disable newly (all) installed services by default

Should be considered for Whonix and Kicksecure.

After a package is installed (perhaps as a dependency) not all systemd unit files should be enabled automatically to reduce attack surface, more efficient RAM use and better performance.

Configure systemd units to not be enabled by default.
We’d ship a systemd preset file to explicitly enable any default service that we install by default and want to be enabled.

Users who do sudo apt install nginx though would be left annoyed and confused why they also need to run sudo systemctl enable nginx, sudo systemctl start nginx (or some combined command, if existing).

Similar to: