nixos/apparmor: ensure that apparmor is selected at boot

Otherwise we're subject to whatever defaults were selected at kernel build
time.

See also: https://github.com/NixOS/nixpkgs/issues/61145

nixos/modules/security/apparmor.nix

@@ -29,6 +29,8 @@ in
    config = mkIf cfg.enable {
      environment.systemPackages = [ pkgs.apparmor-utils ];
 
+     boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
+
      systemd.services.apparmor = let
        paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
          ([ pkgs.apparmor-profiles ] ++ cfg.packages);