Use --read-only FS for metrics-related containers

It seems like it doesn't cause any issues for any of these services.

roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2

@@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--read-only \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_grafana_container_http_host_bind_port %}
 			-p {{ matrix_grafana_container_http_host_bind_port }}:3000 \

roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2

@@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--read-only \
 			{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
 			-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
 			{% endif %}

roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2

@@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--read-only \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_prometheus_container_http_host_bind_port %}
 			-p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \