/run/wrappers: remove unused newgidmap,newuidmap,newgrp binaries

hosts/common/polyunfill.nix

@@ -2,6 +2,19 @@
 
 { lib, ... }:
 {
+  # remove a few items from /run/wrappers we don't need.
+  # these were populated by <repo:nixos/nixpkgs:nixos/modules/programs/shadow.nix>
+  options.security.wrappers = lib.mkOption {
+    apply = lib.filterAttrs (name: _: !(builtins.elem name [
+      "newgidmap"
+      "newgrp"
+      "newuidmap"
+      # "sg"
+      # "su"
+    ]));
+  };
+
+  config = {
     # disable non-required packages like nano, perl, rsync, strace
     environment.defaultPackages = [];
 
@@ -85,4 +98,5 @@
     # - on x86 only: more keyboard stuff: "pcips2" "atkbd" "i8042"
 
     boot.initrd.includeDefaultModules = lib.mkDefault false;
+  };
 }