nixos/lldap: set service UMask=0027 and StateDirectoryMode=0750

While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.

There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.

As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.

This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.

However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.

Due to this, we instead change the service's to `027`.

And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.

nixos/modules/services/databases/lldap.nix

@@ -123,7 +123,9 @@ in
       '';
       serviceConfig = {
         StateDirectory = "lldap";
+        StateDirectoryMode = "0750";
         WorkingDirectory = "%S/lldap";
+        UMask = "0027";
         User = "lldap";
         Group = "lldap";
         DynamicUser = true;