refactor(nixos): extract shared modules, enable firewall, pin nixpkgs url

- Add common-nixos.nix (timezone, locale, git/fastfetch) imported by every
  NixOS host, and laptop.nix (systemd-boot, sway, dvorak, iwd, firewall)
  imported by X1 and MBP. Strip the nixos-generate-config boilerplate from
  both machine configs and reduce them to host-specific settings.
- Enable the firewall on the laptops (was disabled); X1 opens 22 next to
  its sshd.
- Pin nixpkgs input to github:nixos/nixpkgs/nixos-26.05 for consistency;
  lock rev unchanged (still b51242d).
- Drop unused module arguments.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

flake.nix

@@ -3,7 +3,7 @@
 
   inputs = {
     # Pinned stable channel; the single source of truth for every host.
-    nixpkgs.url = "nixpkgs/nixos-26.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-26.05";
     # Bleeding-edge channel, used only to pull individual packages via overlay.
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     # Home-manager release matched to the stable nixpkgs; `follows` keeps a single nixpkgs eval.
@@ -74,6 +74,7 @@
         # Shared scaffolding for every NixOS host: common user, settings, home-manager.
         baseModules = [
           ./lyrathorpe/user.nix
+          ./system/modules/common-nixos.nix
           commonModule
           home-manager.nixosModules.home-manager
           {
@@ -163,6 +164,7 @@
             fullName = "Lyra Thorpe";
             modules = [
               ./system/machine/MBP-Asahi/configuration.nix
+              ./system/modules/laptop.nix
               nixos-apple-silicon.nixosModules.default
               ./lyrathorpe/swaywm.nix
             ];
@@ -178,6 +180,7 @@
             fullName = "Lyra Thorpe";
             modules = [
               ./system/machine/X1/configuration.nix
+              ./system/modules/laptop.nix
               ./lyrathorpe/swaywm.nix
             ];
             homeModules = [