refactor(nixos): extract shared modules, enable firewall, pin nixpkgs url

- Add common-nixos.nix (timezone, locale, git/fastfetch) imported by every
  NixOS host, and laptop.nix (systemd-boot, sway, dvorak, iwd, firewall)
  imported by X1 and MBP. Strip the nixos-generate-config boilerplate from
  both machine configs and reduce them to host-specific settings.
- Enable the firewall on the laptops (was disabled); X1 opens 22 next to
  its sshd.
- Pin nixpkgs input to github:nixos/nixpkgs/nixos-26.05 for consistency;
  lock rev unchanged (still b51242d).
- Drop unused module arguments.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/modules/common-nixos.nix

@@ -0,0 +1,15 @@
+# Options shared by every NixOS host (laptops and the WSL box). Imported via
+# baseModules in flake.nix. Host- and platform-specific settings stay in the
+# per-machine configs; laptop-only settings live in ./laptop.nix.
+{ pkgs, ... }:
+{
+  time.timeZone = "Europe/London";
+  i18n.defaultLocale = "en_GB.UTF-8";
+
+  # Minimal system-level CLI available before the home-manager profile loads
+  # (e.g. early boot / rescue). User-level tooling lives in home-manager.
+  environment.systemPackages = with pkgs; [
+    git
+    fastfetch
+  ];
+}