
fix: Use correct paths for Secure Boot OVMF_VARS on NixOS hosts #1877

Closed
alexhaydock wants to merge 0 commit into quickemu-project:master from alexhaydock:nixos-secureboot-fix

@alexhaydock
Contributor

Description

This is an extremely minor change that corrects the paths used for Secure Boot OVMF vars on NixOS.

This makes the assumption that by enabling secureboot="on", the user wants their VARS store to be pre-populated with Microsoft's signing keys. I think this is a safe assumption and matches what we're doing for other host distributions.

While this is not strictly a breaking change, it's worth noting that using a blank VARS store (as has been the case on NixOS until now) means Secure Boot remains in Setup (i.e. non-enforcing) mode. This means that Secure Boot has been non-functional for NixOS users until now, even when secureboot="on" has been set. So there's a small chance that some users might see a change in behaviour here - though admittedly it'd only be when creating new VMs, as we don't overwrite the VARS store at any point for existing VMs.

FWIW I also think the above population will be very small as Secure Boot was completely broken until 6d5b923 which didn't land until 4.9.8, and NixOS 25.11 is still shipping 4.9.7.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Packaging (updates the packaging)
  • Documentation (updates the documentation)

Checklist:

  • I have performed a self-review of my code
  • I have tested my code in common scenarios and confirmed there are no regressions
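
A guest-side check for the state the pull request description above distinguishes (Setup mode versus enforcing), as an added example that is not part of the pull request or of quickemu's own code. It assumes a Linux guest with efivarfs mounted; the function names and the constructed sample-data helper are hypothetical.

```shell
#!/bin/sh
# Added example: classify a guest's Secure Boot state from efivarfs.
# GUID of the UEFI global variable namespace (SecureBoot, SetupMode, PK, ...).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 bytes of attributes followed by the variable data;
# SecureBoot and SetupMode each carry one data byte (0 or 1).
efi_var_byte() {
    # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s' "$v"
}

secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo no-efi; return 0; }
    setup=$(efi_var_byte "$dir" SetupMode) || setup=unknown
    sb=$(efi_var_byte "$dir" SecureBoot) || sb=unknown
    if [ "$setup" = 1 ]; then
        echo setup-mode   # no platform key enrolled, e.g. a blank VARS store
    elif [ "$setup" = 0 ] && [ "$sb" = 1 ]; then
        echo enforcing    # keys enrolled and signature checks active
    elif [ "$sb" = 0 ]; then
        echo disabled     # keys enrolled but Secure Boot switched off
    else
        echo unknown
    fi
}

# Constructed sample data for offline testing (not captured from a real VM):
# writes attributes 0x00000006 (BS|RT) plus one value byte.
make_sample_var() {
    # $1 = directory, $2 = variable name, $3 = value (0 or 1)
    { printf '\006\000\000\000'; printf "\\00$3"; } > "$1/$2-$EFI_GLOBAL_GUID"
}
```

Inside a newly created guest, calling `secure_boot_state` with no argument reads the live variables; `setup-mode` there means the VARS store came up without enrolled keys.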

@alexhaydock changed the title from "Fix Secure Boot paths on NixOS" to "fix: Use correct paths for Secure Boot OVMF_VARS on NixOS hosts" on Feb 25, 2026
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Auto-approved: This is a trivial path correction in the Nix packaging configuration to fix Secure Boot functionality on NixOS. It is extremely isolated and low-risk.
