feat(base): blacklist unused network kernel modules

Disable rxrpc, kafs, af_key, esp4, esp6 across all systems that enable
metacfg.base. None of them are used on these hosts, and they have a
history of CVEs — blacklisting reduces kernel attack surface.

modules/nixos/services/base/default.nix

@@ -166,6 +166,13 @@ in
         timeout = 2;
       };
       initrd.systemd.enable = true;
+      blacklistedKernelModules = [
+        "rxrpc"
+        "kafs"
+        "af_key"
+        "esp4"
+        "esp6"
+      ];
     };
 
     system.autoUpgrade = {