Tutorial for configuring access control and security features

part of #64

- Implement default-deny ACLs as a baseline.

- Define granular, least-privilege access rules for groups and services.

- Configure split tunneling and per-group DNS settings.

- Enforce SSO/OIDC for user authentication.

- Establish a process for regular WireGuard key rotation.