nixos-containers: Set DevicePolicy=closed

This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)

nixos/modules/virtualisation/containers.nix

@@ -415,6 +415,8 @@ in
         # after the timeout). So send an ignored signal.
         KillMode = "mixed";
         KillSignal = "WINCH";
+
+        DevicePolicy = "closed";
       };
     };
   in {