nixos/confinement: Use prio 100 for RootDirectory

One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).

The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.

To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.

Signed-off-by: aszlig <aszlig@nix.build>

nixos/modules/security/systemd-confinement.nix

@@ -107,7 +107,7 @@ in {
         serviceConfig = {
           ReadOnlyPaths = [ "+/" ];
           RuntimeDirectory = [ "confinement/${mkPathSafeName name}" ];
-          RootDirectory = lib.mkDefault "/run/confinement/${mkPathSafeName name}";
+          RootDirectory = "/run/confinement/${mkPathSafeName name}";
           InaccessiblePaths = [
             "-+/run/confinement/${mkPathSafeName name}"
           ];