Introduce micro-activate (RIIR activate script + tiny bit of tmpfiles)

Instead of interpreting all that shell and running actual tmpfiles, use
a tiny stage before systemd that mounts a tmpfs at /run (preventing
systemd from doing the same), populates it with NixOS symlinks and
preserved resolv.conf, and mounts the immutable /etc overlay before
passing control over to systemd.

packages/munix/default.nix

@@ -1,12 +1,25 @@
-{ writeScriptBin, symlinkJoin, makeWrapper, muvm, passt, bubblewrap, sidebus-broker, mesa }:
+{ stdenv, writeScriptBin, symlinkJoin, makeWrapper, muvm, passt, bubblewrap, sidebus-broker, mesa, rustc }:
 
 let
   munixScript = (writeScriptBin "munix" (builtins.readFile ../../munix)).overrideAttrs(old: {
     buildCommand = "${old.buildCommand}\n patchShebangs $out";
   });
+  microActivate = stdenv.mkDerivation {
+    name = "micro-activate";
+    src = ../../micro-activate.rs;
+    dontUnpack = true;
+    nativeBuildInputs = [ rustc ];
+    buildPhase = ''
+      rustc -C opt-level=s -C panic=abort --edition 2024 -o micro-activate $src
+    '';
+    installPhase = ''
+      mkdir -p $out/bin
+      mv micro-activate $out/bin
+    '';
+  };
 in symlinkJoin {
   name = "munix";
-  paths = [ munixScript muvm passt bubblewrap sidebus-broker ];
+  paths = [ munixScript microActivate muvm passt bubblewrap sidebus-broker ];
   buildInputs = [ makeWrapper ];
   postBuild = ''
     wrapProgram $out/bin/munix --prefix PATH : $out/bin --set FALLBACK_OPENGL_DRIVER ${mesa}