nixos: make the grsec-lock unit depend on the path it writes to

The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.

nixos/modules/security/grsecurity.nix

@@ -290,6 +290,7 @@ in
       wantedBy        = [ "multi-user.target" ];
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = "yes";
+      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock";
       script = ''
         locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
         if [ "$locked" == "0" ]; then