Introduce micro-activate (RIIR activate script + tiny bit of tmpfiles)

Instead of interpreting all that shell and running actual tmpfiles, use
a tiny stage before systemd that mounts a tmpfs at /run (preventing
systemd from doing the same), populates it with NixOS symlinks and
preserved resolv.conf, and mounts the immutable /etc overlay before
passing control over to systemd.

.gitignore

@@ -1,3 +1,5 @@
 result
 /testvm*
+/target
+/micro-activate
 .direnv/