use dedicated podman user for rootless containers

Adds a system user 'podman' (uid 900) with subuid/subgid ranges
and linger for running OCI containers. Removes podman-specific
settings from lew user. DokuWiki switches to sdnotify=healthy
since the image has a built-in healthcheck.

hosts/lab/dokuwiki.nix

@@ -9,7 +9,8 @@
 
   virtualisation.oci-containers.containers.dokuwiki = {
     image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
-    podman.user = "lew";
+    podman.user = "podman";
+    podman.sdnotify = "healthy";
     environment = {
       PUID = "1000";
       PGID = "1000";
@@ -21,7 +22,4 @@
     ];
     ports = [ "127.0.0.1:8070:80" ];
   };
-
-  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
-  systemd.services.podman-dokuwiki.serviceConfig.Delegate = true;
 }