nixpkgs

9th chunk of `nixos/doc/manual/release-notes/rl-2511.section.md`
  If a service requires a syntactically valid certificate to start, it should now depend on the `acme-{certname}.service` unit.

  We now always generate initial self-signed certificates as this drastically simplifies the dependency structure. As a result, the option `security.acme.preliminarySelfsigned` has been removed.

  Instead of the previous `acme-finished-{certname}.target`s there are now `acme-order-renew-{certname}.service`s that will be activated
  in a delayed fashion to ensure that bootstrapping with servers like nginx that take part in the acquisition/renewal process works
  smoothly. Dependencies on `acme-finished` units should move to `acme-order-renew`.

  Note that system activation may complete before all certificates have been renewed or acquired.

- `libvirt` now supports using the `nftables` backend.
  - The `virtualisation.libvirtd.firewallBackend` option can be used to configure the firewall backend used by libvirtd.

- The third-party `ant-contrib` is no longer included in the `ant` package.

- `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` were converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.
  - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec`
  - `systemd.watchdog.device` was renamed to `systemd.settings.Manager.WatchdogDevice`
  - `systemd.watchdog.rebootTime` was renamed to `systemd.settings.Manager.RebootWatchdogSec`
  - `systemd.watchdog.kexecTime` was renamed to `systemd.settings.Manager.KExecWatchdogSec`
  - `systemd.enableCgroupAccounting` was removed. Cgroup accounting now needs to be disabled directly using `systemd.settings.Manager.*Accounting`.

- `services.logind.extraConfig` was converted to RFC42-style `services.logind.settings.Login`.

- `services.ntpd-rs` now performs configuration validation.

- Immich now has support for [VectorChord](https://github.com/tensorchord/VectorChord) when using the PostgreSQL configuration provided by `services.immich.database.enable`, which replaces `pgvecto-rs`. VectorChord support can be toggled with the option `services.immich.database.enableVectorChord`. Additionally, `pgvecto-rs` support is now disabled from NixOS 25.11 onwards using the option `services.immich.database.enableVectors`. This option will be removed in the future once Immich fully drops support for `pgvecto-rs`. See [Immich migration instructions](#module-services-immich-vectorchord-migration).

- `services.restic.backups` now includes a `command` option for passing a command to the [--stdin-from-command](https://github.com/restic/restic/pull/4410) flag.

- `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can be disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.

- `services.pfix-srsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can be disabled using the [services.pfix-srsd.configurePostfix](#opt-services.pfix-srsd.configurePostfix) option.
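
The ACME dependency change described at the top of this chunk, as an added example that is not part of the release notes or of nixpkgs. It assumes a certificate named `example.org` is already declared under `security.acme.certs` with the default `acme` group; the two service names and the port are hypothetical.

```nix
{ config, pkgs, ... }:
let
  certName = "example.org"; # constructed; assumed to exist in security.acme.certs
  certDir = config.security.acme.certs.${certName}.directory;
in
{
  # security.acme.preliminarySelfsigned = true;  # option removed: delete the line

  # Case 1: a TLS listener that only needs a parseable certificate to start.
  # Because an initial self-signed certificate is always generated, the file
  # it loads at first boot may be that placeholder rather than a CA-issued one.
  systemd.services.demo-tls-listener = {
    wantedBy = [ "multi-user.target" ];
    wants = [ "acme-${certName}.service" ];
    after = [ "acme-${certName}.service" ];
    serviceConfig = {
      DynamicUser = true;
      SupplementaryGroups = [ "acme" ]; # read access to key.pem
      ExecStart = ''
        ${pkgs.openssl}/bin/openssl s_server -accept 8443 -www \
          -cert ${certDir}/fullchain.pem -key ${certDir}/key.pem
      '';
    };
  };

  # Case 2: a job that used to be ordered after
  # acme-finished-example.org.target and now follows the order/renew unit.
  # It logs the fingerprint of the certificate present once that unit has run.
  systemd.services.demo-cert-fingerprint = {
    wantedBy = [ "multi-user.target" ];
    wants = [ "acme-order-renew-${certName}.service" ];
    after = [ "acme-order-renew-${certName}.service" ];
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
      SupplementaryGroups = [ "acme" ];
      ExecStart = ''
        ${pkgs.openssl}/bin/openssl x509 -in ${certDir}/cert.pem \
          -noout -subject -issuer -fingerprint -sha256
      '';
    };
  };
}
```

Since system activation may complete before acquisition or renewal finishes, monitoring that checks the issuer of the served certificate should tolerate the self-signed placeholder for a short period after a fresh deployment.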

Title: NixOS System Configuration Refactor, ACME Enhancements, and Service Updates
Summary
NixOS updates include a revamped ACME certificate process: initial self-signed certificates are always generated (removing `security.acme.preliminarySelfsigned`), services depend on `acme-{certname}.service`, and `acme-order-renew-{certname}.service` replaces `acme-finished` for delayed activation. `libvirt` now supports `nftables` firewall. Core system configuration, including `systemd.extraConfig` and `boot.initrd.systemd.extraConfig`, is refactored to RFC42-style `systemd.settings.Manager` (renaming watchdog options), and `services.logind.extraConfig` to `services.logind.settings.Login`. `systemd.enableCgroupAccounting` was removed. Other service changes: `ntpd-rs` adds config validation; `immich` adopts VectorChord (replacing `pgvecto-rs`); `restic.backups` gains a `command` option; and `postsrsd`/`pfix-srsd` auto-integrate with Postfix. `ant-contrib` is no longer in the `ant` package.