Improve security of example systemd unit file

The supplied systemd unit file places some basic security restrictions
on the rest service.  This patch enhances those, and improves the
overall security assessment score given by `systemd-analyze security`
from "8.3 EXPOSED" to "1.3 OK".

Closes #148

changelog/unreleased/issue-148

@@ -0,0 +1,7 @@
+Bugfix: Enhance security for example systemd unit file
+
+Additional systemd features have been used to enhance the security of the
+rest-server for systemd users.
+
+https://github.com/restic/rest-server/issues/148
+https://github.com/restic/rest-server/pull/149

examples/systemd/rest-server.service

@@ -10,13 +10,35 @@ Group=www-data
 ExecStart=/usr/local/bin/rest-server --path /path/to/backups
 Restart=always
 RestartSec=5
+# Makes created files group-readable, but inaccessible by others
+UMask=027
 
-# Optional security enhancements
+# Recommended security enhancements using features present in systemd version 247
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
 PrivateTmp=yes
+PrivateDevices=true
+PrivateUsers=true
 ProtectSystem=strict
 ProtectHome=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectHostname=true
+ProcSubset=pid
 ReadWritePaths=/path/to/backups
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictSUIDSGID=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target