nixos/networkd: support systemd-creds in WireGuard

systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826).
Check whether PrivateKey / PresharedKey starts with an @, if so it is a credential.

nixos/lib/systemd-lib.nix

@@ -17,6 +17,7 @@ let
     filterAttrs
     flatten
     flip
+    hasPrefix
     head
     isInt
     isFloat
@@ -196,6 +197,10 @@ in rec {
     optional (attr ? ${name})
       "Systemd ${group} field `${name}' has been removed. See ${see}";
 
+  assertKeyIsSystemdCredential = name: group: attr:
+    optional (attr ? ${name} && !(hasPrefix "@" attr.${name}))
+      "Systemd ${group} field `${name}' is not a systemd credential";
+
   checkUnitConfig = group: checks: attrs: let
     # We're applied at the top-level type (attrsOf unitOption), so the actual
     # unit options might contain attributes from mkOverride and mkIf that we need to