ddclient nixos module: follow best practice for running daemons

Couple of changes:

 - move home to /var/lib/ddclient so we can enable ProtectSystem=full
 - do not stick binary into systemPackages as it will only run as a daemon
 - run as dedicated user/group
 - document why we cannot run as type=forking (output is swallowed)
 - secure things by running with ProtectSystem and PrivateTmp
 - .pid file goes into /run/ddclient
 - let nix create the home directory instead of handling it manually
 - make the interval configurable