waydroid-nftables: init (#455257)

- `forgejo-runner`: The upgrade to version 11 brings a license change from MIT to GPLv3-or-later.

- `waydroid-nftables`: New variant of `waydroid` that supports nftables instead of iptables.

- `lisp-modules` were brought in sync with the [June 2025 Quicklisp release](http://blog.quicklisp.org/2025/07/june-2025-quicklisp-dist-now-available.html).

- `ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg remains ffmpeg_7 for now, though this may change before release.

- `vmalert` now supports multiple instances with the option `services.vmalert.instances."".enable`

- [`virtualisation.waydroid.package`](#opt-virtualisation.waydroid.package) now defaults to `waydroid-nftables` on systems with nftables enabled.

- [`services.victorialogs.package`](#opt-services.victorialogs.package) now defaults to `victorialogs`, as `victoriametrics` no longer contains the VictoriaLogs binaries.

- The `services.traccar.settings` attribute has been reworked. Instead of the previous flat attribute set the new implementation uses nested attribute sets. You need to update you configuration manually. For instance, `services.traccar.settings.loggerConsole` becomes `services.traccar.settings.logger.console`.

  options.virtualisation.waydroid = {

    enable = lib.mkEnableOption "Waydroid";

    package = lib.mkPackageOption pkgs "waydroid" { };

    package = lib.mkPackageOption pkgs "waydroid" { } // {

      default = if config.networking.nftables.enable then pkgs.waydroid-nftables else pkgs.waydroid;

      defaultText = lib.literalExpression ''if config.networking.nftables.enable then pkgs.waydroid-nftables else pkgs.waydroid'';

    };

  };

  config = lib.mkIf cfg.enable {

  lxc,

  iproute2,

  iptables,

  nftables,

  util-linux,

  wrapGAppsHook3,

  wl-clipboard,

  runtimeShell,

  nix-update-script,

  withNftables ? false,

}:

python3Packages.buildPythonApplication rec {

    "USE_SYSTEMD=0"

    "SYSCONFDIR=$(out)/etc"

  ];

  postInstall = lib.optionalString withNftables ''

    substituteInPlace $out/lib/waydroid/data/scripts/waydroid-net.sh \

      --replace-fail 'LXC_USE_NFT="false"' 'LXC_USE_NFT="true"'

  '';

  preFixup = ''

    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")

          dnsmasq

          getent

          iproute2

          iptables

          (if withNftables then nftables else iptables)

        ]

      }

  vprof = with python3Packages; toPythonApplication vprof;

  waydroid-nftables = waydroid.override { withNftables = true; };

  winbox = winbox3;

  winbox3 = callPackage ../tools/admin/winbox {

    wine = wineWowPackages.stable;