
1010

1111
log "'MiOS' build-time validation"
1212

13+
# 0. Materialize sysusers.d entries so subsequent checks (#11 in particular)
14+
# see the same /etc/passwd + /etc/group state the deployed image will have
15+
# at first boot. Without this, upstream-RPM-shipped sysusers.d files (e.g.
16+
# cockpit-ws shipping a 'g cockpit' line) are present on disk but their
17+
# users/groups are not yet in /etc/group, so 'systemd-tmpfiles --dry-run'
18+
# reports false-positive 'Failed to resolve group cockpit: Unknown group'
19+
# warnings on lines that will resolve fine at runtime. systemd-sysusers
20+
# is idempotent and the same operation that runs at first boot anyway.
21+
if command -v systemd-sysusers >/dev/null 2>&1; then
22+
log "Materializing sysusers.d into /etc/passwd + /etc/group..."
23+
if systemd-sysusers --no-pager 2>/dev/null; then
24+
log " [ok] sysusers.d entries materialized"
25+
else
26+
log " [warn] systemd-sysusers exited non-zero; subsequent checks may have false-positives"
27+
fi
28+
fi
29+
1330
# 1. OpenSSH Version Check (CVE-2026-4631 / Cockpit RCE mitigation)
1431
# Requirement: ≥ 9.6
1532
log "Checking OpenSSH version..."
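Review bot: the '2>/dev/null' on the 'systemd-sysusers --no-pager' call (line 23 of the new block) throws away the only diagnostics the failure branch would have, so the '[warn] systemd-sysusers exited non-zero' message tells the build log nothing about why it failed or which sysusers.d line it choked on. Suggest capturing stderr into the log instead of discarding it, e.g. 'if out=$(systemd-sysusers --no-pager 2>&1); then' and appending "$out" to the warn line. Two smaller points in the same block: the outer 'if command -v systemd-sysusers ...' has no else branch, so a build environment without the binary silently skips step 0 and the later tmpfiles dry-run can emit exactly the 'Unknown group' false positives this commit is meant to remove, which deserves at least a '[warn]' line; and since this step now writes /etc/passwd and /etc/group from a script named postcheck, the header comment should say plainly that step 0 is the one state-changing step in an otherwise read-only validation pass, so a later reader does not assume the script can be run against a finished image without side effects.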
