nixos/public-inbox: use DynamicUser for readers
public-inbox-{http,nntp,imap}d only need to be able to read the
repositories, so they don't need to run as the public-inbox user,
which has write permission for /var/lib/public-inbox.
Annoyingly, confinement is currently not compatible with DynamicUser,
so we can't enable both at the same time.
