Unverified Commit 70a6092f authored by Maximilian Bosch

nixos/doc: mention postgresql hardening

parent 0f1e2a1c
+5 −0
@@ -602,6 +602,11 @@

- `iproute2` now has libbpf support.

- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.

  If you use extensions that are not packaged in nixpkgs, please review whether it still works
  with the current settings and adjust accordingly if needed.

- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
  Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable.
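Review bot: the release note tells users of out-of-tree extensions to "adjust accordingly" but gives no pointer to what to adjust; since this note is the first thing an upgrading user sees, it should name the knob (the systemd unit settings of the postgresql service) or at least link the section of the module documentation that lists the hardening options, so readers know where to loosen `SystemCallFilter` / `MemoryDenyWriteExecute` and friends if an extension breaks. Minor grammar in the same lines: "extensions ... whether it still works" should read "whether they still work with the current settings".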

+18 −0
@@ -364,6 +364,24 @@ postgresql.withJIT.pname

evaluates to `"foobar"`.

## Service hardening {#module-services-postgres-hardening}

The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:

* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).

The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
with hardening, it's considered a bug.

When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
become necessary.

## Notable differences to upstream {#module-services-postgres-upstream-deviation}

- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.
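Review bot: typo in the filesystem bullet, "hierachy" should be "hierarchy", and the sockets bullet is missing its verb ("Only sockets of type ... are allowed"). More substantively, the closing paragraph says hardening adjustments "may become necessary" for extensions not packaged in nixpkgs but does not show how to make them; a short snippet overriding the relevant setting on the postgresql systemd service (for example relaxing `MemoryDenyWriteExecute` or extending `SystemCallFilter`) would turn the "it's considered a bug" policy paragraph into something a user can act on. It would also help to state explicitly that the JIT exception in the first bullet is handled by the module automatically, as the "this only applies to non-JIT setups" parenthesis currently leaves it unclear whether the user has to do anything when enabling JIT.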