crowdsec: add systemd-journal group so journalctl acquisitions work

DynamicUser can only see its own journald entries by default, so the
sshd + authelia journalctl acquisitions were dying with "insufficient
permissions" and exit status 1 from the spawned journalctl process.
Adding systemd-journal grants the read access journald gates on group
membership, restoring the ssh-bf / authelia-bf detection chain.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ediblerope 2026-04-25 20:03:10 +01:00
parent c4f0e4920e
commit a0a1d67124


@ -62,11 +62,13 @@ in
"crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
];
# Allow the agent (DynamicUser) to read nginx logs:
# readOnlyPaths makes the dir visible inside the sandbox; extraGroups
# gets it past Unix perms (access.log is nginx:nginx 640).
# Allow the agent (DynamicUser) to read its acquisition sources:
# - nginx group → /var/log/nginx/access.log (nginx:nginx 640)
# - systemd-journal → journald entries from sshd + authelia
# (without it, journalctl returns "insufficient permissions" and
# the entire ssh-bf / authelia-bf detection chain runs blind)
readOnlyPaths = [ "/var/log/nginx" ];
extraGroups = [ "nginx" ];
extraGroups = [ "nginx" "systemd-journal" ];
settings = {
# config.yaml — main agent + LAPI configuration