postprocess: Split up, improve docs

[cgwalters]

ref https://gitlab.com/fedora/bootc/tracker/-/issues/32#note_2303855769

We should more clearly split up postprocessing into distinct documentable steps, and make it easy to run a subset of them individually.

Something like this: rpm-ostree compose postprocess --stages=tmpfiles.d,altfiles or so to opt into just those phases.

Eventually of course some of this stuff should probably live elsewhere; the tmpfiles.d conversion could go in dnf for example.

[cgwalters]

Also relates to https://gitlab.com/fedora/bootc/tracker/-/issues/50

[cgwalters]

We should also ensure that we expose our code for #4503

[cgwalters]

Another big topic here is sysusers.

I think unfortunately we have to take tmpfiles.d and sysusers as kind of a "bundle" because sometimes packages may have non-root owned content in /var for example.

I had forgotten that a while ago we did "automatic sysusers.d generation by intercepting useradd/groupadd" (ref #3897 and later #4092 )

Ultimately I think we need to really try to upstream this into shadow-utils...but in the short term we should support turning this on in the base image.

It'd be helpful if dnf learned to do this in the same way rpm-ostree does.

I kind of lean towards forcibly overriding useradd/groupadd always in the base image to our versions, and just be careful to detect the case where we're not in a container and defer to the default ones.