firewall module: provide default rules and merge extraRules

a firewall with no configuration will get a relatively sane ruleset. a
firewall with `extraRules` will get them deep merged into the default
rules.  Specifying `rules` will override the defaults

examples/rotuer.nix

@@ -67,9 +67,7 @@ in rec {
     };
     firewall = {
       enable = true;
-      rules =
-        let defaults = import ./demo-firewall.nix;
-        in lib.recursiveUpdate defaults secrets.firewallRules;
+      rules = secrets.firewallRules;
     };
     wireless.networks = {
       "${secrets.ssid}" = {