fix: use podman.user for rootless instead of mkForce on serviceConfig

The oci-containers module has native rootless support via podman.user
which handles cgroup delegation, runtime dirs, and cidfile paths.
Delegate=true workaround for NixOS/nixpkgs#410857.

hosts/lab/dokuwiki.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ ... }:
 {
   services.caddy.virtualHosts."wiki.ily.rs" = {
     extraConfig = ''
@@ -9,6 +9,7 @@
 
   virtualisation.oci-containers.containers.dokuwiki = {
     image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
+    podman.user = "lew";
     environment = {
       PUID = "1000";
       PGID = "1000";
@@ -21,5 +22,6 @@
     ports = [ "127.0.0.1:8070:80" ];
   };
 
-  systemd.services.podman-dokuwiki.serviceConfig.User = lib.mkForce "lew";
+  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+  systemd.services.podman-dokuwiki.serviceConfig.Delegate = true;
 }

hosts/lab/foundry.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ ... }:
 {
   services.caddy.virtualHosts."foundry.ily.rs" = {
     extraConfig = ''
@@ -12,6 +12,7 @@
     cmd = [ "node" "main.js" "--dataPath=/data" ];
     workdir = "/app";
     user = "1000:1000";
+    podman.user = "lew";
     volumes = [
       "/srv/foundry/app:/app:ro"
       "/srv/foundry/data:/data"
@@ -19,5 +20,6 @@
     ports = [ "127.0.0.1:30000:30000" ];
   };
 
-  systemd.services.podman-foundry.serviceConfig.User = lib.mkForce "lew";
+  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+  systemd.services.podman-foundry.serviceConfig.Delegate = true;
 }