d/chrony.service: Do not run inside containers by default
Chrony currently activates its service conditionally on CAP_SYS_TIME to avoid running it inside containers. However, some container implementations offer CAP_SYS_TIME to the container: from the container's point of view, this capability is available in the container's user namespace, but later on adjtimex and similar calls are actually evaluated against the host kernel, where they will fail. (See https://git.launchpad.net/ubuntu/+source/chrony/tree/debian/README.container)
systemd-timesyncd uses ConditionVirtualization=!container in addition to the CAP_SYS_TIME condition, and I suggest doing the same here. See this Ubuntu bug report for more details: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2111535/
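The following is an added example of the combined condition as a systemd drop-in, not the patch proposed above or the chrony project's own unit file; it assumes the drop-in path /etc/systemd/system/chrony.service.d/ and that the packaged unit already carries the CAP_SYS_TIME condition in its [Unit] section. Both directives are evaluated at activation time: ConditionCapability checks the capability bounding set, ConditionVirtualization=!container asks the same detection logic as systemd-detect-virt --container, and the service is skipped (not failed) when either condition is false.

```ini
# /etc/systemd/system/chrony.service.d/no-container.conf
# Drop-in added as an illustration of the proposed change (hypothetical file path).
[Unit]
# Already present in the packaged unit: skip when the bounding set lacks CAP_SYS_TIME.
ConditionCapability=CAP_SYS_TIME
# Proposed addition: also skip when systemd detects a container, because a
# CAP_SYS_TIME granted inside a user namespace does not let adjtimex and
# similar calls succeed against the host kernel.
ConditionVirtualization=!container
```

After `systemctl daemon-reload`, `systemctl show -p ConditionResult chrony.service` reports `ConditionResult=no` inside a container and `systemctl status chrony.service` shows the unit as skipped rather than failed, which is the behaviour systemd-timesyncd already has; on a host that is not a container the added directive has no effect.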