firewall module: provide default rules and merge extraRules

a firewall with no configuration will get a relatively sane ruleset. a
firewall with `extraRules` will get them deep merged into the default
rules.  Specifying `rules` will override the defaults

modules/profiles/gateway.nix

@@ -151,7 +151,7 @@ in {
 
     services.firewall = mkIf cfg.firewall.enable
       (svc.firewall.build {
-        ruleset = cfg.firewall.rules;
+        extraRules = cfg.firewall.rules;
       });
 
     services.resolvconf = oneshot rec {