vmupdate: add support for nixos

[evq]

this PR adds support for nixos updates based on the discussion in https://github.com/QubesOS/qubes-issues/issues/7992.

thanks for all the quick replies and advice @marmarek

notes:

• this uses a qubes specific wrapper script in order to allow for end user customization of the nixos-rebuild flags via the qubes update nix module. the possibility was mentioned that reading flags from a file might be preferred - however it seemed tidier this way and we can instead have the wrapper simply pass it's arguments on to nixos-rebuild.
• it also uses a qubes specific wrapper to retrieve currently installed packages. of the options available for listing installed package versions, nix store diff-closures seemed to be the best option however it is designed to diff. e.g. compare the previous system closure to the previous ones. the wrapper script first constructs an empty closure so that we can diff against it. again, it seemed tidier to abstract these details away.