crowdsec: add community IDS/IPS with ntfy push alerts

Enables the CrowdSec agent with sshd/nginx/http-cve hub collections,
acquires logs from nginx, sshd, and Authelia journald, and wires the
firewall bouncer to enforce bans via nftables. Alerts are POSTed to a
self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls
back to a placeholder so the repo stays eval-clean without the secret).

Module is self-contained — remove the file + import to uninstall; state
lives under /var/lib/crowdsec.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

common.nix

@@ -34,6 +34,7 @@
     ./services/arr-interconnect.nix
     ./services/adguard.nix
     ./services/router.nix
+    ./services/crowdsec.nix
   ];
 
   ### Make build time quicker