path: root/etc/nix/nix.conf
author    sommerfeld <sommerfeld@sommerfeld.dev>  2026-05-13 13:43:36 +0100
committer sommerfeld <sommerfeld@sommerfeld.dev>  2026-05-13 13:43:36 +0100
commit    fd06e5313c257648b10a56b9c4151d701fba7d43 (patch)
tree      53490bd5a7277b914ddef715dd3991c5b927b221 /etc/nix/nix.conf
parent    767a54e48163ea0db701c926e6bf69f2237fce33 (diff)
refactor(nftables): minimize diff against upstream pristine
The previous custom config rewrote the file to 4-space indentation, added an explicit accept-policy output chain, and expanded the icmp section into per-type whitelists. None of that changed observable behaviour vs the stock arch nftables.conf:

* Stock already uses scoped `destroy table inet filter` (so podman and netavark tables survive a reload).
* `meta l4proto { icmp, icmpv6 } accept` already covers NDP, MLD, PMTUD, and echo — the explicit per-type list was equivalent.
* Without an output chain, outbound traffic is unfiltered, which is identical to `policy accept` on an explicit output chain.
* DHCPv6 client (UDP/546) is only needed on networks that hand out DHCPv6 leases; my home/work LANs use SLAAC + RDNSS, and the rare DHCPv6 case can be added back in one line if it ever bites.

The only laptop-specific deviation is dropping the `tcp dport ssh accept` line — no inbound SSH on a portable machine.

Net diff against pristine is now a single deletion, which makes `just etc-upstream-diff` actually useful for spotting upstream ruleset improvements on package updates.
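As an added illustration of the ruleset shape the commit message argues for (not the repository's nftables.conf, which this commit page does not show): a drop-policy input chain with a scoped `destroy table`, a single ICMP accept covering both families, no output chain, and no `tcp dport ssh accept`. The chain bodies, priorities and the `nft` spelling `ipv6-icmp` for the ICMPv6 l4proto are assumptions for this example; the real Arch file and its comments may differ.

```nftables
#!/usr/bin/nft -f
# Added example: minimal laptop input filter in the spirit of the commit above.
# Scoped destroy: only this table is flushed on reload, so tables owned by
# podman/netavark in other families or names are left alone.
destroy table inet filter

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;

    ct state invalid drop                      comment "early drop of invalid connections"
    ct state { established, related } accept   comment "allow tracked connections"
    iifname "lo" accept                        comment "allow from loopback"

    # One rule covers ICMP and ICMPv6 (echo, PMTUD, and for v6 also NDP and MLD),
    # so a per-type whitelist adds nothing observable.
    meta l4proto { icmp, ipv6-icmp } accept   comment "allow icmp/icmpv6"

    # No "tcp dport ssh accept": a portable machine takes no inbound SSH.
    # DHCPv6 client (udp dport 546) is intentionally absent; SLAAC + RDNSS only.

    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
  }

  # No output chain: without one, outbound traffic is not filtered,
  # which is equivalent to an explicit output chain with policy accept.
}
```

Check syntax without loading it with `nft -c -f nftables.conf`; the `-c` flag parses and validates the file but does not apply it, so a typo cannot lock the machine out of the network.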
Diffstat (limited to 'etc/nix/nix.conf')
-rw-r--r--  etc/nix/nix.conf  | 8
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/etc/nix/nix.conf b/etc/nix/nix.conf
index eb24511..633422b 100644
--- a/etc/nix/nix.conf
+++ b/etc/nix/nix.conf
@@ -1,5 +1,9 @@
-# /etc/nix/nix.conf — daemon-wide Nix config.
-# Managed by chezmoi (etc/nix/nix.conf in dotfiles).
+#
+# https://nixos.org/manual/nix/stable/#sec-conf-file
+#
+
+# Unix group containing the Nix build user accounts
+build-users-group = nixbld
# Enable `nix` CLI (vs legacy nix-* commands) and flakes.
experimental-features = nix-command flakes
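Review bot: the replacement header drops the "Managed by chezmoi (etc/nix/nix.conf in dotfiles)" line, so anyone editing /etc/nix/nix.conf on the host no longer sees that their change will be overwritten on the next apply; keep that provenance line next to the manual URL, e.g. `# Managed by chezmoi (etc/nix/nix.conf in dotfiles); see https://nixos.org/manual/nix/stable/#sec-conf-file`. The added `build-users-group = nixbld` also deserves a word in its comment on why it is set explicitly (it is the value a multi-user install uses by default when the daemon runs as root, and the group must exist for the daemon to start), so that a later "minimize diff against upstream" pass does not remove it as redundant or keep it on a machine without the group.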