These services evolve as munix evolves, so they should not be part of
the system closures themselves. Mount them into /run/systemd instead.
(Yes, making /run/systemd/system a symlink to RO files is unfortunate;
that could be changed in the future. FS prep code is annoying too.)
Instead of interpreting all that shell and running actual tmpfiles, use
a tiny stage before systemd that mounts a tmpfs at /run (preventing
systemd from doing the same), populates it with NixOS symlinks and
preserved resolv.conf, and mounts the immutable /etc overlay before
passing control over to systemd.
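The stage described above, written out as an added illustration (this is not munix's own code, and it is not taken from the commit). The layout it assumes is an assumption, not something the message states: the read-only closure exposes its unit tree at `SYSTEM_UNITS` and its /etc tree at `SYSTEM_ETC` (placeholder store paths), the pre-overlay `/etc/resolv.conf` is what gets preserved into /run, the "immutable /etc overlay" is a read-only overlayfs with the closure's /etc stacked over the on-disk one, and `ROOT`/`DRY_RUN` exist only so the functions can be exercised against a scratch directory without root. The ordering is the point: /run is a tmpfs before systemd starts, so systemd neither mounts it itself nor finds a writable unit directory on the closure.

```shell
#!/bin/sh
# Added example of a minimal pre-systemd stage (not munix code).
# Assumed environment, not from the commit message:
#   SYSTEM_UNITS  read-only systemd unit tree shipped by the closure
#   SYSTEM_ETC    read-only /etc tree shipped by the closure
#   ROOT          prefix for all paths (empty on a real boot)
#   DRY_RUN=1     record mount(8) calls in MOUNT_LOG instead of running them
set -eu

ROOT="${ROOT:-}"
SYSTEM_UNITS="${SYSTEM_UNITS:-/nix/store/PLACEHOLDER-units}"   # placeholder
SYSTEM_ETC="${SYSTEM_ETC:-/nix/store/PLACEHOLDER-etc}"         # placeholder
SYSTEMD="${SYSTEMD:-/lib/systemd/systemd}"                     # placeholder
DRY_RUN="${DRY_RUN:-0}"
MOUNT_LOG="${MOUNT_LOG:-/dev/null}"

# mount(8) wrapper: real mount on a boot, logged intent in dry-run mode.
do_mount() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "mount $*" >> "$MOUNT_LOG"
    else
        mount "$@"
    fi
}

# Step 1: own /run before systemd does. nosuid/nodev because units and
# generators later write here; mode 0755 matches what systemd expects.
mount_run() {
    mkdir -p "$ROOT/run"
    do_mount -t tmpfs -o nosuid,nodev,mode=0755 tmpfs "$ROOT/run"
}

# Step 2: keep the resolv.conf that exists before /etc is covered by the
# read-only overlay, so name resolution set up earlier survives the switch.
preserve_resolv_conf() {
    if [ -f "$ROOT/etc/resolv.conf" ]; then
        cp -p "$ROOT/etc/resolv.conf" "$ROOT/run/resolv.conf"
    fi
}

# Step 3: point systemd's runtime unit directory at the closure's RO units.
# (This is the "symlink to RO files" the commit calls unfortunate.)
populate_run() {
    mkdir -p "$ROOT/run/systemd"
    ln -s "$SYSTEM_UNITS" "$ROOT/run/systemd/system"
}

# Step 4: immutable /etc. No upperdir, so the overlay itself is read-only;
# the closure's /etc shadows whatever the disk still has underneath it.
mount_etc_overlay() {
    mkdir -p "$ROOT/etc"
    do_mount -t overlay -o "lowerdir=$SYSTEM_ETC:$ROOT/etc" overlay "$ROOT/etc"
}

# Everything except the hand-over, in the order the commit message gives.
prepare_run() {
    mount_run
    preserve_resolv_conf
    populate_run
    mount_etc_overlay
}

# Step 5: hand PID 1 over to systemd. Only done when invoked with --run so
# the functions above can be sourced and tested without booting anything.
main() {
    prepare_run
    exec "$SYSTEMD"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

On a real boot this is invoked as `pre-systemd --run` from the initrd hand-off; sourced without arguments it only defines the functions. The dry-run log is also a useful self-check on a real system: diff it against `findmnt -R /run /etc` after boot to confirm systemd did not re-mount /run or get a writable unit tree.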