nixos/lock-kernel-modules: reorder before/after

Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.

nixos/modules/security/lock-kernel-modules.nix

@@ -35,10 +35,10 @@ with lib;
       wants = [ "systemd-udevd.service" ];
       wantedBy = [ config.systemd.defaultUnit ];
 
-      before = [ config.systemd.defaultUnit ];
       after =
         [ "firewall.service"
           "systemd-modules-load.service"
+           config.systemd.defaultUnit
         ];
 
       unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";