nut: Do not run as privileged container

The only privilege NUT needs is access to the USB device nodes.  Using a
device CGroup rule to allow this is significantly better than disabling
all restrictions.  Especially since I discovered that `--privileged`
implies `--security-opt label=disable`, effectively disabling SELinux
confinement of the container.

templates/nut/nut-server.container

@@ -16,8 +16,8 @@ Volume=/etc/ups:/etc/ups:ro
 Volume=/dev:/dev:rw
 ReadOnly=true
 VolatileTmp=true
-PodmanArgs=--privileged
 Network=host
+PodmanArgs=--device-cgroup-rule 'c 189:* rw'
 
 [Service]
 ExecReload=podman exec systemd-%N upsd -c reload